Remote Control Software Execution Remote Control Software Execution-mask

Cyber Threat Breakdown November 2023

Here is the November 2023 breakdown of threats, with a short list of IoCs. The full IoC list for each specific threat is available from the Cymulate app.

Reminder: The Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM list of IoCs, including hashes, URLs, domain names, etc.

Note: The period character ‘.’ in the hash names has been replaced with a ‘·’ out of an abundance of security caution.

Table of Contents

 Stealthy WailingCrab Malware Misuses MQTT Messaging Protocol

Ransomware Spotlight Trigona

DPRK State-Linked Cyber Actors Conduct Software Supply Chain Attacks

Israel-Hamas War Spotlight Shaking the Rust Off SysJoker

InfectedSlurs Botnet Spreads Mirai via Zero-Days

Diamond Sleet Supply Chain Compromise Distributes A Modified Cyberlink Installer

LitterDrifter Campaign

Attack Signals Possible Return of Genesis Market Abuses Nodejs and EV Code Signing

Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats

HrServ Previously Unknown Web Shell Used in APT Attack

StopRansomware LockBit 30 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability CISA AA23-325A

Threat Actor Shifts To Own Websites To Deploy Malicious SolarMarker Payloads

XWorm Malware Exploring CC Communication

UAC-0050 Cyber Attack Using Remcos RAT Disguised as SBU Request

Suspected Rattlesnake Organization Uses Nim Backdoor To Spy On Intelligence From Many Countries In South Asia

A Deep Dive into Phobos Ransomware Recently Deployed by 8Base Group

Stately Taurus Targets the Philippines As Tensions Flare in the South Pacific

Andariel Threat Group Attacks Servers Vulnerable To Apache ActiveMQ Vulnerability CVE-2023-46604

Stately Taurus APT Targets The Philippines With Trojans

Threat Trend Report On Kimsuky

Redline Dropped Through MSIX Package

Cert IL Alert – Iranian groups attack Israel with wipers

US Cert Alert – Rhysida Ransomware

Adversaries Exploit Confluence Vulnerability to Deploy Ransomware

GhostLocker – A Work In Progress RaaS

Malvertiser Copies PC News Site To Deliver RedLine Infostealer

Ransomware Roundup – Knight

Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability

US Cert Alert – Royal Ransomware Updated

IMPERIAL KITTEN Deploys Novel Malware Families

GhostSec – From Fighting ISIS to Possibly Targeting Israel with RaaS

Stealthy Flax Typhoon hackers use LOLBins to evade detection

SysAid Zero-Day Path Traversal Vulnerability Exploited CVE-2023-47246

MuddyC2Go Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel

Cert IL Alert – Exela Stealer

BlueNoroff strikes again with new macOS malware

From DarkGate To DanaBot

Cert IL Alert – Phishing campaign in Israel by Iranian Muddy Water

Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518

Agonizing Serpens Aka Agrius Targeting the Israeli Higher Education and Tech Sectors

Malware Dropped Through a ZPAQ Archive

Cert IL Alert – New Phishing Campaign

Analysis Of Activities of Suspected APT-C-36 Blind Eagle Organization Launching Amadey Botnet Trojan

Suspected Exploitation of Apache ActiveMQ CVE-2023-46604

Elastic Catches DPRK Passing Out KANDYKORN

Security Brief TA571 Delivers IcedID Forked Loader

A Retrospective on AvosLocker

From Albania to the Middle East The Scarred Manticore is Listening

Stealthy WailingCrab Malware Misuses MQTT Messaging Protocol

WailingCrab, also known as WikiLoader, is a sophisticated multi-component malware delivered almost exclusively by an initial access broker tracked as Hive0133, which overlaps with TA544.
WailingCrab was first observed in December 2022, and since then, it has been used extensively in email campaigns to deliver the Gozi backdoor, often against Italian targets.
In recent months, Hive0133 has targeted organizations beyond Italy with email campaigns delivering WailingCrab frequently using themes such as overdue delivery or shipping invoices.

IoCs

56b_browsing7001d029626cf1ae7ce295a63ed59b5ed087504f887c217fc753ff3a1f2b5XxX7Dll·dll
SHA1: 74aa7d555b8972362ba53e47f596e3403f5699b6
MD5: f6ea7ec5d94bc65bf82a6b42b57a6c82
SHA256: 56b7001d029626cf1ae7ce295a63ed59b5ed087504f887c217fc753ff3a1f2b5

50810e4696dd0_browsing75ca23349e3e1c3a87fc7b46ab89f4b1eb093a5cfb74f84cc51XxX6Dll·dll
SHA1: 19307cd55c54e8d4db3666fd11d69f2fe27942c0
MD5: f6d0b9617405f35bb846d671edda75d3
SHA256: 50810e4696dd075ca23349e3e1c3a87fc7b46ab89f4b1eb093a5cfb74f84cc51

9d80eb4be1e9139a03a6aa3f053fec14ed1880251b1f13d85d84d_edr7d64dddd581XxX1Dll·dll
SHA1: 7b3a2f5423e4b44b228ef8298d2947e307d43645
MD5: 971dd6c48909adf98861fb8457125faa
SHA256: 9d80eb4be1e9139a03a6aa3f053fec14ed1880251b1f13d85d84d7d64dddd581

Ransomware Spotlight Trigona

The Trigona ransomware was first tracked by Trend Micro as Water Ungaw emerged in October 2022.

IoCs

1_browsing70fa5d29cdb562d41a054abf2a57ca29fc233805b59692a1a57ebf25449be7cXxX4Exe·exe
SHA1: f158dd1eea5a99f9a93d9acde8a57e04eb028bbb
MD5: 17576d27c0bcd5ab82a73f0b7d4a3e55
SHA256: 170fa5d29cdb562d41a054abf2a57ca29fc233805b59692a1a57ebf25449be7c

4a0623195_browsing7c53dee1a11ff3eb84caad082f18761aee49e72d79c7f1d32884e34XxX6Exe·exe
SHA1: f899824e38a6d260df9b79d72b40899617819113
MD5: 0a8ee230e5390b8855b1968daee6827e
SHA256: 4a06231957c53dee1a11ff3eb84caad082f18761aee49e72d79c7f1d32884e34

http://45·227·253·99
SHA1: nan
MD5: nan
SHA256: nan

DPRK State-Linked Cyber Actors Conduct Software Supply Chain Attacks

DPRK state-linked cyber actors conduct software supply chain attacks Overview The National Intelligence Service (NIS) of the Republic of Korea (ROK) and the National Cyber Security Centre (NCSC) of the United Kingdom (UK) have identified Democratic People’s Republic of Korea (DPRK) state-linked cyber actors targeting software supply chain products widely used by government organizations financial institutions and defense industry companies globally.

IoCs

6c121f2b2efa6592c2c22b2921815_browsing7ec9e63f385e7a1d7425857d603ddef8c59XxX47Macho·macho
SHA1: 9e9a5f8d86356796162cee881c843cde9eaedfb3
MD5: 5faf36ca90f6406a78124f538a03387a
SHA256: 6c121f2b2efa6592c2c22b29218157ec9e63f385e7a1d7425857d603ddef8c59

a64fa9f1c_browsing76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67XxX43Dylib·dylib
SHA1: 769383fc65d1386dd141c960c9970114547da0c2
MD5: 660ea9b8205fbd2da59fefd26ae5115c
SHA256: a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67

http://zacharryblogs·com
SHA1: nan
MD5: nan
SHA256: nan

Israel-Hamas War Spotlight Shaking the Rust Off SysJoker

A new variant of the SysJoker Windows malware developed in the Rust language has been linked to targeted attacks against Israel by a Hamas-affiliated threat actor.

