Cyber Threat Breakdown August 2023

Here is the July 2023 breakdown of threats, with a short list of IoCs. The full IoC list for each specific threat is available from the Cymulate app.

Reminder: The Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM list of IoCs, including hashes, URLs, domain names, etc.

Note: The period character ‘.’ in the hash names has been replaced with a ‘·’ out of an abundance of security caution.

Table of Content

Analysis of Andariels New Attack Activities

CERT-IL – Active attack against Israel

Threat Actor Interplay Good Days Victim Portals and Their Ties to Cloak

UAC-0173 judicial authorities and notaries under the gun

HTML Smuggling Leads to Domain Wide Ransomware

Telekopye Hunting Mammoths using Telegram bot

Smoke Loader Drops Whiffy Recon Malware

Analyzing Andariel Group Attack Activity

Lazarus Groups infrastructure reuse leads to discovery of new malware

JPCERT Detects new ways to infect PDF files with Maldocs

Carderbee APT Targets South Asian Based Organizations Using Supply Chain Attack

Cuba Ransomware Deploys New Tools Targets Critical Infrastructure Sector in the United States and IT Integrator in Latin America

macOS Users Hit With XLoader Variant Disguised As Signed OfficeNote App

Ragnar Locker Ransomware Attack Paralyzes Maayeney Hayeshuah Hospital in Israel

HiatusRAT

Operation LABRAT Targets GitLab

DLL Hijacking in the Asian Gambling Sector

MultiStaged Attack Used To Deploy XWorm Malware

Monti Ransomware Unleashes a New Encryptor for Linux

MS-SQL Servers Attacked With Proxyware

Raccoon Stealer Announce Return After Hiatus

Analysis Of APT Attacks Targeting Web Services

Continued OSS Supply Chain Hidden In Python Package Index

JanelaRAT

Leaked Ransomware Builders Utilized In Tech Scam Campaign

AdLoad Turns Mac Systems Into Proxy Exit Nodes

Malicious Control Panel File Used To Drop Agent Tesla

German Embassy Lures Used By APT29 To Drop Duke Malware

Statc Stealer Targets Browser Data

New Variants Of GlobeImposter Ransomware Discovered

A Ransomware attack on an Israeli institution

Rhysida ransomware

RedHotel Threat Group Operating At A Global Scale

North Korea Compromises Sanctioned Russian Missile Engineering Company

New threat actor targets Bulgaria China Vietnam and other countries with customized Yashma ransomware

Kimsuky Using Self-Extracting Word And PDF Documents To Deliver Malicious Code

Operation PhantomControl Infects Systems With AsyncRAT

Analysis Of DoDo And Proton Ransomware

Honeypot Recon New Variant of SkidMap Targeting Redis

Report Ransomware Command-and-Control Providers Unmasked

Threat Brief RCE Vulnerability CVE-2023-3519 on Customer-Managed Citrix Servers

Analysis of Andariels New Attack Activities

The Andariel threat group which usually targets Korean corporations and organizations is known to be affiliated with the Lazarus threat group or one of its subsidiaries.
Attacks against Korean targets have been identified since 2008. Major target industries are those related to national security such as national defense political organizations shipbuilding energy and communications.
Various other companies and institutes in Korea including universities logistics and ICT companies are also becoming attack targets.

IoCs

Analysisbgjdfaiieb38_browsingExe·exe
SHA1: 393ec0051c457f199c406d5771d276754fa29e3b
MD5: 0211a3160cc5871cbcd4e5514449162b
SHA256: 5758765a59abfdf5e255df4d0447f92132891d1b325faaa2fb155ebb41cba818

Analysisbgjdfaiieb39_browsingExe·exe
SHA1: dfe5d75ed31b6cfc2cceebb1404d3eabc02f0021
MD5: 0a09b7f2317b3d5f057180be6b6d0755
SHA256: 8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f

Analysisbgjdfaiieb40_browsingExe·exe
SHA1: a100daa33d7db6d2424ac1a8c9ec4b3ae8a3105c
MD5: 1ffccc23fef2964e9b1747098c19d956
SHA256: 3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061

CERT-IL – Active attack against Israel

Recently CERT-IL reported about an active attack in Israel.
In some cases the attackers are utilizing a variant of an attack tool that has been operational against organizations in the Israeli sector since 2022.

IoCs

Certilbgjdeiiaji1_browsingExe·exe
SHA1: 6cafd44c86fff605b4c25582955b725b96c1d911
MD5: 85427a8a47c4162b48d8dfb37440665d
SHA256: 1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb

Certilbgjdeiiaji2_browsingExe·exe
SHA1: b8421c8e54fa5dabcfd38df68b3ac93b449d8d2d
MD5: 57c916da83cc634af22bde0ad44d0db3
SHA256: 3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7

Certilbgjdeiiaji3_browsingExe·exe
SHA1: 9c58ec8f7ce75ba1b629c9ef84ab069a32313288
MD5: 4abcf21b63781a53bbc1aa17bd8d2cbc
SHA256: 7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c

Threat Actor Interplay Good Days Victim Portals and Their Ties to Cloak

Good Day ransomware a variant within the ARCrypter family was first observed in-the-wild in May of 2023.
Between June and August of 2023 we observed an uptick in Good Day ransomware campaigns and a proliferation of new ransom note samples in public malware repositories.
This new wave of Good Day attacks features individual TOR-based victim portals for each target.

IoCs

Threatbgjdebeihh5_browsingExe·exe
SHA1: d5fba798bb2a0aaca17f17fa14f2ff240be8d34d
MD5: 487dc1c180ed86a412b610bb69a658a2
SHA256: 24b1b23b046a0cd196f38ffd6d43b661fbbc2496dc7f67824f1ac16f3e90ccc1

Threatbgjdebeihh5_edrExe·exe
SHA1: d5fba798bb2a0aaca17f17fa14f2ff240be8d34d
MD5: 487dc1c180ed86a412b610bb69a658a2
SHA256: 24b1b23b046a0cd196f38ffd6d43b661fbbc2496dc7f67824f1ac16f3e90ccc1

UAC-0173 judicial authorities and notaries under the gun

Since the first quarter of 2023, the government computer emergency response team of Ukraine CERT-UA has been monitoring targeted malicious activity, which consists of the distribution of messages with attachments in the form of BZIP GZIP RAR archives containing BAT files created with the help of the ScrubCrypt cryptor (cost – from USD 249) the launch of which will ensure that the computer is affected by the malicious program AsyncRAT (the source code is published on GitHub).

