Cyber Threat Breakdown December 2023

Here is the December 2023 breakdown of threats with a short list of IoCs. The full IoC list for each specific threat is available from the Cymulate app.

Reminder: The Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM list of IoCs, including hashes, URLs, domain names, etc.

 

Note: The period character ‘.’ in the hash-named file names and URLs has been replaced with a ‘·’ out of an abundance of security caution.

 

Smoke and Mirrors Understanding The Workings of Wazawaka

New MetaStealer Malvertising Campaigns Discovered

Bandook Remote Access Trojan Continues To Evolve

Malvertisers zoom in on cryptocurrencies and initial access

Operation HamsaUpdate A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure At Risk

BattleRoyal DarkGate Cluster Spreads via Email and Fake Browser Updates

An Analysis Of A Persistent Actors Activity

AsyncRAT Code Injection Found Across Multiple Incident Response Cases

Analysis of Kimsuky Groups AppleSeed Malware Attack Trends

Threat Actor Launches Operation RusticWeb For Targeting Indian Government Officials

NKAbuse Malware Abuses The NKN Protocol

Seedworm Iranian Hackers Target Telecoms Orgs in North and East Africa

Cert IL Alert – Phishing impersonating F5

US Cert Alert – Play Ransomware

Mallox Ransomware Resurrected To Burden Enterprises

Improperly Managed Linux SSH Servers Under Attack

Rhadamanthys Information Stealer Deep Dive

Curse Of The Krasue – New Linux Remote Access Trojan Targets Thailand

US Cert Alert – Russian Foreign Intelligence Service SVR Exploiting JetBrains TeamCity CVE Globally CISA

Editbot Stealer Spreads Via Social Media Messages

New Tool Set Found Used Against Middle East Africa And The US

Lazarus Operation Blacksmith Campaign Uses DLang Malware

Kinsing Used To Exploit ActiveMQ CVE-2023-46604 Vulnerability In Cryptomining Operations

DanaBot Found Deploying IcedID

ParaSiteSnatcher – How Malicious Chrome Extensions Target Brazil

UAC-0050 Delivers RemcosRAT Or MeduzaStealer To Polish Targets In Mass Phishing Campaign

APT28 Carries Out High Volume Phishing Campaigns Against Sectors Across Europe And North America

US Cert Alert – Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 For Initial Access To Government Servers

New BlueNoroff Loader For MacOS

WSF Script Used To Distribute AsyncRAT

Cert IL Alert – A Cyber-Attack Tool Used By A State-Sponsored Attack Group Found In Attacks On Israeli Infrastructure

Threat Actor Targets Macintosh Users Via Fake Browser Updates For Distributing Atomic Stealer

North Korean Hackers Attacking MacOS Using Weaponized Documents

Storm-0978 Weaponizes New CVE

 

Smoke and Mirrors Understanding The Workings of Wazawaka

Mikhail Pavlovich Matveev, also known by the monikers Wazawaka, Boriselcin and Orange, has recently risen to prominence within the Threat Intelligence (TI) community, emerging as a key player in the dynamic digital threat landscape, according to PRODAFT researchers.

 

IOCs

46f1a4c_browsing77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561XxX1Elf·elf

MD5: 11d211ce3fa615ce35bff30fa37e9251

SHA1: eba816d7dc084d5702ad5d222c9b6429755b25fd

SHA256: 46f1a4c77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561

 

46f1a4c_edr77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561XxX1Elf·elf

MD5: 11d211ce3fa615ce35bff30fa37e9251

SHA1: eba816d7dc084d5702ad5d222c9b6429755b25fd

SHA256: 46f1a4c77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561

 

http://79·124·59·178

 

 

New MetaStealer Malvertising Campaigns Discovered

MetaStealer, a prominent malware that emerged in 2022, has been identified in recent malvertising campaigns. This malware, derived from the RedLine code base, uses two distinct ads related to Notepad++ and AnyDesk. Two domains serve as both decoy and landing pages, with content that appears auto-generated if accessed directly. Users meeting specific criteria who click the ads encounter a malicious landing page and receive a download link. In the November payload, a shortcut launching PowerShell with a hardcoded path to the Downloads folder was employed, while the December campaign eliminated PowerShell, opting instead for a recompiled malicious DLL.

 

IOCs

949c5ae482_browsing7a3b642132faf73275fb01c26e9dce151d6c5467d3014f208f77caXxX1Zip·zip

MD5: 13edc2c86a86e8880e92bb95f460e5fb

SHA1: e9d7d6dea828832b8e35701f4504199bc09cd55e

SHA256: 949c5ae4827a3b642132faf73275fb01c26e9dce151d6c5467d3014f208f77ca

 

99123063690e244f95b89d96_browsing759ec7dbc28d4079a56817f3152834047ab047ebXxX3Zip·zip

MD5: 2a4b0b65897e7fd494ad0aced7f42aeb

SHA1: 7cdcbd78194eeaa4e3793c5b19d84537ff71bb3c

SHA256: 99123063690e244f95b89d96759ec7dbc28d4079a56817f3152834047ab047eb

 

c559_browsing7da40dee419696ef2b32cb937a11fcad40f4f79f9a80f6e326a94e81a90fXxX5Zip·zip

MD5: 8ba7059cc766798bc3993b720f561c11

SHA1: 891ad3e89d469f55245738a99c3e71e8a2a4fa42

SHA256: c5597da40dee419696ef2b32cb937a11fcad40f4f79f9a80f6e326a94e81a90f

 

 

Bandook Remote Access Trojan Continues To Evolve

Bandook malware, a remote access trojan initially detected in 2007, has evolved over the years and was recently identified in a new variant distributed through a PDF file in October 2023.
The PDF file contains a shortened URL leading to a password-protected .7z file. Upon extraction using the provided password, the malware injects its payload into msinfo32·exe. The variant introduces two control codes, one loading fcd.dll and the other establishing persistence and executing Bandook's copy. The malware communicates with its command and control (C2) server, sending victim information and receiving commands such as *DJDSR^, @0001, @0002 and so on. The string sequence in the latest variants extends to @0155, with some codes used for sending results to the server and others present in different modules.

