Here is the December 2023 breakdown of threats with a short list of IoCs. The full IoC list for each specific threat is available from the Cymulate app.
Reminder: The Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM's list of IoCs, including hashes, URLs, domain names, etc.
Note: The period character '.' in the IoC file names and URLs below has been replaced with '·' out of an abundance of security caution.
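As an added example (not part of the Cymulate digest and not Cymulate's own code), the following Python script parses an IoC block laid out the way this page lays them out and turns it into SIEM-ready rows: it refangs the '·' placeholder, validates hash lengths, merges the browsing and EDR copies of the same file by SHA256, and cross-checks the SHA256 embedded at the start of each file name against the SHA256 line. The sample input reuses the Wazawaka entry further down the page; the treatment of the "_browsing"/"_edr" token in file names as a test-type marker is an assumption about the naming convention, not documented Cymulate behaviour.

```python
import re
from dataclasses import dataclass, field

# Input reproduced from the Wazawaka entry on this page; the layout (file name line, then
# MD5/SHA1/SHA256 lines, then bare URLs) is this digest's own convention.
SAMPLE = """\
IOCs
46f1a4c_browsing77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561XxX1Elf·elf
MD5: 11d211ce3fa615ce35bff30fa37e9251
SHA1: eba816d7dc084d5702ad5d222c9b6429755b25fd
SHA256: 46f1a4c77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561
46f1a4c_edr77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561XxX1Elf·elf
MD5: 11d211ce3fa615ce35bff30fa37e9251
SHA1: eba816d7dc084d5702ad5d222c9b6429755b25fd
SHA256: 46f1a4c77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561
http://79·124·59·178
"""

DEFANG_DOTS = "\u00b7\u2027\u22c5\u2022"          # placeholder characters to turn back into '.'
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256):\s*([0-9a-fA-F]+)$")
VARIANT_RE = re.compile(r"_(browsing|edr)")        # assumption: test-type token inside the file name
URL_PREFIXES = ("http://", "https://", "hxxp://", "hxxps://")


@dataclass
class FileIoc:
    name: str
    md5: str = ""
    sha1: str = ""
    sha256: str = ""
    variants: list = field(default_factory=list)  # test types this file was listed under


def refang(text):
    for ch in DEFANG_DOTS:
        text = text.replace(ch, ".")
    return text


def _commit(rec, files, problems):
    """Validate one file record and merge it into `files`, keyed by SHA256."""
    m = VARIANT_RE.search(rec.name)
    variant = m.group(1) if m else "unknown"
    stripped = VARIANT_RE.sub("", rec.name, count=1)
    embedded = re.match(r"[0-9a-fA-F]{64}", stripped)   # SHA256 the digest embeds in the file name
    if embedded and rec.sha256 and embedded.group(0).lower() != rec.sha256:
        problems.append(f"{rec.name}: embedded SHA256 prefix does not match SHA256 line")
    if not rec.sha256:
        problems.append(f"{rec.name}: no SHA256 recorded")
        return
    existing = files.get(rec.sha256)
    if existing is None:
        rec.variants = [variant]
        files[rec.sha256] = rec
    else:
        if (existing.md5, existing.sha1) != (rec.md5, rec.sha1):
            problems.append(f"{rec.name}: MD5/SHA1 differ from an earlier record with the same SHA256")
        existing.variants.append(variant)


def parse(text):
    """Return ({sha256: FileIoc}, [refanged URLs], [problems]) for one IoC block."""
    files, urls, problems = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "IOCs":
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                problems.append(f"{algo} value with no preceding file name: {digest}")
            elif len(digest) != HASH_LEN[algo]:
                problems.append(f"{current.name}: {algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            else:
                setattr(current, algo.lower(), digest)
            continue
        if line.lower().startswith(URL_PREFIXES):
            urls.append(refang(line).replace("hxxp", "http", 1))
            continue
        if current is not None:           # a new file name line closes the previous record
            _commit(current, files, problems)
        current = FileIoc(name=refang(line))
    if current is not None:
        _commit(current, files, problems)
    return files, urls, problems


def siem_rows(files, urls):
    """Flatten into one row per indicator, the shape a SIEM watchlist import expects."""
    rows = []
    for rec in files.values():
        for algo in ("md5", "sha1", "sha256"):
            if getattr(rec, algo):
                rows.append({"type": algo, "value": getattr(rec, algo),
                             "name": rec.name, "tests": ",".join(rec.variants)})
    rows.extend({"type": "url", "value": u} for u in urls)
    return rows


if __name__ == "__main__":
    files, urls, problems = parse(SAMPLE)
    for row in siem_rows(files, urls):
        print(row)
    print("problems:", problems or "none")
```

The consistency check matters because a copy-paste error in one hash line would otherwise push a wrong indicator into every detection system fed from the list; the `problems` list is what a reviewer should look at before the rows are loaded.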
Smoke and Mirrors Understanding The Workings of Wazawaka
New MetaStealer Malvertising Campaigns Discovered
Bandook Remote Access Trojan Continues To Evolve
Malvertisers zoom in on cryptocurrencies and initial access
Operation HamsaUpdate A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure At Risk
BattleRoyal DarkGate Cluster Spreads via Email and Fake Browser Updates
An Analysis Of A Persistent Actor's Activity
AsyncRAT Code Injection Found Across Multiple Incident Response Cases
Analysis of Kimsuky Group's AppleSeed Malware Attack Trends
Threat Actor Launches Operation RusticWeb For Targeting Indian Government Officials
NKAbuse Malware Abuses The NKN Protocol
Seedworm Iranian Hackers Target Telecoms Orgs in North and East Africa
Cert IL Alert – Phishing impersonating F5
US Cert Alert – Play Ransomware
Mallox Ransomware Resurrected To Burden Enterprises
Improperly Managed Linux SSH Servers Under Attack
Rhadamanthys Information Stealer Deep Dive
Curse Of The Krasue – New Linux Remote Access Trojan Targets Thailand
Editbot Stealer Spreads Via Social Media Messages
New Tool Set Found Used Against Middle East Africa And The US
Lazarus Operation Blacksmith Campaign Uses DLang Malware
Kinsing Used To Exploit ActiveMQ CVE-2023-46604 Vulnerability In Cryptomining Operations
DanaBot Found Deploying IcedID
ParaSiteSnatcher – How Malicious Chrome Extensions Target Brazil
UAC-0050 Delivers RemcosRAT Or MeduzaStealer To Polish Targets In Mass Phishing Campaign
APT28 Carries Out High Volume Phishing Campaigns Against Sectors Across Europe And North America
New BlueNoroff Loader For MacOS
WSF Script Used To Distribute AsyncRAT
Threat Actor Targets Macintosh Users Via Fake Browser Updates For Distributing Atomic Stealer
North Korean Hackers Attacking MacOS Using Weaponized Documents
Smoke and Mirrors Understanding The Workings of Wazawaka
Mikhail Pavlovich Matveev, also known by the monikers Wazawaka, Boriselcin and Orange, has recently risen to prominence within the Threat Intelligence (TI) community, emerging as a key player in the dynamic digital threat landscape, according to PRODAFT researchers.
IOCs
46f1a4c_browsing77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561XxX1Elf·elf
MD5: 11d211ce3fa615ce35bff30fa37e9251
SHA1: eba816d7dc084d5702ad5d222c9b6429755b25fd
SHA256: 46f1a4c77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561
46f1a4c_edr77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561XxX1Elf·elf
MD5: 11d211ce3fa615ce35bff30fa37e9251
SHA1: eba816d7dc084d5702ad5d222c9b6429755b25fd
SHA256: 46f1a4c77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561
http://79·124·59·178
New MetaStealer Malvertising Campaigns Discovered
MetaStealer, a prominent malware family that emerged in 2022, has been identified in recent malvertising campaigns. The malware, derived from the RedLine code base, was delivered through two distinct ads, one impersonating Notepad++ and the other AnyDesk. Two domains serve as both decoy and landing pages; their content appears auto-generated when accessed directly. Users who meet specific criteria after clicking the ads are sent to a malicious landing page and receive a download link. The November payload used a shortcut that launched PowerShell with a hardcoded path to the Downloads folder, while the December campaign dropped PowerShell in favour of a recompiled malicious DLL.
IOCs
949c5ae482_browsing7a3b642132faf73275fb01c26e9dce151d6c5467d3014f208f77caXxX1Zip·zip
MD5: 13edc2c86a86e8880e92bb95f460e5fb
SHA1: e9d7d6dea828832b8e35701f4504199bc09cd55e
SHA256: 949c5ae4827a3b642132faf73275fb01c26e9dce151d6c5467d3014f208f77ca
99123063690e244f95b89d96_browsing759ec7dbc28d4079a56817f3152834047ab047ebXxX3Zip·zip
MD5: 2a4b0b65897e7fd494ad0aced7f42aeb
SHA1: 7cdcbd78194eeaa4e3793c5b19d84537ff71bb3c
SHA256: 99123063690e244f95b89d96759ec7dbc28d4079a56817f3152834047ab047eb
c559_browsing7da40dee419696ef2b32cb937a11fcad40f4f79f9a80f6e326a94e81a90fXxX5Zip·zip
MD5: 8ba7059cc766798bc3993b720f561c11
SHA1: 891ad3e89d469f55245738a99c3e71e8a2a4fa42
SHA256: c5597da40dee419696ef2b32cb937a11fcad40f4f79f9a80f6e326a94e81a90f
Bandook Remote Access Trojan Continues To Evolve
Bandook, a remote access trojan first detected in 2007, has evolved over the years and was recently identified in a new variant distributed through a PDF file in October 2023.
The PDF contains a shortened URL leading to a password-protected .7z archive. Once extracted with the provided password, the malware injects its payload into msinfo32.exe. The variant introduces two control codes, one that loads fcd.dll and another that establishes persistence and executes a copy of Bandook. The malware communicates with its command and control (C2) server, sending victim information and receiving commands such as *DJDSR^, @0001, @0002 and so on. In the latest variants the command sequence extends to @0155; some codes are used for sending results to the server, and others appear in different modules.
IOCs
e8_browsing7c338d926cc32c966fce2e968cf6a20c088dc6aedf0467224725ce36c9a525XxX3Exe·exe
MD5: 5b49b856ed078c80306a6f190c445138
SHA1: efbeec9846500b7d54d7fbc51de78b92976d1bbc
SHA256: e87c338d926cc32c966fce2e968cf6a20c088dc6aedf0467224725ce36c9a525
430b9e91a09369_browsing78757eb8c493d06cbd2869f4e332ae00be0b759f2f229ca8ceXxX5Exe·exe
MD5: 89df83ffca7aae77fe72522173ec71ac
SHA1: b9d9d73c162969ef56931cc26928f67dfaae1523
SHA256: 430b9e91a0936978757eb8c493d06cbd2869f4e332ae00be0b759f2f229ca8ce
31691_browsing71e671315e18949b2ff334db83f81a3962b8389253561c813f01974670bXxX9Exe·exe
MD5: cc9283299523aed18b5c82c22b0b9f27
SHA1: 33c172779ac7117e30d37a6fe26361b2175cae03
SHA256: 3169171e671315e18949b2ff334db83f81a3962b8389253561c813f01974670b
Malvertisers zoom in on cryptocurrencies and initial access
Over the past month, Malwarebytes has observed an increase in the number of malicious ads in Google search results for Zoom, the popular video conferencing software. Threat actors have been alternating between keywords for different software downloads, such as Advanced IP Scanner or WinSCP, that are normally aimed at IT administrators.
IOCs
30fda6_browsing7726f77706955f6b52b202452e91d5ff132783854eec63e809061a4b5cXxX1Dll·dll
MD5: 174ff2e9b7a6b77382a5de6cf6f8a877
SHA1: afcb6d65145288d8d8397c006c837dcf176dba01
SHA256: 30fda67726f77706955f6b52b202452e91d5ff132783854eec63e809061a4b5c
44cac5bf0bab56b0840bd1c_browsing7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5XxX2Zip·zip
MD5: 7d27ed94ba01dc9c2761af0ed84c616f
SHA1: c2d9ecb9e0496dd21e636a77fac370325b8ae6ef
SHA256: 44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5
5b91_browsing7d04d416cafaf13ed51c40b58dc8b4413483ea3f5406b8348038125cad0bXxX4Dll·dll
MD5: a9c40b7581be75e006436c5b22495909
SHA1: ce6a3b5d8cd553dfd114551fd61dc58628581ea7
SHA256: 5b917d04d416cafaf13ed51c40b58dc8b4413483ea3f5406b8348038125cad0b
Operation HamsaUpdate A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure At Risk
On December 19th the Israel National Cyber Directorate released an urgent alert about a phishing campaign actively targeting Israeli customers of F5 network devices.
Intezer has labeled this campaign Operation HamsaUpdate. It features the deployment of newly developed wiper malware that targets both Windows and Linux servers. The campaign relies on a convincingly written email in Hebrew and on social engineering that pressures victims into executing the harmful code on their servers.
The final stage delivers either a complex multi-stage loader or a destructive wiper, with each variant customized for Linux or Windows environments.
IOCs
33616_browsing7b8c5cfc5cd330502e7aa515cc133656e12cbedb4b41ebbf847347b2767XxX8Exe·exe
MD5: b8ccbbb996bd93df4b93d1e027b7a0eb
SHA1: ce683968a78709adaf6305e73b690e05f04d02ca
SHA256: 336167b8c5cfc5cd330502e7aa515cc133656e12cbedb4b41ebbf847347b2767
454e6d3_browsing782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567XxX9Exe·exe
MD5: 4551a6cdf8d23a96aa4124ac9bdb6d1d
SHA1: b75b6cebe869e1636f0f294954b7906a4905701a
SHA256: 454e6d3782f23455875a5db64e1a8cd8eb743400d8c6dadb1cd8fd2ffc2f9567
64c5fd_browsing791ee369082273b685f724d5916bd4cad756750a5fe953c4005bb5428cXxX11Zip·zip
MD5: 08efd480e2c105382ba277a905f0c4a9
SHA1: 3a05a0238f892e53112654bf136ef352e7476a9b
SHA256: 64c5fd791ee369082273b685f724d5916bd4cad756750a5fe953c4005bb5428c
BattleRoyal DarkGate Cluster Spreads via Email and Fake Browser Updates
Throughout the summer and fall of 2023, DarkGate entered the ring, competing for the top spot in the remote access trojan (RAT) and loader category. It was used by multiple cybercrime actors and spread through many channels, including email, Microsoft Teams, Skype, malvertising and fake updates.
IOCs
7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e_browsing7015ae49561f0fXxX4Exe·exe
MD5: 7c657d37d590b131fcf3af752553f1d8
SHA1: c3b3c5ae0d52677b46298672273a8d91abf8de29
SHA256: 7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e7015ae49561f0f
ea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde_browsing744e08188fXxX7Url·url
MD5: 7c27512408c5d83388fb14c1661e3d79
SHA1: 91387c854741040a09f67d5af953db1ee779a690
SHA256: ea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde744e08188f
fce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4_browsingXxX8Url·url
MD5: 160f5ebabccd2638882969c7dcb08a58
SHA1: 99796ccd2cb846a1d8a7f4c078d0be9eac6e380c
SHA256: fce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4
An Analysis Of A Persistent Actor's Activity
DFIR researchers discovered an open directory containing over a year's worth of historical threat actor activity. By analysing the tools, logs and artifacts exposed on the internet, they were able to profile the threat actor and their targets. The research suggests that the actor's primary motivation was not financial, despite occasional financially motivated behaviour such as deploying crypto-miners and targeting finance sites.
The threat actor consistently scanned government services and defense contractors for vulnerabilities but exhibited only limited financially driven activity. The actor relied exclusively on open-source tools and frameworks: sqlmap and ghauri for active scanning and reconnaissance, and Metasploit and Sliver for post-exploitation once a vulnerability had been exploited.
IOCs
583c92f2ce6_browsing7d1d8df1fcac95c3765faad602509d6a3c9c5638310ddc0673e55XxX51Exe·exe
MD5: e16ae7c890b18a1d2e710b26938db959
SHA1: dc2c4c98141c08dbd6e895ce0e86d71e36f6aee7
SHA256: 583c92f2ce67d1d8df1fcac95c3765faad602509d6a3c9c5638310ddc0673e55
b5c4cc2bd69aceeb1fa_browsing7aa6538c3248514dc93f7b6d248e1d0f7b2db5ce86674XxX45Elf·elf
MD5: 2a11a19ba5d7c15e51dddb7695ea32ad
SHA1: ca20ea3fccad9614fe3e31e60098a9564d2d724c
SHA256: b5c4cc2bd69aceeb1fa7aa6538c3248514dc93f7b6d248e1d0f7b2db5ce86674
bb634bf93293_browsing7a683ebf002b2a1325e7fe7bfe172e924d2e528de761248b91ecXxX53Exe·exe
MD5: eb1bf5fcd65d86394628a03c0240243e
SHA1: 3f98962d627af1b63bcfbb80afcf4a2457d4a511
SHA256: bb634bf932937a683ebf002b2a1325e7fe7bfe172e924d2e528de761248b91ec
AsyncRAT Code Injection Found Across Multiple Incident Response Cases
During Trend Micro's recent investigations, the Trend Micro Managed XDR (MxDR) team handled several cases involving AsyncRAT, a remote access tool (RAT) whose capabilities, including keylogging and remote desktop control, make it a substantial threat to victims. Trend Micro unravels the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications. The attackers used this process as the injection target for the AsyncRAT payload, showing evolving adversary tactics.
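The page says only that aspnet_compiler.exe was used as the injection target; it does not describe a detection. The following Python script is an added example (not from Trend Micro or Cymulate) of how a hunt for that abuse can be expressed over Sysmon-style process-creation and network-connection events. The heuristics are assumptions stated in the code: the binary normally runs from the .NET Framework directory, carries precompile switches (-v, -p, -f), is started by build tooling rather than a script host, and has no business opening network connections. The events are constructed, including the IP and port.

```python
import ntpath
import re

# Assumptions, not findings from the Trend Micro report: aspnet_compiler.exe lives under the
# .NET Framework directory, is invoked with precompile switches (-v/-p/-f ...), is launched by
# build tooling rather than by script hosts, and has no legitimate reason to talk to the network.
FRAMEWORK_DIRS = (r"c:\windows\microsoft.net\framework\v", r"c:\windows\microsoft.net\framework64\v")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
TARGET = "aspnet_compiler.exe"
FIRST_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*')   # the image token at the front of a command line

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network connect).
FW = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
EVENTS = [
    {"EventID": 1, "UtcTime": "2023-12-05 10:02:11", "ProcessId": 4120, "Image": FW,
     "CommandLine": f'"{FW}" -v / -p C:\\src\\site -f C:\\build\\site',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Professional\MSBuild\Current\Bin\MSBuild.exe"},
    {"EventID": 1, "UtcTime": "2023-12-05 10:07:45", "ProcessId": 5088, "Image": FW,
     "CommandLine": FW,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "UtcTime": "2023-12-05 10:07:46", "ProcessId": 5088, "Image": FW,
     "DestinationIp": "203.0.113.10", "DestinationPort": 8808},
    {"EventID": 1, "UtcTime": "2023-12-05 10:09:02", "ProcessId": 5312,
     "Image": r"C:\Users\Public\Libraries\aspnet_compiler.exe",
     "CommandLine": r"C:\Users\Public\Libraries\aspnet_compiler.exe -v / -p C:\x",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "UtcTime": "2023-12-05 10:10:00", "ProcessId": 5400,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def base(path):
    return ntpath.basename(path).lower()


def arguments(cmdline):
    """Strip the leading image token (quoted or not) and return the remaining switches."""
    return FIRST_TOKEN.sub("", cmdline, count=1).strip()


def check_process(ev):
    """Reasons a process-creation event for aspnet_compiler.exe looks like injection staging."""
    reasons = []
    if not ev["Image"].lower().startswith(FRAMEWORK_DIRS):
        reasons.append(f"image outside .NET Framework directory: {ev['Image']}")
    if not arguments(ev.get("CommandLine", "")):
        reasons.append("launched without precompile arguments (no -v/-p switches)")
    parent = base(ev.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    return reasons


def check_network(ev):
    # A precompiler never needs a socket; any connection is worth a ticket.
    return [f"outbound connection to {ev['DestinationIp']}:{ev['DestinationPort']}"]


def scan(events):
    """Run both checks over a stream of events and return the alerts in order."""
    alerts = []
    for ev in events:
        if base(ev.get("Image", "")) != TARGET:
            continue
        if ev["EventID"] == 1:
            reasons = check_process(ev)
        elif ev["EventID"] == 3:
            reasons = check_network(ev)
        else:
            continue
        if reasons:
            alerts.append({"time": ev["UtcTime"], "pid": ev.get("ProcessId"),
                           "image": ev["Image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert["time"], alert["pid"], "; ".join(alert["reasons"]))
```

The first event (a real precompile run from MSBuild) produces nothing, which is the point: the signal is not the binary but the combination of an argument-less launch, a scripting parent, a copy outside the framework directory, or a network connection from a process that should never make one.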
IOCs
Asyncaq1_browsingPs1·ps1
MD5: e2de940fab2b14c512499006bbe5cd0a
SHA1: 899ca79e54a2d4af140a40a9ca0b2e03a98c46cb
SHA256: 9465750d2ddfcbfc68cd92da0bbad34a36a1eeac8c82a1c8ed086465b6c0cccf
Asyncaq2_browsingTxt·txt
MD5: 0818afc233b1ae3fb60d1fb7550f641d
SHA1: c5b16f22397c201a6e06f0049b6f948c648f11b7
SHA256: ef9d0086d23187030d4c2d05132a28d9ed2c3ab5cb76994a2dfc1c4754332315
Asyncaq3_browsingTxt·txt
MD5: 8eb61867a27fd921ece5c6454f1819c1
SHA1: c07b2c25f926550d804087ac663991cf06bac519
SHA256: 5d787de295a1d6a57e18ff54d9833ef0133248ae77084170162a01464d5b5203
Analysis of Kimsuky Group's AppleSeed Malware Attack Trends
The Kimsuky threat group, which is said to be backed by North Korea, has been active since 2013.
Initial attacks on South Korea's North Korea-related research institutes have been confirmed, followed by attacks on South Korea's energy institutions in 2014 and on targets outside South Korea since 2017. Its spear-phishing attacks are primarily aimed at stealing information and technology from organizations in national defense, the defense industry, media, diplomacy, state institutions and academia.
IOCs
cbdcf6224aa15c_browsing70a22346594d1956c0589a9411beb75a003eaccb15db4370a5XxX131Dll·dll
MD5: 1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf
SHA1: 5d41e15aba6d89fe99b96e53a3c9d18da7e019a6
SHA256: cbdcf6224aa15c70a22346594d1956c0589a9411beb75a003eaccb15db4370a5
08d_browsing740277e6c3ba06cf6e4806132d8956795b64bb32a1433a5f09bdf941a1b72XxX156Dll·dll
MD5: f3a55d49562e41c7d339fb52457513ba
SHA1: 88ac3915d4204818d3360ac930497921fd35f44e
SHA256: 08d740277e6c3ba06cf6e4806132d8956795b64bb32a1433a5f09bdf941a1b72
cbdcf6224aa15c_edr70a22346594d1956c0589a9411beb75a003eaccb15db4370a5XxX131Dll·dll
MD5: 1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf
SHA1: 5d41e15aba6d89fe99b96e53a3c9d18da7e019a6
SHA256: cbdcf6224aa15c70a22346594d1956c0589a9411beb75a003eaccb15db4370a5
Threat Actor Launches Operation RusticWeb For Targeting Indian Government Officials
An ongoing phishing campaign named Operation RusticWeb has been targeting Indian government officials since at least October 2023. Overlaps in tactics and techniques point to two Pakistan-linked APT groups, Transparent Tribe (APT36) and SideCopy. Shifting from well-known compiled languages to newer ones such as Golang, Rust and Nim, the threat actors used two different infection chains, relying primarily on Rust-based payloads, spear phishing and fake domains to achieve their objectives. In the first chain, PowerShell files embedded in seemingly legitimate documents download and execute scripts from malicious domains, leading to the final Rust-based payload, which can steal files and collect system information. The second chain uses maldocs containing VBA macros that carry encrypted PowerShell commands, which in turn download and execute the malicious payloads.
IOCs
26bf853b951e8d8ba600_browsing7e9d5c77f441faa739171e95f27f8d3851e07bc65b11XxX26Lnk·lnk
MD5: 13ee4bd10f05ee0499e18de68b3ea4d5
SHA1: 8c969dbe0fe30244802cda1c8e33b04040831466
SHA256: 26bf853b951e8d8ba6007e9d5c77f441faa739171e95f27f8d3851e07bc65b11
db9afd2c59f20e04db3_browsing7ddd38d1e911cdb4bddf39c24e4ce7cedda4eec984604XxX28Rar·rar
MD5: 56cb95b63162d0dfceb30100ded1131a
SHA1: 5dd201fa53cb5c76103579785a3d220d578dd12a
SHA256: db9afd2c59f20e04db37ddd38d1e911cdb4bddf39c24e4ce7cedda4eec984604
b80f1554_browsing71b545db9ffb3253c4c3295995547c3acca3bf1115baff20955bcfd8XxX30Docx·docx
MD5: de30abf093bd4dfe6b660079751951c6
SHA1: a68fd8c33f0c1f21cabaf17f4ade02b25a1f262a
SHA256: b80f155471b545db9ffb3253c4c3295995547c3acca3bf1115baff20955bcfd8
NKAbuse Malware Abuses The NKN Protocol
Researchers have uncovered a new multiplatform threat named "NKAbuse". The malware uses NKN technology for peer-to-peer data exchange, operating as a powerful implant with flooder and backdoor capabilities. Written in Go, it is adaptable to various architectures; Linux desktops are its primary target, but it can also infect MIPS and ARM systems, posing a threat to IoT devices. NKAbuse infiltrates systems by uploading an implant to the victim host, establishing persistence through a cron job and installing itself in the host's home folder.
The malware's capabilities range from flooding to backdoor access and remote administration (RAT). While designed for integration into a botnet, it can also function as a backdoor on a specific host. Notably, its use of blockchain technology provides both reliability and anonymity, suggesting the potential for steady expansion over time without an identifiable central controller.
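The persistence pattern described above (a cron job that launches an implant installed in the user's home folder) is something a responder can sweep for without any NKAbuse-specific indicator. The following Python script is an added example, not code from the report or from Cymulate: it parses crontab dumps and flags entries whose command runs from a user-writable location, from a hidden directory, or at @reboot. The crontab contents, user names and paths are constructed; the list of suspect directories is an assumption to tune per environment, and the check generalises beyond the home-folder case the page describes to /tmp-style drops.

```python
import re
import shlex

# Constructed crontab dumps (as from `crontab -l -u <user>`); not taken from the report.
SAMPLE_CRONTABS = {
    "root": """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/5 * * * * /usr/local/bin/backup.sh
""",
    "www-data": """\
MAILTO=""
@reboot /home/www-data/.cache/.x/app >/dev/null 2>&1 &
*/10 * * * * /bin/sh -c "cd /tmp && ./kworkerds"
""",
}

# Assumption: nothing that legitimately needs cron on a server runs from these user-writable
# locations. The report's NKAbuse description (cron job + install in the home folder) is the
# pattern being hunted; /tmp-style locations are included as the obvious generalisation.
SUSPECT_DIRS = ("/home/", "/root/", "/tmp/", "/var/tmp/", "/dev/shm/")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
PATH_IN_SHELL = re.compile(r"(?:/|\./)[^\s;&|'\"]+")


def parse_entry(line):
    """Split a crontab line into (schedule, command); None for comments, blanks and env lines."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    if line.startswith("@"):                       # @reboot, @daily, ...
        sched, _, cmd = line.partition(" ")
    else:
        parts = line.split(None, 5)
        if len(parts) < 6:
            return None
        sched, cmd = " ".join(parts[:5]), parts[5]
    return sched, cmd.strip()


def command_paths(cmd):
    """Paths referenced by the command, including inside `sh -c "..."` wrappers."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:                             # unbalanced quotes: fall back to a plain split
        tokens = cmd.split()
    paths = [t for t in tokens if t.startswith(("/", "./"))]
    for i, t in enumerate(tokens):
        if t == "-c" and i + 1 < len(tokens):
            paths += PATH_IN_SHELL.findall(tokens[i + 1])
    return paths


def in_suspect_dir(path):
    return path.startswith("./") or any(path == d.rstrip("/") or path.startswith(d) for d in SUSPECT_DIRS)


def audit_entry(sched, cmd):
    reasons = []
    for p in command_paths(cmd):
        if in_suspect_dir(p):
            reasons.append(f"runs from user-writable location: {p}")
        if "/." in p:
            reasons.append(f"hidden directory component: {p}")
    if sched == "@reboot":
        reasons.append("@reboot persistence")
    return reasons


def audit(crontabs):
    """crontabs: {user: crontab text}. Returns the entries that deserve a look."""
    findings = []
    for user, text in crontabs.items():
        for line in text.splitlines():
            entry = parse_entry(line)
            if entry is None:
                continue
            sched, cmd = entry
            reasons = audit_entry(sched, cmd)
            if reasons:
                findings.append({"user": user, "schedule": sched, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CRONTABS):
        print(f"{f['user']:10} {f['schedule']:14} {f['command']}")
        for r in f["reasons"]:
            print("    -", r)
```

Feed it the output of `crontab -l` for every account, plus the files under /etc/cron.d, and treat any hit on a service account as a prompt to pull the referenced binary for analysis rather than just deleting the line.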
IOCs
2f2fda8895e69ceabeb1cf566b9a3ae5_browsing784657cc84aa07f42311bb5ef776debfXxX130Elf·elf
MD5: 11e2d7a8d678cd72e6e5286ccfb4c833
SHA1: 9b28c9842febf26841d4e5ce895fcfae90c3f4fb
SHA256: 2f2fda8895e69ceabeb1cf566b9a3ae5784657cc84aa07f42311bb5ef776debf
2f2fda8895e69ceabeb1cf566b9a3ae5_edr784657cc84aa07f42311bb5ef776debfXxX130Elf·elf
MD5: 11e2d7a8d678cd72e6e5286ccfb4c833
SHA1: 9b28c9842febf26841d4e5ce895fcfae90c3f4fb
SHA256: 2f2fda8895e69ceabeb1cf566b9a3ae5784657cc84aa07f42311bb5ef776debf
Seedworm Iranian Hackers Target Telecoms Orgs in North and East Africa
Symantec has released new evidence of an Iranian espionage group, Seedworm, targeting telecommunications companies in North and East Africa, and of the MuddyC2Go backdoor, which is believed to have been used by Seedworm.
IOCs
3916ba913e4d9a46cfce43_browsing7b18735bbb5cc119cc97970946a1ac4eab6ab39230XxX2Exe·exe
MD5: 3579e899e6fae7d641d4e7ea7c0ae90e
SHA1: b01e8110090246e44c0cadf37d2e9334e1dc9cef
SHA256: 3916ba913e4d9a46cfce437b18735bbb5cc119cc97970946a1ac4eab6ab39230
1a082_browsing7082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdacaXxX1Dll·dll
MD5: a0074df7d2690db277847257392459c1
SHA1: 54083e4f3feb443c3bd160b3bf46b9d8f61c389b
SHA256: 1a0827082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdaca
1a082_edr7082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdacaXxX1Dll·dll
MD5: a0074df7d2690db277847257392459c1
SHA1: 54083e4f3feb443c3bd160b3bf46b9d8f61c389b
SHA256: 1a0827082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdaca
Cert IL Alert – Phishing impersonating F5
The National Cyber Directorate has received reports of a targeted phishing campaign impersonating the company F5. The attacker's messages include a link to download a file, which in turn downloads wiper malware onto the user's workstation. This alert is accompanied by an identifying file; it is highly recommended to block it in all relevant organizational security systems. Avoid activating any link of this type, and report any similar messages to the National Cyber Directorate.
IOCs
fe0_browsing7dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2XxX1Exe·exe
MD5: 2ff97de7a16519b74113ea9137c6ba0c
SHA1: 5def5e492435cfd423e51515925d17285b77cdbc
SHA256: fe07dca68f288a4f6d7cbd34d79bb70bc309635876298d4fde33c25277e30bd2
e28085e8d64bb_browsing737721b1a1d494f177e571c47aab7c9507dba38253f6183af35XxX2Exe·exe
MD5: 8678cca1ee25121546883db16846878b
SHA1: db38eeb9490cc7946b3ed0cf3759acb41666bdc3
SHA256: e28085e8d64bb737721b1a1d494f177e571c47aab7c9507dba38253f6183af35
ad66251d9e8_browsing792cf4963b0c97f7ab44c8b68101e36b79abc501bee1807166e8aXxX4Zip·zip
MD5: 04ca69ec86453bdea484e1c1edc3f883
SHA1: b57a6098e56961f1800c9d485117e9a7cd4eeddd
SHA256: ad66251d9e8792cf4963b0c97f7ab44c8b68101e36b79abc501bee1807166e8a
US Cert Alert – Play Ransomware
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are releasing this joint CSA to disseminate the Play ransomware group's IOCs and TTPs identified through FBI investigations as recently as October 2023.
Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America and Europe.
As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.
In Australia, the first Play ransomware incident was observed in April 2023 and the most recent in November 2023. The Play ransomware group is presumed to be a closed group designed to "guarantee the secrecy of deals", according to a statement on the group's data leak website.
Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data.
Ransom notes do not include an initial ransom demand or payment instructions; instead, victims are instructed to contact the threat actors via email.
IOCs
4_browsing7c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57XxX2Exe·exe
MD5: 57bcb8cfad510109f7ddedf045e86a70
SHA1: e6c381859f53d0c0db9fcd30fa601ecb935b93e0
SHA256: 47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57
7a42f96599df8090cf89d6e3ce4316d24c6c00e499c855_browsing7a2e09d61c00c11986XxX4Dll·dll
MD5: 4412f230da1a3954d5065395b512ff49
SHA1: b86f648484364d6dbd0f42b526d4f25814ff00e7
SHA256: 7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986
7dea6_browsing71be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8acaXxX6Dll·dll
MD5: 8fcb6fb21b4326466378991e42ce9865
SHA1: dd27145d9e4ec4a921b664183a9cbebee568c234
SHA256: 7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca
Mallox Ransomware Resurrected To Burden Enterprises
Mallox operates under a Ransomware-as-a-Service (RaaS) model, using underground forums such as Nulled and RAMP to advertise and recruit affiliates. The group targets vulnerable and publicly exposed services, focusing in particular on MS-SQL and ODBC interfaces.
They exploit specific vulnerabilities such as CVE-2019-1068 and CVE-2020-0618 in Microsoft SQL Server and brute-force weakly configured services.
Mallox affiliates also use phishing emails to deliver attack frameworks such as Cobalt Strike and Sliver. After gaining access, they execute PowerShell commands and use batch scripts to download ransomware payloads.
The group's variants, consistent from 2021 onwards, share a core set of functionalities, and recent payloads are labeled "Mallox.Resurrection". Encrypted files receive a .mallox extension, and a ransom note is dropped in each folder containing locked files, instructing victims on how to obtain a decryption tool via TOR. Non-compliance with ransom demands may lead to the exposure of data on Mallox's data leak site.
IOCs
22816dc4dda6beec453e9a48520842b8409c54933cc81f1a338bc_browsing77199ab917eXxX15Bat·bat
MD5: 0e115cd39c3c92a0c3736555c022c7f3
SHA1: 3fa79012dfdac626a19017ed6974316df13bc6ff
SHA256: 22816dc4dda6beec453e9a48520842b8409c54933cc81f1a338bc77199ab917e
ccac4ad01b0c8_browsing72a90f85f22fbeedde04c46bb1839f417156bb64fd85ae136b5XxX23Exe·exe
MD5: 550ff249ae479d9fd36fe9d988ecd6ef
SHA1: 4fcfb65cb757c83ed91bc01b3f663072a52da54b
SHA256: ccac4ad01b0c872a90f85f22fbeedde04c46bb1839f417156bb64fd85ae136b5
634043ca_browsing72cd2b6a4d7a1cfe2aa12b7cd8c8348055fbc38c7d8006602ac66b87XxX25Exe·exe
MD5: 170685388eaeda42cf6b27c427165069
SHA1: 88f8629423efe84e2935eb71d292e194be951a16
SHA256: 634043ca72cd2b6a4d7a1cfe2aa12b7cd8c8348055fbc38c7d8006602ac66b87
Improperly Managed Linux SSH Servers Under Attack
Researchers analyzed a series of attacks targeting poorly managed Linux SSH servers.
Attackers first need to acquire information about the target, such as IP addresses and SSH credentials, before installing malicious code including coin miners and DDoS bots. They do this by scanning for IP addresses with active SSH services and then performing brute-force or dictionary attacks to discover ID/password pairs.
The more coin miners and DDoS bots the attackers control, the more virtual currency they can mine and the stronger the DDoS attacks they can perform. To install more of them, however, they need more target information and credentials. Attackers therefore also install malicious code that performs scanning and brute-force attacks from the systems they have already compromised, expanding their pool of targets. They may also sell the acquired target IP and credential information on the dark web.
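The brute-force phase described above leaves a very recognisable trail in sshd's log, and the moment that matters most is a successful login from a source that was just failing. The following Python script is an added example (not from the report or from Cymulate) that runs a sliding-window failure count per source IP over auth.log lines and raises a separate, higher-priority alert when an "Accepted" line follows a flagged burst. The log lines, host name and addresses are constructed; the year is assumed because syslog timestamps carry none, and the threshold and window are starting points to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not from the report): one source hammering root and guessed
# account names and then logging in; one legitimate user with a single typo.
SAMPLE_LOG = """\
Dec 12 03:14:01 web1 sshd[2310]: Failed password for root from 198.51.100.23 port 51522 ssh2
Dec 12 03:14:02 web1 sshd[2312]: Failed password for invalid user admin from 198.51.100.23 port 51530 ssh2
Dec 12 03:14:03 web1 sshd[2314]: Failed password for invalid user oracle from 198.51.100.23 port 51538 ssh2
Dec 12 03:14:04 web1 sshd[2316]: Failed password for root from 198.51.100.23 port 51544 ssh2
Dec 12 03:14:05 web1 sshd[2318]: Failed password for root from 198.51.100.23 port 51551 ssh2
Dec 12 03:14:09 web1 sshd[2320]: Accepted password for root from 198.51.100.23 port 51570 ssh2
Dec 12 03:20:00 web1 sshd[2402]: Failed password for alice from 192.0.2.7 port 40000 ssh2
Dec 12 03:20:05 web1 sshd[2404]: Accepted publickey for alice from 192.0.2.7 port 40001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
OK_RE = re.compile(r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse_ts(text, year=2023):
    # syslog timestamps carry no year; the constructed data is December 2023 (assumption)
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def detect(lines, threshold=5, window_s=60):
    """Return alerts: a brute-force burst per source IP, and any login that follows one."""
    fails = defaultdict(deque)   # source IP -> timestamps of failures inside the window
    users = defaultdict(set)     # source IP -> account names it tried (enumeration evidence)
    flagged = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        f = FAIL_RE.match(msg)
        if f:
            ip, q = f["ip"], fails[f["ip"]]
            q.append(ts)
            users[ip].add(f["user"])
            while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "time": ts,
                               "users": sorted(users[ip])})
            continue
        a = OK_RE.match(msg)
        if a and a["ip"] in flagged:
            # The attack chain on this page only matters once a guess works: escalate.
            alerts.append({"type": "success_after_brute_force", "ip": a["ip"],
                           "user": a["user"], "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one to page on: a burst of failures from an internet scanner is background noise on any exposed host, whereas a success from the same source means a credential was guessed and the miner or bot install described above is likely already under way.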
IOCs
78da0f82a258292d_browsing758bde05fa98e13ae15aedc8c8529f1e008cfb27b60e0f8eXxX6Elf·elf
MD5: dfa3dcb5b825f5622e54bd09be73b6ed
SHA1: 1a42fe1bf3dcf1d7dd4245576ec251cecbbb97c1
SHA256: 78da0f82a258292d758bde05fa98e13ae15aedc8c8529f1e008cfb27b60e0f8e
2ef26484ec9e_browsing70f9ba9273a9a7333af195fb35d410baf19055eacbfa157ef251XxX4Elf·elf
MD5: 45901e5b336fd0eb79c6decb8e9a69cb
SHA1: a9c7d059a22fed787f48698c5c10b0b5146f616d
SHA256: 2ef26484ec9e70f9ba9273a9a7333af195fb35d410baf19055eacbfa157ef251
14_browsing779e087a764063d260cafa5c2b93d7ed5e0d19783eeaea6abb12d17561949aXxX8Elf·elf
MD5: 946689ba1b22d457be06d95731fcbcac
SHA1: e998494f91b08b52b28fe3304e9322962e3d1b58
SHA256: 14779e087a764063d260cafa5c2b93d7ed5e0d19783eeaea6abb12d17561949a
Rhadamanthys Information Stealer Deep Dive
The Rhadamanthys stealer, sold on the black market, has recently been updated to version 0.5.0, showcasing expanded stealing capabilities and the introduction of general-purpose spying functions. This multi-layer malware employs a new plugin system that lets it be adapted to specific distributors' needs. The initial loader, a 32-bit Windows executable, was largely rewritten but retains similarities with the previous version (0.4.9).
Notably, the malware now checks the executable's name to detect automated analysis in sandboxes, exiting immediately if the name has hash-like characteristics. The XS1 format reveals a component in the second stage of the loading process, featuring changes in string dumping and using a decoded buffer containing a C2 URL. The update introduces TLS (Thread Local Storage) for temporary buffers, facilitating the deobfuscation of data such as strings.
IOCs
bb8bbcc948e8dca2e5a02_browsing70c41c062a29994a2d9b51e820ed74d9b6e2a01ddcfXxX30Exe·exe
MD5: b2dc71aeb389c4c5f6b3699163ea1d0f
SHA1: 578239aefa2c93cae72624754146e8f3e275fa5e
SHA256: bb8bbcc948e8dca2e5a0270c41c062a29994a2d9b51e820ed74d9b6e2a01ddcf
bb8bbcc948e8dca2e5a02_edr70c41c062a29994a2d9b51e820ed74d9b6e2a01ddcfXxX30Exe·exe
MD5: b2dc71aeb389c4c5f6b3699163ea1d0f
SHA1: 578239aefa2c93cae72624754146e8f3e275fa5e
SHA256: bb8bbcc948e8dca2e5a0270c41c062a29994a2d9b51e820ed74d9b6e2a01ddcf
SHA256: fcb00beaa88f7827999856ba12302086cadbc1252261d64379172f2927a6760e
Curse Of The Krasue – New Linux Remote Access Trojan Targets Thailand
A new Linux remote access trojan named Krasue has been discovered targeting telecom companies in Thailand. Krasue is designed to maintain covert access to victim networks by concealing its presence during the initialization phase. The initial access vector is unknown but may involve vulnerability exploitation, credential brute-force attacks or bundling in a fake software package.
Krasue uses a rootkit derived from open-source projects such as Diamorphine, Suterusu and Rooty to achieve persistence on the host and evade detection. The trojan sends RTSP messages as disguised alive pings, a tactic rarely seen. Krasue's command-and-control communications allow it to designate a communicating IP as its master upstream C2 server and to terminate itself.
Source code similarities with another Linux malware family, XorDdos, suggest a common origin.
IOCs
b6db6_browsing702ca85bc80599d7f1d8b1a9b6dd56a8e87c55fc831dc9c689e54b8205dXxX12Elf·elf
MD5: 5055925b5bcd715d5b70b57fdbeda66b
SHA1: eddb4476ca610f3c5e895f4811c9744704552d2f
SHA256: b6db6702ca85bc80599d7f1d8b1a9b6dd56a8e87c55fc831dc9c689e54b8205d
902013bc59be545fb_browsing70407e8883717453fb423a7a7209e119f112ff6771e44ccXxX11Elf·elf
MD5: 7b756fff0eedc91deba968e308e13081
SHA1: 5c517edad3fb295e1fd92ed5cb16e132d1473132
SHA256: 902013bc59be545fb70407e8883717453fb423a7a7209e119f112ff6771e44cc
ed38a61a6b_browsing7af436120465d352baa4cdf4ed8f01a7db7245b6254353e52f818fXxX10Elf·elf
MD5: 100a5f3875e430f6de03d99752fbb6a7
SHA1: 051bc3273a20a53d730a3beaff2fadcd38d6bb85
SHA256: ed38a61a6b7af436120465d352baa4cdf4ed8f01a7db7245b6254353e52f818f
US Cert Alert – Russian Foreign Intelligence Service SVR Exploiting JetBrains TeamCity CVE Globally
Russia's Foreign Intelligence Service (SVR) is targeting servers hosting JetBrains TeamCity software, according to the Cybersecurity and Infrastructure Security Agency (CISA), the US government agency responsible for cybersecurity.
IOCs
0296e2ce999e6_browsing7c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5XxX1Exe·exe
MD5: c996d7971c49252c582171d9380360f2
SHA1: c948ae14761095e4d76b55d9de86412258be7afd
SHA256: 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5
620d2bf14fe345eef618fdd1dac242b3a0bb65ccb_browsing75699fe00f7c671f2c1d869XxX7Dll·dll
MD5: 98a082e95628b51307343581cfb7eac7
SHA1: d4411f70e0dcc2f88d74ae7251d51c6676075f6f
SHA256: 620d2bf14fe345eef618fdd1dac242b3a0bb65ccb75699fe00f7c671f2c1d869
8afb_browsing71b7ce511b0bce642f46d6fc5dd79fad86a58223061b684313966efef9c7XxX18Dll·dll
MD5: 347b4f985414ca9f78bbbbff002e3ec6
SHA1: a4b03f1e981ccdd7e08e786c72283d5551671edf
SHA256: 8afb71b7ce511b0bce642f46d6fc5dd79fad86a58223061b684313966efef9c7
Editbot Stealer Spreads Via Social Media Messages
Researchers discovered an attack campaign targeting social media users. The campaign is a multi-stage attack in which each phase has a distinct role, such as evading detection, downloading additional payloads or gaining persistence on the victim's system. The threat actors use open-source code-sharing platforms such as GitLab to host the next-stage payloads.
The downloaded payload is a Python-based stealer designed to steal process information and browser-stored data such as passwords, cookies and web data. It uses a Telegram channel to exfiltrate the stolen information to the threat actors. The scam is themed around a defective product that must be sent back. As users comment on or like posts within these fake pages or groups, they inadvertently expand the reach of the fraudulent content, causing it to appear in their networks' news feeds and helping the threat actors spread the scam to a broader audience.
IOCs
bc3993_browsing769a5f82e454acef92dc2362c43bf7d6b6b203db7db8803faa996229aaXxX39Bat·bat
MD5: c3a447c5c6c73d80490347c1b4afe9d5
SHA1: cf019e96e16fdaa504b29075aded36be27691956
SHA256: bc3993769a5f82e454acef92dc2362c43bf7d6b6b203db7db8803faa996229aa
9d048e99bed4ced4f3_browsing7d91a29763257a1592adb2bc8e17a66fa07a922a0537d0XxX37Zip·zip
MD5: f23465088d26e90514b5661936016c05
SHA1: 93d70f02b2ee2c4c2cd8262011ed21317c7d92de
SHA256: 9d048e99bed4ced4f37d91a29763257a1592adb2bc8e17a66fa07a922a0537d0
3f_browsing7bd47fbbf1fb0a63ba955c8f9139d6500b6737e5baf5fdb783f0cedae94d6dXxX33Py·py
MD5: 669e7ac187fb57c4d90b07d9a6bb1d42
SHA1: eed59a282588778ffbc772085b03d229a5d99e35
SHA256: 3f7bd47fbbf1fb0a63ba955c8f9139d6500b6737e5baf5fdb783f0cedae94d6d
New Tool Set Found Used Against Middle East Africa And The US
A new tool set used by nation-state hackers to steal user credentials and access confidential information has been identified by researchers at Palo Alto Networks.
IOCs
7eb901a6dbf41bcb2e0cdcbb6_browsing7c53ab722604d6c985317cb2b479f4c4de7cf90XxX14Dll·dll
MD5: fd37b309870f9fb200232b1051431831
SHA1: 70150eccf32da8a463ae5b757c86e9ff2b4b000e
SHA256: 7eb901a6dbf41bcb2e0cdcbb67c53ab722604d6c985317cb2b479f4c4de7cf90
3a2d0e5e4bfd6db9c45f094a638d1f1b9d0_browsing7110b9f6eb8874b75d968401ad69cXxX11Exe·exe
MD5: 231867ad872656f37938d23002f8e9e3
SHA1: 09b300b77bd155a398b543385d8beaf428928f7a
SHA256: 3a2d0e5e4bfd6db9c45f094a638d1f1b9d07110b9f6eb8874b75d968401ad69c
bcd2bdea2bfecd09e258b8_browsing777e3825c4a1d98af220e7b045ee7b6c30bf19d6dfXxX1Dll·dll
MD5: c49d5658f785b2cc9608755d5ace2add
SHA1: 6eb12947a536625a39835725dadffd6fefa12802
SHA256: bcd2bdea2bfecd09e258b8777e3825c4a1d98af220e7b045ee7b6c30bf19d6df
Lazarus Operation Blacksmith Campaign Uses DLang Malware
Researchers have uncovered a campaign dubbed “Operation Blacksmith” orchestrated by the Lazarus Group. This operation involves three newly identified DLang-based malware families.
Two of them are remote access trojans (RATs): one, named “NineRAT”, uses Telegram bots and channels for command and control (C2) communication, and the other, labeled “DLRAT”, operates without Telegram. Additionally, a DLang-based downloader known as “BottomLoader” was identified.
The campaign involves the opportunistic targeting of global enterprises that expose vulnerable infrastructure, particularly those susceptible to n-day vulnerabilities such as CVE-2021-44228 (Log4j). Lazarus has been observed targeting various industries, including manufacturing, agriculture, and physical security companies.
IOCs
4_browsing7e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30XxX11Exe·exe
MD5: 12e399411185e386c863954eaa6f6595
SHA1: 8cf133d72ba6d476e28dfc18e3ba13dc15f99071
SHA256: 47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30
534f5612954db99c86baa6_browsing7ef51a3ad88bc21735bce7bb591afa8a4317c35433XxX7Exe·exe
MD5: 96d98c83daf368066efe3dd41a0dc622
SHA1: be49443603068d9913b4634126749217df6a695e
SHA256: 534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433
000_browsing752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eeeXxX1Exe·exe
MD5: 19a05a559b0c478f3049cd414300a340
SHA1: fadbbb63e948b5b3bbbaeedc77e69472143a3b86
SHA256: 000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee
Kinsing Used To Exploit ActiveMQ CVE-2023-46604 Vulnerability In Cryptomining Operations
A vulnerability publicized in October 2023 and tracked as CVE-2023-46604 is being exploited to deliver Kinsing malware. Once a target is identified by the attackers' vulnerability scans, the attackers exploit the OpenWire module in ActiveMQ to retrieve an XML file from an attacker-controlled web server. Upon execution of the unauthorized code, cURL is used to retrieve additional shell scripts that perform various functions on victim systems.
Additionally, upon execution a script downloads a rootkit, removes other malware, downloads and executes Kinsing, establishes persistence, and manipulates firewall rules. The Kinsing malware then downloads and installs a cryptominer as well as scripts that allow network traversal and further infection of the victim infrastructure. Analysis of the Kinsing malware revealed payload repositories, C2 infrastructure, and attacker machines, which are used primarily to target additional vulnerable servers.
The malware itself is not obfuscated and contains a multitude of functions, including C2 URL retrieval, network scanning, and Redis server brute forcing; however, Kinsing appears to be focused mainly on the deployment of cryptominers and monetary gain.
IOCs
6fc94d8aecc538b1d099a429fb68ac20d_browsing7b6ae8b3c7795ae72dd2b7107690b8fXxX27Elf·elf
MD5: c82bb3c68f7a033b407aa3f53827b7fd
SHA1: 6296e8ed40e430480791bf7b4fcdafde5f834837
SHA256: 6fc94d8aecc538b1d099a429fb68ac20d7b6ae8b3c7795ae72dd2b7107690b8f
c38c21120d8c1_browsing7688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808aXxX23So·so
MD5: ccef46c7edf9131ccffc47bd69eb743b
SHA1: 38c56b5e1489092b80c9908f04379e5a16876f01
SHA256: c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a
b9e_browsing79bb09995a9dd2f5a22dc2e59738696e2be2204ec92a2881fb3fa70e0160fXxX31Elf·elf
MD5: e40a01bfe85f6c6820a7da523e747e23
SHA1: 36ef9de431202e643f3410b5906bb23607e7df90
SHA256: b9e79bb09995a9dd2f5a22dc2e59738696e2be2204ec92a2881fb3fa70e0160f
DanaBot Found Deploying IcedID
In early November 2023, researchers identified the presence of DanaBot, a sophisticated banking Trojan known for stealing banking credentials and personal information and featuring a hidden Virtual Network Computing (hVNC) capability. DanaBot was used to deliver IcedID, a well-established banking Trojan with a history dating back to 2017.
The initial infection occurred through a drive-by download, wherein a user searching for a Webex installer inadvertently visited a fraudulent website distributing the payload named Webex.zip. The execution of webex.exe initiated a series of actions, including side-loading a malicious DLL (sqlite3·dll), decrypting and decompressing the contents of the rash·docx file, injecting into explorer·exe via Process Doppelgänging, and finally running the DanaBot payload.
IOCs
e_browsing7351978a0011be925a7831e37a82750c51b2ef5e913b42d69b3d509fe8e6b8aXxX7Zip·zip
MD5: 4be85751a07081de31f52329c2e2ddc8
SHA1: ed668d305bbb8029c0a828fb0b319d5c39d03a64
SHA256: e7351978a0011be925a7831e37a82750c51b2ef5e913b42d69b3d509fe8e6b8a
15986433fce_browsing7359a77d7be49376a88bc208c854b2cfb2cfd011648ad6713a188XxX5Dll·dll
MD5: 350915536540a76d44ce12dc03450424
SHA1: a7ebf777bc4b6562f353feac90a193f7bb31e17d
SHA256: 15986433fce7359a77d7be49376a88bc208c854b2cfb2cfd011648ad6713a188
995e48d1f943288e14b_browsing7d4331ffadfb112c2fdde7ee2ad046c1d7dc2e9b6716aXxX3Dll·dll
MD5: 4ca6db064effc1730299a0f20531e49c
SHA1: 31d0db4b51fa0190c319013693d6ab082e0f3646
SHA256: 995e48d1f943288e14b7d4331ffadfb112c2fdde7ee2ad046c1d7dc2e9b6716a
ParaSiteSnatcher – How Malicious Chrome Extensions Target Brazil
Trend Micro's investigations into potential security threats uncovered a malicious Google Chrome extension that they named ParaSiteSnatcher. The ParaSiteSnatcher framework allows threat actors to monitor, manipulate, and exfiltrate highly sensitive information from multiple sources.
ParaSiteSnatcher also utilizes the powerful Chrome Browser API to intercept and exfiltrate all POST requests containing sensitive account and financial information before the HTTP request initiates a Transmission Control Protocol (TCP) connection.
IOCs
88_browsing7c167569c786b1639d87e0f624ce4af939baf67e1113bedde7226c744dbb38XxX4Txt·txt
MD5: 5fd2109a94fb5138d9f43e1689e6769c
SHA1: 3129858e7d71d53b0503ae1b0253447ed426cd29
SHA256: 887c167569c786b1639d87e0f624ce4af939baf67e1113bedde7226c744dbb38
72f32_browsing7f62710f60f43569741c2cb391b833b44c4dafe1f5d5c085a39c485b5dfXxX35Txt·txt
MD5: a4f5fb28a60f93673ea090793548f40d
SHA1: be00952c204ee5f14d472da9a3a110fd6ca84f26
SHA256: 72f327f62710f60f43569741c2cb391b833b44c4dafe1f5d5c085a39c485b5df
1ebfe_browsing73932122e898c30098be4384a0fc9150565c3a340750b37b121ea7a55faXxX17Txt·txt
MD5: 6f0310639f969ac520eb3870f81769fa
SHA1: 12db9eef907477b89f0781092f48402e0b3345dd
SHA256: 1ebfe73932122e898c30098be4384a0fc9150565c3a340750b37b121ea7a55fa
UAC-0050 Delivers RemcosRAT Or MeduzaStealer To Polish Targets In Mass Phishing Campaign
A spearphishing campaign detected in early December 2023 targeted Polish authorities with a mass distribution of malicious emails whose subjects related to judicial claims and debts.
The emails contained password-protected archive attachments, which included an executable that infected the recipient's machine with malware such as RemcosRAT or MeduzaStealer. The attackers made use of software packers like AutoIt and delivered the campaign using legitimate but compromised accounts, including those with the gov.ua domain, to send these malicious emails.
IOCs
4cc6fb5b5f41652_browsing7296a4b2a84a6da92ce97dcca7db03f9e1c526048443453d2XxX144Exe·exe
MD5: fad0fac025dc107d194710bf4d71fe93
SHA1: 951993a2351f5fc7374eb38d6610006959a46692
SHA256: 4cc6fb5b5f416527296a4b2a84a6da92ce97dcca7db03f9e1c526048443453d2
8a2443_browsing79c63cf5ae11f1c79cb7834374f76fd1c6ebed293d0569102d5d6308aaXxX148Exe·exe
MD5: 33f28845863fa59c79b3ac8669722b68
SHA1: 3126f302f29279f2e37df6ba4bbc125a0070c03c
SHA256: 8a244379c63cf5ae11f1c79cb7834374f76fd1c6ebed293d0569102d5d6308aa
3c99a4a03bd_browsing7c9b54ef6c2262dad042bb04f3f61f2453d336201c8e086606085XxX160Rar·rar
MD5: 573806ca8fe46711550de2e961e09145
SHA1: dc45229bca6b9c65d508a6855bfcb24d80fde19b
SHA256: 3c99a4a03bd7c9b54ef6c2262dad042bb04f3f61f2453d336201c8e086606085
APT28 Carries Out High Volume Phishing Campaigns Against Sectors Across Europe And North America
Researchers have detected ongoing phishing activity by the threat actor TA422 (also known as APT28, or by aliases such as Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta).
TA422 exploits patched vulnerabilities to conduct high-volume campaigns, primarily targeting the government, aerospace, education, finance, manufacturing, and technology sectors in Europe and North America.
The actor uses these vulnerabilities, including CVE-2023-23397 and CVE-2023-38831, to gain initial access, potentially revealing user credentials or facilitating follow-on activities.
TA422 is linked to the Russian General Staff Main Intelligence Directorate (GRU), according to the United States Intelligence Community.
IOCs
9a_browsing798e0b14004e01c5f336aeb471816c11a62af851b1a0f36284078b8cf09847XxX16Dll·dll
MD5: 2b9d21311c803ca26fa9741b37882c11
SHA1: e9db80181b228d347e8a0c1f5fd3487c143bfd3f
SHA256: 9a798e0b14004e01c5f336aeb471816c11a62af851b1a0f36284078b8cf09847
7_browsing7cf5efde721c1ff598eeae5cb3d81015d45a74d9ed885ba48330f37673bc799XxX26Zip·zip
MD5: 2b02523231105ff17ea07b0a7768f3fd
SHA1: c3b5e844012346c881e7c7ed6b210f69f1d3d9fb
SHA256: 77cf5efde721c1ff598eeae5cb3d81015d45a74d9ed885ba48330f37673bc799
339ff_browsing720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5XxX24Bat·bat
MD5: da8947f86da80b4c619c6fdf8a99d8e9
SHA1: b789e7345edf110a5ac67456a34b409062f150cc
SHA256: 339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5
US Cert Alert – Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 For Initial Access To Government Servers
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier).
CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, they are no longer supported since they reached end of life. Exploitation of this CVE can result in arbitrary code execution. Following the FCEB agency's investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023.
IOCs
a3acb9f_browsing79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864XxX1Exe·exe
MD5: ba69669818ef9ccec174d647a8021a7b
SHA1: b6818d2d5cbd902ce23461f24fc47e24937250e6
SHA256: a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864
a3acb9f_edr79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864XxX1Exe·exe
MD5: ba69669818ef9ccec174d647a8021a7b
SHA1: b6818d2d5cbd902ce23461f24fc47e24937250e6
SHA256: a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864
be332b6e2e2ed9e1e57d8aafa0c00aa77d4b8656
New BlueNoroff Loader For MacOS
A new type of malicious loader from BlueNoroff that targets Apple's operating system has been discovered; it spreads its malicious payload via a PDF file.
IOCs
c_browsing7f4aa77be7f7afe9d0665d3e705dbf7794bc479bb9c44488c7bf4169f8d14feXxX71Macho·macho
MD5: d8011dcca570689d72064b156647fa82
SHA1: 060a5d189ccf3fc32a758f1e218f814f6ce81744
SHA256: c7f4aa77be7f7afe9d0665d3e705dbf7794bc479bb9c44488c7bf4169f8d14fe
36001b8b9e05935_browsing756fa7525dd49d91b59ea882efe5a2d23ccec35fef96138d4XxX80Zip·zip
MD5: b1e01ae0006f449781a05f4704546b34
SHA1: 884cebf1ad0e65f4da60c04bc31f62f796f90d79
SHA256: 36001b8b9e05935756fa7525dd49d91b59ea882efe5a2d23ccec35fef96138d4
c556baaac_browsing706191ce75c9263b349242caa3d8efca7b5639896fa3e6570d7c76eXxX69Zip·zip
MD5: 3b3b3b9f7c71fcd7239abe90c97751c0
SHA1: 5c93052713f317431bf232a2894658a3a4ebfad9
SHA256: c556baaac706191ce75c9263b349242caa3d8efca7b5639896fa3e6570d7c76e
WSF Script Used To Distribute AsyncRAT
The AhnLab Security Emergency Response Center (ASEC) has identified a new variant of the AsyncRAT malware being distributed via WSF scripts. The malware is delivered through URL links embedded in emails, which download a compressed (.zip) file. Upon decompression, a .wsf file is revealed, which contains a script that downloads and executes a Visual Basic script.
This script then downloads a .jpg file (a .zip file in disguise) from the same C2 address, changes the file extension to .zip, decompresses it, and executes the Error.vbs file contained within.
The malware then sequentially executes other files, each with a specific role in the attack.
The final file, pwng·ps1, converts an internal string into a .NET binary and executes it.
This process involves injecting a malicious binary into a legitimate process (aspnet_compiler·exe), which is then used to perform the malware's functions.
The final payload is the AsyncRAT malware, which has information theft and backdoor capabilities. It maintains persistence through scheduled tasks and registry entries and collects information such as OS version, user details, antivirus product list, browser information, and cryptocurrency wallet information. The malware communicates with a C2 server whose address is encrypted within the file and only revealed at runtime.
The attacker uses a sophisticated fileless technique; users are advised to exercise caution when opening attachments or external links in emails and to use security products for monitoring and control.
IOCs
9de260_browsing716f318fa13874b0e8ad4b54bccb889433e23795d99aa4a47d320b0699XxX32Ps1·ps1
MD5: ac12d457d3ee177af8824cdc1de47f2a
SHA1: 43b48bb6cd7838151c1552523b1acb2a95fec4c8
SHA256: 9de260716f318fa13874b0e8ad4b54bccb889433e23795d99aa4a47d320b0699
a0064bdcf92b_browsing7c1a55a8e88fd4ecb38d27c4d602f7bf5feb18c2304d775d7387XxX34Bat·bat
MD5: 61b7507a6814e81cda6b57850f9f31da
SHA1: 316b99a2bf664ccd94eb050005975c52806d2163
SHA256: a0064bdcf92b7c1a55a8e88fd4ecb38d27c4d602f7bf5feb18c2304d775d7387
70029e8693a_browsing7a5608b442b1944a3f6c11fe2ff1949f26e3f6178472b87837d75XxX38Bat·bat
MD5: a31191ca8fe50b0a70eb48b82c4d6f39
SHA1: 921bd5cb08b5c6a77a28e2864417bb8cdefafbf0
SHA256: 70029e8693a7a5608b442b1944a3f6c11fe2ff1949f26e3f6178472b87837d75
Cert IL Alert – A Cyber-Attack Tool Used By A State-Sponsored Attack Group Found In Attacks On Israeli Infrastructure
Recently, Israel's National Cyber Directorate investigated a cyber-attack tool used by a state-sponsored attack group. The attacker targets various sectors of the economy, including technology and IT, academia, media, communication, and others.
IOCs
3308fbe0e_browsing7e49941f9d961ed29fd4e3ac432cb1538273cea7a8cedc1bf68c64dXxX1Exe·exe
MD5: e4bc92ff7416b82fc21825b30defba37
SHA1: b89f00d48d55ca97e95b7d511d177ab272525ed9
SHA256: 3308fbe0e7e49941f9d961ed29fd4e3ac432cb1538273cea7a8cedc1bf68c64d
3308fbe0e_edr7e49941f9d961ed29fd4e3ac432cb1538273cea7a8cedc1bf68c64dXxX1Exe·exe
MD5: e4bc92ff7416b82fc21825b30defba37
SHA1: b89f00d48d55ca97e95b7d511d177ab272525ed9
SHA256: 3308fbe0e7e49941f9d961ed29fd4e3ac432cb1538273cea7a8cedc1bf68c64d
Threat Actor Targets Macintosh Users Via Fake Browser Updates For Distributing Atomic Stealer
An unidentified threat actor launched a novel campaign that extensively targeted Macintosh users with Atomic MacOS Stealer via fake browser updates. The adversary mimicked the Google Chrome and Safari browsers to lure potential victims into downloading Atomic MacOS Stealer in order to gather sensitive information from compromised systems. The threat actor exfiltrated the lucrative information to an adversarial command and control (C2) server.
IOCs
be634e_browsing786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7bXxX51Dmg·dmg
MD5: c90631bbd0e2dc84776ca0450a173d05
SHA1: 6d0f18d0326d1a07fb84e3756a35c89e407b46b8
SHA256: be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b
5b5ffb0d2fb1f2de514_browsing7ec270d60a3ac3f02c36153c943fbfe2a3427ce39d13dXxX53Dmg·dmg
MD5: 14846b0bf9faea8f26e7c0332d43167c
SHA1: a7174b90058ea22e6ab7812b6c9ee8a7983563db
SHA256: 5b5ffb0d2fb1f2de5147ec270d60a3ac3f02c36153c943fbfe2a3427ce39d13d
4cb531bd83a1ebf4061c98f_browsing799cdc2922059aff1a49939d427054a556e89f464XxX49Dmg·dmg
MD5: 34643560a215ce876bcae133b5ba2ccd
SHA1: 24698fad7ff7c316e68a4fcb4c18e12157b25eed
SHA256: 4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464
North Korean Hackers Attacking MacOS Using Weaponized Documents
In 2023 North Korean threat actors intensified their focus on macOS through two major campaigns named RustBucket and KandyKorn.
IOCs
4_browsing7b8b4d55d75505d617e53afcb6c32dd817024be209116f98cbbc3d88e57b4d1XxX2Zip·zip
MD5: 90385d612877e9d360196770d73d22d6
SHA1: 09ade0cb777f4a4e0682309a4bc1d0f7d4d7a036
SHA256: 47b8b4d55d75505d617e53afcb6c32dd817024be209116f98cbbc3d88e57b4d1
51dd4efcf_browsing714e64b4ad472ea556bf1a017f40a193a647b9e28bf356979651077XxX6Macho·macho
MD5: 541341fc477523fed26e8b7edec1c6bb
SHA1: 46ac6dc34fc164525e6f7886c8ed5a79654f3fd3
SHA256: 51dd4efcf714e64b4ad472ea556bf1a017f40a193a647b9e28bf356979651077
2360a69e5fd_browsing7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1XxX5Macho·macho
MD5: 470275eaf344be97f9950c4c42a783ef
SHA1: 43f987c15ae67b1183c4c442dc3b784faf2df090
SHA256: 2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1
LUMMA Malware
In this InfoStealer attack, a threat actor leverages a multi-layered fake invoice campaign to distribute LUMMA malware. Perception Point's team of researchers recently investigated a malware attack that aimed to bypass threat detection engines.
IOCs
515ad6ad_browsing76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196bXxX1Exe·exe
MD5: 0563076ebdeaa2989ec50da564afa2bb
SHA1: ac14e7468619ed486bf6c3d3570bea2cee082fbc
SHA256: 515ad6ad76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196b
515ad6ad_edr76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196bXxX1Exe·exe
MD5: 0563076ebdeaa2989ec50da564afa2bb
SHA1: ac14e7468619ed486bf6c3d3570bea2cee082fbc
SHA256: 515ad6ad76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196b
http://224·0·0·252
Storm-0978 Weaponizes New CVE
During analysis of a July 2023 campaign targeting groups supporting Ukraine's admission into NATO, Unit 42 discovered a new vulnerability for bypassing Microsoft's Mark-of-the-Web (MotW) security feature. This activity has been attributed by the community to the pro-Russian APT group known as Storm-0978 (also known as the RomCom Group, in reference to their use of the RomCom backdoor). Further investigation revealed a new exploit method related to CVE-2023-36884 that can bypass MotW. Microsoft assigned CVE-2023-36584 (CVSS score 5) to this new vulnerability discovered during the investigation.
IOCs
3d0dae359325e8e96cf46459c38d0862_browsing79865457379bd6380523727db350de43XxX5Txt·txt
MD5: aaadc580be50b435cce383d3c1eb877d
SHA1: 5bb785b54f637566412783fd3b5f24bcdbc6694f
SHA256: 3d0dae359325e8e96cf46459c38d086279865457379bd6380523727db350de43
fd4fd44ff26e84ce658_browsing7413271cf7ff3960471a55eb0d51b0a9870b577d66f4aXxX11Html·html
MD5: c785ed40172b17944256d50dc40ff934
SHA1: db95d6f0146136a28278869a63fc434f9fc5cef3
SHA256: fd4fd44ff26e84ce6587413271cf7ff3960471a55eb0d51b0a9870b577d66f4a
e_browsing7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539XxX4Rtf·rtf
MD5: 3ca154da4b786a7c89704d0447a03527
SHA1: 98bb203c44421c89cdbbb54ea05602255ce7a61e
SHA256: e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539
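Every IoC list on this page uses the same layout: a file name whose leading hex is the sample's SHA256, followed by MD5/SHA1/SHA256 lines, with the occasional bare hash or URL, and with '.' written as '·'. Before such lists go into a SIEM watchlist it is worth parsing and sanity-checking them rather than pasting hashes by hand. The following is an added example, not Cymulate's code or tooling: a Python parser for that layout that restores the periods, separates sample hashes from bare hashes and network indicators, and cross-checks each file name's hex prefix against its SHA256 line. Stripping the `_browsing`/`_edr` tags from the file names, the "Constructed Broken Entry" section of the sample input, and the TEST-NET address in it are assumptions for the demonstration, not facts from the page.

```python
"""Parse the IoC blocks above into SIEM-ready rows. Added example, not Cymulate's code;
it assumes the page's layout (title, optional summary, "IOCs", then file names with
MD5/SHA1/SHA256 lines, plus bare hashes or URLs) with '.' written as '·'."""
import re
from dataclasses import dataclass, field

HEX = "[0-9a-fA-F]"
HASH_LINE = re.compile(rf"^(MD5|SHA1|SHA256):\s*({HEX}+)$")
BARE_HASH = re.compile(rf"^(?:{HEX}{{32}}|{HEX}{{40}}|{HEX}{{64}})$")
SAMPLE_NAME = re.compile(r"^[0-9a-fA-F_a-z]+XxX\d+[A-Za-z0-9]+·[A-Za-z0-9]+$")
NETWORK_IOC = re.compile(r"^(?:https?://|[0-9]+·[0-9]+·)")  # URL or dotted IP
NAME_TAG = re.compile(r"_(?:browsing|edr)")  # tags seen inside file names on this page
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}

@dataclass
class Sample:
    name: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex

@dataclass
class Section:
    title: str
    summary: list = field(default_factory=list)
    samples: list = field(default_factory=list)
    bare_hashes: list = field(default_factory=list)
    network: list = field(default_factory=list)

def parse_iocs(text: str) -> list:
    """Scan line by line, switching between prose mode and IoC-list mode."""
    sections, section, sample, in_iocs = [], None, None, False
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line == "IOCs":
            if section is None:  # IoC list with no heading above it
                sections.append(section := Section("(untitled)"))
            in_iocs, sample = True, None
            continue
        m = HASH_LINE.match(line) if in_iocs else None
        if m and sample is None:  # hash line with no file name above it
            section.bare_hashes.append(m.group(2).lower())
        elif m:
            sample.hashes[m.group(1)] = m.group(2).lower()
        elif in_iocs and BARE_HASH.match(line):
            section.bare_hashes.append(line.lower())
        elif in_iocs and NETWORK_IOC.match(line):
            section.network.append(line.replace("·", "."))  # restore the '.'
        elif in_iocs and SAMPLE_NAME.match(line):
            section.samples.append(sample := Sample(line.replace("·", ".")))
        elif in_iocs or section is None:  # anything else starts the next section
            sections.append(section := Section(line))
            in_iocs, sample = False, None
        else:
            section.summary.append(line)
    return sections

def validate(sections: list) -> list:
    """Flag missing or mis-sized hashes and file names whose leading hex (tag
    removed) differs from the SHA256 line, which is how the page names samples."""
    problems = []
    for sec in sections:
        for s in sec.samples:
            issues = [f"missing {a}" for a in EXPECTED_LEN if a not in s.hashes]
            issues += [f"{a} has {len(d)} hex chars" for a, d in s.hashes.items()
                       if len(d) != EXPECTED_LEN[a]]
            stem = NAME_TAG.sub("", s.name.lower()).split("xxx", 1)[0]
            if "SHA256" in s.hashes and stem != s.hashes["SHA256"]:
                issues.append("file name does not match SHA256 line")
            problems += [f"{sec.title}: {s.name}: {i}" for i in issues]
    return problems

def to_siem_rows(sections: list) -> list:
    """Flatten to (threat, indicator_type, value) tuples for a SIEM watchlist."""
    rows = []
    for sec in sections:
        for s in sec.samples:
            rows += [(sec.title, a.lower(), d) for a, d in sorted(s.hashes.items())]
        rows += [(sec.title, {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h), "hash"), h)
                 for h in sec.bare_hashes]
        rows += [(sec.title, "url" if n.startswith("http") else "ip", n)
                 for n in sec.network]
    return rows

# Constructed input: the first section is copied from the Editbot list above; the
# second is made up (TEST-NET address, dummy hashes) to exercise the validation paths.
SAMPLE = """\
Editbot Stealer Spreads Via Social Media Messages
Researchers discovered an attack campaign targeting social media users.
IOCs
bc3993_browsing769a5f82e454acef92dc2362c43bf7d6b6b203db7db8803faa996229aaXxX39Bat·bat
MD5: c3a447c5c6c73d80490347c1b4afe9d5
SHA1: cf019e96e16fdaa504b29075aded36be27691956
SHA256: bc3993769a5f82e454acef92dc2362c43bf7d6b6b203db7db8803faa996229aa
Constructed Broken Entry
IOCs
1111111111111111111111111111111111111111111111111111111111111111XxX1Exe·exe
MD5: 00000000000000000000000000000000
SHA1: 000000000000000000000000000000000000
SHA256: 0000000000000000000000000000000000000000000000000000000000000000
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
http://198·51·100·7
"""
```

Feeding the whole page text to `to_siem_rows(parse_iocs(...))` instead of `SAMPLE` yields one row per indicator, tagged with the threat it belongs to; anything `validate` reports for the page's own entries points at a hash or file name worth double-checking before it reaches a block list.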