IoCs

Uac01_browsing73bgjddcbedi14Lnk·lnk
SHA1: bfac5f27c9b5010797d7e2db6f639332b8d0e6d5
MD5: 8e24eea62fe636524ad992c1195ed4aa
SHA256: 0571c7fd18f633e731f93e93f82260c89157e2e014152b1d909cfbc1c7d68570

Uac01_browsing73bgjddcbedi22Bz2·bz2
SHA1: 5def72d8a98ca430f27e7857a9d5690fff4ee8ec
MD5: 516495bc2118b6efc8566ef2d2d0233b
SHA256: 682d0ba18f9eb32993222bb686b53d6ec0d3255ca11b3c2dac929098651c7164

Uac01_browsing73bgjddcbedi27Bz2·bz2
SHA1: 5f6b29902573abfc968a4cac7ec4e7c0fa15c503
MD5: 93a039e82f9ef7dea401236f526fd7c9
SHA256: ee2bd27a47271fc62b0da3d8b4139746eae3deada5acecda7c4f502a162b9d11

HTML Smuggling Leads to Domain Wide Ransomware

Analysis of an intrusion that began with the email delivery of an HTML file and concluded with the deployment of Nokoyawa Ransomware within 12 hours after the initial compromise.

IoCs

Htmlbgjdcjcfjh1_browsingExe·exe
SHA1: a5c1e4203c740093c5184faf023911d8f12df96c
MD5: 16ef238bc49b230b9f17c5eadb7ca100
SHA256: ce6fc6cca035914a28bbc453ee3e8ef2b16a79afc01d8cb079c70c7aee0e693f

Htmlbgjdcjcfjh10_browsingDll·dll
SHA1: 306e4ede6c7ea75ef5841f052f9c40e3a761c177
MD5: 14f37c8690dda318f9e9f63196169510
SHA256: e71772b0518fa9bc6dddd370de2d6b0869671264591d377cdad703fa5a75c338

Htmlbgjdcjcfjh13_browsingZip·zip
SHA1: 7bd217554749f0f3c31957a37fc70d0a86e71fc3
MD5: 4f4231ca9e12aafac48a121121c6f940
SHA256: be604dc018712b1b1a0802f4ec5a35b29aab839f86343fc4b6f2cb784d58f901

Telekopye Hunting Mammoths using Telegram bot

A toolkit that helps cybercriminals scam people on online marketplaces has been uncovered by ESET Research and is being used by a group of scammers in Russia, Ukraine, and Uzbekistan.

IoCs

Telekopyebgjdaeajbg54_browsingPhp·php
SHA1: 8a3ca9efa2631435016a4f38ff153e52c647146e
MD5: dc7cb3bfdc236c41f1c4bbac911daaa2
SHA256: 600be5ab7f0513833336bec705ca9bcfd1150a2931e61a4752b8de4c0af7b03a

Telekopyebgjdaeajbg52_browsingPhp·php
SHA1: 26727d5fceef79de2401ca0c9b2974cd99226dcb
MD5: fce9de7cfeadf6aab90734ca9bc0eab2
SHA256: 4f1a6058f7cd89ab378de10b4b27ca964c9671fb3724a8c5519606626520e5ef

Telekopyebgjdaeajbg53_browsingPhp·php
SHA1: 285e0573ef667c6fb7aeb1608ba1af9e2c86b452
MD5: 092c44e78fcadb5e28bf4227d8f108bb
SHA256: b7f6edb98652e3de989c0b8a54b7a8b02053c32883114cd28dd035350a9896d3

Smoke Loader Drops Whiffy Recon Malware

A Smoke Loader botnet was found dropping Whiffy Recon malware on infected devices.
The malicious software checks for the WLANSVC service and creates an entry in the Startup folder for persistence.
Whiffy Recon also triangulates the devices’ position using the Windows WLAN API.

IoCs

Smokebgjcjccbej5_browsing7Exe·exe
SHA1: 8532e67e1fd8441dc8ef41f5e75ee35b0d12a087
MD5: 009230972491f5f5079e8e86e19d5458
SHA256: 935b44784c055a897038b2cb6f492747c0a1487f0ee3d3a39319962317cd4087

Smokebgjcjccbej5_edr7Exe·exe
SHA1: 8532e67e1fd8441dc8ef41f5e75ee35b0d12a087
MD5: 009230972491f5f5079e8e86e19d5458
SHA256: 935b44784c055a897038b2cb6f492747c0a1487f0ee3d3a39319962317cd4087

Analyzing Andariel Group Attack Activity

The Andariel APT group continues to focus attacks on corporations and institutions in South Korea.
The adversary uses a range of malicious software, including various remote access trojans, backdoors downloaders, and information stealers.
The group uses the Dotfuscator tool for defense evasion Mimikatz to dump credentials, and PowerShell and MSHTA to carry out the attacks.

IoCs

Analyzingbgjcjcbiai39_browsingExe·exe
SHA1: 3b49d20f726a8b4209827f3fc8dbf6b971297c90
MD5: 6ab4eb4c23c9e419fbba85884ea141f4
SHA256: 02135f60f3edff0b9baa4c20715ee6a80c94f282079bf879265f5e020d37cf88

Analyzingbgjcjcbiai25_browsingExe·exe
SHA1: b1c0b42a6b64536dfb825a7a7b029a1c72060167
MD5: bcac28919fa33704a01d7a9e5e3ddf3f
SHA256: 1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1

Analyzingbgjcjcbiai2_browsing7Exe·exe
SHA1: a100daa33d7db6d2424ac1a8c9ec4b3ae8a3105c
MD5: 1ffccc23fef2964e9b1747098c19d956
SHA256: 3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061

Lazarus Group infrastructure reuse leads to discover new malware

In the Lazarus Group’s latest campaign, which is detailed in Talos blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability to deploy multiple threats.
In addition to their QuiteRAT malware which is covered in the blog, it was also discovered Lazarus Group is using a new threat called CollectionRAT.

IoCs

Lazarusbgjcjaabfh10_browsingExe·exe
SHA1: 97e9c7091a7275655d0e44559a3df6d5a0cf21d9
MD5: c90d094a8fbeaa8a0083c7372bfc1897
SHA256: db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984

Lazarusbgjcjaabfh11_browsingExe·exe
SHA1: 10408e6cf829699f0eb4c5199575261db14fee66
MD5: 7ba98edd7015779a2625f11f3eabe869
SHA256: e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe

Lazarusbgjcjaabfh_browsing7Exe·exe
SHA1: f141f9dfc7e082521c9d26980bfc8bf100bb2f61
MD5: c027d641c4c1e9d9ad048cda2af85db6
SHA256: ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6

JPCERT Detects new ways to infect PDF files with Maldocs

JPCERT/CC has confirmed that a new technique that embeds a malicious Word file into a PDF file to evade detection was used in the attacks that occurred in July.

