April has come and gone, leaving behind a trail of attacks listed below.
To celebrate the spring, we are changing the format of this report and are now including the IOCs related to each attack, to facilitate prevention.
The Table of Contents below is clickable, so you can access the required entry fast without scrolling down for hours.
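To turn the IOC lists that follow into an automated check, here is an added example (not code from the report or its authors) in Python: it parses the line shapes this report uses (`- SHA1: …` bullet lines, `name • MD5: … • SHA1: … • SHA256: … |` table rows, and defanged URLs and IPs such as `hxxp://site[.]com`), discards hash entries whose hex length does not fit the stated algorithm (truncated or garbled lines), and matches a file's digests and a URL's host against the parsed set. The report text and file bytes embedded in it are constructed for the demonstration, not real indicators.

```python
import hashlib
import re

# Hash entries as this report writes them: "- SHA1: <hex>" bullets and
# "<name> • MD5: <hex> • SHA1: <hex> • SHA256: <hex> |" table rows.
HASH_RE = re.compile(r"\b(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]+)")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}
# Network indicators, plain or defanged: http://host/path, hxxp://host[.]tld, 192[.]0[.]2[.]1
NET_RE = re.compile(r"(?:hxxps?|https?)://\S+|\b(?:\d{1,3}\[?\.\]?){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return (indicator.replace("hxxp", "http")
            .replace("[.]", ".")
            .replace("[:]", ":")
            .rstrip(".,;|"))


def host_of(indicator: str) -> str:
    """Host part of a URL or bare host/IP, lower-cased, without scheme, port or path."""
    no_scheme = re.sub(r"^[a-z]+://", "", indicator)
    return no_scheme.split("/")[0].split(":")[0].lower()


def parse_iocs(text: str) -> dict:
    """Parse report text into {'hashes': {algo: set}, 'network': set, 'rejected': list}.

    A hash whose length does not fit the algorithm named on the line is a
    truncated or garbled entry; it is kept under 'rejected' so an analyst can
    see it, but never used for matching.
    """
    hashes = {algo: set() for algo in HEX_LEN}
    rejected = []
    network = set()
    for line in text.splitlines():
        for algo, hexval in HASH_RE.findall(line):
            if len(hexval) == HEX_LEN[algo]:
                hashes[algo].add(hexval.lower())
            else:
                rejected.append((algo, hexval))
        for item in NET_RE.findall(line):
            network.add(refang(item))
    return {"hashes": hashes, "network": network, "rejected": rejected}


def file_digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a file's bytes, keyed the way the report labels them."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def match_file(data: bytes, iocs: dict) -> list:
    """Return [(algo, hex)] for every digest of `data` that appears in the IOC set."""
    return [(algo, h) for algo, h in file_digests(data).items()
            if h in iocs["hashes"][algo]]


def host_in_iocs(url_or_host: str, iocs: dict) -> bool:
    """True if the host of a (possibly defanged) URL matches the host of any network IOC."""
    want = host_of(refang(url_or_host))
    return any(host_of(n) == want for n in iocs["network"])


# --- constructed sample data: a fake "malicious" file and a report excerpt ----
SAMPLE_FILE = b"MZ constructed sample, not real malware\n"
_d = file_digests(SAMPLE_FILE)

SAMPLE_REPORT = f"""IOCs
Samplebgi_browsingExe.exe
- SHA1: {_d['SHA1']}
- MD5: {_d['MD5']}
- SHA256: {_d['SHA256']}
- SHA256: {'a' * 52}
Sample2_edrDocx.docx • MD5: {'0' * 32} • SHA1: {'1' * 40} • SHA256: {'2' * 64} |
URLs and IPs
hxxp://example[.]invalid 192[.]0[.]2[.]10
http://198.51.100.7/linux64
"""

if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE_REPORT)
    print("matches:", match_file(SAMPLE_FILE, iocs))
    print("rejected:", iocs["rejected"])
    print("network:", sorted(iocs["network"]))
```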
Table of Contents
Trigona Ransomware Attacks MSSQL Servers
Daggerfly Targets Telecommunications Company in Africa
Ragnar Locker
Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job
Additional IOCs for 3CX Breach
Aukill EDR Killer Malware Abuses Process Explorer Driver
Fake Chrome Updates Spread Malware
Qbot Using New Attack Vector in its Latest Phishing Emails
CrossLock Ransomware Emerges: New Golang-based Malware on the Horizon
Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa Ransomware Group
APT36 Expands Interest Within Indian Education Sector
Resurgence of the Mexals Cryptojacking Campaign
Money Message Ransomware Targets Windows and Linux Devices
Mantis Uses New Tooling in Attacks Against Palestinian Targets
Malicious ISO File Leads to Quantum Ransomware Infection
Cl0p Ransomware Plagues Businesses Worldwide
Silkloader
Inside Mispadu Massive Infection Campaign in LATAM
Blackguard Stealer Extends Its Capabilities in New Variant
Trigona Ransomware Attacks MSSQL Servers
Summary
- Poorly managed MSSQL servers were discovered infected with the Trigona ransomware. The infected devices also carried shell malware that can exploit a privilege escalation vulnerability (MS16-032) to execute a malicious binary. The ransomware created a registry Run key for persistence and deleted volume shadow copies to inhibit system recovery.
IOCs
Daggerfly Targets Telecommunications Company in Africa
Summary
The Daggerfly APT group, also known as Evasive Panda and Bronze Highland, targeted a telecommunications organization in Africa. The campaign leveraged the MgBot malware framework, which can perform network scans and steal sensitive data. The operation used the living-off-the-land tools BITSAdmin and PowerShell to download the legitimate AnyDesk remote desktop software for persistence.
IOCs
Ragnar Locker
Summary
Ragnar Locker is both a criminal group and a ransomware strain that primarily targets critical infrastructure. Active since 2020, the group gains initial access by exploiting vulnerabilities in public-facing applications and uses both custom and commercial tools. After a successful compromise, the operators use the Users\Public folder as a staging directory from which they run scripts for discovery tasks, install remote access tools, and execute additional payloads.
IOCs
Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job
Summary
Researchers have discovered a new campaign conducted by Lazarus, known as "Operation DreamJob," which targets Linux users with malware for the first time. The researchers state that this new targeting confirms with high confidence that Lazarus was responsible for the recent supply chain attack on VoIP provider 3CX.
IOCs
Additional IOCs for 3CX Breach
Over time, analysts have detected an increasing number of IOCs associated with this breach. They are tied to malicious activities such as beaconing to actor-controlled infrastructure, deploying second-stage payloads, and, in a few instances, hands-on-keyboard activity. 3CXDesktopApp, which is at the center of these activities, is an enterprise voice and video conferencing PABX application designed for call routing. It is developed by 3CX, a company specializing in business communications software.
IOCs
Aukill EDR Killer Malware Abuses Process Explorer Driver
Summary
The AuKill tool abuses an outdated version of the driver shipped with version 16.32 of Microsoft's Process Explorer. It disables EDR processes before a backdoor or ransomware is deployed on the target system. The tool has been used in at least three ransomware incidents since the beginning of 2023 to disable the target's protection ahead of ransomware deployment.
IOCs
Fake Chrome Updates Spread Malware
Summary
A campaign running since the end of last year uses compromised websites to push fake web browser updates to potential victims. Malwarebytes reports that the campaign has now expanded to target speakers of Korean, Spanish, and Japanese. Affected sites include news sites, online stores, and adult portals. The attackers appear to select sites by exploitable vulnerability rather than by the content served, which makes it difficult to predict where these bogus updates will appear next.
IOCs
Qbot Using New Attack Vector in its Latest Phishing Emails
Summary
QBot, also known as QakBot, has evolved from a banking trojan into malware that provides initial access to corporate networks for other threat actors. It deploys supplementary payloads, including Cobalt Strike, Brute Ratel, and other malware, which let those actors operate inside the compromised system. The recent phishing campaign uses new attack vectors, and several IOCs and files are associated with it.
IOCs
CrossLock Ransomware Emerges: New Golang-based Malware on the Horizon
Summary
The CrossLock ransomware employs the double extortion technique to increase the likelihood that victims pay. The technique involves not only encrypting the victim's data but also exfiltrating it from the compromised system. The attackers then threaten to leak the stolen data publicly or sell it on the dark web if the ransom demanded for decryption is not paid. This puts significant pressure on the victim, who risks both losing access to the data and suffering the consequences of its exposure.
IOCs
Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa Ransomware Group
Summary
A zero-day vulnerability in Microsoft Windows, which also affects Windows 11, has been used in a ransomware operation identified by Kaspersky. The Nokoyawa ransomware group has used CVE-2023-28252 in recent attacks against businesses in the Middle East, North America, and Asia. Kaspersky has detected five distinct but similar exploits used by threat actors against industries such as retail and wholesale, energy, manufacturing, healthcare, and software development.
IOCs
CVEs
- CVE-2022-24521
- CVE-2022-37969
- CVE-2023-23376
- CVE-2023-28252
APT36 Expands Interest Within Indian Education Sector
Summary
Transparent Tribe is a suspected Advanced Persistent Threat (APT) group based in Pakistan that has been in operation since at least 2013. The threat actor has targeted Indian government and military personnel but has expanded its scope to Indian educational institutions and students. The group distributed malicious documents via phishing emails; the documents were hosted on file hosting services or attacker-created domains. The malicious documents were used to deliver Crimson RAT, which masqueraded as an update process. Crimson RAT is obfuscated with Eazfuscator and has capabilities such as keylogging, screen capture, data exfiltration, system enumeration, and starting and stopping processes.
IOCs
URLs
- http://clouddrive.store
- http://drivephone.online
Chinaz DDoS Bot Malware Distributed to Linux SSH Servers
Summary
The ChinaZ DDoS bot malware was discovered targeting Linux systems; a version for Microsoft Windows also exists. The malware can perform SYN, UDP, ICMP, and DNS flood attacks. It also collects system and network information and exfiltrates it to actor-controlled C&C servers.
IOCs
URLs
http://45.113.163.219/linux32 http://45.113.163.219/linux64 http://45.113.163.219/win32
Resurgence of the Mexals Cryptojacking Campaign
Summary
The Mexals cryptojacking campaign has been in operation since at least 2021 and continues to evolve. A new wave of attacks started in late 2022 with new functionality, including SSH worm and LAN spreader modules and improved obfuscation. The malware kills competing miners and CPU-heavy processes, clears the command history for defense evasion, and creates a cron job for persistence.
IOCs
Money Message Ransomware Targets Windows and Linux Devices
Summary
The Money Message ransomware targets both Windows and Linux and exfiltrates sensitive data before encryption. The malware creates a custom mutex, stops a range of services and processes, and deletes all Volume Shadow Copy Service (VSS) snapshots. Encryption uses an Elliptic Curve Diffie-Hellman (ECDH) key exchange together with the ChaCha stream cipher, and the ransom note is written to money_message.log.
IOCs
URLs and IPs
- hxxp://money-message[.]com
- 185[.]62[.]190[.]58
CVEs
- CVE-2021-41379: Vulnerability in the Windows Print Spooler service
- CVE-2021-34527: Windows Print Spooler remote code execution vulnerability
Mantis Uses New Tooling in Attacks Against Palestinian Targets
Summary
The Mantis cyber-espionage group, also known as Desert Falcon, targeted entities within the Palestinian territories with custom backdoors. The Micropsia backdoor was used to run secondary payloads, including a reverse proxy and a data exfiltration tool. Micropsia also dropped Arid Gopher, which came bundled with a legitimate 7-Zip executable, a tool that sets up persistence, and a copy of the legitimate Shortcut.exe utility.
IOCs
Malicious ISO File Leads to Quantum Ransomware Infection
Summary
A spam campaign was discovered delivering IcedID inside an ISO image to drop variants of the Quantum ransomware family. Windows utilities such as net, nltest, and ipconfig were used for reconnaissance, while Atera, Splashtop, and a Cobalt Strike beacon were used for persistence. Additional tools, including ProcDump, PowerShell, Mimikatz, and Rclone, were used to collect and exfiltrate sensitive information.
IOCs
URLs
Cl0p Ransomware Plagues Businesses Worldwide
Summary
The Cl0p Ransomware-as-a-Service (RaaS) operation has been active since at least 2019. The malware exfiltrates sensitive information before encrypting files and threatens to release the stolen data if the ransom is not paid. It is compiled with Microsoft Visual C/C++ and can be configured to encrypt only network drives, only a predetermined list of files, or all local and network drives.
IOCs
Silkloader
Summary
The initial SILKLOADER samples found were maliciously crafted libvlc.dll files designed to be dropped alongside a legitimate but renamed VLC binary. Execution of the binary causes the malicious DLL to be side-loaded. It is worth noting that side-loading malware through VLC Media Player is a technique that has previously been used by threat actors. Operations leveraging DLL side-loading techniques to launch Cobalt Strike beacons such as LithiumLoader4 have also been observed in the past.
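The side-loading pattern described above leaves a recognisable trace in image-load telemetry: a binary whose PE version info says it is vlc.exe, running under another name, loading a libvlc.dll from outside any VLC install directory. The following detection rule is an added example written for this report entry, not code from the original or from any vendor; the Sysmon Event ID 7 field names are real, while the trusted VLC directories and the sample events are constructed placeholders.

```python
"""Flag libvlc.dll side-loads of the kind used by SILKLOADER (added example)."""
from pathlib import PureWindowsPath
from typing import Iterable

# Placeholder allow-list: where a legitimate VLC install keeps libvlc.dll.
TRUSTED_VLC_DIRS = {
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
}

# Constructed sample records (not real telemetry), using the subset of
# Sysmon Event ID 7 (image load) fields the rule needs.
SAMPLE_EVENTS = [
    {   # legitimate VLC loading its own libvlc.dll
        "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
        "OriginalFileName": "vlc.exe",
        "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
        "Signed": "true",
    },
    {   # renamed VLC binary side-loading an unsigned libvlc.dll from a user dir
        "Image": r"C:\Users\Public\Music\update.exe",
        "OriginalFileName": "vlc.exe",
        "ImageLoaded": r"C:\Users\Public\Music\libvlc.dll",
        "Signed": "false",
    },
    {   # unrelated process loading an unrelated DLL
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true",
    },
]


def reasons_for(ev: dict) -> list[str]:
    """Return the side-loading indicators a single image-load event trips."""
    loaded = PureWindowsPath(ev["ImageLoaded"])
    image = PureWindowsPath(ev["Image"])
    reasons: list[str] = []
    if loaded.name.lower() != "libvlc.dll":
        return reasons  # the rule only looks at libvlc.dll loads
    # 1. the DLL lives outside every known VLC install directory
    if str(loaded.parent).lower() not in TRUSTED_VLC_DIRS:
        reasons.append("libvlc.dll loaded from non-VLC directory")
    # 2. PE version info says vlc.exe, but the on-disk name differs
    if ev["OriginalFileName"].lower() == "vlc.exe" and image.name.lower() != "vlc.exe":
        reasons.append("renamed vlc.exe host binary")
    # 3. the loaded DLL carries no valid signature
    if ev.get("Signed", "false").lower() != "true":
        reasons.append("unsigned libvlc.dll")
    return reasons


def find_sideloads(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Return (host image, reasons) for every event with at least one indicator."""
    return [(ev["Image"], r) for ev in events if (r := reasons_for(ev))]


if __name__ == "__main__":
    for image, why in find_sideloads(SAMPLE_EVENTS):
        print(f"{image}: {'; '.join(why)}")
```

Against the constructed sample, only the renamed binary in C:\Users\Public\Music is reported, with all three indicators; the legitimate VLC load is silent.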
IOCs
Inside Mispadu Massive Infection Campaign in LATAM
Summary
The Metabase Q Security Operations Center alerted on a recent attempt to infect a customer's network. Although the customer's endpoint detection and response tools properly blocked the initial payload, the use of fake certificates in an attempt to evade detection was unusual and warranted additional investigation by Metabase Q's Threat Intelligence Team. During the analysis of the artifacts, 20 different spam campaigns were identified, targeting Chile, Mexico, Peru and Portugal. The campaigns focused on credential stealing, specifically for online banking, schools, government services, social media, gaming, e-commerce, public repositories and Outlook email. In several cases, the cybercriminals created fake webpages for the victim, such as online banking windows.
IOCs
Blackguard Stealer Extends Its Capabilities in New Variant
Summary
AT&T Alien Labs researchers have discovered a new variant of the BlackGuard stealer in the wild, spreading through spear-phishing attacks. The malware has evolved since its previous variant and now arrives with new capabilities.
Key takeaways:
- BlackGuard steals user sensitive information from a wide range of applications and browsers.
- The malware can hijack crypto wallets copied to clipboard.
- The new variant is trying to propagate through removable media and shared devices.
IOCs
URLs and IPs
- http://23.83.114.131
That is all for now.
Stay cyber safe!