IoCs

6_browsing7ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706XxX51Exe·exe
SHA1: f15f3ca6571c60e2116c0170f36992e856e2b10a
MD5: 31c2813c1fb1e42b85014b2fc3fe0666
SHA256: 67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706

e0_browsing76e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836XxX54Exe·exe
SHA1: 29e0815512b6f939e66693dcd54408b6d9900c78
MD5: d51e617fe1c1962801ad5332163717bb
SHA256: e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836

http://85·31·231·49
SHA1: nan
MD5: nan
SHA256: nan

InfectedSlurs Botnet Spreads Mirai via Zero-Days

In late October 2023, the Akamai SIRT observed an increase in activity targeting a rarely used TCP port on their honeypots, peaking at 20 attempts per day and later averaging two to three attempts daily.
Subsequent investigation until November 9 revealed a specific HTTP exploit path and targeted port, raising questions about discovered devices fitting the profile due to an odd HTTP response Server header with internet slang roots.

IoCs

f8abf9fb1_browsing7f59cbd7381aa9f5f2e1952628897cee368defd6baa6885d74f3eccXxX10Elf·elf
SHA1: 1da12852d25ed66a13bd14cd4fc243118dd14c95
MD5: cc888ace5a9ad90e95c7a08504a9de7f
SHA256: f8abf9fb17f59cbd7381aa9f5f2e1952628897cee368defd6baa6885d74f3ecc

7cc62a1bb2db82e_browsing76183eb06e4ca84e07a78cfb71241f21212afd1e01cb308b2XxX16Elf·elf
SHA1: db49b39b43fd1cd44f8695f3d5606b714ecd5c35
MD5: 8cafa4aecaeedc2beb48dc083f1516dd
SHA256: 7cc62a1bb2db82e76183eb06e4ca84e07a78cfb71241f21212afd1e01cb308b2

http://dfvzfvd·help
SHA1: nan
MD5: nan
SHA256: nan

Diamond Sleet Supply Chain Compromise Distributes A Modified Cyberlink Installer

Researchers uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp.,
a software company that develops multimedia software products.
This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload.
The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products.

IoCs

166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de_browsing7e5bfbfb5afb8beXxX14Exe·exe
SHA1: 141b635caacd8def3a1869cfb717262207ecae35
MD5: 575ebf994b75d091e8df381cce992aaa
SHA256: 166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be

0895_browsing73b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63dXxX13Png·png
SHA1: dde44c91e9394b97a6d18f5b13031e2399853b03
MD5: fbcbfe33cc9d29566ce2c0a4021b54fb
SHA256: 089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d

166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de_edr7e5bfbfb5afb8beXxX14Exe·exe
SHA1: 141b635caacd8def3a1869cfb717262207ecae35
MD5: 575ebf994b75d091e8df381cce992aaa
SHA256: 166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be

LitterDrifter Campaign

The LitterDrifter worm is written in VBS and has two main functionalities: automatic spreading over USB drives and communication with a broad, flexible set of command-and-control servers.
These features are implemented in a manner that aligns with the group’s goals, effectively maintaining a persistent command and control (C2) channel across a wide array of targets.
LitterDrifter seems to be an evolution of a Gamaredon group activity to a propagating USB Powershell worm.

IoCs

50f5e8f6_browsing73915508d2add406f1c72de5112a01a1b3fdd41b314029c796a7d754XxX9Txt·txt
SHA1: fa7a9c86744c233efa9289e919ec1ebb66e1ee84
MD5: 8096dfaa954113242011e0d7aaaebffd
SHA256: 50f5e8f673915508d2add406f1c72de5112a01a1b3fdd41b314029c796a7d754

3cfb6514e51f40a4c325e04a35c1_browsing74af4dab95167019e6aa36a2c422e35d7b72XxX2Txt·txt
SHA1: e1e46550f77b4cc2560668865d68169f5a641601
MD5: 6349dd85d9549f333117a84946972d06
SHA256: 3cfb6514e51f40a4c325e04a35c174af4dab95167019e6aa36a2c422e35d7b72

http://triticumos·ru
SHA1: nan
MD5: nan
SHA256: nan

Attack Signals Possible Return of Genesis Market Abuses Nodejs and EV Code Signing

The Trend Micro Managed XDR team encountered malicious operations that used techniques similar to the ones used by Genesis Market.
The threat actor behind these operations abused Node.js to act as a platform for the backdoor Extended Validation (EV) Code Signing for defense evasion and possibly Google Colab to host search engine-optimized download sites.

IoCs

d9ca193b5da85a3841ec_browsing749b67168c906e21bbaac40f0a0bff40839efb3a74c1XxX27Exe·exe
SHA1: 506accb774d2a2be4b0ee3bdd3c549f09684ab9b
MD5: 8ade6f83a1ad66110945cac3ab34a3c5
SHA256: d9ca193b5da85a3841ec749b67168c906e21bbaac40f0a0bff40839efb3a74c1

cb99365bac3d168e295aa0_browsing764a1c67e1a7e582731880ad0522e9b6b3616275dfXxX24Exe·exe
SHA1: 3364dd410527f6fc2c2615aa906454116462bf96
MD5: da354f956ee4d8d0bb714b4bda0c57f6
SHA256: cb99365bac3d168e295aa0764a1c67e1a7e582731880ad0522e9b6b3616275df

https://91·212·166·16
SHA1: nan
MD5: nan
SHA256: nan

Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats

CVE-2021-35394 was disclosed on Aug.
16 2021.
The vulnerability affects UDPServer in Realtek Jungle SDK version 2.0 and later Realtek Jungle SDK version 3.4.14B.
Remote unauthenticated attackers could leverage this vulnerability to achieve arbitrary command execution, leading to devices being taken over.

IoCs

26e96945ee32199536d4c85124a24c28e853b55_browsing7eb31f3907d19f08b9798dff4XxX1Elf·elf
SHA1: 68ec5f83bf5cff8c0af67a175a617b0f577ff557
MD5: aaee43e63d5a3abd70ffa774a16c816e
SHA256: 26e96945ee32199536d4c85124a24c28e853b557eb31f3907d19f08b9798dff4

196_browsing7370203138b9324f11c5cb3fd15ac8d2f0c585373486614600b676a4e2641XxX2Elf·elf
SHA1: c1700d081795b6770cb71eb79b3b3328253d2afe
MD5: 75ade86d5cb702c76576c587c167c451
SHA256: 1967370203138b9324f11c5cb3fd15ac8d2f0c585373486614600b676a4e2641

http://3·235·28·168
SHA1: nan
MD5: nan
SHA256: nan

HrServ Previously Unknown Web Shell Used in APT Attack

Kaspersky reports on a newly discovered DLL file identified as hrserv.dll, which is a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution.

IoCs

f3851_browsing7692ab3e817182a396a407d9fe1c260c89bb6b733764737562f235115f0XxX4Dll·dll
SHA1: a5796a2cc31e1ab1a8a12131f803affe735a835f
MD5: d0fe27865ab271963e27973e81b77bae
SHA256: f38517692ab3e817182a396a407d9fe1c260c89bb6b733764737562f235115f0

f3851_edr7692ab3e817182a396a407d9fe1c260c89bb6b733764737562f235115f0XxX4Dll·dll
SHA1: a5796a2cc31e1ab1a8a12131f803affe735a835f
MD5: d0fe27865ab271963e27973e81b77bae
SHA256: f38517692ab3e817182a396a407d9fe1c260c89bb6b733764737562f235115f0

StopRansomware LockBit 30 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability CISA AA23-325A

The Cybersecurity and Infrastructure Security Agency (CISA) Federal Bureau of Investigation (FBI) Multi-State Information Sharing & Analysis Center (MS-ISAC), and the Australian Signals Directorates Australian Cyber Security Center (ASDs ACSC) have issued a joint Cybersecurity Advisory (CSA).
The advisory shares Indicators of Compromise (IOCs), Tactics Techniques and Procedures (TTPs), and detection methods associated with LockBit 3.0 ransomware exploiting the CVE-2023-4966 vulnerability also known as Citrix Bleed.
This vulnerability affects Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.
The advisory includes TTPs and IOCs gathered from the FBI ACSC and information voluntarily shared by Boeing.
Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966 to gain initial access to Boeing Distribution Inc.
Its parts and distribution business and similar activity has been reported by other trusted third parties impacting their organizations.