IoCs

Jpcertbgjciifjdb1_browsingPdf·pdf
SHA1: 2bfd1175e777e6df26b151071ec24376086a5c51
MD5: d537f8b812a3902b90aa16281aa1314b
SHA256: ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058

Jpcertbgjciifjdb2_browsingPdf·pdf
SHA1: 21f4eb85170df7bbb7c4cf75fec67e435d6f8f7f
MD5: cba6bd373e42a7bcbc4c7251bc188b69
SHA256: 098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187

Jpcertbgjciifjdb2_edrPdf·pdf
SHA1: 21f4eb85170df7bbb7c4cf75fec67e435d6f8f7f
MD5: cba6bd373e42a7bcbc4c7251bc188b69
SHA256: 098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187

Carderbee APT Targets South Asian Based Organizations Using Supply Chain Attack

The Carderbee APT group exploited legitimate software to carry out supply-chain attacks against organizations in Hong Kong and other regions of South Asia.
The threat actor exploited Cobra DocGuard software, deployed a Microsoft-signed version of the PlugX backdoor, and injected the malicious code into svchost.exe to evade detection.
The malware can execute commands, enumerate files check processes, download files, open firewall ports, and perform keylogging.

IoCs

Carderbeebgjcidfcig16_browsingExe·exe
SHA1: fb0f69ac21dbc96ff57bb53977a1aa4b914be9c9
MD5: 954341609521cde45ce4f8e3db99f91b
SHA256: 1ff7b55dde007b7909f43dd47692f7c171caa2897d663eb9db01001062b1fe9d

Carderbeebgjcidfcig14_browsingExe·exe
SHA1: 0bd01aa647fd21d7dd551a380e4ca3a0b52e6f2a
MD5: 117c97ef49ae641ba988d95411ce7f92
SHA256: b5159f8ae16deda7aa5d55100a0eac6e5dacd1f6502689b543513a742353d1ea

Carderbeebgjcidfcig12_browsingExe·exe
SHA1: a03782c1fa732ba7d829c3e5b852fcdc06a0bf5d
MD5: 5a122e86a8f134e42ebae8510404df3d
SHA256: 7e6d0f14302662f52e4379eb5b69a3749d8597e8f61266aeda74611258972a3d

Cuba Ransomware Deploys New Tools Targets Critical Infrastructure Sector in the United States and IT Integrator in Latin America

Researchers have discovered and documented new tools used by the Cuba ransomware threat group.
Cuba ransomware is currently in the fourth year of its operation and shows no sign of slowing down.
In the first half of 2023 alone, the operators behind Cuba ransomware were the perpetrators of several high-profile attacks across disparate industries.

IoCs

Cubabgjcgggaff4_browsingExe·exe
SHA1: 8a06c836c05537fcd8c600141073132d28e1172d
MD5: 25a089f2082a5fcb0f4c1a12724a5521
SHA256: 3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0

Cubabgjcgggaff1_browsingExe·exe
SHA1: a2c8f822c591b08566b0df1043fcbe9d3ffcc9c0
MD5: d8caf0318c501c85c76ac54dce2d8c6f
SHA256: bd93d88cb70f1e33ff83de4d084bb2b247d0b2a9cec61ae45745f2da85ca82d2

Cubabgjcgggaff11_browsingExe·exe
SHA1: a804ebec7e341b4d98d9e94f6e4860a55ea1638d
MD5: 04a88f5974caa621cee18f34300fc08a
SHA256: 9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c

macOS Users Hit With XLoader Variant Disguised As Signed OfficeNote App

The latest variant of XLoader targeting macOS is being delivered in the form of the office productivity application OneNote.
The malware is packaged in a dmg file and delivered to the target with a valid Apple developer signature intact.
The XLoader malware-as-a-service infostealer and botnet has been operational since at least 2015, with this latest iteration masquerading as a legitimate application.
Once executed, the loader drops a LaunchAgent, and the payload to the machine sets up persistence and creates hidden directories.
The malware then makes communication with the attackers C2 collects information from browsers and the clipboard takes screen captures to exfiltrate for further use.

IoCs

Macosbgjcggcehf2_browsingMacho·macho
SHA1: 958147ab54ee433ac57809b0e8fd94f811d523ba
MD5: fe85734855d1c344b98dece4a5e73ac0
SHA256: 8766d05be9b3dc2ba87a5c9f560e9b54539e9cdfe774dded0ac67a5fe5a18697

Macosbgjcggcehf1_browsingMacho·macho
SHA1: 26fd638334c9c1bd111c528745c10d00aa77249d
MD5: c68e9ab57bff9de72414c83d612636dc
SHA256: adda1b2139b7bbec7f051ecb58d1015d9ac8d5552987374ec48c6598acf54de8

Macosbgjcggcehf4_browsingMacho·macho
SHA1: 47cacf7497c92aab6cded8e59d2104215d8fab86
MD5: 42f942691bec23b60dcd5a587a2ec43f
SHA256: 2f513e4706cf8cd54f8c859afbbb581d36fe25ae113867d52a7dcafe1ed972c7

Ragnar Locker Ransomware Attack Paralyzes Maayeney Hayeshuah Hospital in Israel

The Mayanei Hayeshua Hospital in Israel fell victim to a crippling RagnarLocker ransomware attack leading to major disruptions in patient care and data accessibility.
The cyber-assault raised concerns over the vulnerability of critical healthcare infrastructure, prompting a nationwide review of cybersecurity practices.

Since the ransomware attack, operations have resumed to normal.

IoCs

Ragnarbgjcfbideb1_browsingExe·exe
SHA1: b6e14c4f157eda1267252c89440a3be446c47fb0
MD5: 2a887c67f2a42c906d5216027f3af000
SHA256: 6fdd56465a950f36490c47caa3aaffa93bafa2a2f09a5e4e16bc09918bf5c576

Ragnarbgjcfbideb1_edrExe·exe
SHA1: b6e14c4f157eda1267252c89440a3be446c47fb0
MD5: 2a887c67f2a42c906d5216027f3af000
SHA256: 6fdd56465a950f36490c47caa3aaffa93bafa2a2f09a5e4e16bc09918bf5c576

HiatusRAT

The HiatusRAT continues to carry out operations on behalf of the PRC when initially discovered the malware was targeting IoT devices in Latin America as well as Europe.
After a small break and minor change to targeted architectures, the malware operators recompiled binaries and are now targeting IoT devices in the US military and Taiwanese private and public organizations.
The recently compiled RAT seems to have taken a particular interest in Ruckus edge devices in Taiwan but is capable of compromising IoT devices with Arm Intel 80386 and x86-64 architecture as well as the previously targeted architectures MIPS MIPS64 and i386.