 

IOCs

e8_browsing7c338d926cc32c966fce2e968cf6a20c088dc6aedf0467224725ce36c9a525XxX3Exe·exe

MD5: 5b49b856ed078c80306a6f190c445138

SHA1: efbeec9846500b7d54d7fbc51de78b92976d1bbc

SHA256: e87c338d926cc32c966fce2e968cf6a20c088dc6aedf0467224725ce36c9a525

 

430b9e91a09369_browsing78757eb8c493d06cbd2869f4e332ae00be0b759f2f229ca8ceXxX5Exe·exe

MD5: 89df83ffca7aae77fe72522173ec71ac

SHA1: b9d9d73c162969ef56931cc26928f67dfaae1523

SHA256: 430b9e91a0936978757eb8c493d06cbd2869f4e332ae00be0b759f2f229ca8ce

 

31691_browsing71e671315e18949b2ff334db83f81a3962b8389253561c813f01974670bXxX9Exe·exe

MD5: cc9283299523aed18b5c82c22b0b9f27

SHA1: 33c172779ac7117e30d37a6fe26361b2175cae03

SHA256: 3169171e671315e18949b2ff334db83f81a3962b8389253561c813f01974670b

 

 

Malvertisers zoom in on cryptocurrencies and initial access

During the past month, Malwarebytes has observed an increase in the number of malicious ads on Google searches for Zoom, the popular video conferencing software. Threat actors have been alternating between different keywords for software downloads, such as Advanced IP Scanner or WinSCP, normally geared towards IT administrators.

 

IOCs

30fda6_browsing7726f77706955f6b52b202452e91d5ff132783854eec63e809061a4b5cXxX1Dll·dll

MD5: 174ff2e9b7a6b77382a5de6cf6f8a877

SHA1: afcb6d65145288d8d8397c006c837dcf176dba01

SHA256: 30fda67726f77706955f6b52b202452e91d5ff132783854eec63e809061a4b5c

 

44cac5bf0bab56b0840bd1c_browsing7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5XxX2Zip·zip

MD5: 7d27ed94ba01dc9c2761af0ed84c616f

SHA1: c2d9ecb9e0496dd21e636a77fac370325b8ae6ef

SHA256: 44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5

 

5b91_browsing7d04d416cafaf13ed51c40b58dc8b4413483ea3f5406b8348038125cad0bXxX4Dll·dll

MD5: a9c40b7581be75e006436c5b22495909

SHA1: ce6a3b5d8cd553dfd114551fd61dc58628581ea7

SHA256: 5b917d04d416cafaf13ed51c40b58dc8b4413483ea3f5406b8348038125cad0b

 

Operation HamsaUpdate A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure At Risk

On December 19th, the Israel National Cyber Directorate released an urgent alert warning of a phishing campaign actively targeting Israeli customers who use F5's network devices.
Intezer has labeled this campaign Operation HamsaUpdate. It features the deployment of a newly developed wiper malware that targets both Windows and Linux servers. The campaign leverages a convincingly written email in Hebrew and uses sophisticated social engineering techniques, pressuring victims to execute the harmful code residing on their servers.
The final attack delivers a complex multi-stage loader or a destructive wiper, each variant customized for either Linux or Windows environments.

 

IOCs

33616_browsing7b8c5cfc5cd330502e7aa515cc133656e12cbedb4b41ebbf847347b2767XxX8Exe·exe

MD5: b8ccbbb996bd93df4b93d1e027b7a0eb

SHA1: ce683968a78709adaf6305e73b690e05f04d02ca

SHA256: 336167b8c5cfc5cd330502e7aa515cc133656e12cbedb4b41ebbf847347b2767

 

454e6d3_browsing782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567XxX9Exe·exe

MD5: 4551a6cdf8d23a96aa4124ac9bdb6d1d

SHA1: b75b6cebe869e1636f0f294954b7906a4905701a

SHA256: 454e6d3782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567

 

64c5fd_browsing791ee369082273b685f724d5916bd4cad756750a5fe953c4005bb5428cXxX11Zip·zip

MD5: 08efd480e2c105382ba277a905f0c4a9

SHA1: 3a05a0238f892e53112654bf136ef352e7476a9b

SHA256: 64c5fd791ee369082273b685f724d5916bd4cad756750a5fe953c4005bb5428c

 

BattleRoyal DarkGate Cluster Spreads via Email and Fake Browser Updates

Throughout the summer and fall of 2023, DarkGate entered the ring, competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via many methods, such as email, Microsoft Teams, Skype, malvertising and fake updates.

