Here is the July 2023 breakdown of threats, with a short list of IoCs. The full IoC list for each specific threat is available from the Cymulate app.
Reminder: The Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM list of IoCs, including hashes, URLs, domain names, etc.
Note: The ‘.’ in the file names has been replaced with a ‘·’ out of an abundance of security caution.
Table of Contents
The resurgence of the Ursnif banking Trojan
Ransomware delivery URLs top campaigns and trends
Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code
Amadey Threat Analysis and Detections
India Cert Alert – Mallox Ransomware Targeting Unsecured MS SQL Servers
Sliver C2 in circulation through domestic program developers
New Reptile Rootkit Malware Attacking Linux Systems Using Port Knocking
Fabricated Microsoft Crypto Wallet Phishing Site Spreads Infostealer
Ransomware Spotlight Play
First-ever Open-Source Software Supply Chain Attacks
Manipulated Caiman: The Sophisticated Snare of Mexico’s Banking Predator
DDoS Botnet Targets Zyxel Vulnerability (CVE-2023-28771)
A Look Into Space Pirates Unconventional Techniques Attack Vectors And Tools
The Turla APT Group Uses Multiple Malware Families To Exfiltrate Data (CERT-UA6981)
Ursnif campaign in Italy
UAC-0006 Distributes SmokeLoader Through Phishing Emails (CERT-UA6999)
Google Firebase Hosting Abused To Deliver Sorillus RAT
FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
Reverse Engineering Walkthrough | Analyzing A Sample Of Arechclient2
Trojanized Application Preying on TeamViewer Users
Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure GCP
APT36 Delivers Crimson RAT Using Pilgrimage Security Briefing Lure
Threat Actor Launches ScarLeteel 2.0
Attackers Exploit (CVE-2023-36884) Unpatched Windows Zero-Day Vulnerability
Infamous Meduza Stealer
Underground Team Ransomware Demands Millions
Threat Trend Report On Kimsuky
Unleashing WhiteSnake Stealer
US Cert Alert – (AA23-187A) Increased Truebot Activity Infects U.S. And Canada Networks
Buddyransome
Operation Brainleeches Targets Microsoft 365 Users
Threat Profile UNC3944
TeamTNT Targets Cloud Native Environments
PhonyC2 Framework Used By MuddyWater
The DPRK strikes using a new variant of RUSTBUCKET
Word Document with an Online Attached Template
The resurgence of the Ursnif banking Trojan
The Ursnif banking trojan, described as May’s most wanted malware, is making a resurgence across customer networks.
IoCs
Thebgjaficaah3_browsing7Gz·gz
SHA1: 73e5dbafa25946ed636e68d1733281e63332441d
MD5: 96f9d734c3cfdacceca70187cbc549b7
SHA256: 170e3e987e99867d8b4115b4a2d9dea074acb56383744d469a28c5611adeba22
Thebgjaficaah3_edr7Gz·gz
SHA1: 73e5dbafa25946ed636e68d1733281e63332441d
MD5: 96f9d734c3cfdacceca70187cbc549b7
SHA256: 170e3e987e99867d8b4115b4a2d9dea074acb56383744d469a28c5611adeba22
http://e9bja.com
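The listing format used throughout this page (a file name with ‘.’ written as ‘·’, followed by SHA1/MD5/SHA256 lines, with bare URLs as standalone indicators, and _browsing/_edr pairs that repeat the same digests) is simple enough to normalise before feeding a SIEM watchlist. The following Python script is an added example, not code from the original post or from Cymulate’s tooling: it restores the dots, validates digest lengths, merges the duplicate pairs by SHA256, and flattens the result into rows. The sample input is the Ursnif block above plus one constructed entry with a truncated hash to exercise the validation path.

```python
"""Normalise a Cymulate-style IoC listing into SIEM-ready indicators.

Added example, not code from the original post or from Cymulate. It handles
the conventions described at the top of the page: a file name with '.'
replaced by U+00B7 '·', followed by SHA1/MD5/SHA256 lines; bare URLs as
standalone indicators; and _browsing/_edr pairs that repeat identical
hashes, which are merged into one record.
"""
import re
from dataclasses import dataclass, field

MIDDLE_DOT = "\u00b7"
HASH_LINE_RE = re.compile(r"^(SHA1|MD5|SHA256):\s*([0-9A-Fa-f]+)\s*$")
HASH_LEN = {"SHA1": 40, "MD5": 32, "SHA256": 64}
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)


@dataclass
class FileIoc:
    names: list = field(default_factory=list)   # listing names with '·' restored
    hashes: dict = field(default_factory=dict)  # algo -> lowercase hex digest


def restore_name(raw):
    """Undo the page's '·' substitution so the name matches on-disk file names."""
    return raw.replace(MIDDLE_DOT, ".")


def parse_iocs(text):
    """Return (file_records, urls, errors) for the listing text.

    Records are keyed by SHA256 (falling back to the name) so a _browsing and
    an _edr entry carrying the same digests collapse into a single indicator.
    """
    entries, urls, errors = [], [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                errors.append(f"line {lineno}: {algo} with no preceding file name")
            elif len(digest) != HASH_LEN[algo]:
                errors.append(f"line {lineno}: {algo} has {len(digest)} hex chars, "
                              f"expected {HASH_LEN[algo]}")
            else:
                current.hashes[algo] = digest
        elif URL_RE.match(line):
            urls.append(line)
            current = None
        elif MIDDLE_DOT in line:
            # A listing file name; headings and summary prose never carry the middle dot.
            current = FileIoc(names=[restore_name(line)])
            entries.append(current)
        # anything else (section titles, "IoCs", summary text) is ignored

    merged = {}
    for e in entries:
        if not e.hashes:
            errors.append(f"{e.names[0]}: no valid hashes, dropped")
            continue
        key = e.hashes.get("SHA256") or e.names[0]
        rec = merged.setdefault(key, FileIoc())
        rec.names.extend(n for n in e.names if n not in rec.names)
        rec.hashes.update(e.hashes)
    return list(merged.values()), urls, errors


def to_siem_rows(records, urls):
    """Flatten to (indicator_type, value, context) tuples for a SIEM watchlist."""
    rows = []
    for rec in records:
        ctx = ";".join(rec.names)
        for algo in ("SHA256", "SHA1", "MD5"):
            if algo in rec.hashes:
                rows.append((algo.lower(), rec.hashes[algo], ctx))
    rows.extend(("url", u, "") for u in urls)
    return rows


# Sample input: the Ursnif block copied from this page, plus one constructed
# entry with a truncated SHA1 to exercise the validation path.
SAMPLE = """The resurgence of the Ursnif banking Trojan
IoCs
Thebgjaficaah3_browsing7Gz·gz
SHA1: 73e5dbafa25946ed636e68d1733281e63332441d
MD5: 96f9d734c3cfdacceca70187cbc549b7
SHA256: 170e3e987e99867d8b4115b4a2d9dea074acb56383744d469a28c5611adeba22
Thebgjaficaah3_edr7Gz·gz
SHA1: 73e5dbafa25946ed636e68d1733281e63332441d
MD5: 96f9d734c3cfdacceca70187cbc549b7
SHA256: 170e3e987e99867d8b4115b4a2d9dea074acb56383744d469a28c5611adeba22
http://e9bja.com
Constructedbad_browsingExe·exe
SHA1: 73e5dbaf
"""

if __name__ == "__main__":
    records, urls, errors = parse_iocs(SAMPLE)
    for row in to_siem_rows(records, urls):
        print(*row, sep="\t")
    for err in errors:
        print("WARN", err)
```

Keying on SHA256 rather than on the listing name is deliberate: the _browsing and _edr names are Cymulate’s own labels, and a SIEM match will be on the digest, so one indicator per unique file avoids double-counting hits.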
Ransomware delivery URLs top campaigns and trends
Ransomware is increasingly being delivered via URLs as well as emails and third-party apps.
IoCs
Ransomwarebgjafibghj14_browsingExe·exe
SHA1: f8eb2d6ee0e96fd79876a6a3332aacf834456570
MD5: d65a25b264b93cce242154d00aa670d1
SHA256: 0708d5027c26f96f5bf81b373348346149511a4b9f11391a979159185371bcc5
Ransomwarebgjafibghj2_browsingExe·exe
SHA1: 44055a24f0957b4adb3f958e8270e2e513586ca4
MD5: 15dd4bbbddef99b7d49a5ab171bcc76d
SHA256: d1ad11b98dd193b107731349a596558c6505e51e9b2e7195521e81b20482948d
Ransomwarebgjafibghj21_browsingExe·exe
SHA1: 8f500b68a893bf590c3c998c9d13869ded4bc32f
MD5: 50e31a7045c839dc1172daf9e45d5b73
SHA256: ff6d6f616687fac25a1d77e52024838239e9a3bbb7b79559b0439a968ac384fe
Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code
Talos recently discovered a new ransomware actor, RA Group, which emerged in April 2023 and appears to be using leaked Babuk source code in its attacks.
IoCs
Babukbgjahbidgd1_browsingExe·exe
SHA1: fb3d23940ad5f9e06be813f182eb7dc2ddd09608
MD5: 15b1147bcc846fe5dd750a3b02b8e552
SHA256: 3ab167a82c817cbcc4707a18fcb86610090b8a76fe184ee1e8073db152ecd45e
Babukbgjahbidgd1_edrExe·exe
SHA1: fb3d23940ad5f9e06be813f182eb7dc2ddd09608
MD5: 15b1147bcc846fe5dd750a3b02b8e552
SHA256: 3ab167a82c817cbcc4707a18fcb86610090b8a76fe184ee1e8073db152ecd45e
Amadey Threat Analysis and Detections
The Amadey Trojan Stealer is one of the most prevalent forms of malware and has maintained a persistent botnet infrastructure since its emergence in 2018.
IoCs
Amadeybgjadjegjb32_browsingDll·dll
SHA1: 85466c95625bcbb7f68aa89a367149d35f80e1fa
MD5: 547bae937be965d63f61d89e8eafb4a1
SHA256: 015d60486e75035f83ea454e87afb38d11ec39643c33b07f61a40343078ee4f5
Amadeybgjadjegjb39_browsingExe·exe
SHA1: a05ccc08270e040508ebc01900249cc04ad391ed
MD5: f0c8df176843df1b9b13b849fc8a6639
SHA256: 89d30f7ba7b2af7f519d2fe066700fae723643e25b1859f32c60618956651710
Amadeybgjadjegjb35_browsingDll·dll
SHA1: b9c871d12662eb294776bb7eda846eedf681c1af
MD5: 076fcb9fd24a6fa50386d9e7cd8dd3cc
SHA256: 3d5d48ea2b6f76af583e541602950d89b8d96a13654469df3bc58dcddf879e9d
India Cert Alert – Mallox Ransomware Targeting Unsecured MS SQL Servers
Mallox ransomware has been observed targeting unsecured Microsoft SQL Servers, using them as entry points into victims’ ICT infrastructure to distribute the ransomware. The threat actor group has also been observed brute-forcing publicly exposed MS SQL instances to gain initial access to victims’ networks.
IoCs
Mallboxbgjadhhiij1_browsingExe·exe
SHA1: 8a1d92c8e5b7a5b3a6a34137c9eee01f89cd5564
MD5: 70c464221d3e4875317c9edbef04a035
SHA256: 6c743c890151d0719150246382b5e0158e8abc4a29dd4b2f049ce7d313b1a330
Mallboxbgjadhhiij_browsing7Exe·exe
SHA1: c845638db9e1a24b9e8bacd8d82f2a72476e86ea
MD5: c3c590f44df548ce324bfdaac6ec33a6
SHA256: 10eea0c13fd1a782c065627e23e7051edc1622f2eae5fbe138725369c12f4b6d
Mallboxbgjadhhiij6_browsingExe·exe
SHA1: 31cc6fa2e174d43e719f21a450bd9a5185054d6d
MD5: a5328247106299a6ac54794c345a0380
SHA256: 36269d1892283991a9db23492cd8efcd68af74060384b9686219a97f76a9989e
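The initial-access technique in the alert above (password brute force against exposed MS SQL instances) leaves a clear trace in the SQL Server ERRORLOG: a run of “Login failed for user” lines from one client address. The following Python is an added example, not code from CERT-In, Cymulate or the original alert. It applies a per-client sliding-window threshold to those lines and records which logins were tried, which separates a single-account brute force against sa from password spraying. The log lines are constructed in the standard ERRORLOG layout; the addresses and timestamps are made up.

```python
"""Flag brute-force logon attempts against SQL Server from its ERRORLOG.

Added example, not from the original advisory or CERT-In. It implements the
threshold check a defender would run for the initial-access technique the
alert describes (password brute force against exposed MS SQL instances).
The sample log lines are constructed in the standard SQL Server ERRORLOG
format; the addresses and timestamps are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGON = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failures(lines):
    """Yield (timestamp, user, client_ip) for each failed-logon line."""
    for line in lines:
        m = FAILED_LOGON.search(line)
        if m:
            yield (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                   m.group("user"), m.group("ip"))


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Sliding window per client IP: alert when `threshold` failures land within
    `window_seconds`. The distinct logins tried are kept so a brute force on
    one account (sa) can be told apart from password spraying.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)
    alerted, alerts = set(), []
    for ts, user, ip in sorted(parse_failures(lines)):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"client": ip, "failures": len(q),
                           "first": q[0].isoformat(), "users": sorted(users[ip])})
    return alerts


def _line(ts, user, ip):
    """Build one constructed ERRORLOG failed-logon line."""
    return (f"{ts} Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {ip}]")


# Constructed sample: 12 rapid attempts against 'sa' from one address (each
# preceded by the usual 18456 error line), and three slow mistakes by a
# service account from another address that should not alert.
SAMPLE_LOG = ["2023-07-10 03:12:00.10 Server      SQL Server is now ready for client connections."]
for i in range(12):
    stamp = f"2023-07-10 03:12:{10 + 3 * i:02d}.21"
    SAMPLE_LOG.append(f"{stamp} Logon       Error: 18456, Severity: 14, State: 8.")
    SAMPLE_LOG.append(_line(stamp, "sa", "203.0.113.5"))
for i in range(3):
    SAMPLE_LOG.append(_line(f"2023-07-10 03:{15 + 4 * i:02d}:05.00", "svc_report", "198.51.100.7"))

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately conservative defaults; tune them against your own baseline, and treat any failures arriving from addresses outside your management ranges as the stronger signal, since a properly segmented SQL Server should not receive logon attempts from the internet at all.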
Sliver C2 in circulation through domestic program developers
Earlier reports covered SparkRAT being distributed inside the installation files of domestic VPN companies [1], as well as attack cases in which the same VPN installers led to MeshAgent infection; the Sliver C2 framework is now being distributed through the same channel.
IoCs
Sliverbgjadaajgj24_browsingExe·exe
SHA1: c2994b2969f315b189a151d545b35a2c8ed6a2f9
MD5: b66f351c35212c7a265272d27aa09656
SHA256: ba4c8e065f601de46ae7844e81921c68726d09345f3db13fb6e3f5ea2d413dde
Sliverbgjadaajgj2_browsing7Exe·exe
SHA1: aaec03da8855551b2a02e10a1a854773a59d927c
MD5: eefbc5ec539282ad47af52c81979edb3
SHA256: 5b018d8382e33713eba0b60b394e6f69edc0cd20aee7e384f5004403264d2781
Sliverbgjadaajgj19_browsingExe·exe
SHA1: cd6e7411730f9a244df83bbc4a1e2384011a4fdb
MD5: 5eb6821057c28fd53b277bc7c6a17465
SHA256: 87404431af48f776c9b83b5b57c1ddf43b05c7e986460b1a97473caf3c85f567
New Reptile Rootkit Malware Attacking Linux Systems Using Port Knocking
Reptile is a kernel-module rootkit for Linux systems released as open source on GitHub.
A rootkit is malicious code that can hide itself or other malicious code; its targets are mainly files, processes and network communication.
The hiding functions supported by Reptile cover files and directories, file contents, processes and network traffic, in addition to the kernel module itself.
IoCs
Newbgjadaaiej8_browsingO·o
SHA1: 2ca4787d2cfffac722264a8bdae77abd7f4a2551
MD5: d1abb8c012cc8864dcc109b5a15003ac
SHA256: d182239d408da23306ea6b0f5f129ef401565a4d7ab4fe33506f8ac0a08d37ba
Newbgjadaaiej1_browsingSh·sh
SHA1: 0c6d838c408e88113a4580e733cdb1ca93807989
MD5: 1957e405e7326bd2c91d20da1599d18e
SHA256: 1425a4a89b938d5641ed438333708d1728cfed8c124451180d011f6bbb409976
Newbgjadaaiej6_browsingElf·elf
SHA1: 3cc2d6bf5215de3c24fb194c232a0411cede78e0
MD5: c3c332627e68ce7673ca6f0d273b282e
SHA256: 4305c04df40d3ac7966289cc0a81cedbdd4eee2f92324b26fe26f57f57265bca
Fabricated Microsoft Crypto Wallet Phishing Site Spreads Infostealer
Cyble Research and Intelligence Labs analyzes threat actors spreading Luca Stealer disguised as a beta version of Microsoft Crypto Wallet.
IoCs
Fabricatedbgjacfeaee1_browsingExe·exe
SHA1: 4238700742f6540119fc40f8f001fa1b5da99425
MD5: 2753fea9125455e452e1951295158bc5
SHA256: 480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1
Fabricatedbgjacfeaee1_edrExe·exe
SHA1: 4238700742f6540119fc40f8f001fa1b5da99425
MD5: 2753fea9125455e452e1951295158bc5
SHA256: 480cea45f9c10159ef76555a0b86c25b232952b5cbc6da2862ff4b8cbb2943c1
Ransomware Spotlight Play
Play is shaping up to be a player on the rise within the ransomware landscape, with its operators likely to continue using the ransomware in the future.
IoCs
Ransomwarebgjacdgace4_browsingExe·exe
SHA1: be17fe931305a82c891b7d7bfdecd644b4fb1219
MD5: b311256c0b964724258078affce39f01
SHA256: 5573cbe13c0dbfd3d0e467b9907f3a89c1c133c774ada906ea256e228ae885d5
Ransomwarebgjacdgace1_browsingExe·exe
SHA1: 14177730443c65aefeeda3162b324fdedf9cf9e0
MD5: 223eff1610b432a1f1aa06c60bd7b9a6
SHA256: 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
Ransomwarebgjacdgace10_browsingExe·exe
SHA1: 687a0ee18d18f7c1075b6509646ae2ea95af23b9
MD5: a72b78ad61f7e9cfcebbe444c92a2fc3
SHA256: e4f32fe39ce7f9f293ccbfde30adfdc36caf7cfb6ccc396870527f45534b840b
First-ever Open-Source Software Supply Chain Attacks
Two separate open-source software supply-chain attacks targeting the banking sector have been identified by researchers.
IoCs
Firsteverbgjacahebh52_browsingExe·exe
SHA1: 921c5c8d5dd416ae69d880b1af9eb52d6c3ab1db
MD5: 58a4f9eed576b9bc14e1a06afd52f00e
SHA256: 4eb44e10dba583d06b060abe9f611499eee8eec8ca5b6d007ed9af40df87836d
Firsteverbgjacahebh51_browsingExe·exe
SHA1: 0f6a8dd9c9651ff94f45d916a3a20d210dc3747c
MD5: 494bd8c8d2fbdbbb53855cc1a533a1ef
SHA256: 4e54c430206cd0cc57702ddbf980102b77da1c2f8d6d345093819d24c875e91a
Firsteverbgjacahebh49_browsingExe·exe
SHA1: 626e4db197fb18f8d67ceba5014d28deb54afa75
MD5: 5a789786e5996cfdceb8866993b02fd2
SHA256: f4a57a3b28c15376dbb8f6b4d68c8cb28e6ba9703027ac66cbb76ee0eb1cd0c9
Manipulated Caiman: The Sophisticated Snare of Mexico’s Banking Predator
Manipulated Caiman has been active for at least two years, targeting primarily the citizens of Mexico.
Based on Perception Point’s research, the potential revenue the group has accumulated is over $55 million.
There have been over 4K victims in total, with over 140 victims in the past two months alone.
Manipulated Caiman uses a wide arsenal of tools against victims, though its ultimate goal is to gain access to victims’ bank accounts.
Manipulated Caiman employs spear phishing with malicious attachments to deliver malware such as URSA, an SMTP brute-force client, a malicious extension installer, a net info checker and a spammer client.
IoCs
Manipulatedcaimanbgjabaaibd14_browsingJs·js
SHA1: 4de75077763084db3c52692a67976773f30f5db3
MD5: a5dae68f1a5125a3ada5034bc64ada11
SHA256: 45e03985103b25828e3d01a415958639db0aed53564455908dab35c803e69fcd
Manipulatedcaimanbgjabaaibd_browsing7Exe·exe
SHA1: 664baee4f00fd5a3ef74185c8597ce6c5a0410e4
MD5: d4d08923c80aee492140795f5393d056
SHA256: 203cc5d525b0583b3db0552fd4af4cfd970bdd8b97ae8d210ee95c4c9f971e44
Manipulatedcaimanbgjabaaibd11_browsingExe·exe
SHA1: 41f5559b4ed3c9a23279f87fb0ff8fdea40d0d58
MD5: cf9bcbb9844f34e004044a1b0f3e2cf1
SHA256: 7a7ac75052a6e43cfabbabc30c5b6e01c253a49080a37ada098ee84011c6b897
DDoS Botnet Targets Zyxel Vulnerability (CVE-2023-28771)
Threat actors are taking advantage of a command injection vulnerability to infect Zyxel devices with a DDoS botnet.
The flaw is due to improper handling of error messages and can be exploited by an unauthenticated attacker sending crafted packets.
The malware can perform a range of attacks, including udpflood, synflood, greflood, ackflood, tcpflood, tcp2flood, udp2flood, socketflood, udpconnflood, wraflood and vseflood.
IoCs
Ddosbgijibiigd_browsing77Elf·elf
SHA1: 588ed1ba11384f855d23c4d272bf1b5c5b5a2348
MD5: f2a714d2c99f091a380883be26338a7f
SHA256: 85d3d93910bfb8410a0e82810d05aa67a6702ce0cdfc38d1d01f2f9471d20150
Ddosbgijibiigd_browsing78Elf·elf
SHA1: e682c58bbff74568632cca6470c84612573ea212
MD5: 1f9cd01cb9bfafcdfec2a6fe93d3d73f
SHA256: a6729c047d776294fa21956157eec0b50efa7447b8e2834b05be31080767006f
Ddosbgijibiigd_browsing79Elf·elf
SHA1: 85e96d75e1940323ce306bdc480b9fab47ef5a0c
MD5: be2f2959ae20d42131b58f37f241749c
SHA256: 42b4e116c5d2d3e9d4777c7eaa3c3835a126c02673583c2dfb1ae2bf0bf0db48
A Look Into Space Pirates Unconventional Techniques Attack Vectors And Tools
The Space Pirates APT group has evolved from previous years, adding new tools, tactics, techniques and procedures to its operations.
According to researchers, the group’s main goal appears to be the theft of sensitive information from educational institutions, private security companies, aerospace manufacturers, agricultural producers, defense, energy and infosec companies located in Russia and Serbia.
The tools used by the group include penetration testing tools and open-source malware.
The group has also started using private solutions such as Deed RAT or Voidoor, the latter using GitHub as its main command-and-control channel.
IoCs
Abgijibigeg18_browsingDll·dll
SHA1: 84ca568879ca62448d035d56bec816a11188b831
MD5: 8002cd74e579a44a78b2c8e66f8f08a4
SHA256: 8c3e0fdddc2c53cf7961f770080e96332592c847839ccf84c280da555456baf0
Abgijibigeg21_browsingDll·dll
SHA1: 3f8ee1e875cbb01e145a09db7d857b6be22bdd92
MD5: 972a1a6f17756da29d55a84d7f3f23a4
SHA256: b6860214fcc1ef17937e82b1333672afa5fcf1c1b394a0c7c0447357477fe7c9
Abgijibigeg22_browsingDll·dll
SHA1: e986b238cb5fe037718172d965a41c12c85bbdd0
MD5: 633ccb76bd17281d5288f3a5e03277a0
SHA256: ceca49486dd7e5cf8af7b8f297d87efe65aba69124a3b61255c6f4a099c4a2ab
The Turla APT Group Uses Multiple Malware Families To Exfiltrate Data (CERT-UA6981)
The Turla APT group used multiple malware families to carry out espionage attacks.
The initial infection vector consisted of spear-phishing emails with malicious attachments.
The malware was used to collect and exfiltrate a range of data, including passwords, bookmarks, browsing history and cookies, as well as data from KeePass, Azure, Google Cloud and AWS.
IoCs
Thebgijibifhf1_browsingDll·dll
SHA1: b2fa58da8af06e49c626a8377551fd25e359d73d
MD5: 491e462bf1213fede82925dea5df8fff
SHA256: ba2c8df04bcba5c3cfd343a59d8b59b76779e6c27eb27b7ac73ded97e08f0f39
Thebgijibifhf1_edrDll·dll
SHA1: b2fa58da8af06e49c626a8377551fd25e359d73d
MD5: 491e462bf1213fede82925dea5df8fff
SHA256: ba2c8df04bcba5c3cfd343a59d8b59b76779e6c27eb27b7ac73ded97e08f0f39
Ursnif campaign in Italy
An investigation by Kostas from the DFIR Report covering an Ursnif campaign in Italy.
IoCs
Ursnifbgijhigahi1_browsingDll·dll
SHA1: 0f661ba97e702021988fa372fde43bd3165f1cfe
MD5: b565aa423ca4ba6e8c6b208c22e5b056
SHA256: 894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265
Ursnifbgijhigahi4_browsingPs1·ps1
SHA1: 5a7021b7b1d05321f95b8464339688007ac502ea
MD5: 665a152dc746deaaab11e1c0af4b513e
SHA256: 6e8b848e7e28a1fd474bf825330bbd4c054346ad1698c68e7a59dd38232a940a
Ursnifbgijhigahi1_edrDll·dll
SHA1: 0f661ba97e702021988fa372fde43bd3165f1cfe
MD5: b565aa423ca4ba6e8c6b208c22e5b056
SHA256: 894668791d06262dd16740235faa3b1672e2cb5cf171954f29abaca421c09265
UAC-0006 Distributes SmokeLoader Through Phishing Emails (CERT-UA6999)
The UAC-0006 threat actor sent spear-phishing emails with malicious attachments to infect devices with SmokeLoader.
The attachments consisted of ZIP files containing either VBS or HTML files that were used to download the malicious payload.
Obfuscation was used for defense evasion, while a scheduled task was created for persistence.
IoCs
Uac0006bgijhdcdcg13_browsingHtml·html
SHA1: b83f21187381638dba7ee3b4b53f5a1302590484
MD5: b3ee60f2626bc1ba158ea2b82cf5ec3d
SHA256: d138da2039ef93b0b511bc380f3be1f53a9859e616973afae6059d0225cb40cf
Uac0006bgijhdcdcg14_browsingZip·zip
SHA1: d2bf555971ddeff7fd03f506838872df4ae444cf
MD5: f634458ac460762c0e9e3b8b7c29cb09
SHA256: be33946e29b3f0d2f3b1b68042bd6e81f64a18da0f0705d104a85f1bee207432
Uac0006bgijhdcdcg15_browsingZip·zip
SHA1: cee7d9254e3014e122c3aca3db15767c8f404fd9
MD5: d2d02a414a886ad60a5f25c081f8c11b
SHA256: f664f4122f5cf236e9e6a7aabde5714dfe9c6c85bd4214b5362b11d04c76763d
Google Firebase Hosting Abused To Deliver Sorillus RAT
Adversaries were found abusing Google’s Firebase Hosting service to deliver the Sorillus remote access tool, which is marketed as legitimate remote administration software.
The initial infection vector consisted of phishing emails with malicious attachments.
The attachments contained an HTML file that used the HTML smuggling technique to infect devices with Sorillus.
The tool can capture video and keystrokes and steal system information and credentials from web browsers.
IoCs
Googlebgijhdccbi4_browsingZip·zip
SHA1: b422408ee20b3a939c498640feeec475356f1f40
MD5: e93b8dddfc9715f1785ff8f554d538a8
SHA256: c65c347ce9c62b8765831f0deb11be08eb8818c036587c1a2b0da2dab7aa5d7a
Googlebgijhdccbi5_browsingHtml·html
SHA1: 7742903c880aa45f7702d9c54b2b6c1a3715ba00
MD5: 5f74bc4dc4ed13805295ae2f249450bb
SHA256: 5733f7b22ed1f1e86ea177c4beb44e424284a3cf14b3cf09c2cf85ddf6678e45
Googlebgijhdccbi6_browsingHtml·html
SHA1: acbcc56226cbbbe41e8112f71bbd2436aef82f83
MD5: 29fc65f116072a072d52dac21d33335f
SHA256: ee793fe7b529925b6ffde42f64aac8a3842957a9fe2c229e46dbb9568789d6ea
FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware
Symantec Threat Hunter Team recently observed the Syssphinx (aka FIN8) cyber-crime group deploying a variant of the Sardonic backdoor to deliver the Noberus ransomware.
IoCs
Fin8bgijhbhgec4_browsingPs1·ps1
SHA1: 4e693689526ee28290ddd9cdd242a3c5f0383b8d
MD5: 10e75f522c3a52532d124e507d1d6561
SHA256: 1d3e573d432ef094fba33f615aa0564feffa99853af77e10367f54dc6df95509
Fin8bgijhbhgec9_browsingDll·dll
SHA1: ea50aa7c4d8b3097a2e7d8a4c575b08cfabbbdd8
MD5: bd265f2d3e827e2ffa22417a6334d5fa
SHA256: 48e3add1881d60e0f6a036cfdb24426266f23f624a4cd57b8ea945e9ca98e6fd
Fin8bgijhbhgec10_browsingDll·dll
SHA1: 12c3b36ee26b031e6c7b80b7e34b48489bfd108d
MD5: 2dad0e66463869b2565449e4c9e84417
SHA256: 4db89c39db14f4d9f76d06c50fef2d9282e83c03e8c948a863b58dedc43edd31
Reverse Engineering Walkthrough | Analyzing A Sample Of Arechclient2
SentinelOne found an initial loader implemented in AutoIt that uses process hollowing to load a .NET-based payload. They reconstructed the string decryption method, enabling them to partially deobfuscate the loader.
IoCs
Reversebgijgjcegg1_browsingExe·exe
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
Reversebgijgjcegg3_browsingExe·exe
SHA1: 054742329f83a5d177dd1937992e6755f43c420e
MD5: e10a54c88b0055b69165618590583805
SHA256: a835602db71a42876d0a88cc452cb60001de4875a5e91316da9a74363f481910
Reversebgijgjcegg1_edrExe·exe
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
Trojanized Application Preying on TeamViewer Users
Cyble Research & Intelligence Labs analyzes a trojanized version of the TeamViewer application and how it distributes njRAT.
IoCs
Trojanizedbgijgefgee1_browsingExe·exe
SHA1: 9b9539fec7d0227672717e126a9b46cda3315895
MD5: 11aacb03c7e370d2b78b99efe9a131eb
SHA256: 224ae485b6e4c1f925fff5d9de1684415670f133f3f8faa5f23914c78148fc31
Trojanizedbgijgefgee2_browsingExe·exe
SHA1: b2f847dce91be5f5ea884d068f5d5a6d9140665c
MD5: 8ccbb51dbee1d8866924610adb262990
SHA256: 9bcb093f911234d702a80a238cea14121c17f0b27d51bb023768e84c27f1262a
Trojanizedbgijgefgee1_edrExe·exe
SHA1: 9b9539fec7d0227672717e126a9b46cda3315895
MD5: 11aacb03c7e370d2b78b99efe9a131eb
SHA256: 224ae485b6e4c1f925fff5d9de1684415670f133f3f8faa5f23914c78148fc31
Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure GCP
Throughout June 2023, an actor behind a cloud credentials stealing campaign has expanded their tooling to target Azure and Google Cloud Platform (GCP) services.
Previously this actor focused exclusively on Amazon Web Services (AWS) credentials.
IoCs
Cloudybgijdhcafh9_browsingSh·sh
SHA1: 61da5d358df2e99ee174b22c4899dbbf903c76f0
MD5: f7df739f865448ac82da01b3b1a97041
SHA256: 3f129141bfb73aca77a4605088af86138b3ea6f9cb14e5c50dbf2352983a2142
Cloudybgijdhcafh8_browsingSh·sh
SHA1: 6123bbca11385f9a02f888b21a59155242a96aba
MD5: 92d6cc158608bcec74cf9856ab6c94e5
SHA256: 8b7414c268b54a50b0499a6a9f6d32d0beb34db8d3624aa660578b353ba30204
Cloudybgijdhcafh5_browsingElf·elf
SHA1: 37cb34a044c70d1acea5a3a91580b7bfc2a8e687
MD5: 87c8423e0815d6467656093bff9aa193
SHA256: 0f37a4b3eb939b1a1750a7a132d4798aa609f0cd862e47f641dd83c0763d8c8f
APT36 Delivers Crimson RAT Using Pilgrimage Security Briefing Lure
APT36 activity has been observed delivering a PowerPoint presentation containing a malicious macro.
The document contains a lure that appears targeted at Indian government entities.
Allowing the macro to execute drops and runs the Crimson remote access trojan (RAT) on the victim’s machine.
The .NET-based Crimson RAT can perform reconnaissance, exfiltrate data, communicate with its C2 and execute additional commands and payloads.
IoCs
Apt36bgijdaafca_browsing79Exe·exe
SHA1: 88ea01712e88378af42f6d8d2da58982e59d0756
MD5: c93cb6bb245e90c1b7df9f3c55734887
SHA256: ce43a5f80b6e5285722b929ea912d455a3c725276ae126c1348ff95df3f7f6e9
Apt36bgijdaafca81_browsingZip·zip
SHA1: 93c29543bef15309da3266074cb05a533f7f2e5c
MD5: 66d65a321d7ad9f0d33c70e888e589ff
SHA256: dbf8b14503b1670432b574a32a928b73e325f3088604a267503c987d97659551
Apt36bgijdaafca80_browsingDocx·docx
SHA1: 87d492d00d4aa50623254c3c408b40519a10c21b
MD5: 0ad121b4eb1ef9c491181c5ab8fe1ed7
SHA256: 6778381dd3a660599b36483e7403aea67f49a944ae15449e19131e1a98fe24ae
Threat Actor Launches ScarLeteel 2.0
The ScarLeteel campaign was discovered in early 2023 and continues to target cloud environments to steal data, improve its defense evasion and mine cryptocurrency.
Initial access is gained by exploiting public-facing web applications, while additional tools, including the AWS CLI, Pacu and Peirates, are used to carry out the infection process.
The threat actor was also found to have installed a Mirai botnet variant to provide DDoS capabilities.
IoCs
Threatbgijdaabfc3_browsingSh·sh
SHA1: 5919531f7649adc01afea8e78704da7c67eaf2cc
MD5: c451822e6030fb55095692ef395ff50b
SHA256: 99e70e041dad90226186f39f9bc347115750c276a35bfd659beb23c047d1df6e
Threatbgijdaabfc2_browsingSh·sh
SHA1: b2231de3f2de5ec00aba450762919459abf6250d
MD5: 3bcef172739dea6c5fe93375d5e14b8a
SHA256: 00a6b7157c98125c6efd7681023449060a66cdb7792b3793512cd368856ac705
Threatbgijdaabfc4_browsingSh·sh
SHA1: 5611cb5676556410981eefab70d0e2aced01dbc5
MD5: b9113ccc0856e5d44bab8d3374362a06
SHA256: 3769e828f39126eb8f18139740622ab12672feefaae4a355c3179136a09548a0
Attackers Exploit (CVE-2023-36884) Unpatched Windows Zero-Day Vulnerability
A zero-day vulnerability (CVE-2023-36884) affecting Microsoft Windows and Office products is being exploited in the wild. To date, the exploit has been used in highly targeted attacks against organizations in the government and defense sectors in Europe and North America.
Microsoft disclosed the vulnerability on July 11, stating that an attacker could create a specially crafted Microsoft Office document that enables remote code execution on the target’s computer.
For the exploit to succeed, the victim must open the malicious file.
At the time of writing no patch had been released; Microsoft said it was still investigating and that a fix may be rolled out in its monthly release process or in an out-of-cycle security update.
The company provided mitigation guidance in its advisory.
IoCs
Attackersbgijcceegh1_browsingDocx·docx
SHA1: 2400b169ee2c38ac146c67408debc9b4fa4fca5f
MD5: d227874863036b8e73a3894a19bd25a0
SHA256: a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f
Attackersbgijcceegh4_browsingLnk·lnk
SHA1: dd0dc5ecc7818a1dd3077e0a0570b36966fb1c67
MD5: 8ed058fa2fa7fa89400c8fcaf9fccad6
SHA256: d3263cc3eff826431c2016aee674c7e3e5329bebfb7a145907de39a279859f4a
Attackersbgijcceegh1_edrDocx·docx
SHA1: 2400b169ee2c38ac146c67408debc9b4fa4fca5f
MD5: d227874863036b8e73a3894a19bd25a0
SHA256: a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f
Infamous Meduza Stealer
Meduza Stealer recently appeared on Russian forums and is being sold to subscribers in 1-month and 3-month subscriptions.
The malware is written in C++ and targets Chromium- and Gecko-based browsers, crypto wallets and password managers.
The infostealer shares similarities with Aurora Stealer; however, Meduza Stealer is under active development.
Speculation suggests the same developers are behind Meduza. In addition to this recent infostealer, the developers offer malware development services in Java, JavaScript, TypeScript, Kotlin and Python.
IoCs
Infamousbgijcbdjad19_browsingExe·exe
SHA1: 9261a29f0d94a6c9a30521a28ed57bd62b1b4cad
MD5: 8659732b1e658a65fe4f65bedae7835b
SHA256: afbf62a466552392a4b2c0aa8c51bf3bde84afbe5aa84a2483dc92e906421d0a
Infamousbgijcbdjad14_browsingExe·exe
SHA1: 21b0057bf675fe420d42df7427fbdd41ef4faffa
MD5: fa81c42c6d79564d0356ed01a4490d90
SHA256: a73e95fb7ba212f74e0116551ccba73dd2ccba87d8927af29499bba9b3287ea7
Infamousbgijcbdjad18_browsingExe·exe
SHA1: 1540c398646158e3a563bb7f55e3ab2a784ff62c
MD5: 7915d2f34f49cec0bf4e1c089ab1556b
SHA256: cbc07d45dd4967571f86ae75b120b620b701da11c4ebfa9afcae3a0220527972
Underground Team Ransomware Demands Millions
Underground Team ransomware uses the ShellExecuteW() function to run multiple commands that delete volume shadow copies, modify the registry and stop the MSSQLSERVER service.
After completing the encryption process, the malware creates a CMD file to delete specific files and clear the event logs.
Finally, the ransom note is dropped, instructing victims to pay a ransom to obtain the decryption key.
IoCs
Undergroundbgijafbfig39_browsingExe·exe
SHA1: fb4ad5d21f0d8c6755eb4addba0ac288bd2574b6
MD5: 059175be5681a633190cd9631e2975f6
SHA256: d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666
Undergroundbgijafbfig39_edrExe·exe
SHA1: fb4ad5d21f0d8c6755eb4addba0ac288bd2574b6
MD5: 059175be5681a633190cd9631e2975f6
SHA256: d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666
Threat Trend Report On Kimsuky
The Kimsuky APT group continues evolving its tactics and techniques to compromise further systems.
This time, researchers have noticed the use of new top-level domains (TLDs) to lure victims, some of them containing Korean characters.
Known tools such as FlowerPower, RandomQuery and AppleSeed have also been modified with new features in an attempt to stay under the radar.
IoCs
Threatbgijafbfgb38_browsingChm·chm
SHA1: 128fac6c2a68dd844fe51a86308a38136c9e8027
MD5: 002fd493096214a9a44d82acb7f1ac30
SHA256: 76b2f8df4578d65d5b6d57af8784584c1bcf86402d964b567db58e63723b636c
Threatbgijafbfgb38_edrChm·chm
SHA1: 128fac6c2a68dd844fe51a86308a38136c9e8027
MD5: 002fd493096214a9a44d82acb7f1ac30
SHA256: 76b2f8df4578d65d5b6d57af8784584c1bcf86402d964b567db58e63723b636c
Unleashing WhiteSnake Stealer
WhiteSnake Stealer was discovered in early 2022 and can collect data from browsers, email and messaging clients, apps and crypto wallets.
The malware can also gather system information, location data and keystrokes and exfiltrate them to command-and-control servers in a ZIP archive.
Communication between the infected device and the threat actor is carried out over Tor.
IoCs
Unleashingbgijafbdca1_browsingExe·exe
SHA1: 087a787a34ee05478bfa07b50fd39c8367b0a157
MD5: a338043c6b5260df6b7ce4c4ec3d1b80
SHA256: f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50
Unleashingbgijafbdca2_browsingExe·exe
SHA1: c7fac0793d14413bdb2b6240dff2a2ce33b50ba4
MD5: a65e9165a47ed2cd2f168bf71db4181e
SHA256: c219beaecc91df9265574eea6e9d866c224549b7f41cdda7e85015f4ae99b7c7
Unleashingbgijafbdca1_edrExe·exe
SHA1: 087a787a34ee05478bfa07b50fd39c8367b0a157
MD5: a338043c6b5260df6b7ce4c4ec3d1b80
SHA256: f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50
US Cert Alert – (AA23-187A) Increased Truebot Activity Infects U.S. And Canada Networks
Organizations in the United States and Canada are the targets of variants from the Truebot malware family.
Initial access is achieved by exploiting a remote code execution vulnerability in the Netwrix Auditor application (CVE-2022-31199) or through phishing campaigns with malicious redirect hyperlinks.
Various malicious software and tools are used to carry out the attacks, including Raspberry Robin, FlawedGrace, Cobalt Strike and the Teleport data exfiltration tool.
IoCs
Truebotbgiiijfbga1_browsingExe·exe
SHA1: 4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d
MD5: 12011c44955fd6631113f68a99447515
SHA256: c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3
Truebotbgiiijfbga4_browsingExe·exe
SHA1: afda13d5365b290f7cdea701d00d05b0c60916f8
MD5: e4a42cbda39a20134d6edcf9f03c44ed
SHA256: 47f962063b42de277cd8d22550ae47b1787a39aa6f537c5408a59b5b76ed0464
Truebotbgiiijfbga6_browsingExe·exe
SHA1: 03916123864aa034f7ca3b9d45b2e39b5c91c502
MD5: 338476c2b0de4ee2f3e402f3495d0578
SHA256: a67df0a8b32bdc5f9d224db118b3153f66518737e702314873b673c914b2bb5c
Buddyransome
Buddyransome is ransomware that encrypts data and appends the “.buddyransome” extension to filenames.
Also, it drops the “HOW_TO_RECOVERY_FILES.txt” text file (a ransom note).
An example of how Buddyransome renames files: it changes “1.jpg” to “1.jpg.buddyransome”, “2.png” to “2.png.buddyransome”, and so forth.
IoCs
Buddyransombgiiiijacb1_browsingExe·exe
SHA1: adebd8a52b6dc9ad35dee583eae8d93e0040b837
MD5: f7b5b9fd8c7020dedb138ef75190dffc
SHA256: 8843bafbb4a43a6c7a77c62a513908d1e2352ae5f58bd8bfa6d604bc795dcd12
Buddyransombgiiiijacb2_browsingExe·exe
SHA1: 393c2a157d52301405d1594cbcb694c6d2931296
MD5: 50881c434db8730bfc5e67bccf573ec2
SHA256: 2c9599396f8267baa20e89bab33b323ae98497f855534a8b2a629af502539cfe
Buddyransombgiiiijacb1_edrExe·exe
SHA1: adebd8a52b6dc9ad35dee583eae8d93e0040b837
MD5: f7b5b9fd8c7020dedb138ef75190dffc
SHA256: 8843bafbb4a43a6c7a77c62a513908d1e2352ae5f58bd8bfa6d604bc795dcd12
Operation Brainleeches Targets Microsoft 365 Users
Operation Brainleeches consisted of malicious open-source packages and commodity phishing attacks designed to steal credentials from their victims.
The packages posted to npm mimicked legitimate modules and were downloaded around 1000 times, while the phishing attacks consisted of emails with malicious attachments.
Victims were presented with fake login forms asking for their Microsoft 365 username and password.
IoCs
Operationbgiihibied11_browsingJs·js
SHA1: 6c2d2d3c2e68bf3df88a41033a536d16c59c2f9d
MD5: 861392914a5e5a6c15182239533176b6
SHA256: 4e74205220e3dba621a73eda505397606d59ff3a3dc68aa3575be37c95fd7cd6
Operationbgiihibied11_edrJs·js
SHA1: 6c2d2d3c2e68bf3df88a41033a536d16c59c2f9d
MD5: 861392914a5e5a6c15182239533176b6
SHA256: 4e74205220e3dba621a73eda505397606d59ff3a3dc68aa3575be37c95fd7cd6
Threat Profile UNC3944
UNC3944 is a financially motivated threat actor group that has been active since May 2022.
It primarily targets telecommunications and Business Process Outsourcing (BPO) organizations, gaining initial access through social engineering tactics such as phishing and SIM swapping.
The group has been observed impersonating IT personnel to convince individuals to share their credentials or grant remote access to their computers.
It exploits vulnerabilities such as CVE-2015-2291 and uses tools like STONESTOP and POORTRY to terminate security software and evade detection.
The group demonstrates a deep understanding of the Azure environment and leverages built-in tools in its attacks.
Once initial access has been gained, UNC3944 has been observed conducting reconnaissance across Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365 and AWS environments, moving laterally, and in select cases downloading additional tools to exfiltrate VPN and MFA enrollment data.
The group is also known to establish persistence through legitimate remote access tools such as AnyDesk, LogMeIn and ConnectWise Control.
IoCs
Threatbgiigjfhhb_browsing78Exe·exe
SHA1: a3ed5cbfbc17b58243289f3cf575bf04be49591d
MD5: 7f9309f5e4defec132b622fadbcad511
SHA256: 6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421
Threatbgiigjfhhb_browsing73Exe·exe
SHA1: a804ebec7e341b4d98d9e94f6e4860a55ea1638d
MD5: 04a88f5974caa621cee18f34300fc08a
SHA256: 9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c
Threatbgiigjfhhb_browsing74Exe·exe
SHA1: 6debce728bcff73d9d1d334df0c6b1c3735e295c
MD5: 6fcf56f6ca3210ec397e55f727353c4a
SHA256: 8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104
TeamTNT Targets Cloud Native Environments
The TeamTNT threat group is suspected to be behind malicious infrastructure that is used to attack cloud-native environments.
Four distinct container images were found uploaded to the Docker Hub public registry, each with fewer than 100 pulls.
Successful infections would result in devices infected with malware and crypto miners, including the Tsunami backdoor, which has been in operation since at least 2002.
IoCs
Teamtntbgiigjfdih2_browsingElf·elf
SHA1: 37cb34a044c70d1acea5a3a91580b7bfc2a8e687
MD5: 87c8423e0815d6467656093bff9aa193
SHA256: 0f37a4b3eb939b1a1750a7a132d4798aa609f0cd862e47f641dd83c0763d8c8f
Teamtntbgiigjfdih1_browsingElf·elf
SHA1: 664888ea84d0caf23d8367c0f8b1c8ef34f4ebb4
MD5: ba1b03bc2c262d724c0616eba9d7828b
SHA256: 50450b61d0536764d0dd7836c543742eb744a19dd4132c4b8cd7501f658d05cf
Teamtntbgiigjfdih2_edrElf·elf
SHA1: 37cb34a044c70d1acea5a3a91580b7bfc2a8e687
MD5: 87c8423e0815d6467656093bff9aa193
SHA256: 0f37a4b3eb939b1a1750a7a132d4798aa609f0cd862e47f641dd83c0763d8c8f
PhonyC2 Framework Used By MuddyWater
The MuddyWater APT group, also known as Mango Sandstorm, was found to be using a new C2 framework labeled PhonyC2.
The framework uses random UUIDs (Universally Unique Identifiers) in its URLs to make tracking them more difficult.
Multiple PowerShell scripts are used to start a multi-threaded web server and a command line listener, which serve the C2 framework payloads and receive commands from the command-and-control servers.
IoCs
Phonyc2bgiigaijja5_browsingPs1·ps1
SHA1: ddfed3c7232d9ad6ed7179907435a1cc58aba7ac
MD5: 6301cc00fcf591a2f3195187a271e006
SHA256: 2f14ce9e4e8b1808393ad090289b5fa287269a878bbb406b6930a6c575d1f736
Phonyc2bgiigaijja9_browsingJs·js
SHA1: 8bbd4c46185e11c665eb92418def409f3c9d70aa
MD5: f0dda7bc24000b871d358a5b68c2cd27
SHA256: b38d036bbe2d902724db04123c87aeea663c8ac4c877145ce8610618d8e6571f
Phonyc2bgiigaijja10_browsingJs·js
SHA1: 4172fc34d7f69cd950a23f3bdc15451b9236c863
MD5: 06f260d727ed11820c9cc2f171e0bc62
SHA256: 1c95496da95ccb39d73dbbdf9088b57347f2c91cf79271ed4fe1e5da3e0e542a
The suspected Maha Grass organization uses the WarHawk backdoor variant Spyder to spy on many countries
Maha Grass, also known as Patchwork, White Elephant, Hangover, and Dropping Elephant, among other names, is tracked internally by Qi Anxin as APT-Q-36.
The organization is generally considered to have a South Asian background.
Its earliest attack activities can be traced back to November 2009, and it has been active for more than 10 years.
The organization mainly conducts cyber espionage activities against countries in the Asian region targeting organizations in the fields of government, military, electric power industry, scientific research, education, diplomacy, and economy.
IoCs
Thebgiifccegi9_browsingExe·exe
SHA1: 739766a8ca2884015452b760c896475036d138a6
MD5: eb9068161baa5842b40d5565130526b9
SHA256: f5766ece18b863c7747d739b4a0b944cdb13e9993dbc3401d4ea1923dbb0578a
Thebgiifccegi10_browsingExe·exe
SHA1: e687209a0d65ec72077f774b87a2b89049d1a20b
MD5: 53b3a018d1a4d935ea7dd7431374caf1
SHA256: 137d47864fb79c1a892265690bc8c64d67945847058b5a49ad5785ac902ae105
Thebgiifccegi13_browsingExe·exe
SHA1: 4aa0c88ec03aff7fbf83d1679715dff91a47f025
MD5: 1f4b225813616fbb087ae211e9805baf
SHA256: b41d54a9686b312f9e114f62e6bf11e21c8e97dda477d488ca19e2afa45efc9e
The DPRK strikes using a new variant of RUSTBUCKET
This variant of RUSTBUCKET, a malware family that targets macOS systems, adds persistence capabilities not previously observed and, at the time of reporting, is undetected by VirusTotal signature engines.
Elastic Defend behavioral and prebuilt detection rules provide protection and visibility for users.
We have also released a signature to prevent this malware's execution.
IoCs
Thebgiiecjcjg122_browsingMacho·macho
SHA1: 182760cbe11fa0316abfb8b7b00b63f83159f5aa
MD5: f90b544f89cfbe38aee18024d7c39e40
SHA256: 9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747
Thebgiiecjcjg125_browsingMacho·macho
SHA1: 831dc7bc4a234907d94a889bcb60b7bedf1a1e13
MD5: 352715d5770b53768bf9f23d810ad55f
SHA256: 7fccc871c889a4f4c13a977fdd5f062d6de23c3ffd27e72661c986fae6370387
Thebgiiecjcjg126_browsingMacho·macho
SHA1: 3cc19cef767dee93588525c74fe9c1f1bf6f8007
MD5: e2699d59c3602893698c5958f485c6c2
SHA256: ec8f97d5595d92ec678ffbf5ae1f60ce90e620088927f751c76935c46aa7dc41
Decrypted Akira Ransomware
Researchers at Avast have developed a decryptor for the Akira ransomware and released it for public download.
The Akira ransomware appeared in March 2023, and since then the gang has claimed successful attacks on various organizations in the education, finance, and real estate industries, amongst others.
IoCs
Decryptedbgiieciiji1_browsingExe·exe
SHA1: 923161f345ed3566707f9f878cc311bc6a0c5268
MD5: c7ae7f5becb7cf94aa107ddc1caf4b03
SHA256: 3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c
Decryptedbgiieciiji2_browsingExe·exe
SHA1: f070a115100559dcaf31ce34d9e809a3134b2511
MD5: af95fbcf9da33352655f3c2bab3397e2
SHA256: 7b295a10d54c870d59fab3a83a8b983282f6250a0be9df581334eb93d53f3488
Decryptedbgiieciiji3_browsingExe·exe
SHA1: db9ba4f42942b27e1690c6d8a1bbd5b9d188fe49
MD5: e44eb48c7f72ffac5af3c7a37bf80587
SHA256: 8631ac37f605daacf47095955837ec5abbd5e98c540ffd58bb9bf873b1685a50
Word Document with an Online Attached Template
A SANS analyst found a Word document that behaves like a dropper.
IoCs
Matryoshkabgiididgjd2_browsingRtf·rtf
SHA1: b0f62e50605e27aad587a927b281400bf74c77d2
MD5: aad0a0df8d6cdd67b95a57e38edb0036
SHA256: a7056b7ae82c04e4ff2e674ddf76d08ac7e89baa4d18bc17059eaba9c522cb3d
Matryoshkabgiididgjd1_browsingDocx·docx
SHA1: 7ef52b3b5b24fa474ed73479414b053812a8fae0
MD5: 9c7bf7b8a7a33174e3b449e87abe0b31
SHA256: 5070e8a3fdaf3027170ade066eaf7f8e384c1cd25ce58af9155627975f97d156
Matryoshkabgiididgjd3_browsingExe·exe
SHA1: 1efefa84046a43da9a99a7d0c2f982d76bb8a8fb
MD5: e51d6eea3b64bd2db84f7401750b77cd
SHA256: 9d6ead1f911aa56ad0d3bb44131f22f0064d7c553c86d1d518d35247af49d488
New Qakbot (Qbot) activity
Qakbot using the Obama-series distribution tag was recently active on Tuesday, 2023-06-20 (obama269), Wednesday, 2023-06-21 (obama270), and Thursday, 2023-06-22 (obama271).
IoCs
Qbotbgiidicbbd1_browsingDll·dll
SHA1: 2e1a1291c0606ed7205b9506cf1e73cc58df38ac
MD5: bc48507c05a4ac575e5c398a39c5da86
SHA256: 98bf24844d138dfd50188f3325f13ea3a1cde4d650900ae1d6820a2b1d4a59fd
Qbotbgiidicbbd2_browsingJs·js
SHA1: 44273d6acf083eeb75e38f4108b5fb01033dfae7
MD5: 60685270bf241a7a9eac9e1591e574dc
SHA256: c465f039b08c3320fdce5f63992b5363b96c21d6e3b1da1df1e38caf65482caa
Qbotbgiidicbbd3_browsingZip·zip
SHA1: f2e3380b10709e6f8d1e4fbd860471945212302d
MD5: d39fc74d05d1e7f33b80ec0731339d8a
SHA256: d32e1cc5c161ae0fd8ae6c11cb6df5bce79690d1c533b4a5b9140ed8cb005f21