IoCs

Hiatusratbgjcehbhac1_browsingElf·elf
SHA1: 5afe05692cb7893b454ee65911e98ffc362d925b
MD5: 5a07d8566930c9ead926c2f079620510
SHA256: 774f2f3a801ddfe5d8a9ab1b90398ee28ee2be3d7ad0fa75eacbdf7ab51f6939

Hiatusratbgjcehbhac6_browsingElf·elf
SHA1: 53089f236e3188b050bd141f3ebdc104a77db40b
MD5: 2843c0dd5d689de872be924addd2a3f0
SHA256: 766e13d2a085c7c1b5e37fe0be92658932a13cfbcadf5b08977420fc6ac6d3e3

Hiatusratbgjcehbhac4_browsingElf·elf
SHA1: 525c04e97a0e2b38243f11debec9e100cc51fb15
MD5: ff8e26ec2573f482abbd1a8fdd80fc81
SHA256: 6e21e42cfb93fc2ab77678b040dc673b88af31d78fafe91700c7241337fc5db2

Operation LABRAT Targets GitLab

An attack campaign was discovered targeting a GitLab vulnerability to perform cryptojacking and proxyjacking.
The financially motivated operation utilized undetected tools, malware, and rootkits for defense evasion and persistence.
The adversary also leveraged the legitimate TryCloudFlare infrastructure to create domains and obfuscate their C2 location.

IoCs

Operationbgjcecifig25_browsingShell·shell
SHA1: 24202c4a872ff0010163f341a181c7f7a61fe4b8
MD5: 6c8f46ca060556fb383200de1c22c619
SHA256: c236b6337572217eb83dc628579bcd4cd5dfb13c35cca54757f34fb9abf3edd6

Operationbgjcecifig29_browsingElf·elf
SHA1: 5849749be5829392102ffcb53f09a3482ee160fe
MD5: 213d24434f8a8f6fa6c708dcbe8cbfb4
SHA256: d475ed387f2960611833348ba740d44b707a913bcd088f9731337a909a854c4c

Operationbgjcecifig30_browsingElf·elf
SHA1: 20867c3c93e28add48d5f645f8a62940b3f9df34
MD5: e02c69dfd8fc582882c74ce839cc03ab
SHA256: 00df3dc4fe3a1c12acf3180d097ca88e0219331ae5cb6989fa4c3262597a2aba

DLL Hijacking in the Asian Gambling Sector

Chinese hackers are targeting the gambling sector within Southeast Asia, according to SentinelLabs and ESET, who have identified suspected Chinese malware and infrastructure linked to a series of attacks reported in March 2023.

IoCs

Dllbgjcciiaib8_browsingExe·exe
SHA1: 09f82b963129bbcc6d784308f0d39d8c6b09b293
MD5: af9752b5badcb2c8f228fa4df4d36cba
SHA256: f9fe8eea441fce4bbb9d81034cfeb617449a5816d104456ce5d45082fcb212f9

Dllbgjcciiaib15_browsingDll·dll
SHA1: 88c353e12bd23437681c79f31310177fd476a846
MD5: c8ac3a9e3e855e9101461d6163fd1881
SHA256: b2e7f6c5678c707936aaa202752712700680cb6c72fd4d3b9fffd2cc4f16b71d

Dllbgjcciiaib5_browsingExe·exe
SHA1: 6e9592920cdce90a7c03155ef8b113911c20bb3a
MD5: f050c9fa2cab55097a1e037c7df0c10f
SHA256: 43fb2d2e7596bed395bba6e012d0ee13ed61856cd63db47bf94160881d3e3ac7

MultiStaged Attack Used To Deploy XWorm Malware

An unidentified threat actor deployed XWorm malware which used Living Off the Land Binary (LoLBins) techniques.
Initial access was gained through a malicious .lnk file attached to spear phishing emails which was used to execute a PowerShell script remotely hosted on a WebDAV server.
The malicious script was responsible for downloading a ZIP file that contained Batloader which dropped sophisticated XWorm malware.
The malware can achieve various objectives such as conducting DDoS attacks deploying ransomware and stealing sensitive information.

IoCs

Multistagedbgjcchbcbd2_browsing73Lnk·lnk
SHA1: 1c559cdce2d6502813e2caf6af4e161b5823ec04
MD5: e2f029c7d8548b4d69907facd22a785a
SHA256: a19a8e6782f0008c3b10276c764962f6f27b27754d826f8d3679ef15bea122d5

Multistagedbgjcchbcbd2_browsing71Bat·bat
SHA1: f873ca0898c53b06c27f824425d3e7ff4d3fc77d
MD5: dd4468bffd868b37633b79934e65fbef
SHA256: 9587ef7ba7dfe745e4c98f724110382b7b53f5f7781d1d3fcfc910abacb3fbb8

Multistagedbgjcchbcbd2_browsing72Exe·exe
SHA1: fd8bd12039a3964ddad2db7f1036f8ca8fc3bef4
MD5: 25d7d0012224d2f725fba2469ac1f4c5
SHA256: b64ed641eafbae33d195864576629ae9e922948b59d9f7e6f4fcaafebcc1b1ca

Monti Ransomware Unleashes a New Encryptor for Linux

The Monti ransomware collective has restarted their operations focusing on institutions in the legal and governmental fields.
Simultaneously a new variant of Monti based on the Linux platform has surfaced demonstrating notable differences from its previous Linux-based versions.

IoCs

Montibgjccgddhc2_browsingElf·elf
SHA1: a0c9dd3f3e3d0e2cd5d1da06b3aac019cdbc74ef
MD5: 0ce82210b5678f3f7e28ad0244e56af9
SHA256: cd8ad31e1d760b4f79eb1c3d5ff15770eb88fa1c576c02775ec659ff872c1bf7

Montibgjccgddhc1_browsingElf·elf
SHA1: f1c0054bc76e8753d4331a881cdf9156dd8b812a
MD5: ecdbfee4904dcb3ae2e20f050b5b69b3
SHA256: 44c0774f53ab5071ee2969c5e44df56b13f5047e3fca6108375e6055998b86f2

Montibgjccgddhc1_edrElf·elf
SHA1: f1c0054bc76e8753d4331a881cdf9156dd8b812a
MD5: ecdbfee4904dcb3ae2e20f050b5b69b3
SHA256: 44c0774f53ab5071ee2969c5e44df56b13f5047e3fca6108375e6055998b86f2

MS-SQL Servers Attacked With Proxyware

Internet facing MS-SQL servers were attacked to drop Proxyware which was used to steal Internet bandwidth.
Threat actors gained initial access to the devices by performing brute force or dictionary attacks.
Various Proxyware applications were leveraged including Traffmonetizer IPRoyal Proxyrack and PacketStream.