 

IOCs

7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e_browsing7015ae49561f0fXxX4Exe·exe

MD5: 7c657d37d590b131fcf3af752553f1d8

SHA1: c3b3c5ae0d52677b46298672273a8d91abf8de29

SHA256: 7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e7015ae49561f0f

 

ea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde_browsing744e08188fXxX7Url·url

MD5: 7c27512408c5d83388fb14c1661e3d79

SHA1: 91387c854741040a09f67d5af953db1ee779a690

SHA256: ea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde744e08188f

 

fce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4_browsingXxX8Url·url

MD5: 160f5ebabccd2638882969c7dcb08a58

SHA1: 99796ccd2cb846a1d8a7f4c078d0be9eac6e380c

SHA256: fce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4

 

An Analysis Of A Persistent Actor's Activity

DFIR researchers discovered an open directory containing over a year's worth of historical threat actor activity. Through analysis of the tools, logs and artifacts exposed on the internet, they were able to profile the threat actor and their targets. The research suggests that the primary motivation behind the threat actor's actions was not financial, despite occasional financially motivated behaviors such as deploying crypto-miners and targeting finance sites.
The threat actor consistently scanned government services and defense contractors for vulnerabilities but also exhibited limited financially driven activities. The threat actor relied exclusively on open source tools and frameworks, including sqlmap and ghauri for active scanning and reconnaissance, and Metasploit and Sliver for post-exploitation activities after exploiting vulnerabilities.

 

IOCs

583c92f2ce6_browsing7d1d8df1fcac95c3765faad602509d6a3c9c5638310ddc0673e55XxX51Exe·exe

MD5: e16ae7c890b18a1d2e710b26938db959

SHA1: dc2c4c98141c08dbd6e895ce0e86d71e36f6aee7

SHA256: 583c92f2ce67d1d8df1fcac95c3765faad602509d6a3c9c5638310ddc0673e55

 

b5c4cc2bd69aceeb1fa_browsing7aa6538c3248514dc93f7b6d248e1d0f7b2db5ce86674XxX45Elf·elf

MD5: 2a11a19ba5d7c15e51dddb7695ea32ad

SHA1: ca20ea3fccad9614fe3e31e60098a9564d2d724c

SHA256: b5c4cc2bd69aceeb1fa7aa6538c3248514dc93f7b6d248e1d0f7b2db5ce86674

 

bb634bf93293_browsing7a683ebf002b2a1325e7fe7bfe172e924d2e528de761248b91ecXxX53Exe·exe

MD5: eb1bf5fcd65d86394628a03c0240243e

SHA1: 3f98962d627af1b63bcfbb80afcf4a2457d4a511

SHA256: bb634bf932937a683ebf002b2a1325e7fe7bfe172e924d2e528de761248b91ec

 

 

AsyncRAT Code Injection Found Across Multiple Incident Response Cases

During Trend Micro's recent investigations, the Trend Micro Managed XDR (MxDR) team handled various cases involving AsyncRAT, a Remote Access Tool (RAT) with multiple capabilities, such as keylogging and remote desktop control, that make it a substantial threat to victims. Trend Micro unravels the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications. Malicious actors abused this process to inject the AsyncRAT payload, showing evolving adversary tactics.

IOCs

Asyncaq1_browsingPs1·ps1

MD5: e2de940fab2b14c512499006bbe5cd0a

SHA1: 899ca79e54a2d4af140a40a9ca0b2e03a98c46cb

SHA256: 9465750d2ddfcbfc68cd92da0bbad34a36a1eeac8c82a1c8ed086465b6c0cccf

 

Asyncaq2_browsingTxt·txt

MD5: 0818afc233b1ae3fb60d1fb7550f641d

SHA1: c5b16f22397c201a6e06f0049b6f948c648f11b7

SHA256: ef9d0086d23187030d4c2d05132a28d9ed2c3ab5cb76994a2dfc1c4754332315

 

Asyncaq3_browsingTxt·txt

MD5: 8eb61867a27fd921ece5c6454f1819c1

SHA1: c07b2c25f926550d804087ac663991cf06bac519

SHA256: 5d787de295a1d6a57e18ff54d9833ef0133248ae77084170162a01464d5b5203

 

Analysis of Kimsuky Group's AppleSeed Malware Attack Trends

The Kimsuky threat group, which is said to be backed by North Korea, has been active since 2013.
Initial attacks on South Korea's North Korea-related research institutes have been confirmed, followed by attacks on South Korea's energy institutions in 2014 and attacks on other countries outside of South Korea since 2017. Spear phishing attacks are primarily aimed at stealing information and technology from organizations in the national defense, defense industry, media, diplomacy, state institutions, and academia.