IoCs

e55_browsing7e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068XxX183Exe·exe
SHA1: ec401ae8ddebef4038cedb65cc0d5ba6c1fdef28
MD5: 37f7241963cf8279f7c1d322086a5194
SHA256: e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068

1_browsing7a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994XxX185Dll·dll
SHA1: 364ef2431a8614b4ef9240afa00cd12bfba3119b
MD5: 206b8b9624ee446cad18335702d6da19
SHA256: 17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994

http://62·233·50·25/en-us/test·html
SHA1: nan
MD5: nan
SHA256: nan

Threat Actor Shifts To Own Websites To Deploy Malicious SolarMarker Payloads

Researchers analyzed the latest SolarMarker campaign, noting a shift from using Google Drive and compromised WordPress sites to the threat actors’ own websites for deploying malicious payloads.
This change provides greater control over the hosting environment, allowing them to quickly remove the malicious landing page hindering researchers’ scrutiny.
The landing pages mimic legitimate companies with replicas of self-publishing and engineering company sites.
Despite this shift, the threat actors continue to employ SEO poisoning to manipulate search engine rankings.
The initial infection chain remains similar to previous campaigns involving users clicking on links that redirect to a dynamically generated payload download page.
The payload is served from the attackers’ server hosted on the Hestia Control Panel over port 8083.
The latest SolarMarker payloads drop decoys like SumatraPDF and PDF files.

IoCs

e25d336e9160e0f9e0e9d3932f561_browsing7247e3e3c37828e92b3321d3ed744b77f52XxX3Exe·exe
SHA1: cf51b44e96e516f9478b0465b0cd8b7c4c1dbb21
MD5: 80b2e25abd8a70909cc7b94bec90efc2
SHA256: e25d336e9160e0f9e0e9d3932f5617247e3e3c37828e92b3321d3ed744b77f52

7d1c_browsing7561a6c3f78a6bd5cbe4265fff1fdb9d3b87814d655221a372660ca4d565XxX5Exe·exe
SHA1: df28ca50d4d6440f11d7fc737986920c6f71e6ad
MD5: e33c50ee3bdb341ae0739c9b0a1093c1
SHA256: 7d1c7561a6c3f78a6bd5cbe4265fff1fdb9d3b87814d655221a372660ca4d565

http://146·70·169·170
SHA1: nan
MD5: nan
SHA256: nan

XWorm Malware Exploring CC Communication

A sophisticated phishing campaign, initially detected in September, has shown a remarkable evolution in its tactics. Initially focused on disseminating DarkGate malware, this campaign has now incorporated more complex and elusive strategies. These advanced techniques are not only aimed at evading detection but also include anti-analysis measures, enabling the continued spread of DarkGate. More recently, this campaign has also been observed distributing PikaBot malware. Cybersecurity firm Cymulate has identified a sample in the wild that could be linked to this campaign, though the connection remains uncertain.

IoCs

7df14d2929a500eec6a144ec8e68_browsing7960bbea047f9a78a46ea64faa1fa28f8724XxX6Dll·dll
SHA1: 624c0a51cc720d82dd814d6bf0ef52940ab02f7d
MD5: 090f6384ef4463a23a331d03e796af6c
SHA256: 7df14d2929a500eec6a144ec8e687960bbea047f9a78a46ea64faa1fa28f8724

0ee68c8008e2a8d6252db3d3b1a1b01_browsing79e1f868b0b3240bbcec3d1c29d5364fbXxX7Dll·dll
SHA1: 06a9689266396eea2e893e17db33647f1175048b
MD5: 250c1b9f4f4b2fe05977ed2dc0bd85ec
SHA256: 0ee68c8008e2a8d6252db3d3b1a1b0179e1f868b0b3240bbcec3d1c29d5364fb

a0434d04361c1d134819_mail71f4072681781b2075a5c8025c028ef85f50357b808cXxX1Zip·zip
SHA1: dbe84264b6a722aae5ea014f7a8694bb0f0669a1
MD5: e5b3ac1c9b784feec61401a3b3f81ece
SHA256: a0434d04361c1d13481971f4072681781b2075a5c8025c028ef85f50357b808c

UAC-0050 Cyber Attack Using Remcos RAT Disguised as SBU Request

CERT-UA has identified a widespread phishing campaign impersonating the Security Service of Ukraine.

IoCs

a4d5382438138f6_browsing79073396bca73dc4f6bc39420966944f4fea8a9ab4087d004XxX6Exe·exe
SHA1: 649f3f6259c5c8b0d81ef769afd70c24fd61414a
MD5: 78850bbef776551ca830317fb244b086
SHA256: a4d5382438138f679073396bca73dc4f6bc39420966944f4fea8a9ab4087d004

2ce640_browsing749819e27d457827eede4d14abbf65981cd716ef25d9489b7eeba314d2XxX2Rar·rar
SHA1: 45b2ac4c1723487b1a9a88b21b2330f698992332
MD5: 769f464fa505add7a477ad95407afec3
SHA256: 2ce640749819e27d457827eede4d14abbf65981cd716ef25d9489b7eeba314d2

http://111·90·147·98
SHA1: nan
MD5: nan
SHA256: nan

Suspected Rattlesnake Organization Uses Nim Backdoor To Spy On Intelligence From Many Countries In South Asia

Sidewinder, also known as Sidewinder QiAnXin, has an internal tracking number APT-Q-39.
This organization is generally believed to have a background in South Asia and was disclosed by domestic and foreign security vendors in 2018.
Its earliest attack activities can be traced back to 2012.
The organization’s attack targets are generally government and military departments in China and many South Asian countries.
Some of its attacks also involve universities and scientific research institutions.

IoCs

1409f9d855c06f66fb_browsing7d7c7bf9f821b5d1631da926b07dcdb260606e09763ad3XxX224Exe·exe
SHA1: 59a44179fdaf06cf7756ba77091eb05a1666b110
MD5: 30ddd9ebe00f34f131efcd8124462fe3
SHA256: 1409f9d855c06f66fb7d7c7bf9f821b5d1631da926b07dcdb260606e09763ad3

0355_browsing7c70951eb3fa74e1650eb9dc87b8e3820a063fb4b14ccc8c8cd887a77f35XxX225Docx·docx
SHA1: 18a561aa100c87d386e4a256b4e3aaac12d067e2
MD5: 7bea8ea83d5b4fe5985172dbb4fa1468
SHA256: 03557c70951eb3fa74e1650eb9dc87b8e3820a063fb4b14ccc8c8cd887a77f35

0355_mail7c70951eb3fa74e1650eb9dc87b8e3820a063fb4b14ccc8c8cd887a77f35XxX225Docx·docx
SHA1: 18a561aa100c87d386e4a256b4e3aaac12d067e2
MD5: 7bea8ea83d5b4fe5985172dbb4fa1468
SHA256: 03557c70951eb3fa74e1650eb9dc87b8e3820a063fb4b14ccc8c8cd887a77f35

A Deep Dive into Phobos Ransomware Recently Deployed by 8Base Group

Cisco Talos has recently observed an increase in activity conducted by 8Base, a ransomware group that uses a variant of the Phobos ransomware and other publicly available tools to facilitate their operations.