IoCs

Mssqlbgjccffigh48_browsingExe·exe
SHA1: efa5283c54128da5cd74bdaa100281cbf4d283c4
MD5: dd7c9fe604867e2705dc581fedc1f554
SHA256: f863098046480058f7139d0f56f2b2d1f41fe5ba6d97a04f74604a6663c56685

Mssqlbgjccffigh49_browsingExe·exe
SHA1: fb48948eea3301bfa5b4adfaf73261238a12dc86
MD5: 2d9c5507f204fc5a223bff457b4cb0e7
SHA256: c3a9ec3d8cc5c8def80930f4ee8f44157e9e6b6030e50ef59cb4fdc5aa3dc3cb

Mssqlbgjccffigh46_browsingDll·dll
SHA1: 4ab9525f10aaa7fd5c1970202ea66d15b658dec8
MD5: a88e1eaf5576d27572ccc5655afb9d1a
SHA256: 608a691a49bb03f1db2f8f2c75b59e2ed0a84f151dbc30eb7e2b6326c72f146b

Raccoon Stealer Announce Return After Hiatus

First observed in 2019 and advertised as a Malware-as-a-Service (MaaS) threat on various cybercriminal forums Raccoon is an information stealer targeting victim credentials and cryptocurrency wallets.

IoCs

Raccoonbgjcbjegeb60_browsingDocx·docx
SHA1: c4b3109cf39b301b30e732db7493f3241236ed1f
MD5: 719009a094c6f3155e7abc537078b943
SHA256: a2420c7f0c7bf5d3c0893aff6b7440a09c0531632434d2bbb6f8ed98b04317b9

Raccoonbgjcbjegeb54_browsingExe·exe
SHA1: 122b97dc9db7aa44b685327722d0fd69a41d9dda
MD5: db8e6a08c6ddc34b327ba5329d15e243
SHA256: 40175d0027919244b6b56fe5276c44aba846d532501e562da37831403c9ed44e

Raccoonbgjcbjegeb59_browsingExe·exe
SHA1: 3cfaf4f2bc92c52bafd9ff46d9950b8128dd9006
MD5: 705e3e540053591142af5a8f4bac8c09
SHA256: 75c3a83073d9b15d4f47308b5d688f1ec07422419e3bd54e78f6ef8683d42e5c

Analysis Of APT Attacks Targeting Web Services

External facing web services are constantly targeted by APT threat groups to drop malware including web shells information stealers downloaders and open-source tools.
Scheduled tasks are created for persistence PowerShell commands used to download tools and files obfuscated for defense evasion.
Sectors targeted include hotels manufacturers and online shopping malls.

IoCs

Analysisbgjcbgjchd4_browsingExe·exe
SHA1: c822f6100333e84bd0ec87675ca79d65cb01a01e
MD5: ab9091f25a5ad44bef898588764f1990
SHA256: 77e82c3d5fea369f6598339dcd97b73f670ff0ad373bf7fc3a2d8586f58d9d32

Analysisbgjcbgjchd10_browsingExe·exe
SHA1: 3c2fff92ba1c8c53e405a6d293fa8af302ecdfda
MD5: 0ea582880c53419c8b1a803e19b8ab1f
SHA256: 66aea848f088cd3c29e79d3445d76e2a7dae64a3180e28612193c096f6f2352a

Analysisbgjcbgjchd25_browsingExe·exe
SHA1: a606ed0bfc5b01376545b2a68fa06d30a21d7c61
MD5: 5a163a737e027dbaf60093714c3a021f
SHA256: f0d7cad83f4344d3a6555f64c57c513661b3f5a414858236e2a80a6bcff70a21

Continued OSS Supply Chain Hidden In Python Package Index

An OSS supply chain attack was found infecting unsuspecting users with multiple information stealers.
The malicious software attempts to exfiltrate credit cards wallets account logins and other sensitive data using a Discord webhook.
The same author is suspected to be behind the release of the malicious packages.

IoCs

Continuedbgjcaicihh2_browsingPy·py
SHA1: 3b0f6b51dbf3689e4e668fab3b721fac30cdb538
MD5: 475e15da18cd785eb079981585a6519b
SHA256: 7370c8d95fc1b94d12b1eceee640f1350637cd9ffb4f57bfd7f9ba010dbf5418

Continuedbgjcaicihh2_edrPy·py
SHA1: 3b0f6b51dbf3689e4e668fab3b721fac30cdb538
MD5: 475e15da18cd785eb079981585a6519b
SHA256: 7370c8d95fc1b94d12b1eceee640f1350637cd9ffb4f57bfd7f9ba010dbf5418

JanelaRAT

Researchers at Zscaler have published a new blog on JanelaRAT.
The malware is focused on harvesting LATAM financial data in a targeted and stealthy way.

IoCs

Janelaratbgjcafeagj18_browsingZip·zip
SHA1: 61133c709a35a37532cc1d49a0213b827edbedb3
MD5: 3ec6342286d5b699bc1fb2ef6598f906
SHA256: 16748fc7cc71ff6568a09d5ea4d4ac2fa23667b9aa9dd0766e425bb18f842aa8

Janelaratbgjcafeagj1_browsing7Zip·zip
SHA1: 569e2eb0781084699b115f4502163aeea79232a3
MD5: 3cbe59c309f803fffdadcc69d3578a53
SHA256: c206df6a4e25c65d77a65358093d81d07072169598abb48e14e0749b12f096a6

Janelaratbgjcafeagj23_browsingZip·zip
SHA1: 7d64c14813d75545c8aa491c161fe562cd030419
MD5: 4b142b23110fbb7b98ad49c051d7a1af
SHA256: 0c6e12d23d94eddb3bdf15a2108401bcf47a5bc3796a4e5e5fa985eaacbae454

Leaked Ransomware Builders Utilized In Tech Scam Campaign

A tech scam campaign was discovered attempting to persuade victims to pay for non-existent antivirus solutions.
The campaign leveraged the CraxsRAT dropper and a downloader to carry out the infection process.
The final payload included variants from multiple ransomware families including Chaos NoCry and LockBit Black.

IoCs

Leakedbgjbicdhge4_browsingExe·exe
SHA1: a415fd0c932145988017569fc4d99e2e207c5892
MD5: f68f6ae996370de813845da89f0111ab
SHA256: b38943f777ec2cb42abe5ef35b5d2933ce65e3aa3915d7d62bc1cd75c7586886

Leakedbgjbicdhge6_browsingExe·exe
SHA1: acb395ca02d645bf20388915a233247fedb31dbf
MD5: 7f350db2b16343645a220922c7a96dc5
SHA256: d79f5fe23a82b67205037c268f2fed92d727bf4215b20fa21c8a765e20661362

Leakedbgjbicdhge11_browsingExe·exe
SHA1: b09fc1637f76a55784cc000304bcaf3e77b3f906
MD5: 096ad6849a2666c503c3243dba8a589f
SHA256: f6eaa0d761f364d68443445b43ee4ebf722af3e65319c26bf136cda50a532685

AdLoad Turns Mac Systems Into Proxy Exit Nodes

AdLoad malware was found infecting Mac systems to turn the devices into a large proxy botnet.
The malware profiles the infected system which is used later by the command-and-control server to identify the device.
The botnet has been discovered being used in spam campaigns and to deliver additional payloads.