 

IOCs

cbdcf6224aa15c_browsing70a22346594d1956c0589a9411beb75a003eaccb15db4370a5XxX131Dll·dll

MD5: 1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf

SHA1: 5d41e15aba6d89fe99b96e53a3c9d18da7e019a6

SHA256: cbdcf6224aa15c70a22346594d1956c0589a9411beb75a003eaccb15db4370a5

 

08d_browsing740277e6c3ba06cf6e4806132d8956795b64bb32a1433a5f09bdf941a1b72XxX156Dll·dll

MD5: f3a55d49562e41c7d339fb52457513ba

SHA1: 88ac3915d4204818d3360ac930497921fd35f44e

SHA256: 08d740277e6c3ba06cf6e4806132d8956795b64bb32a1433a5f09bdf941a1b72

 

cbdcf6224aa15c_edr70a22346594d1956c0589a9411beb75a003eaccb15db4370a5XxX131Dll·dll

MD5: 1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf

SHA1: 5d41e15aba6d89fe99b96e53a3c9d18da7e019a6

SHA256: cbdcf6224aa15c70a22346594d1956c0589a9411beb75a003eaccb15db4370a5

 

 

Threat Actor Launches Operation RusticWeb For Targeting Indian Government Officials

An ongoing phishing campaign named Operation RusticWeb has been seen targeting Indian government officials since at least October 2023. Based on overlaps in tactics and techniques, the activity has been attributed to two Pakistan-linked APT groups, Transparent Tribe (APT36) and SideCopy. Shifting from well-known compiled languages to newer ones like Golang, Rust and Nim, the threat actors used two different infection chains, relying primarily on Rust-based payloads, spear-phishing and fake domains to achieve campaign objectives. The first infection chain used PowerShell files embedded in seemingly legitimate documents to download and execute scripts from malicious domains, leading to the final Rust-based malware payload, which is capable of stealing files and collecting system information. The second infection chain uses maldocs with encrypted PowerShell commands, delivered via documents containing VBA macros that lead to the download and execution of malicious payloads.

 

IOCs

26bf853b951e8d8ba600_browsing7e9d5c77f441faa739171e95f27f8d3851e07bc65b11XxX26Lnk·lnk

MD5: 13ee4bd10f05ee0499e18de68b3ea4d5

SHA1: 8c969dbe0fe30244802cda1c8e33b04040831466

SHA256: 26bf853b951e8d8ba6007e9d5c77f441faa739171e95f27f8d3851e07bc65b11

 

 db9afd2c59f20e04db3_browsing7ddd38d1e911cdb4bddf39c24e4ce7cedda4eec984604XxX28Rar·rar

MD5: 56cb95b63162d0dfceb30100ded1131a

SHA1: 5dd201fa53cb5c76103579785a3d220d578dd12a

SHA256: db9afd2c59f20e04db37ddd38d1e911cdb4bddf39c24e4ce7cedda4eec984604

 

b80f1554_browsing71b545db9ffb3253c4c3295995547c3acca3bf1115baff20955bcfd8XxX30Docx·docx

MD5: de30abf093bd4dfe6b660079751951c6

SHA1: a68fd8c33f0c1f21cabaf17f4ade02b25a1f262a

SHA256: b80f155471b545db9ffb3253c4c3295995547c3acca3bf1115baff20955bcfd8

 

NKAbuse Malware Abuses The NKN Protocol

Researchers have uncovered a new multiplatform threat named “NKAbuse.” The malware uses NKN technology for peer-to-peer data exchange, operating as a powerful implant with flooder and backdoor capabilities. Written in Go, it is adaptable to various architectures, with Linux desktops being its primary target. However, it can also infect MIPS and ARM systems, posing a threat to IoT devices. NKAbuse infiltrates systems by uploading an implant to the victim host, establishing persistence through a cron job and installing itself in the host's home folder.
The malware exhibits a range of capabilities, from flooding to backdoor access and remote administration (RAT). While designed for integration into a botnet, it can also function as a backdoor on a specific host. Notably, its use of blockchain technology ensures both reliability and anonymity, suggesting the potential for steady expansion over time without an identifiable central controller.

 

IOCs

 

2f2fda8895e69ceabeb1cf566b9a3ae5_browsing784657cc84aa07f42311bb5ef776debfXxX130Elf·elf

MD5: 11e2d7a8d678cd72e6e5286ccfb4c833

SHA1: 9b28c9842febf26841d4e5ce895fcfae90c3f4fb

SHA256: 2f2fda8895e69ceabeb1cf566b9a3ae5784657cc84aa07f42311bb5ef776debf

 

2f2fda8895e69ceabeb1cf566b9a3ae5_edr784657cc84aa07f42311bb5ef776debfXxX130Elf·elf

MD5: 11e2d7a8d678cd72e6e5286ccfb4c833

SHA1: 9b28c9842febf26841d4e5ce895fcfae90c3f4fb

SHA256: 2f2fda8895e69ceabeb1cf566b9a3ae5784657cc84aa07f42311bb5ef776debf

 

Seedworm Iranian Hackers Target Telecoms Orgs in North and East Africa

Security company Symantec has released new evidence of an Iranian espionage group targeting telecommunications companies in North and East Africa, and of the MuddyC2Go backdoor, which is believed to have been used by Seedworm.

 

IOCs

3916ba913e4d9a46cfce43_browsing7b18735bbb5cc119cc97970946a1ac4eab6ab39230XxX2Exe·exe

MD5: 3579e899e6fae7d641d4e7ea7c0ae90e

SHA1: b01e8110090246e44c0cadf37d2e9334e1dc9cef

SHA256: 3916ba913e4d9a46cfce437b18735bbb5cc119cc97970946a1ac4eab6ab39230

 

1a082_browsing7082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdacaXxX1Dll·dll

MD5: a0074df7d2690db277847257392459c1

SHA1: 54083e4f3feb443c3bd160b3bf46b9d8f61c389b

SHA256: 1a0827082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdaca

 

1a082_edr7082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdacaXxX1Dll·dll

MD5: a0074df7d2690db277847257392459c1

SHA1: 54083e4f3feb443c3bd160b3bf46b9d8f61c389b

SHA256: 1a0827082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdaca

 

 

Cert IL Alert – Phishing impersonating F5

The National Cyber Directorate has received reports of a targeted phishing campaign impersonating the company F5. The messages from the attacker include a link to download a file, which downloads a wiper-type malware to the user's workstation. This alert is accompanied by an identifying file. It is highly recommended to block this file in all relevant organizational security systems. Avoid activating any link of this type, and it is advisable to report any similar messages to the National Cyber Directorate.