IoCs

2_browsing704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66XxX7Exe·exe
SHA1: aed68cfa282ec2b0f8a681153beaebe3a17d04ee
MD5: 9376f223d363e28054676bb6ef2c3e79
SHA256: 2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66

518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c_browsing7c3951b01c1b19cXxX9Exe·exe
SHA1: 4a8f0331abaf8f629b3c8220f0d55339cfa30223
MD5: 2809e15a3a54484e042fe65fffd17409
SHA256: 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c

fc4b14250db_edr7f66107820ecc56026e6be3e8e0eb2d428719156cf1c53ae139c6XxX13Exe·exe
SHA1: b092a6bf7fb6755e095ed9f35147d1c6710cf2c4
MD5: b119cdd3d02b60009b9ad39da799ed3b
SHA256: fc4b14250db7f66107820ecc56026e6be3e8e0eb2d428719156cf1c53ae139c6

Stately Taurus Targets the Philippines As Tensions Flare in the South Pacific

Coinciding with these real-world events, researchers observed three Stately Taurus campaigns during the month of August.
These campaigns are assessed to have targeted entities in the South Pacific, including the Philippines government.
The campaigns leveraged legitimate software, including Solid PDF Creator and SmadavProtect (an Indonesian-based antivirus solution), to sideload malicious files.
Threat authors also creatively configured the malware to impersonate legitimate Microsoft traffic for command and control (C2) connections.

IoCs

24c6449a9e234b0_browsing7772db8fdb944457a23eecbd6fbb95bc0b1398399de798584XxX23Dll·dll
SHA1: 7cd582a3e8799cb5b621c7f602e9d027c860e5af
MD5: 8f7fc5613e1d0305f5c8450801178dcf
SHA256: 24c6449a9e234b07772db8fdb944457a23eecbd6fbb95bc0b1398399de798584

2b05a04cd9_browsing7d7547c8c1ac0c39810d00b18ba3375b8feac78a82a2f9a314a596XxX24Dll·dll
SHA1: 4098f3773e7bc426787888f1458da64253d42fbe
MD5: 6bce82d85999d3eba967577299aa7352
SHA256: 2b05a04cd97d7547c8c1ac0c39810d00b18ba3375b8feac78a82a2f9a314a596

bebde82e636e2_mail7aa91e2e60c6768f30beb590871ea3a3e8fb6aedbd9f5c154c5XxX29Zip·zip
SHA1: 0d2e6c416056a549604ba441a9ded8fe922df741
MD5: 8f8896294a2229cd66332fbb80c35411
SHA256: bebde82e636e27aa91e2e60c6768f30beb590871ea3a3e8fb6aedbd9f5c154c5

Andariel Threat Group Attacks Servers Vulnerable To Apache ActiveMQ Vulnerability CVE-2023-46604

The Andariel group is exploiting the Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware, specifically NukeSped and TigerRat backdoors.
While there are no direct logs, it is presumed that the group is using this vulnerability to carry out the installation.
CVE-2023-46604 is a remote code execution vulnerability in the Apache ActiveMQ server and if an unpatched server is exposed, attackers can remotely execute malicious commands and gain control of the system.
During the investigation, it was confirmed that the NukeSped backdoor previously associated with the Andariel group was installed on a specific system.
The Apache ActiveMQ server was identified on the compromised system along with various attack logs, including indications of HelloKitty ransomware.
The attacker utilized a malicious Java class file in the exploitation process, and the malware is responsible for downloading and installing additional payloads in both Windows and Linux environments.

IoCs

dd13cf13c1fbdc_browsing76da63e76adcf36727cfe594e60af0dc823c5a509a13ae1e15XxX32Exe·exe
SHA1: a191b1cfbdfcc53dc49d35d21f3f5b52808dc476
MD5: dc9d60ce5b3d071942be126ed733bfb8
SHA256: dd13cf13c1fbdc76da63e76adcf36727cfe594e60af0dc823c5a509a13ae1e15

c3c0cf25d682e981c_browsing7ce1cc0a00fa2b8b46cce2fa49abe38bb412da21da99cb7XxX34Exe·exe
SHA1: c789942d013d8b45b6988ecc6491f5f1a1746311
MD5: 26ff72b0b85e764400724e442c164046
SHA256: c3c0cf25d682e981c7ce1cc0a00fa2b8b46cce2fa49abe38bb412da21da99cb7

http://168·100·9·154:9090/Notification·msi
SHA1: nan
MD5: nan
SHA256: nan

Stately Taurus APT Targets The Philippines With Trojans

In August 2023, researchers identified three Stately Taurus campaigns targeting entities in the South Pacific, including the Philippines government.
These campaigns utilized legitimate software like Solid PDF Creator and SmadavProtect (an Indonesian antivirus solution) to sideload malicious files.
The malware was creatively configured to mimic legitimate Microsoft traffic for command and control (C2) connections.
In the first campaign, a Stately Taurus malware package hosted on Google Drive disguised itself as a ZIP file containing meeting minutes.
Victims unaware of a hidden DLL file inadvertently side-loaded the malicious file while attempting to execute the visible Solid PDF Creator.
The second campaign used a ZIP file named NUGs Foreign Policy Strategy referencing the National Unity Government of Myanmar.
Similar to the first, this campaign employed the same sideloading technique, including additional hidden files.
The third campaign, structurally identical to the first, used the filename Labour Statement.zip.
Victims again deceived by a visible Solid PDF Creator inadvertently loaded the hidden malicious DLL establishing a connection to 45.121.146[.]113 for C2 consistent with the previous campaigns.

IoCs

24c6449a9e234b0_browsing7772db8fdb944457a23eecbd6fbb95bc0b1398399de798584XxX49Dll·dll
SHA1: 7cd582a3e8799cb5b621c7f602e9d027c860e5af
MD5: 8f7fc5613e1d0305f5c8450801178dcf
SHA256: 24c6449a9e234b07772db8fdb944457a23eecbd6fbb95bc0b1398399de798584

http://45·121·146·113
SHA1: nan
MD5: nan
SHA256: nan

Threat Trend Report On Kimsuky

This AhnLab research report from September 2023 highlights a significant increase in the activities of the Kimsuky group, specifically in the use of RandomQuery malware.
The activities of other malware were reported to be relatively low or non-existent during this period.
The Kimsuky group is known for its cyber threats, and this surge in activity indicates a potential increase in cyber risk.
The report does not provide further details on the nature of these activities or their potential impact.
It is recommended that organizations remain vigilant and ensure their cyber security measures are up to date to mitigate any potential threats.

IoCs

1426269940ef6036941ccfbf68b0b65259bc_browsing72918f30481465a11d8b97250f07XxX136Lnk·lnk
SHA1: c0ecac442d2a58be19a486393e84ce68ef0b7575
MD5: fb5aec165279015f17b29f9f2c730976
SHA256: 1426269940ef6036941ccfbf68b0b65259bc72918f30481465a11d8b97250f07

c626_browsing77543eeb50e0def44fc75009a7748cdbedd0a3ccf62f50d7f219f6a5aa05XxX138Chm·chm
SHA1: b5224224fdbabdea53a91a96e9f816c6f9a8708c
MD5: 364d4fdf430477222fe854b3cd5b6d40
SHA256: c62677543eeb50e0def44fc75009a7748cdbedd0a3ccf62f50d7f219f6a5aa05

http://smart·com-www·click
SHA1: nan
MD5: nan
SHA256: nan

Redline Dropped Through MSIX Package

SANS Analysts say that recent developments have highlighted the MSIX package file format, particularly concerning the malwares that had been found to circumvent several security measures when delivered through an MSIX package.