IoCs

Adloadbgjbhdhegb42_browsingMacho·macho
SHA1: c914a0e79998a84e358b75712ec9532d59d89b98
MD5: c13641967a755b28efa29c79ada65f0b
SHA256: 956aae546af632ea20123bfe659d57e0d5134e39cdb5489bd6f1ba5d8bbd0472

Adloadbgjbhdhegb41_browsingMacho·macho
SHA1: 8a35ceed808fa4893aa10fee663fb696d9548f9d
MD5: 17d680825d23e672d23cc82126069c71
SHA256: 7cb10a70fd25645a708c81f44bb1de2b6de39d583ae3a71df0913917ad1dffc3

Adloadbgjbhdhegb43_browsingMacho·macho
SHA1: 8647c44cb3db23341986b014d71d50cea88c8ad0
MD5: f1cb5fc4d248c60959ded6758625be10
SHA256: ee9ebdb1d9a7424cd64905d39820b343c5f76e29c9cd60c0cdd3bfe069fb7d51

Malicious Control Panel File Used To Drop Agent Tesla

An infection chain was found using spear phishing emails with a malicious attachment to infect devices with Agent Tesla.
The zip attachment consisted of a control panel file (CPL) and a Tax related document.
Executing the CPL file resulted in multiple PowerShell and VBS scripts executed ultimately infecting the system with the remote access trojan.

IoCs

Maliciousbgjbhdhdib18_browsingDll·dll
SHA1: 4617ddabccc0aeb4ce669b370de3079410657fe0
MD5: 4729b73425c811e8b9c4142504c7500d
SHA256: 38b41ad398e4807cb6153eebc0bfff248799ac94d842766d47c37d8a288b720e

Maliciousbgjbhdhdib1_browsing7Vbs·vbs
SHA1: d874a11d00aa240f837efd742deb028de79eaad0
MD5: 2dcdda94429cdbe8d1f0c4e4a9f04e36
SHA256: a4e6a885d3c0f0b62a3b322e3210c63977f2a5a3d0cea5e0f5be51b3d73d4054

Maliciousbgjbhdhdib16_browsingDll·dll
SHA1: 5ea9c0fbe63b1e6755504f932d6f53e1bb0aa280
MD5: 2220fb8ec2e0055ed544f3eccb953fdd
SHA256: 72219e131476a429db3323631405429880f29bb3bbe655d31f1b3e37edd18303

German Embassy Lures Used By APT29 To Drop Duke Malware

The APT29 threat group sent spear phishing emails to Ministries of Foreign Affairs of NATO aligned countries.
The emails contained malicious attachments that were used to drop a variant of Duke malware.
To evade and hide its activities the threat actor leveraged the open-source Zulip application for command and control.

IoCs

Germanbgjbhdhdaj_browsing7Pdf·pdf
SHA1: 5e58f3ce5b42d1b3c1658bdc9db5b27b4993a3cf
MD5: 50f57a4a4bf2c4b504954a36d48c99e7
SHA256: b6d26c5b2b2300fa8bf784919638ba849805896cf969c5c330668b350907c148

Germanbgjbhdhdaj9_browsingDll·dll
SHA1: 15d9b5a0d442e9dccf1e0f0ded34f7b6014c47b6
MD5: 0be11b4f34ede748892ea49e473d82db
SHA256: ae79aa17e6f3cc8e816e32335738b61b343e78c20abb8ae044adfeac5d97bf70

Germanbgjbhdhdaj8_browsingDll·dll
SHA1: fa71d067f8187a023334c5503e66fd9be2b73698
MD5: 5e1389b494edc86e17ff1783ed6b9d37
SHA256: 7fc9e830756e23aa4b050f4ceaeb2a83cd71cfc0145392a0bc03037af373066b

Statc Stealer Targets Browser Data

Statc Stealer is an information stealer focused on exfiltrating web browser data cryptocurrency wallets credentials passwords and data from multiple applications.
The malware performs a range of tasks to evade detection including checking filenames.
The stealer uses HTTPS encryption to send the stolen information to command-and-control servers.

IoCs

Statcbgjbgfajjj30_browsingExe·exe
SHA1: e8ec4884ef797d46461aece68c488addbda96ac4
MD5: 65affc4e1d5242a9c3825ce51562d596
SHA256: f4d60dde0ba2d06e34adb688c135613077659b2b7c0770b09a083b25168048f1

Statcbgjbgfajjj28_browsingExe·exe
SHA1: 43d71c32d76005d5c36e21f78e68fc987ba54865
MD5: f49348fa15d87e92896363b40267c9ae
SHA256: e68649a91df324229a6f33685a5ba3827767c8105bcd3c6808ac9e06a4a76045

Statcbgjbgfajjj26_browsingExe·exe
SHA1: 9bfa371d3b08ade38b3199ef584ec6c41714badb
MD5: f77dc89afbaab53e5f63626e122db61e
SHA256: 96d76c08cf580c2d8b213c834f96b454d111e7b57a4dc25ef700e35692af5534

New Variants Of GlobeImposter Ransomware Discovered

New samples of GlobeImposter ransomware also known as LOLKEK have been discovered since the malware was first seen in 2016.
The new variants direct victims to a new portal hosted on TOR and append the “.MMM” extension to encrypted files.
Victims are required to pay $1350.00 USD for the decryption key which must be paid in Bitcoin.

IoCs

Newbgjbgfajeg23_browsingExe·exe
SHA1: ed247b58c0680b7c92632209181733e92f1b0721
MD5: 3e7591082b36244767c1b5393a44f846
SHA256: 08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed

Newbgjbgfajeg22_browsingExe·exe
SHA1: 768b8d81a6b0f779394e4af48755ca3ad77ed951
MD5: 518a38b47292b1e809c5e6f0bb1858be
SHA256: 58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f

Newbgjbgfajeg22_edrExe·exe
SHA1: 768b8d81a6b0f779394e4af48755ca3ad77ed951
MD5: 518a38b47292b1e809c5e6f0bb1858be
SHA256: 58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f

A Ransomware attack on an Israeli institution

Recently, the Israeli CERT was alerted to a cyber attack involving ransomware encryption and data exfiltration.