 

IOCs

 fe0_browsing7dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2XxX1Exe·exe

MD5: 2ff97de7a16519b74113ea9137c6ba0c

SHA1: 5def5e492435cfd423e51515925d17285b77cdbc

SHA256: fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2

 

 

 e28085e8d64bb_browsing737721b1a1d494f177e571c47aab7c9507dba38253f6183af35XxX2Exe·exe

MD5: 8678cca1ee25121546883db16846878b

SHA1: db38eeb9490cc7946b3ed0cf3759acb41666bdc3

SHA256: e28085e8d64bb737721b1a1d494f177e571c47aab7c9507dba38253f6183af35

 

 ad66251d9e8_browsing792cf4963b0c97f7ab44c8b68101e36b79abc501bee1807166e8aXxX4Zip·zip

MD5: 04ca69ec86453bdea484e1c1edc3f883

SHA1: b57a6098e56961f1800c9d485117e9a7cd4eeddd

SHA256: ad66251d9e8792cf4963b0c97f7ab44c8b68101e36b79abc501bee1807166e8a

 

US Cert Alert – Play Ransomware

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are releasing this joint CSA to disseminate the Play ransomware group's IOCs and TTPs identified through FBI investigations as recently as October 2023.

Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America and Europe.
As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.

In Australia, the first Play ransomware incident was observed in April 2023 and the most recent in November 2023. The Play ransomware group is presumed to be a closed group designed to “guarantee the secrecy of deals,” according to a statement on the group's data leak website.
Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data.
Ransom notes do not include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email.

 

IOCs

4_browsing7c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57XxX2Exe·exe

MD5: 57bcb8cfad510109f7ddedf045e86a70

SHA1: e6c381859f53d0c0db9fcd30fa601ecb935b93e0

SHA256: 47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57

 

 7a42f96599df8090cf89d6e3ce4316d24c6c00e499c855_browsing7a2e09d61c00c11986XxX4Dll·dll

MD5: 4412f230da1a3954d5065395b512ff49

SHA1: b86f648484364d6dbd0f42b526d4f25814ff00e7

SHA256: 7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986

 

 7dea6_browsing71be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8acaXxX6Dll·dll

MD5: 8fcb6fb21b4326466378991e42ce9865

SHA1: dd27145d9e4ec4a921b664183a9cbebee568c234

SHA256: 7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca

 

Mallox Ransomware Resurrected To Burden Enterprises

Mallox operates as a Ransomware-as-a-Service (RaaS) model, using underground forums like Nulled and RAMP to advertise and recruit affiliates. The group targets vulnerable and publicly exposed services, focusing particularly on MS-SQL and ODBC interfaces.

They exploit specific vulnerabilities such as CVE-2019-1068 and CVE-2020-0618 in Microsoft SQL Server and employ brute force attacks on weakly configured services.
Mallox affiliates also use phishing emails to deliver attack frameworks like Cobalt Strike and Sliver. After gaining access, they execute PowerShell commands and use batch scripts to download ransomware payloads.

The group's variants, consistent from 2021 onwards, have a core set of functionalities, and recent payloads are labeled “Mallox.Resurrection.” Encrypted files have a .mallox extension, and a ransom note is deposited in each folder with locked files, instructing victims on how to obtain a decryption tool using TOR. Non-compliance with ransom demands may lead to the exposure of data on Mallox's data leak site.

 

IOCs

22816dc4dda6beec453e9a48520842b8409c54933cc81f1a338bc_browsing77199ab917eXxX15Bat·bat

MD5: 0e115cd39c3c92a0c3736555c022c7f3

SHA1: 3fa79012dfdac626a19017ed6974316df13bc6ff

SHA256: 22816dc4dda6beec453e9a48520842b8409c54933cc81f1a338bc77199ab917e

 

 ccac4ad01b0c8_browsing72a90f85f22fbeedde04c46bb1839f417156bb64fd85ae136b5XxX23Exe·exe

MD5: 550ff249ae479d9fd36fe9d988ecd6ef

SHA1: 4fcfb65cb757c83ed91bc01b3f663072a52da54b

SHA256: ccac4ad01b0c872a90f85f22fbeedde04c46bb1839f417156bb64fd85ae136b5

 

 634043ca_browsing72cd2b6a4d7a1cfe2aa12b7cd8c8348055fbc38c7d8006602ac66b87XxX25Exe·exe

MD5: 170685388eaeda42cf6b27c427165069

SHA1: 88f8629423efe84e2935eb71d292e194be951a16

SHA256: 634043ca72cd2b6a4d7a1cfe2aa12b7cd8c8348055fbc38c7d8006602ac66b87

 

Improperly Managed Linux SSH Servers Under Attack

Researchers analyzed a series of attacks targeting poorly managed Linux SSH servers.
Attackers first need to acquire information about the target, such as IP addresses and SSH credentials, before installing malicious code, including coin miners and DDoS bots. They do this by scanning for IP addresses and servers with active SSH services, then performing brute force or dictionary attacks to discover ID/password information.