IoCs

82db2d060d69ab6f88b85b_browsing79cf16255ee30982db1228d6e94ea02bf4feb2f181XxX1Zip·zip
SHA1: 88e9a850a66c08cddf943eb1b69c1eb86a7bfa5d
MD5: d3163127b1e6b7c3a21d04fd39beffbd
SHA256: 82db2d060d69ab6f88b85b79cf16255ee30982db1228d6e94ea02bf4feb2f181

82db2d060d69ab6f88b85b_edr79cf16255ee30982db1228d6e94ea02bf4feb2f181XxX1Zip·zip
SHA1: 88e9a850a66c08cddf943eb1b69c1eb86a7bfa5d
MD5: d3163127b1e6b7c3a21d04fd39beffbd
SHA256: 82db2d060d69ab6f88b85b79cf16255ee30982db1228d6e94ea02bf4feb2f181

82db2d060d69ab6f88b85b_mail79cf16255ee30982db1228d6e94ea02bf4feb2f181XxX1Zip·zip
SHA1: 88e9a850a66c08cddf943eb1b69c1eb86a7bfa5d
MD5: d3163127b1e6b7c3a21d04fd39beffbd
SHA256: 82db2d060d69ab6f88b85b79cf16255ee30982db1228d6e94ea02bf4feb2f181

Cert IL Alert – Iranian groups attack Israel with wipers

The National Cyber Directorate has information about an Iranian attack group operating with Wipers (aggressive server and workstation erasers) in the Israeli internet space. The National Cyber Directorate deems it appropriate to share this information.

IoCs

Wiper1_browsingHtml·html
SHA1: a2d52a998c4343aa565e703372c0bd5ea325c12c
MD5: 8f9b77145385c9d0f7d75942790ffc4e
SHA256: abfde7c29a4a703daa2b8ad2637819147de3a890fdd12da8279de51a3cc0d96d

Wiper1_edrHtml·html
SHA1: a2d52a998c4343aa565e703372c0bd5ea325c12c
MD5: 8f9b77145385c9d0f7d75942790ffc4e
SHA256: abfde7c29a4a703daa2b8ad2637819147de3a890fdd12da8279de51a3cc0d96d

US Cert Alert – Rhysida Ransomware

The Federal Bureau of Investigation (FBI) Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as September 2023.
Rhysidaan emerging ransomware variant has predominately been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023

IoCs

0_browsing78163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937bXxX2Exe·exe
SHA1: 3e2272b916da4be3c120d17490423230ab62c174
MD5: 24a648a48741b1ac809e47b9543c6f12
SHA256: 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

edfae1a69522f8_browsing7b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525efXxX8Exe·exe
SHA1: 0098c79e1404b4399bf0e686d88dbf052269a302
MD5: db89ec570e6281934a5c5fcf7f4c8967
SHA256: edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef

http://157·154·194·6
SHA1: nan
MD5: nan
SHA256: nan

Adversaries Exploit Confluence Vulnerability to Deploy Ransomware

On November 5 2023 Red Canary detected suspected exploitation of Atlassian Confluence CVE-2023-22518 that led to an attempt to deploy Cerber ransomware.

IoCs

f2e1_browsing7ec85c3f8ee26a3be3ce52c6e140448941d705a9bdedb7c1aa82a9d9707fXxX3Exe·exe
SHA1: c13c49b52069287bbf74b328e6ce084587ec5ffb
MD5: 7415347d5ea5f0db29ec95a4a61aba90
SHA256: f2e17ec85c3f8ee26a3be3ce52c6e140448941d705a9bdedb7c1aa82a9d9707f

f2e1_edr7ec85c3f8ee26a3be3ce52c6e140448941d705a9bdedb7c1aa82a9d9707fXxX3Exe·exe
SHA1: c13c49b52069287bbf74b328e6ce084587ec5ffb
MD5: 7415347d5ea5f0db29ec95a4a61aba90
SHA256: f2e17ec85c3f8ee26a3be3ce52c6e140448941d705a9bdedb7c1aa82a9d9707f

http://193·176·179·41
SHA1: nan
MD5: nan
SHA256: nan

GhostLocker – A Work In Progress RaaS

What makes the current landscape unusual is the entry of hacktivist groups into this domain.
One such group, GhostSec, has introduced a novel Ransom-as-a-Service encryptor known as GhostLocker.

IoCs

abac31b552_browsing7803a89c941cf24280a9653cdee898a7a338424bd3e9b15d792972XxX4Exe·exe
SHA1: e59372a29c43af4d15ed77784547aae34d3a6bdc
MD5: 9c66d8fde4e6d395558182156e6fe298
SHA256: abac31b5527803a89c941cf24280a9653cdee898a7a338424bd3e9b15d792972

7e14d88f60fe80f8fa2_browsing7076566fd77e51c7d04674973a564202b4a7cbfaf2778XxX2Exe·exe
SHA1: 63ddf8364efe1130ecf788ab9ce566026a972cbe
MD5: 81a136029d29d26920c0287faf778776
SHA256: 7e14d88f60fe80f8fa27076566fd77e51c7d04674973a564202b4a7cbfaf2778

http://88·218·62·219/download
SHA1: nan
MD5: nan
SHA256: nan

Malvertiser Copies PC News Site To Deliver RedLine Infostealer

In a recent campaign, researchers discovered a threat actor mimicking the legitimate Windows news portal WindowsReport.com to distribute a malicious installer for the widely used processor tool CPU-Z.
The genuine Windows Report site was not compromised; instead, threat actors replicated its content to deceive users.
This incident is part of a broader malvertising effort targeting various utilities like Notepad++ Citrix and VNC Viewer, which is evident in the campaign’s infrastructure and cloaking techniques to avoid detection.
The malicious ad promotes CPU-Z, a popular Windows utility using the likely compromised or fake identity of Scott Cooper.
Cloaking is employed to show a standard blog to unintended visitors, while those searching for CPU-Z and clicking the ad are led to a download page with a deceptive URL.
The payload includes a digitally signed MSIX installer containing a malicious PowerShell script and a loader known as FakeBat facilitating the installation of Redline Stealer.

IoCs

9acbf1a5cd040c6dcecbe4e8e65044b380b_browsing7432f46c5fbf2ecdc97549487ca88XxX86Exe·exe
SHA1: 97ad717d9f028ec11b14303e245f180fb3c1d816
MD5: a468d19fc98a47339a5fb82d57fd9e57
SHA256: 9acbf1a5cd040c6dcecbe4e8e65044b380b7432f46c5fbf2ecdc97549487ca88

55d3ed51c3d8f56ab305a40936b446f_browsing761021abfc55e5cc8234c98a2c93e99e1XxX82Zip·zip
SHA1: 3b22fa8cbb2cd671cf051843f4b4e02ccbf0db50
MD5: 08246a76130d756af9ebe5f663f6c504
SHA256: 55d3ed51c3d8f56ab305a40936b446f761021abfc55e5cc8234c98a2c93e99e1

http://94·131·111·240
SHA1: nan
MD5: nan
SHA256: nan

Ransomware Roundup – Knight

Knight is a relatively new ransomware group that arrived in August 2023.
Like many attackers, the gang behind this variant employs double extortion tactics where the Knight ransomware encrypts files on victims machines and exfiltrates data for extortion purposes.

IoCs

fba8fee602b5c3db46cbbb45ff2f8aa_browsing72791f47f8b8c6a556334d3d3358cebbaXxX64Exe·exe
SHA1: 87090405611573e0679617a9930ed33d6f8b81fa
MD5: a1fe65416c9291a85fbd24d227d0ae8d
SHA256: fba8fee602b5c3db46cbbb45ff2f8aa72791f47f8b8c6a556334d3d3358cebba

cd92bf9c3349b086eec621de24_browsing7bbb1bceebffb90863a46496c3b41fb13ec745XxX63Exe·exe
SHA1: 8616973f7386be0c1a0c3b10c538c8678cdf6e8b
MD5: 52026376e76ca95627a04bc765951a34
SHA256: cd92bf9c3349b086eec621de247bbb1bceebffb90863a46496c3b41fb13ec745

http://89·23·96·203/333/xwenxub285p83ecrzvft·exe
SHA1: nan
MD5: nan
SHA256: nan

Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability

Since early October 2023, researchers observed two North Korean nation-state threat actors, Diamond Sleet and Onyx Sleet, exploiting CVE-2023-42793, a remote code execution vulnerability affecting multiple versions of the JetBrains TeamCity server.
TeamCity is a continuous integration/continuous deployment (CI/CD) application used by organizations for DevOps and other software development activities.