IoCs

Bietholimbgjbfjagjh23_browsingExe·exe
SHA1: b155264bbfbad7226b5eb3be2ab38c3ecd9f3e18
MD5: 6171000983cf3896d167e0d8aa9b94ba
SHA256: 9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376

Bietholimbgjbfjagjh12_browsingExe·exe
SHA1: 50d384d0cac7a0e0ad3e0e600e0e22701bda522c
MD5: f8e0e87d37574e2bcacb2da34f06861e
SHA256: 5469182495d92a5718e0e1dcdf371e92b79724e427050154f318de693d341c89

Bietholimbgjbfjagjh2_browsingExe·exe
SHA1: f7a38385fe41bcd154fc7b6da034bfe719d6a0a7
MD5: 574f3513f6d7e15f102e82e4d35bf164
SHA256: 04c9cc0d1577d5ee54a4e2d4dd12f17011d13703cdd0e6efd46718d14fd9aa87

Rhysida ransomware

Cisco Talos is aware of the recent advisory published by the U.S.
Department of Health and Human Services (HHS) warning the healthcare industry about Rhysida ransomware activity.

IoCs

Rhysidabgjbfigaic11_browsingExe·exe
SHA1: 134c25e1b864f14d25e06d29cce0ca0b90968b44
MD5: fbbb2685cb612b25c50c59c1ffa6e654
SHA256: f6f74e05e24dd2e4e60e5fb50f73fc720ee826a43f2f0056e5b88724fa06fbab

Rhysidabgjbfigaic8_browsingExe·exe
SHA1: b07f6a5f61834a57304ad4d885bd37d8e1badba8
MD5: 59a9ca795b59161f767b94fc2dece71a
SHA256: 250e81eeb4df4649ccb13e271ae3f80d44995b2f8ffca7a2c5e1c738546c2ab1

Rhysidabgjbfigaic12_browsingExe·exe
SHA1: 560a64721d5a647ffae76febdb6f99bf356dae79
MD5: c9a5e675dbb1f0ce61623f24757a1c72
SHA256: 0bb0e1fcff8ccf54c6f9ecfd4bbb6757f6a25cb0e7a173d12cf0f402a3ae706f

RedHotel Threat Group Operating At A Global Scale

RedHotel also known as Aquatic Panda and Earth Lusca is suspected to be a Chinese state-sponsored threat activity group known to attack the academia aerospace government media telecommunications and research sectors across multiple countries.
The threat actor uses a range of malware and open-source tools to carry out their operations including Cobalt Strike Brute Ratel PlugX ScatterBee and many others.
The group also takes advantage of multiple vulnerabilities including Microsoft Exchange (ProxyShell) and the Log4Shell vulnerability in Apache Log4J.

IoCs

Redhotelbgjbfgeeje1_browsing7Exe·exe
SHA1: 3f749e545561104c43af9faa68ea9495aa9cbfaf
MD5: 9555ecef1396db7d27a819712588e098
SHA256: 1ded9878f8680e1d91354cbb5ad8a6960efd6ddca2da157eb4c1ef0f0430fd5f

Redhotelbgjbfgeeje3_browsingExe·exe
SHA1: 6026eb9f7b3b1d7f667051afb77f13f0584c36fa
MD5: 92df8c81d6a4295dc6a4300f081f88c9
SHA256: 48e81b1c5cc0005cc58b99cefe1b6087c841e952bb06db5a5a6441e92e40bed6

Redhotelbgjbfgeeje15_browsingDll·dll
SHA1: 04409eee2624521b4389218780a7f2a26f8885f1
MD5: 0590768d6120036f1d0c7a0e434e0b07
SHA256: e053ca5888fb0d5099efed76e68a1af0020aaaa34ca610e7a1ac0ae9ffe36f6e

North Korea Compromises Sanctioned Russian Missile Engineering Company

SentinelLabs identified an intrusion into the Russian defense industrial base, specifically a missile engineering organization NPO Mashinostroyeniya.
Their findings identify two instances of North Korea related compromise of sensitive internal IT infrastructure within this same Russian DIB organization, including a specific email server alongside the use of a Windows backdoor dubbed OpenCarrot.
Their analysis attributes the email server compromise to the ScarCruft threat actor.

IoCs

Northbgjbeefhbg12_browsingDll·dll
SHA1: f974d22f74b0a105668c72dc100d1d9fcc8c72de
MD5: 516beb7da7f2a8b85cb170570545da4b
SHA256: 5345ac8130adb752a0bd8224969f0ced0172f2fce5aa39a90f3075e75ad50767

Northbgjbeefhbg11_browsingExe·exe
SHA1: 8b6ffa56ca5bea5b406d6d8d6ef532b4d36d090f
MD5: 921aa3783644750890b9d30843253ec6
SHA256: 8600a593750580cee7240af4069685e8c2a1683d84652122fcdf6a478e5a4e93

Northbgjbeefhbg14_browsingExe·exe
SHA1: 07b494575d548a83f0812ceba6b8d567c7ec86ed
MD5: 9216198a2ebc14dd68386738c1c59792
SHA256: 125dde6564589bc5284f244e7c6f49b7b8b1be9c8fdd4c5f29d88b000bb15314

New threat actor targets Bulgaria, China, Vietnam, and other countries with customized Yashma ransomware

An unknown threat actor is carrying out a ransomware operation that mimics the WannaCry attack Cisco Talos has discovered and is targeting victims in English-speaking countries Bulgaria, China and Vietnam.

IoCs

Newbgjbeefgid2_browsingExe·exe
SHA1: f38e8932f4c88c1fd801696267924c6767155028
MD5: 08c7ff3a65f703d12fc644b63dff19d5
SHA256: 3ea6df18492d21811421659c4cf9b88e64c316f2bef8a19766b0c79012476cac

Newbgjbeefgid2_edrExe·exe
SHA1: f38e8932f4c88c1fd801696267924c6767155028
MD5: 08c7ff3a65f703d12fc644b63dff19d5
SHA256: 3ea6df18492d21811421659c4cf9b88e64c316f2bef8a19766b0c79012476cac

Kimsuky Using Self-Extracting Word And PDF Documents To Deliver Malicious Code

Self-extracting files masquerading as coin exchange and investment-related documents are being used to deliver malicious code to target users.
The threat actor Kimsuky is suspected of the campaign activities due to a user agent string identified in the file written to the user profile.
The code is hidden inside self-extracting Word documents and PDF files. Once executed, the malicious code invokes Windows binaries to fetch additional files from the attacker-controlled C2.

IoCs

Kimsukybgjbdjjddg40_browsingExe·exe
SHA1: 2a09b2542a920477432232ffddc89560eb334645
MD5: 8a5fd1e9c9841ff0253b2a6f1e533d0e
SHA256: 51a0d350c910a357476db7079c27d1384d58b285cd4a9998b77bdb789d848107

Kimsukybgjbdjjddg41_browsingExe·exe
SHA1: c95c2dff5647114e81bf1aa1487c5f868e5b73e4
MD5: 002105e21f1bddf68e59743c440e416a
SHA256: de4cac7950d1bb99c86ab9ac86d94c3ed48a088b121245c3239f140a8fc2fcc4

Kimsukybgjbdjjddg39_browsingDocx·docx
SHA1: 84ef8256bece765b0f44dc6d4cf664cb8f222c59
MD5: b6614471ebf288689d33808c376540e1
SHA256: 928e61590b2c4acf3991bd4327c5107c1cfd2604d992647c4e63bd1d620ff636

Operation PhantomControl Infects Systems With AsyncRAT

An un-named attacker used the legitimate ScreenConnect client to control and infect systems with the open-source AsyncRAT remote access trojan.
The ScreenConnect client was hosted on a compromised Teachflix website.
Multiple PowerShell and VBS files were used to create a scheduled task for persistence perform process hollowing and run a malicious batch file.