The more coin miners and DDoS bots the attackers secure, the more virtual currency they can mine and the stronger the DDoS attacks they can perform. However, to install more of these, they need to acquire more target information and credentials. Attackers also install malicious code that performs scanning and brute force attacks from the infected systems they have secured, allowing them to acquire more information about further targets. They could also potentially sell the acquired target IP and credential information on the dark web.

 

IOCs

 78da0f82a258292d_browsing758bde05fa98e13ae15aedc8c8529f1e008cfb27b60e0f8eXxX6Elf·elf

MD5: dfa3dcb5b825f5622e54bd09be73b6ed

SHA1: 1a42fe1bf3dcf1d7dd4245576ec251cecbbb97c1

SHA256: 78da0f82a258292d758bde05fa98e13ae15aedc8c8529f1e008cfb27b60e0f8e

 

 2ef26484ec9e_browsing70f9ba9273a9a7333af195fb35d410baf19055eacbfa157ef251XxX4Elf·elf

MD5: 45901e5b336fd0eb79c6decb8e9a69cb

SHA1: a9c7d059a22fed787f48698c5c10b0b5146f616d

SHA256: 2ef26484ec9e70f9ba9273a9a7333af195fb35d410baf19055eacbfa157ef251

 

 14_browsing779e087a764063d260cafa5c2b93d7ed5e0d19783eeaea6abb12d17561949aXxX8Elf·elf

MD5: 946689ba1b22d457be06d95731fcbcac

SHA1: e998494f91b08b52b28fe3304e9322962e3d1b58

SHA256: 14779e087a764063d260cafa5c2b93d7ed5e0d19783eeaea6abb12d17561949a

 

 

Rhadamanthys Information Stealer Deep Dive

The Rhadamanthys stealer, available on the black market, has undergone a recent update to version 0.5.0, showcasing expanded stealing capabilities and the introduction of general-purpose spying functions. This multi-layer malware employs a new plugin system for adaptability to specific distributor needs. The initial loader, a 32-bit Windows executable, was largely rewritten but retains similarities with the previous version (0.4.9).

Notably, the malware now checks the executable's name during automated analysis in sandboxes, exiting immediately if it detects hash-like characteristics. The XS1 format reveals a component in the second stage of the loading process, featuring changes in string dumping and using a decoded buffer with a C2 URL. The update introduces TLS (Thread Local Storage) for temporary buffers, facilitating the deobfuscation of data such as strings.

 

IOCs

bb8bbcc948e8dca2e5a02_browsing70c41c062a29994a2d9b51e820ed74d9b6e2a01ddcfXxX30Exe·exe

MD5: b2dc71aeb389c4c5f6b3699163ea1d0f

SHA1: 578239aefa2c93cae72624754146e8f3e275fa5e

SHA256: bb8bbcc948e8dca2e5a0270c41c062a29994a2d9b51e820ed74d9b6e2a01ddcf

 

 bb8bbcc948e8dca2e5a02_edr70c41c062a29994a2d9b51e820ed74d9b6e2a01ddcfXxX30Exe·exe

MD5: b2dc71aeb389c4c5f6b3699163ea1d0f

SHA1: 578239aefa2c93cae72624754146e8f3e275fa5e

SHA256: bb8bbcc948e8dca2e5a0270c41c062a29994a2d9b51e820ed74d9b6e2a01ddcf

 

fcb00beaa88f7827999856ba12302086cadbc1252261d64379172f2927a6760e

 

Curse Of The Krasue – New Linux Remote Access Trojan Targets Thailand

A new Linux remote access trojan named Krasue has been discovered targeting telecom companies in Thailand. Krasue is designed to maintain covert access to victim networks by concealing its presence during the initialization phase. The initial access vector is unknown, but it may involve vulnerability exploitation, credential brute-force attacks or being part of a fake software package.

Krasue uses a rootkit derived from open-source projects like Diamorphine, Suterusu and Rooty to achieve persistence on the host and evade detection. The trojan employs RTSP messages as disguised alive pings, a tactic rarely seen. Krasue's command-and-control communications allow it to designate a communicating IP as its master upstream C2 server and to terminate itself.
There are source code similarities with another Linux malware, XorDdos, suggesting a common origin.

 

IOCs

b6db6_browsing702ca85bc80599d7f1d8b1a9b6dd56a8e87c55fc831dc9c689e54b8205dXxX12Elf·elf

MD5: 5055925b5bcd715d5b70b57fdbeda66b

SHA1: eddb4476ca610f3c5e895f4811c9744704552d2f

SHA256: b6db6702ca85bc80599d7f1d8b1a9b6dd56a8e87c55fc831dc9c689e54b8205d

 

902013bc59be545fb_browsing70407e8883717453fb423a7a7209e119f112ff6771e44ccXxX11Elf·elf

MD5: 7b756fff0eedc91deba968e308e13081

SHA1: 5c517edad3fb295e1fd92ed5cb16e132d1473132

SHA256: 902013bc59be545fb70407e8883717453fb423a7a7209e119f112ff6771e44cc

 

 ed38a61a6b_browsing7af436120465d352baa4cdf4ed8f01a7db7245b6254353e52f818fXxX10Elf·elf

MD5: 100a5f3875e430f6de03d99752fbb6a7

SHA1: 051bc3273a20a53d730a3beaff2fadcd38d6bb85

SHA256: ed38a61a6b7af436120465d352baa4cdf4ed8f01a7db7245b6254353e52f818f

 

 

US Cert Alert – Russian Foreign Intelligence Service SVR Exploiting JetBrains TeamCity CVE Globally CISA

Russia's foreign intelligence service (SVR) is targeting servers hosting TeamCity software, according to the Cybersecurity and Infrastructure Security Agency (CISA), a US government agency that oversees cyber security.