IoCs

000_browsing752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eeeXxX14Exe·exe
SHA1: fadbbb63e948b5b3bbbaeedc77e69472143a3b86
MD5: 19a05a559b0c478f3049cd414300a340
SHA256: 000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee

f251144f_browsing7ad0be0045034a1fc33fb896e8c32874e0b05869ff5783e14c062486XxX17Dll·dll
SHA1: 5cb95a50e298fbd754bd42eec8666fd272d40de7
MD5: c42f28b2851dd63928ac76d74e536ba4
SHA256: f251144f7ad0be0045034a1fc33fb896e8c32874e0b05869ff5783e14c062486

http://162·19·71·175:7443/bottom·gif
SHA1: nan
MD5: nan
SHA256: nan

US Cert Alert – Royal Ransomware Updated

Since September 2022, Royal has targeted over 350 known victims worldwide, and ransomware demands have exceeded 275 million USD.
Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid.
Phishing emails are among the most successful vectors for initial access by Royal threat actors.
There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant.

IoCs

4cd00234b18e04dcd_browsing745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ceXxX6Txt·txt
SHA1: 1206bd44744d61f6c31aba2234c34d3e35b5bac7
MD5: 57bd8fba4aa26033fa080f390b31ed0e
SHA256: 4cd00234b18e04dcd745cc81bb928c8451f6601affb5fa45f20bb11bfb5383ce

8a99353662ccae11_browsing7d2bb22efd8c43d7169060450be413af763e8ad7522d2451XxX2Exe·exe
SHA1: 7902b08fb184cfb9580d0ad950baf048a795f7c1
MD5: 527c71c523d275c8367b67bbebf48e9f
SHA256: 8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451

http://47·87·229·39
SHA1: nan
MD5: nan
SHA256: nan

IMPERIAL KITTEN Deploys Novel Malware Families

CrowdStrike Intelligence has identified an Iran-nexus adversary as the subject of a series of cyberattacks and strategic web compromise operations in the Middle East as well as a range of other targets.

IoCs

32c40964f_browsing75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827XxX32Exe·exe
SHA1: 01b4ed3e7d026f9b9038e93bb3313602256aaf2f
MD5: 6d02207c9ce1b3967077065c40eb1bb1
SHA256: 32c40964f75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827

32c40964f_edr75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827XxX32Exe·exe
SHA1: 01b4ed3e7d026f9b9038e93bb3313602256aaf2f
MD5: 6d02207c9ce1b3967077065c40eb1bb1
SHA256: 32c40964f75c3e7b81596d421b5cefd0ac328e01370d0721d7bfac86a2e98827

http://95·164·61·254
SHA1: nan
MD5: nan
SHA256: nan

GhostSec – From Fighting ISIS to Possibly Targeting Israel with RaaS

The hacker collective called GhostSec has unveiled an innovative Ransomware-as-a-Service (RaaS) framework called GhostLocker.
They provide comprehensive assistance to customers interested in acquiring this service through a dedicated Telegram channel.
Presently, GhostSec is focusing its attacks on Israel.
This move represents a surprising departure from their past activities and stated agenda.

IoCs

663ac2d88_browsing7df18e6da97dd358ebd2bca55404fd4a1c8c1c51215834fc6d11b33XxX5Exe·exe
SHA1: 57067dc15355c91fbbacf4f0f8b74555aae2dfd3
MD5: bdc119efae38ea528c10adbd4c9000e4
SHA256: 663ac2d887df18e6da97dd358ebd2bca55404fd4a1c8c1c51215834fc6d11b33

ee22_browsing7cd0ef308287bc536a3955fd81388a16a0228ac42140e9cf308ae6343a3fXxX7Exe·exe
SHA1: 57b54340bb46950a708d0cb773101a77a9da0d95
MD5: dfbaa667c07fdd5ad2543ce98d097027
SHA256: ee227cd0ef308287bc536a3955fd81388a16a0228ac42140e9cf308ae6343a3f

http://195·2·79·117
SHA1: nan
MD5: nan
SHA256: nan

Stealthy Flax Typhoon hackers use LOLBins to evade detection

Microsoft has identified a new hacking group it now tracks as Flax Typhoon that targets government agencies and education critical manufacturing and information technology organizations likely for espionage purposes.
The threat actor does not rely much on malware to gain and maintain access to the victim network and prefers using mostly components already available on the operating system, the so-called living-off-the-land binaries or LOLBins, and legitimate software.
Operating since at least mid-2021, Flax Typhoon mainly targeted organizations in Taiwan, although Microsoft discovered some victims in Southeast Asia, North America, and Africa.

IoCs

05eda38_browsing7de52fbad830dc6166483cf24247f0084137dda4534718cdd9afd8eb1XxX1Exe·exe
SHA1: 16d366e2a2e421652414f81ce9b57ab620593a32
MD5: b19ceba22473bad92a46d2f9d4e7893f
SHA256: 05eda387de52fbad830dc6166483cf24247f0084137dda4534718cdd9afd8eb1

e8c_browsing7d7f8c4084e5b7f56d8b20726544ad7d5946bef0fe4116509fac9ca4be90bXxX2Exe·exe
SHA1: 089fce9aa80662c655e07dfc5185ecdae23250c9
MD5: a1bcf57d667a392148a69eb5846cf6ba
SHA256: e8c7d7f8c4084e5b7f56d8b20726544ad7d5946bef0fe4116509fac9ca4be90b

http://45·195·149·224
SHA1: nan
MD5: nan
SHA256: nan

SysAid Zero-Day Path Traversal Vulnerability Exploited CVE-2023-47246

A new vulnerability (CVE-2023-47246) in SysAid on-prem software was discovered by researchers.
The exploit carried out by a group called DEV-0950 (Lace Tempest) involved uploading a malicious archive into the webroot, leading to unauthorized access.
The attacker then used a WebShell to control the system, deploying a PowerShell script to execute a malware loader (user.exe) loading the GraceWire trojan into specific processes.
To cover their tracks, a second PowerShell script was used to erase evidence from the disk and SysAid on-prem server logs.

IoCs

b5acf14cdac40be590318dee95425d0_browsing746e85b1b7b1cbd14da66f21f2522bf4dXxX1Exe·exe
SHA1: 30d083734c44641f35079498faa1bfffdad37434
MD5: c9d5934e996e50b1417ac5ba5fb87103
SHA256: b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d

b5acf14cdac40be590318dee95425d0_edr746e85b1b7b1cbd14da66f21f2522bf4dXxX1Exe·exe
SHA1: 30d083734c44641f35079498faa1bfffdad37434
MD5: c9d5934e996e50b1417ac5ba5fb87103
SHA256: b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d

http://45·155·37·105
SHA1: nan
MD5: nan
SHA256: nan

MuddyC2Go Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel

A previously unreported C2 framework suspected to be in use by the MuddyWater APT group is now being used by an unknown group.

IoCs

f2189e5d10_browsing7981a6e7584427a5a542e479a8a63d3dfc8ac7567688725b48887fXxX7Ps1·ps1
SHA1: cdb048d11f8ef68a7c0e2656f767ba681b3c9dc6
MD5: 3c6486dfb691fc6642f1d35bdf247b90
SHA256: f2189e5d107981a6e7584427a5a542e479a8a63d3dfc8ac7567688725b48887f

ffbcafc28eb2e836034_browsing79882a17f04c4df0a9a2cbe952724c4279fc347906df0XxX10Ps1·ps1
SHA1: 9b72725074836bcaf45954ec8a6fac482094240d
MD5: 57641ce5af4482038c9ea27afcc087ee
SHA256: ffbcafc28eb2e83603479882a17f04c4df0a9a2cbe952724c4279fc347906df0

http://45·150·64·23
SHA1: nan
MD5: nan
SHA256: nan

Cert IL Alert – Exela Stealer

Recently, an increase in the use of InfoStealer malware has been observed around the world.
In light of this trend, the National Cyber Agency was notified of a phishing campaign in Israel using InfoStealer malware.
This phishing campaign operates against government offices and government bodies private companies, law enforcement organizations, and non-profit organizations.
Similar campaigns have been identified around the world using scripts and executable files in corporate networks to mine cryptocurrencies, steal information, and gain a persistent foothold in corporate networks by embedding backdoors in these systems.