IoCs

Operationbgjbdjjccg36_browsingPs1·ps1
SHA1: c5d34218a68a458804dca0af01dac03db6b8da78
MD5: 5093aa07dcead8ec112fe9ff80fc6499
SHA256: 5011812a6fa8c9f59d5e5d35db91823a9bcb3fac749b88f185543004e8434bab

Operationbgjbdjjccg31_browsingExe·exe
SHA1: 69910d266e26e68fc47c9336aa3f2a8937865f52
MD5: bf96552cf18eb495d06ec007cef18831
SHA256: b35338a0e41b53bfa0795d38245213b5fce6748d035ef1616f696b073de38098

Operationbgjbdjjccg32_browsingExe·exe
SHA1: fae76e1249d719564fe220435f271ff64d9435c0
MD5: addfb71ffe786565f2e156fb5bb45f42
SHA256: b277d9efd245fc61a8832ac1ff31e64d183ecad74969579337e0bb4fbb2c4e89

Analysis Of DoDo And Proton Ransomware

Variants from the DoDo and Proton ransomware families were discovered targeting Microsoft Windows users.
Samples of DoDo ransomware were created using the Mercurial Grabber open-source malware builder.
Proton ransomware has several variants, with most appending the actor’s email address along with the “.Proton” file extension.

IoCs

Analysisbgjbdjjaeg12_browsingExe·exe
SHA1: 7640294a145a2e00993ef0838cc1af322aa7cac0
MD5: f64f80e81c1f9a3775d4e8d5a41a0d3b
SHA256: 9adae78f48f24419b6f8a895c1244a1576a4c7fe73e9bc32136893630ce735bd

Analysisbgjbdjjaeg1_browsingExe·exe
SHA1: 48a3723f38ef4c9ee6b044823f0ddec9851e028d
MD5: b88adcf21d3f63f1d4e3b51f1d4eeb6a
SHA256: e43db9691d7947f7edadb0f9ae8317301aeaea7604f74e69dbcb4b23420e4cbe

Analysisbgjbdjjaeg2_browsingExe·exe
SHA1: 07fed95218f8d680688a28921ee18fb86dc0d5bd
MD5: 57a105cb1aaff41fa43d7eaea98493de
SHA256: 464d6aa8389dad3aebc36f748f6687cb57432ee791b84ff18b3dd5a342ce23a0

Honeypot Recon New Variant of SkidMap Targeting Redis

Since Redis is becoming increasingly popular around the world we decided to investigate attacks on the Redis instance.
The Sandbox trap caught an activity about which the Western world does not hear too often while analyzing SkidMap.
More importantly, this variant turned out to be a new, improved, and dangerous variation of the malware.

IoCs

Honeypotbgjbaejgga1_browsingSh·sh
SHA1: 9970809e1dedce286888f7d25790b4dcca1e704b
MD5: 000916c60b2ab828ba8cea914c308999
SHA256: 969e10e4a61cc5f80c414259c4d90c74bcf43ccd5678910700bdc14cd60f9725

Honeypotbgjbaejgga2_browsingElf·elf
SHA1: 0ae049aab363fb8d2e164150dffbafd332725e00
MD5: 44de739950eb4a8a3552b4e1987e8ec2
SHA256: 9b81bad2111312e669697b69b9f121a1f9519da61cd5d37689e38381c1ffad28

Honeypotbgjbaejgga4_browsingElf·elf
SHA1: 940f45f8a5dfb16281a35cd8303cd98c1ab1fabd
MD5: e23b3c7eb5d68e3cd43e9e61a3055fe8
SHA256: f77c4b704b20affdd737af44cabd3d7b56d8987924f2179137bbeef0e4be0367

Report Ransomware Command-and-Control Providers Unmasked

The Halcyon Research and Engineering Team has published new research that details novel techniques used to unmask yet another Ransomware Economy player that is facilitating ransomware attacks and state-sponsored APT operations Command-and-Control Providers (C2P) who sell services to threat actors while assuming a legal business profile.

IoCs

Reportbgjbaacife1_browsingExe·exe
SHA1: d85c8d4d308addb8ce25780368cf2228bf3851c4
MD5: 2ebf5f9c715ef9d8428ea935babb50d4
SHA256: 4d56e0a878b8a0f04462e7aa2a47d69a6f3a31703563025fb40fb82bab2a2f05

Reportbgjbaacife1_edrExe·exe
SHA1: d85c8d4d308addb8ce25780368cf2228bf3851c4
MD5: 2ebf5f9c715ef9d8428ea935babb50d4
SHA256: 4d56e0a878b8a0f04462e7aa2a47d69a6f3a31703563025fb40fb82bab2a2f05

http://mojimetigi·biz

Threat Brief RCE Vulnerability CVE-2023-3519 on Customer-Managed Citrix Servers

On July 18, 2023, Citrix published a security bulletin for vulnerabilities affecting their NetScaler ADC and NetScaler Gateway products.
When these appliances are configured as a gateway or authentication server and managed by a customer (i.e. not Citrix-managed) they can be vulnerable to remote code execution initiated by an attacker.
Vulnerabilities on Citrix-managed servers have already been mitigated.

IoCs

Threatbgjaigcefd1_browsingPhp·php
SHA1: 2a8908699d91a2a567bd70e40bb90f8ede0f5d4f
MD5: 0377dc9c7cfcd1e64598c619821ca114
SHA256: 293fe23849cffb460e8d28691c640a5292fd4649b0f94a019b45cc586be83fd9

Threatbgjaigcefd1_edrPhp·php
SHA1: 2a8908699d91a2a567bd70e40bb90f8ede0f5d4f
MD5: 0377dc9c7cfcd1e64598c619821ca114
SHA256: 293fe23849cffb460e8d28691c640a5292fd4649b0f94a019b45cc586be83fd9

Threatbgjaigcefd1_mailPhp·php
SHA1: 2a8908699d91a2a567bd70e40bb90f8ede0f5d4f
MD5: 0377dc9c7cfcd1e64598c619821ca114
SHA256: 293fe23849cffb460e8d28691c640a5292fd4649b0f94a019b45cc586be83fd9

That is all for now!

Stay cyber safe and see you next month!