 

IOCs

0296e2ce999e6_browsing7c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5XxX1Exe·exe

MD5: c996d7971c49252c582171d9380360f2

SHA1: c948ae14761095e4d76b55d9de86412258be7afd

SHA256: 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5

 

 620d2bf14fe345eef618fdd1dac242b3a0bb65ccb_browsing75699fe00f7c671f2c1d869XxX7Dll·dll

MD5: 98a082e95628b51307343581cfb7eac7

SHA1: d4411f70e0dcc2f88d74ae7251d51c6676075f6f

SHA256: 620d2bf14fe345eef618fdd1dac242b3a0bb65ccb75699fe00f7c671f2c1d869

 

 8afb_browsing71b7ce511b0bce642f46d6fc5dd79fad86a58223061b684313966efef9c7XxX18Dll·dll

MD5: 347b4f985414ca9f78bbbbff002e3ec6

SHA1: a4b03f1e981ccdd7e08e786c72283d5551671edf

SHA256: 8afb71b7ce511b0bce642f46d6fc5dd79fad86a58223061b684313966efef9c7

 

Editbot Stealer Spreads Via Social Media Messages

Researchers discovered an attack campaign targeting social media users. The campaign is a multi-stage attack in which each phase has a distinct role, such as evading detection, downloading additional payloads, or gaining persistence on the victim's system. The threat actors use open-source code-sharing platforms such as GitLab to retrieve the next-stage payloads.

The downloaded payload is a Python-based stealer designed to steal process information and browser-stored data such as passwords, cookies, and web data. It uses a Telegram channel to exfiltrate the stolen information to the threat actors. The scam revolves around the theme of a defective product that has to be sent back. As users comment on or like posts within these fake pages or groups, they inadvertently expand the reach of the fraudulent content, causing it to appear in their networks' news feeds. This helps the threat actors spread the scam to a broader audience.

 

IOCs


New Tool Set Found Used Against Middle East Africa And The US

A new tool set used by nation-state hackers to steal user credentials and access confidential information has been identified by researchers at Palo Alto Networks.

 

 IOCs


Lazarus Operation Blacksmith Campaign Uses DLang Malware

Researchers have uncovered a campaign dubbed “Operation Blacksmith”, orchestrated by the Lazarus Group. The operation involves three newly identified DLang-based malware families.
Two of them are remote access trojans (RATs): one, named “NineRAT”, uses Telegram bots and channels for command and control (C2) communication, while the other, labeled “DLRAT”, operates without Telegram. Additionally, a DLang-based downloader known as “BottomLoader” was identified.

The campaign involves the opportunistic targeting of global enterprises that expose vulnerable infrastructure, particularly infrastructure susceptible to n-day vulnerabilities such as CVE-2021-44228 (Log4j). Lazarus has been observed targeting various industries, including manufacturing, agriculture, and physical security companies.

 

IOCs


Kinsing Used To Exploit ActiveMQ CVE-2023-46604 Vulnerability In Cryptomining Operations

A vulnerability publicized in October 2023 and tracked as CVE-2023-46604 is being exploited to deliver Kinsing malware. Once a target is identified by the attackers' vulnerability scans, the attackers exploit the OpenWire module in ActiveMQ to retrieve an XML file from an attacker-controlled web server. Upon execution of the unauthorized code, cURL is used to retrieve additional shell scripts that perform various functions on victim systems.

Additionally, upon execution, a script downloads a rootkit, removes other malware, downloads and executes Kinsing, establishes persistence, and manipulates firewall rules. The Kinsing malware then downloads and installs a cryptominer, as well as scripts that allow network traversal and further infection of the victim infrastructure. Analysis of the Kinsing malware revealed payload repositories, C2 infrastructure, and attacker machines, which are used primarily to target additional vulnerable servers.

The malware itself is not obfuscated and contains a multitude of functions, including C2 URL retrieval, network scanning, and Redis server brute forcing; however, Kinsing appears to be focused mainly on the deployment of cryptominers and monetary gain.

 

IOCs


DanaBot Found Deploying IcedID

In early November 2023, researchers identified the presence of DanaBot, a sophisticated banking Trojan known for stealing banking credentials and personal information and for featuring a hidden Virtual Network Computing (hVNC) capability. DanaBot was used to deliver IcedID, a well-established banking Trojan with a history dating back to 2017.

The initial infection occurred through a drive-by download: a user searching for a Webex installer inadvertently visited a fraudulent website distributing a payload named Webex.zip. Executing webex.exe initiated a series of actions, including side-loading a malicious DLL (sqlite3·dll), decrypting and decompressing the contents of the rash·docx file, injecting into explorer·exe via Process Doppelgänging, and finally running the DanaBot payload.