IoCs

76164b2c3428931693853216b2e00c46a0_browsing747e8b6295435efd863928ad338757XxX1Exe·exe
SHA1: 2d7829afd587d68a40e9a2f6a2906935ca81827a
MD5: c8afc499ffcc240e41dfb15423da6ba9
SHA256: 76164b2c3428931693853216b2e00c46a0747e8b6295435efd863928ad338757

76164b2c3428931693853216b2e00c46a0_edr747e8b6295435efd863928ad338757XxX1Exe·exe
SHA1: 2d7829afd587d68a40e9a2f6a2906935ca81827a
MD5: c8afc499ffcc240e41dfb15423da6ba9
SHA256: 76164b2c3428931693853216b2e00c46a0747e8b6295435efd863928ad338757

https://t·me/ExelaStealer
SHA1: nan
MD5: nan
SHA256: nan

BlueNoroff strikes again with new macOS malware

Researchers have identified a new malware variant attributed to the BlueNoroff APT group.
BlueNoroffs campaigns are financially motivated, frequently targeting cryptocurrency exchanges, venture capital firms, and banks.

IoCs

5b39_browsing7f36a764f210c1cbd249c3370e9f5bab1d66dc5d9b433f666ac67b4d3e7eXxX4Macho·macho
SHA1: 677b119edfa1335b6eb9b7307b034bee512dbc1a
MD5: 74dc52345a60001098ff92a1d50bbd06
SHA256: 5b397f36a764f210c1cbd249c3370e9f5bab1d66dc5d9b433f666ac67b4d3e7e

b8c_browsing751694945bff749b6a0cd71e465747402cfd25b18dc233c336e417b3e1525XxX2Macho·macho
SHA1: 588d84953ae992c5de61d3774ce86e710ed42d29
MD5: a446402c1de5dfddd50b77a95fcfc671
SHA256: b8c751694945bff749b6a0cd71e465747402cfd25b18dc233c336e417b3e1525

http://104·168·214·151
SHA1: nan
MD5: nan
SHA256: nan

From DarkGate To DanaBot

Researchers have identified two instances of DarkGate infections targeting the finance and manufacturing industries.
The stealer is distributed through drive-by downloads disguised as fake installers and document reports.
DarkGate is a loader developed in Borland Delphi and was introduced for sale on a Russian-speaking hacking forum in early June 2023 with the developer claiming to have worked on it since 2017.
It boasts a wide range of features, including hVNC AnyDesk credential theft, crypto mining rootkit, reverse proxy keylogger, and remote desktop access.
DarkGate is available for $1000 for one day’s use or $15000 for monthly access.

The loader is initially delivered in formats like LNK VBS and MSI, which execute an AutoIt script.
The initial access happens through drive-by downloads where users looking for unclaimed money inadvertently download a fake report as a ZIP archive containing the malicious VBS script.
After infection, DarkGate establishes persistence in the host Startup folder, running the malicious AutoIt script in the ProgramData folder.
It can manipulate browser data, delete shadow copies (if the user has administrative rights), and initiate a host shutdown.

IoCs

741_browsing7ee2722871b2c667174acc43dd3e79fcdd41bef9a48209eeae0ed43179e1fXxX118Exe·exe
SHA1: 415f9b8794e7a275df66a0bda548b83d22a8636e
MD5: 137215315ebf1a920f6ca96be486e358
SHA256: 7417ee2722871b2c667174acc43dd3e79fcdd41bef9a48209eeae0ed43179e1f

741_edr7ee2722871b2c667174acc43dd3e79fcdd41bef9a48209eeae0ed43179e1fXxX118Exe·exe
SHA1: 415f9b8794e7a275df66a0bda548b83d22a8636e
MD5: 137215315ebf1a920f6ca96be486e358
SHA256: 7417ee2722871b2c667174acc43dd3e79fcdd41bef9a48209eeae0ed43179e1f

http://dreamteamup·shop
SHA1: nan
MD5: nan
SHA256: nan

Cert IL Alert – Phishing campaign in Israel by Iranian Muddy Water

According to the Israeli CERT, there is an ongoing phishing campaign by an Iranian Muddy Water group

IoCs

9a_browsing785f508890d250ab9e3a43f974a89f3311ebd0e85ec98b46c76bdb7bef7cfbXxX1Exe·exe
SHA1: 2f7056621e1a8ecb20a7639635d403e2c44e6135
MD5: 04afff1465a223a806774104b652a4f0
SHA256: 9a785f508890d250ab9e3a43f974a89f3311ebd0e85ec98b46c76bdb7bef7cfb

9a_edr785f508890d250ab9e3a43f974a89f3311ebd0e85ec98b46c76bdb7bef7cfbXxX1Exe·exe
SHA1: 2f7056621e1a8ecb20a7639635d403e2c44e6135
MD5: 04afff1465a223a806774104b652a4f0
SHA256: 9a785f508890d250ab9e3a43f974a89f3311ebd0e85ec98b46c76bdb7bef7cfb

Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518

As of November 5, 2023, Rapid7 Managed Detection and Response (MDR) is observing the exploitation of Atlassian Confluence in multiple customer environments, including for ransomware deployment.

IoCs

4ed46b98d04_browsing7f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfeXxX2Elf·elf
SHA1: f4384ca1c2250d58a17e692ce2a8efd7dcc97a73
MD5: 9e0a8f1097176a5215648b9376db6611
SHA256: 4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe

4ed46b98d04_edr7f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfeXxX2Elf·elf
SHA1: f4384ca1c2250d58a17e692ce2a8efd7dcc97a73
MD5: 9e0a8f1097176a5215648b9376db6611
SHA256: 4ed46b98d047f5ed26553c6f4fded7209933ca9632b998d265870e3557a5cdfe

http://j3qxmk6g5sk3zw62i2yhjnwmhm55rfz47fdyfkhaithlpelfjdokdxad·onion
SHA1: nan
MD5: nan
SHA256: nan

Agonizing Serpens Aka Agrius Targeting the Israeli Higher Education and Tech Sectors

Israeli researchers have identified and identified the Iranian-linked Agonizing Serpens cyber-attack group, which has been carrying out a series of destructive attacks on Israeli businesses since January 2023.

IoCs

e43d66b_browsing7a4fa09a0714c573fbe4996770d9d85e31912480e73344124017098f9XxX108Exe·exe
SHA1: d8d0990edbf63e63ceea553f7b83d361870ef7c2
MD5: 9adbaed8fe8106ae41229cca8bab7c83
SHA256: e43d66b7a4fa09a0714c573fbe4996770d9d85e31912480e73344124017098f9

18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f_browsing7XxX102Exe·exe
SHA1: 83506de48bd0c50ea00c9e889fe980f56e6c6e1b
MD5: a822b9e6eedf69211013e192967bf523
SHA256: 18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7

http://185·105·46·19
SHA1: nan
MD5: nan
SHA256: nan

Malware Dropped Through a ZPAQ Archive

A honeypot detected a phishing attempt that enticed a potential victim to open a “ZPAQ” archive.
This file format is not commonly seen, which could potentially allow it to bypass standard security controls.

IoCs

1c33eef0d22dc54bb2a41af4850_browsing70612cd4579529e31b63be2141c4be9183eb6XxX2Unkn·unkn
SHA1: ee34091507162e77f08c9f08a334a58b70c3974d
MD5: 5ce58d3325f4f75c01aab605a44cf0fb
SHA256: 1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6

1c33eef0d22dc54bb2a41af4850_edr70612cd4579529e31b63be2141c4be9183eb6XxX2Unkn·unkn
SHA1: ee34091507162e77f08c9f08a334a58b70c3974d
MD5: 5ce58d3325f4f75c01aab605a44cf0fb
SHA256: 1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6

Cert IL Alert – New Phishing Campaign

This campaign is characterized by the delivery of emails from legitimate and recognized accounts to recipients, containing links to download malicious files. The content and subject line of the sent message is tailored to the sender’s address, encouraging recipients to activate the included link. The malicious files linked are, in fact, modified versions of legitimate and signed Remote Monitoring and Management (RMM) software, accompanied by a configuration file designed to establish contact with the attacker’s servers.

IoCs

aca2ef4528452d6cd5aed06d024632ca3ac4a36bb9_browsing7946b430f0b72ea53d4cd7XxX2Exe·exe
SHA1: 657e239c44e4263032b9cfc2b64c6dca8878198d
MD5: 08802238e1c7efac1c664b3e81bb2a85
SHA256: aca2ef4528452d6cd5aed06d024632ca3ac4a36bb97946b430f0b72ea53d4cd7

b0450638_browsing793d13f21a051eae481c82d6c0fa0f08bb9cfa6131cbf12f1bb6d55dXxX4Fpx·fpx
SHA1: 25a2c90143e0cd638aed8657e50933ba90952abf
MD5: 590753b3b08393c380f0c8519c693c12
SHA256: b0450638793d13f21a051eae481c82d6c0fa0f08bb9cfa6131cbf12f1bb6d55d

28fadc26a2bee90_mail7fbdbf1aaebac6c7e6f8aa95e8c312cd659d19b82d1dfa70eXxX5Zip·zip
SHA1: 11b14763023772cc2eebfa306aef0c9e946b491b
MD5: 1f0b9aed4b2c8d958a9b396852a62c9d
SHA256: 28fadc26a2bee907fbdbf1aaebac6c7e6f8aa95e8c312cd659d19b82d1dfa70e

Analysis Of Activities of Suspected APT-C-36 Blind Eagle Organization Launching Amadey Botnet Trojan

In daily hunting activities, Weixin discovered that the APT-C-36 organization recently attempted to add the Amadey botnet Trojan to its usual PDF spear phishing attack flow.
The Amadey botnet Trojan is a modular botnet Trojan that appeared for sale on Russian hacker forums around October 2018.
It has the capabilities of intranet traversal information theft, remote command execution, script execution, and DDoS attacks.

IoCs

f4862630f94ac5_browsing75f310edc6f8ddef9f6253f60f862808d6d56c4c514f562d02XxX367Exe·exe
SHA1: 73c31e665f02782a39cedb39efb088e7c620bd9c
MD5: 461a67ce40f4a12863244efeef5ebc26
SHA256: f4862630f94ac575f310edc6f8ddef9f6253f60f862808d6d56c4c514f562d02

393af4eb6a0e6228a12629303515b629424_browsing76ce6c56bc659b6cee17afa05dc3fXxX363Vbs·vbs
SHA1: 793e237a3e762e46852e8c8205726fee3e7339cc
MD5: 05b99bee0d8ba95f5ccb1d356939daa8
SHA256: 393af4eb6a0e6228a12629303515b62942476ce6c56bc659b6cee17afa05dc3f

http://213·226·123·14/8bmeVwqx/Plugins/cred64·dll
SHA1: nan
MD5: nan
SHA256: nan

Suspected Exploitation of Apache ActiveMQ CVE-2023-46604

Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments.
In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations.
Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October.
Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.

IoCs

8c226e1f640b5_browsing70a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0XxX360Msi·msi
SHA1: 5fc62671aef4b355d2050bf2904c7615cb0795ea
MD5: c7198ed957a2e21b4a3349e9d2220690
SHA256: 8c226e1f640b570a4a542078a7db59bb1f1a55cf143782d93514e3bd86dc07a0

81_browsing77455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4XxX359Msi·msi
SHA1: 5ea03fa8326ed87a0c81740092c131f23bc5f651
MD5: 478dcb54e0a610a160a079656b9582de
SHA256: 8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4

http://172·245·16·125
SHA1: nan
MD5: nan
SHA256: nan

Elastic Catches DPRK Passing Out KANDYKORN

Elastic Security Labs is disclosing a novel intrusion targeting blockchain engineers of a crypto exchange platform.
The intrusion leveraged a combination of custom and open source capabilities for initial access and post-exploitation.

IoCs

92_browsing7b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6XxX378Dylib·dylib
SHA1: e68bfa72a4b4289a4cc688e81f9282b1f78ebc1f
MD5: 973225dc83f568ef6208d49fe2648fc0
SHA256: 927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6

3ea2ead8f3cec030906dcbffe3efd5c5d_browsing77d5d375d4a54cca03bfe8a6cb59940XxX377Macho·macho
SHA1: d28830d87fc71091f003818ef08ff0b723b3f358
MD5: 9ca5df575e5bd60035202dabd67b7af2
SHA256: 3ea2ead8f3cec030906dcbffe3efd5c5d77d5d375d4a54cca03bfe8a6cb59940

http://23·254·226·90
SHA1: nan
MD5: nan
SHA256: nan

Security Brief TA571 Delivers IcedID Forked Loader

Proofpoint researchers identified TA571 delivering the Forked variant of IcedID in two campaigns on 11 and 18 October 2023.
Both campaigns included over 6000 messages, each impacting over 1200 customers in a variety of industries globally.

IoCs

5d5bc4f49_browsing7406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1XxX1Dll·dll
SHA1: 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
MD5: 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA256: 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1

0a61d_browsing734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4XxX3Vbs·vbs
SHA1: 9159cc10479a91d38bc9554fb374077842cb2a84
MD5: d1a959dad577d838505e6edca6255c0b
SHA256: 0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4

http://modalefastnow·com
SHA1: nan
MD5: nan
SHA256: nan

A Retrospective on AvosLocker

On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory for AvosLocker, which was a sophisticated double extortion Ransomware-as-a-Service (RaaS) group that was last active in May 2023.
Although the threat group is not currently active, the security community can learn how to counteract other threats that employ similar tactics and procedures (TTPs).

IoCs

fb544e1f_browsing74ce02937c3a3657be8d125d5953996115f65697b7d39e237020706fXxX25Exe·exe
SHA1: e2bdef45d8dd4b1811396781b0bc94092d268a88
MD5: 76e177a94834b3f7c63257bc8011f60f
SHA256: fb544e1f74ce02937c3a3657be8d125d5953996115f65697b7d39e237020706f

43b_browsing7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856XxX28Exe·exe
SHA1: f6f94e2f49cd64a9590963ef3852e135e2b8deba
MD5: d285f1366d0d4fdae0b558db690497ea
SHA256: 43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad·onion
SHA1: nan
MD5: nan
SHA256: nan

From Albania to the Middle East, The Scarred Manticore is Listening

Check Point Research (CPR) is monitoring an ongoing Iranian espionage campaign by Scarred Manticore, an actor affiliated with the Ministry of Intelligence and Security (MOIS).

IoCs

911_browsing7bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0cebXxX25Dll·dll
SHA1: 6ec0c1d6311656c76787297775a8d0cb0aa6c4c7
MD5: da0085a97c38ead734885e5cced1847f
SHA256: 9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb

1146b1f38e420936b_browsing7c5f6b22212f3aa93515f3738c861f499ed1047865549cbXxX16Exe·exe
SHA1: 6cafd44c86fff605b4c25582955b725b96c1d911
MD5: 85427a8a47c4162b48d8dfb37440665d
SHA256: 1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb

e1ad1_edr73e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9dXxX31Exe·exe
SHA1: c0afb5797e6873bbee69f9bf0aa7a9dd3a1c6fff
MD5: 31f2369d2e38c78f5b3f2035dba07c08
SHA256: e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d

That is all for now!

Stay cyber safe and see you next month!