 

IOCs


ParaSiteSnatcher – How Malicious Chrome Extensions Target Brazil

Trend Micro's investigations into potential security threats uncovered a malicious Google Chrome extension that they named ParaSiteSnatcher. The ParaSiteSnatcher framework allows threat actors to monitor, manipulate, and exfiltrate highly sensitive information from multiple sources.
ParaSiteSnatcher also uses the powerful Chrome browser API to intercept and exfiltrate all POST requests containing sensitive account and financial information before the HTTP request initiates a Transmission Control Protocol (TCP) connection.

 

IOCs


UAC-0050 Delivers RemcosRAT Or MeduzaStealer To Polish Targets In Mass Phishing Campaign

A spearphishing campaign detected in early December 2023 targeted Polish authorities with a mass distribution of malicious emails whose subjects related to judicial claims and debts.
The emails contained password-protected archive attachments that included an executable which infected the recipient's machine with malware such as RemcosRAT or MeduzaStealer. The attackers made use of software packers like AutoIt and delivered the campaign from legitimate but compromised accounts, including ones on the gov.ua domain.

 

 IOCs


APT28 Carries Out High Volume Phishing Campaigns Against Sectors Across Europe And North America

Researchers have detected ongoing phishing activity by the threat actor TA422 (also known as APT28, or by aliases such as Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta).
TA422 exploits patched vulnerabilities to conduct high-volume campaigns, primarily targeting the government, aerospace, education, finance, manufacturing, and technology sectors in Europe and North America.

The actor uses these vulnerabilities, including CVE-2023-23397 and CVE-2023-38831, to gain initial access, potentially revealing user credentials or facilitating follow-on activities.
TA422 is linked to the Russian General Staff Main Intelligence Directorate (GRU), according to the United States Intelligence Community.

 

 IOCs


US Cert Alert – Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 For Initial Access To Government Servers

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. The vulnerability is an improper access control issue affecting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier).

CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, these are no longer supported, since they have reached end of life. Exploitation of this CVE can result in arbitrary code execution. Following the FCEB agency's investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023.

 

IOCs


New BlueNoroff Loader For MacOS

A new type of malicious loader attributed to BlueNoroff and targeting Apple's macOS has been discovered; it spreads its malicious payload via a PDF file.

 

 IOCs


WSF Script Used To Distribute AsyncRAT

The AhnLab Security Emergency Response Center (ASEC) has identified a new variant of the AsyncRAT malware being distributed via WSF scripts. The malware is delivered through URL links embedded in emails, which download a compressed (.zip) file. Upon decompression, a .wsf file is revealed that contains a script which downloads and executes a Visual Basic script.
This script then downloads a .jpg file (actually a .zip file in disguise) from the same C2 address, changes the file extension to .zip, decompresses it, and executes the Error.vbs file contained within.

The malware then sequentially executes other files, each with a specific role in the attack.
The final file, pwng·ps1, converts an internal string into a .NET binary and executes it.
This process involves injecting a malicious binary into a legitimate process (aspnet_compiler·exe), which is then used to perform the malware's functions.

The final payload is the AsyncRAT malware, which has information theft and backdoor capabilities. It maintains persistence through scheduled tasks and registry entries and collects information such as the OS version, user details, the list of installed antivirus products, browser information, and cryptocurrency wallet information. The malware communicates with a C2 server whose address is encrypted within the file and only revealed at runtime.

The attacker uses a sophisticated fileless technique, and users are advised to exercise caution when opening attachments or external links in emails and to use security products for monitoring and control.

 

 IOCs


Cert IL Alert – A Cyber-Attack Tool Used By A State-Sponsored Attack Group Found In Attacks On Israeli Infrastructure

Recently, Israel's National Cyber Directorate investigated a cyber-attack tool used by a state-sponsored attack group. The attacker targets various sectors of the economy, including technology and IT, academia, media, communications, and others.

 

IOCs


Threat Actor Targets Macintosh Users Via Fake Browser Updates For Distributing Atomic Stealer

An unidentified threat actor launched a novel campaign that extensively targeted Macintosh users with Atomic MacOS Stealer via fake browser updates. The adversary mimicked the Google Chrome and Safari browsers to lure potential victims into downloading Atomic MacOS Stealer in order to gather sensitive information from compromised systems. The threat actor exfiltrated the lucrative information to an adversarial command and control (C2) server.

 

IOCs


North Korean Hackers Attacking MacOS Using Weaponized Documents

In 2023 North Korean threat actors intensified their focus on macOS through two major campaigns named RustBucket and KandyKorn.

 

 IOCs


LUMMA Malware

In this InfoStealer attack, a threat actor leverages a multi-layered fake invoice campaign to distribute LUMMA malware. Perception Point's team of researchers recently investigated a malware attack designed to bypass threat detection engines.

 

IOCs


Storm-0978 Weaponizes New CVE

During analysis of a July 2023 campaign targeting groups supporting Ukraine's admission into NATO, Unit 42 discovered a new vulnerability for bypassing Microsoft's Mark-of-the-Web (MotW) security feature. This activity has been attributed by the community to the pro-Russian APT group known as Storm-0978 (also known as the RomCom Group, in reference to their use of the RomCom backdoor). Further investigation revealed a new exploit method related to CVE-2023-36884 that can bypass MotW. Microsoft assigned CVE-2023-36584 (CVSS score 5) to this new vulnerability discovered during the investigation.

 

IOCs

