
Cyber Threat Breakdown October 2023

Here is the October 2023 breakdown of threats, with a short list of IoCs. The full IoC list for each specific threat is available from the Cymulate app.

Reminder: The Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM list of IoCs, including hashes, URLs, domain names, etc.

Note: The period character ‘.’ in the hash names has been replaced with a ‘·’ out of an abundance of security caution.

Table of Contents

CloudKeys in the Air Tracking Malicious Operations of Exposed IAM Keys

BiBi-Linux Wiper Malware Targets Israeli Organizations

StripedFly Malware Flies Under The Radar

Revisiting Mystic Stealer And Revealing Recently Identified Modules

A cascade of compromise unveiling Lazarus new campaign

APT28 Breaches Numerous French Critical Networks

Rorschach A New Sophisticated and Fast Ransomware

Quasar RATs Dual DLL Sideloading Technique

Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers

CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations

WatchDog Mining Organizations Activity Analysis

Ransomware Attacks Target Unpatched WSFTP Servers CVE-2023-40044

Crambus Targets Middle Eastern Government With Custom Malware And Legitimate Tools

Updated MATA attacks industrial companies in Eastern Europe

Threat Actor Targets Italian Users Using Pure Clipper Malware

Ransomware Actor Attempts To Exploit Unsupported ColdFusion Flaw

Crambus New Campaign Targets Middle Eastern Government

Kimsuky APT Group Uses RevClient Malware For Control

Qubitstrike – An Emerging Malware Campaign Targeting Jupyter Notebooks

Ransomware Roundup – Akira

Threat Actor Leverages WinRAR Vulnerability To Deploy Mythic Athena Agent To Russian Semi-Conductor Suppliers

Sticky Werewolf Attacks Organizations In Russia And Belarus

Dissecting Snake Keylogger

StopRansomware AvosLocker Ransomware Update

IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits

New campaign targeting unpatched NetScaler Gateways CVE-2023-3519

ValleyRAT And Sainbox RAT Appear Across The Cybercrime Threat Landscape

India Cert Alert – NoEscape Ransomware

RedLine Stealer A new variant surfaces Deploying using Batch Script

Energy Industry Targeted With GuLoader

Typosquatting Campaign Delivers r77 Rootkit via npm

A cryptor a stealer and a banking trojan

Cyberespionage Events Targeting Southeast Asian Government Linked To Stately Taurus aka Mustang Panda

BunnyLoader the newest Malware-as-a-Service

ZenRAT Malware Brings More Chaos Than Calm

Budworm APT Uses Updated Custom Tool In Attacks On Government And Telecoms

Vulnerable Openfire Messaging Servers Under Attack CVE-2023-32315

Ransomware attack to IFX Colombia


CloudKeys in the Air Tracking Malicious Operations of Exposed IAM Keys

Unit 42 researchers have identified an active campaign, which they are calling EleKtra-Leak, that performs automated targeting of exposed identity and access management (IAM) credentials within public GitHub repositories.
As a result, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations.
They believe these operations have been active for at least two years and are still active today.

IoCs

240fe01d9fcce5aae311e906b8311a19_browsing75f8c1431b83618f3d11aeaff10aede3XxX8Elf·elf
SHA1: 555332faa336ed0e06e9b04d998cd53c5e192f1f
MD5: 108027ef0a54f0d1c4d71ceb8d49d8d5
SHA256: 240fe01d9fcce5aae311e906b8311a1975f8c1431b83618f3d11aeaff10aede3

240fe01d9fcce5aae311e906b8311a19_edr75f8c1431b83618f3d11aeaff10aede3XxX8Elf·elf
SHA1: 555332faa336ed0e06e9b04d998cd53c5e192f1f
MD5: 108027ef0a54f0d1c4d71ceb8d49d8d5
SHA256: 240fe01d9fcce5aae311e906b8311a1975f8c1431b83618f3d11aeaff10aede3
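The IoC blocks in this breakdown follow one layout (a name line, then SHA1/MD5/SHA256 lines, with "nan" where a network indicator has no hash, and "·" standing in for "." as the note above explains), and the same sample is often listed twice under a _browsing and an _edr name. The parser below, an added example that is not Cymulate's code, turns such blocks into a deduplicated, refanged lookup set of the kind the reminder above describes pushing into a SIEM. The sample text is taken from this page's own CloudKeys and Mystic Stealer entries; all function names are the example's own.

```python
"""Parse IoC blocks in this report's layout into a deduplicated SIEM lookup set."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The report defangs '.' as '·' (U+00B7); it must be restored before use in a SIEM or blocklist.
DEFANG_DOT = "\u00b7"

# Expected hex length of each hash type; anything else (including 'nan') is treated as absent.
HEX_LEN = {"sha1": 40, "md5": 32, "sha256": 64}
HASH_LINE_RE = re.compile(r"^(SHA1|MD5|SHA256):\s*(\S+)\s*$")


@dataclass
class Ioc:
    name: str                      # file name or defanged URL exactly as printed in the report
    sha1: Optional[str] = None
    md5: Optional[str] = None
    sha256: Optional[str] = None
    url: Optional[str] = None      # refanged URL when the entry is a network indicator


def refang(value: str) -> str:
    """Replace the report's '·' placeholder with a real '.'."""
    return value.replace(DEFANG_DOT, ".")


def is_hex_hash(value: str, algo: str) -> bool:
    return len(value) == HEX_LEN[algo] and all(c in "0123456789abcdef" for c in value)


def parse_ioc_blocks(text: str) -> List[Ioc]:
    """Split on blank lines; each block is a name line followed by hash lines."""
    iocs: List[Ioc] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        ioc = Ioc(name=lines[0])
        if ioc.name.lower().startswith(("http://", "https://")):
            ioc.url = refang(ioc.name)
        for line in lines[1:]:
            m = HASH_LINE_RE.match(line)
            if not m:
                continue
            algo, val = m.group(1).lower(), m.group(2).lower()
            if is_hex_hash(val, algo):          # skips 'nan' and malformed values
                setattr(ioc, algo, val)
        iocs.append(ioc)
    return iocs


def dedupe(iocs: List[Ioc]) -> List[Ioc]:
    """Collapse the _browsing/_edr duplicates: the same SHA256 (or URL) counts once."""
    seen: Set[str] = set()
    out: List[Ioc] = []
    for ioc in iocs:
        key = ioc.sha256 or ioc.url or ioc.name
        if key not in seen:
            seen.add(key)
            out.append(ioc)
    return out


def siem_lookup(text: str) -> Dict[str, Set[str]]:
    """Return {'sha256': set, 'sha1': set, 'md5': set, 'url': set} ready to load into a SIEM."""
    lookup: Dict[str, Set[str]] = {"sha256": set(), "sha1": set(), "md5": set(), "url": set()}
    for ioc in dedupe(parse_ioc_blocks(text)):
        for kind in lookup:
            value = getattr(ioc, kind)
            if value:
                lookup[kind].add(value)
    return lookup


# Sample input copied from this page (the CloudKeys pair and one Mystic Stealer URL).
SAMPLE = """
240fe01d9fcce5aae311e906b8311a19_browsing75f8c1431b83618f3d11aeaff10aede3XxX8Elf·elf
SHA1: 555332faa336ed0e06e9b04d998cd53c5e192f1f
MD5: 108027ef0a54f0d1c4d71ceb8d49d8d5
SHA256: 240fe01d9fcce5aae311e906b8311a1975f8c1431b83618f3d11aeaff10aede3

240fe01d9fcce5aae311e906b8311a19_edr75f8c1431b83618f3d11aeaff10aede3XxX8Elf·elf
SHA1: 555332faa336ed0e06e9b04d998cd53c5e192f1f
MD5: 108027ef0a54f0d1c4d71ceb8d49d8d5
SHA256: 240fe01d9fcce5aae311e906b8311a1975f8c1431b83618f3d11aeaff10aede3

http://5·42·92·211/loghub/master
SHA1: nan
MD5: nan
SHA256: nan
"""

if __name__ == "__main__":
    for kind, values in siem_lookup(SAMPLE).items():
        print(kind, sorted(values))
```

The hex-length check matters in practice: the name lines on this page also contain the SHA256 with extra characters spliced in, so only the explicit `SHA256:` line is trusted as a hash value.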

BiBi-Linux Wiper Malware Targets Israeli Organizations

Security researchers have discovered a new Linux malware called BiBi-Linux Wiper, a malicious x64 ELF executable that lacks protection measures.
It can potentially destroy an entire operating system when executed with root permissions.
The malware allows attackers to specify target folders, uses the "nohup" command to mitigate its extensive output, and employs multiple threads and a queue to corrupt files concurrently, making it faster and more widespread.
BiBi-Linux Wiper overwrites files and renames them with a random string containing "BiBi", and excludes certain file types from corruption.
Unlike other malware, it doesn't establish communication with remote servers or employ encryption for data theft.
Instead, it corrupts files by overwriting their contents with random data, rendering them unusable.

IoCs

23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d_browsing7d558efadXxX1So·so
SHA1: 0dbabdc1ae8c3c8a48224ee3c3e8b6a17f41d6e7
MD5: de9da4fcfb8320b9d34239effce1871a
SHA256: 23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad

23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d_edr7d558efadXxX1So·so
SHA1: 0dbabdc1ae8c3c8a48224ee3c3e8b6a17f41d6e7
MD5: de9da4fcfb8320b9d34239effce1871a
SHA256: 23bae09b5699c2d5c4cb1b8aa908a3af898b00f88f06e021edcb16d7d558efad

StripedFly Malware Flies Under The Radar

StripedFly is a sophisticated modular malware framework compatible with both Linux and Windows.
It uses a built-in TOR network tunnel for communication with command servers, updates via trusted platforms like GitLab, GitHub and Bitbucket, and employs custom encrypted archives.
This malware has evaded detection for five years, infecting over a million Windows and Linux systems.
It injects shellcode into the WININIT.EXE process, has a lightweight TOR network client, disables SMBv1, spreads through SSH and EternalBlue, and uses a TOR-based command and control server.
For Windows persistence, it adapts its tactics based on privileges and PowerShell presence, creating hidden files or modifying system settings.
On Linux, it goes by the name sd-pam and achieves persistence through systemd services, .desktop files, or by modifying various profile and startup files.

IoCs

3d90049_browsing714406292f10b21b9ccd11bf2a264396ac710e42518138e23c632e5f6XxX29Unkn·unkn
SHA1: 8b6c6fd39b298ac109da1eadf25b62a93bd99012
MD5: c04868dabd6b9ce132a790fdc02acc14
SHA256: 3d90049714406292f10b21b9ccd11bf2a264396ac710e42518138e23c632e5f6

4456ea66d1fc349fff139305e6d0939ea101b0f0b149d0108a09d00_browsing7fa2b611aXxX31Unkn·unkn
SHA1: de8e1785d227914d915ab1d69736b2fdd3fcc3df
MD5: 54dd5c70f67df5dc8d750f19ececd797
SHA256: 4456ea66d1fc349fff139305e6d0939ea101b0f0b149d0108a09d007fa2b611a

3d90049_edr714406292f10b21b9ccd11bf2a264396ac710e42518138e23c632e5f6XxX29Unkn·unkn
SHA1: 8b6c6fd39b298ac109da1eadf25b62a93bd99012
MD5: c04868dabd6b9ce132a790fdc02acc14
SHA256: 3d90049714406292f10b21b9ccd11bf2a264396ac710e42518138e23c632e5f6

Revisiting Mystic Stealer And Revealing Recently Identified Modules

The Mystic Stealer info stealer emerged in early 2023; it is known for targeting web browsers, cryptocurrency wallets and Steam game credentials, among other files on an infected system.
The malware is constantly being developed to include improved obfuscation techniques and communication methods.
In a recent change, a shift from a custom binary TCP-based protocol to an HTTP-based one was seen, likely to bypass network restrictions in corporate environments.
Behavior and obfuscation methods were also changed: command and control (C2) communications are decrypted after a specific date check, and a custom XTEA-based algorithm is then used to decode a contained HTTP C2 list.
Once compromised, infected systems are registered with the C2 server and targeted data is collected, including system information, browser data, browser extensions and browser-based database files, which are parsed via a downloaded sqlite3.dll.
Additionally, cookies, certificates, keys and browsing history are collected from Firefox and Chromium-based browsers, along with screen captures and cryptocurrency wallets.
Data is then Base64 encoded and an HTTP POST request is used for data exfiltration.
Loader functionality allows the malware to request second-stage executables, which are received Base64 encoded and executed on the infected system.

IoCs

21a8db193093caf6acbcd14ba64c98a1c9f16998cade8f60fa0fb4dc63e33bd2_browsingXxX84Exe·exe
SHA1: fcfc7aeab4ab58d4db2df38f113b5984526bcd8f
MD5: 4d5049062d20b7ff9e78c3dadec7ccb8
SHA256: 21a8db193093caf6acbcd14ba64c98a1c9f16998cade8f60fa0fb4dc63e33bd2

6203249bebf_browsing7248535ff5ef70a7c5a57688b399d91ac63c9d73441af6e65f184XxX86Exe·exe
SHA1: c1b5a7dd8b4671047cd5a3e41becc6f5fe57f93b
MD5: 4a4e7a05de84f8bd515203009169e23a
SHA256: 6203249bebf7248535ff5ef70a7c5a57688b399d91ac63c9d73441af6e65f184

http://5·42·92·211/loghub/master
SHA1: nan
MD5: nan
SHA256: nan

A cascade of compromise unveiling Lazarus new campaign

Security firm Kaspersky has identified the malware used in a series of attacks carried out by the group known as Lazarus, which has previously targeted high-profile companies and the cryptocurrency industry.

IoCs

04bc903a0f44c31e9_browsing76a2a090d8b846d68c3d87122293f8ce0c2d20a1978e37eXxX5Dll·dll
SHA1: ea406685ff90286a526b0164ceecdcbe454bebb3
MD5: 9b62352851c9f82157d1d7fcafeb49d3
SHA256: 04bc903a0f44c31e976a2a090d8b846d68c3d87122293f8ce0c2d20a1978e37e

04bc903a0f44c31e9_edr76a2a090d8b846d68c3d87122293f8ce0c2d20a1978e37eXxX5Dll·dll
SHA1: ea406685ff90286a526b0164ceecdcbe454bebb3
MD5: 9b62352851c9f82157d1d7fcafeb49d3
SHA256: 04bc903a0f44c31e976a2a090d8b846d68c3d87122293f8ce0c2d20a1978e37e

http://www·friendmc·com/upload/board/asp20062107·asp
SHA1: nan
MD5: nan
SHA256: nan

APT28 Breaches Numerous French Critical Networks

The Russian APT28 hacking group, also known as Strontium or Fancy Bear, has been actively targeting various entities in France since the second half of 2021.
APT28, associated with Russia's military intelligence service GRU, has been linked to exploiting security vulnerabilities including CVE-2023-38831 in WinRAR and CVE-2023-23397 in Microsoft Outlook.

Instead of traditional backdoors, these hackers have compromised peripheral devices on critical French organization networks to evade detection.
They employ techniques such as brute-forcing and using leaked credentials to breach accounts and Ubiquiti routers.

In a recent case from April 2023, APT28 used a phishing campaign to trick victims into running PowerShell scripts that revealed system configurations and running processes.
They've also exploited other vulnerabilities, including CVE-2022-30190, CVE-2020-12641, CVE-2020-35730 and CVE-2021-44026.

Their initial attack tools include Mimikatz and the reGeorg traffic relaying tool, as well as the Mockbin and Mocky open-source services.
APT28 uses a variety of VPN clients, including SurfShark, ExpressVPN, ProtonVPN and others.

Data access and exfiltration are central to APT28's goals: they retrieve authentication information, steal sensitive emails, and use CVE-2023-23397 to trigger an SMB connection for NetNTLMv2 authentication hash retrieval.
They operate command and control servers using legitimate cloud services like Microsoft OneDrive and Google Drive to avoid detection.

APT28 also employs the CredoMap implant to target information in victims' web browsers, such as authentication cookies, and uses Mockbin and the Pipedream service for data exfiltration.

IoCs

eedae202980c0569_browsing7a21a5c995d43e1905c4b25f8ca2fff0c34036bc4fd321faXxX36Msg·msg
SHA1: 1842348089c440827b6fd15f0de2dc558f44b66f
MD5: 3d4362e8fe86d2f33acb3e15f1dad341
SHA256: eedae202980c05697a21a5c995d43e1905c4b25f8ca2fff0c34036bc4fd321fa

89ba3_browsing78281ea8544b17a0d41cf67a351a400a50e94c8e4d1206a6be82df44019XxX38Msg·msg
SHA1: f680a171cebfb1c1cb23143f863a7bc1e624a10b
MD5: 238334590d0f62d2a089bd87ad71b730
SHA256: 89ba378281ea8544b17a0d41cf67a351a400a50e94c8e4d1206a6be82df44019

3f5db4a238_browsing7646ac3ec64b8476579f389f74c30ff483cfe51fb4ff1cc9cb4ddaXxX40Msg·msg
SHA1: fd80c80aacb6b7c9aae3f39dcd2a6c24d77281a2
MD5: 43a0441b35b3db061cde412541f4d1e1
SHA256: 3f5db4a2387646ac3ec64b8476579f389f74c30ff483cfe51fb4ff1cc9cb4dda

Rorschach A New Sophisticated and Fast Ransomware

Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) encountered a previously unnamed ransomware strain, dubbed Rorschach, deployed against a US-based company.
Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain.
In addition, it does not bear any kind of branding, which is a common practice among ransomware groups.
The ransomware is partly autonomous, carrying out tasks that are usually performed manually during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO).
In the past, similar functionality was linked to LockBit 2.0.
The ransomware is highly customizable and contains technically unique features, such as the use of direct syscalls, rarely observed in ransomware.
Moreover, due to different implementation methods, Rorschach is one of the fastest ransomware strains observed in terms of encryption speed.
The ransomware was deployed using DLL side-loading of the Cortex XDR Dump Service Tool, a signed commercial security product, a loading method that is not commonly used to load ransomware.
The vulnerability was properly reported to Palo Alto Networks.

IoCs

52ffbbeea3e35fc5d0046bdd_browsing729e4c25b8070e474656b1f372ae828f17ec77a0XxX2Dll·dll
SHA1: e77b4b69ac5480f063c0cfc427536bac32cd7f88
MD5: 4a03423c77fe2c8d979caca58a64ad6c
SHA256: 52ffbbeea3e35fc5d0046bdd729e4c25b8070e474656b1f372ae828f17ec77a0

52ffbbeea3e35fc5d0046bdd_edr729e4c25b8070e474656b1f372ae828f17ec77a0XxX2Dll·dll
SHA1: e77b4b69ac5480f063c0cfc427536bac32cd7f88
MD5: 4a03423c77fe2c8d979caca58a64ad6c
SHA256: 52ffbbeea3e35fc5d0046bdd729e4c25b8070e474656b1f372ae828f17ec77a0

Quasar RATs Dual DLL Sideloading Technique

Given the prevalence of sideloading techniques in malware campaigns, it's vital to understand their mechanisms to defend against them effectively.
The case of QuasarRAT provides an insightful example.

IoCs

04_browsing79ca2ab203a75a4c9664063e6b4997feca51c132582f1baf21c88f5784a061XxX18Exe·exe
SHA1: f235afdde92069aa7f05a61b85220dc6bfa0a29d
MD5: 532af2db4c10352b2199724d528f535f
SHA256: 0479ca2ab203a75a4c9664063e6b4997feca51c132582f1baf21c88f5784a061

4958c30b3bf3288ff5ed3e8356a069b9c5ea_browsing72cca6076af60dfb9c34f8f07352XxX19Dll·dll
SHA1: 37c498392689608c709fc4532fea6fdfa6d35b3e
MD5: b0db6ada5b81e42aadb82032cbc5fd60
SHA256: 4958c30b3bf3288ff5ed3e8356a069b9c5ea72cca6076af60dfb9c34f8f07352

04_edr79ca2ab203a75a4c9664063e6b4997feca51c132582f1baf21c88f5784a061XxX18Exe·exe
SHA1: f235afdde92069aa7f05a61b85220dc6bfa0a29d
MD5: 532af2db4c10352b2199724d528f535f
SHA256: 0479ca2ab203a75a4c9664063e6b4997feca51c132582f1baf21c88f5784a061

Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers

ESET Research discovered campaigns by the Winter Vivern APT group that exploit a zero-day XSS vulnerability in the Roundcube Webmail server and target governmental entities and a think tank in Europe.

IoCs

05ae4c495c10835af5_browsing7430ca2dfed387aad221ff0651bbe17fc75bbd1f96369aXxX2Js·js
SHA1: 97ed594ef2b5755f0549c6c5758377c0b87cfae0
MD5: 4115431725abf3ccba92535cbdeb7e5d
SHA256: 05ae4c495c10835af57430ca2dfed387aad221ff0651bbe17fc75bbd1f96369a

05ae4c495c10835af5_edr7430ca2dfed387aad221ff0651bbe17fc75bbd1f96369aXxX2Js·js
SHA1: 97ed594ef2b5755f0549c6c5758377c0b87cfae0
MD5: 4115431725abf3ccba92535cbdeb7e5d
SHA256: 05ae4c495c10835af57430ca2dfed387aad221ff0651bbe17fc75bbd1f96369a

http://recsecas·com
SHA1: nan
MD5: nan
SHA256: nan

CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations

Cluster25 observed and analyzed several phishing-based attacks linked to a Russia-nexus nation-state threat actor.
The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting WinRAR compression software versions prior to 6.23, tracked as CVE-2023-38831.

IoCs

0_browsing72afea7cae714b44c24c16308da0ef0e5aab36b7a601b310d12f8b925f359e7XxX11Zip·zip
SHA1: 9e630c9879e62dc801ac01af926fbc6d372c8416
MD5: 89939a43c56fe4ce28936ee76a71ccb0
SHA256: 072afea7cae714b44c24c16308da0ef0e5aab36b7a601b310d12f8b925f359e7

91dec1160f3185cec4cb_browsing70fee0037ce3a62497e830330e9ddc2898f45682f63aXxX12Bat·bat
SHA1: bd44774417ba5342d30a610303cde6c2f6a54f64
MD5: 9af76e61525fe6c89fe929ac5792ab62
SHA256: 91dec1160f3185cec4cb70fee0037ce3a62497e830330e9ddc2898f45682f63a

0_edr72afea7cae714b44c24c16308da0ef0e5aab36b7a601b310d12f8b925f359e7XxX11Zip·zip
SHA1: 9e630c9879e62dc801ac01af926fbc6d372c8416
MD5: 89939a43c56fe4ce28936ee76a71ccb0
SHA256: 072afea7cae714b44c24c16308da0ef0e5aab36b7a601b310d12f8b925f359e7

WatchDog Mining Organizations Activity Analysis

Recently, Antian CERT has captured a number of active WatchDog samples.
The organization mainly uses exposed Docker Engine API endpoints and Redis servers to launch attacks.
The WatchDog cryptojacking organization has been observed since January 2019 and is still active.

IoCs

3_browsing7a6daacb88c2642ab736d72256257945f8ab2b53203f00c704650da5efa721eXxX22Elf·elf
SHA1: 884953853fc249f58392b2575e7efc23ae236e34
MD5: bdb81ac3eb3a8ac27e11f3ab7703783d
SHA256: 37a6daacb88c2642ab736d72256257945f8ab2b53203f00c704650da5efa721e

2cb4590f03b0f2809a692f55c4db1b0b9_browsing7f2500cd18d808a8059f58e24e7f1dbXxX23Bat·bat
SHA1: 15a9f431d64e74d93b2944e0c15f4421903b0041
MD5: fadd08a8e50e14078387806d70cba3a0
SHA256: 2cb4590f03b0f2809a692f55c4db1b0b97f2500cd18d808a8059f58e24e7f1db

c2fdab2_browsing784d3107fdba3c401dd5b744dc607c997a0c695726f7af037317a67a0XxX24Exe·exe
SHA1: 7bac511d3e2d36db90eea80572c229c71e2509c7
MD5: 6b1b5830e221865c1b80f08f6bae9a01
SHA256: c2fdab2784d3107fdba3c401dd5b744dc607c997a0c695726f7af037317a67a0

Ransomware Attacks Target Unpatched WSFTP Servers CVE-2023-40044

Internet-exposed, unpatched WS_FTP servers are being targeted in ransomware attacks due to a severe vulnerability (CVE-2023-40044) in the Ad Hoc Transfer Module, which allows remote execution of commands through unauthenticated HTTP requests.
In a recent incident, the Reichsadler Cybercrime Group attempted to deploy ransomware using a stolen LockBit 3.0 builder, but their attempt was foiled.
They also tried privilege escalation with the GodPotato tool.
Progress Software released security updates on September 27 to address the critical WS_FTP Server vulnerability, advising administrators to update their vulnerable instances.

IoCs

302_browsing7a212272957298bf4d32505370fa63fb162d6a6a6ec091af9d7626317a858XxX1Exe·exe
SHA1: 232a0585a7cb6c54e15d5410c96aac5913038e7f
MD5: 5f3dd0514c98bab7172a4ccb2f7a152d
SHA256: 3027a212272957298bf4d32505370fa63fb162d6a6a6ec091af9d7626317a858

ea43332c0f8b5_browsing7ab52808498dd213b601ffe36d4188624e0f56ecfdb28934e08XxX5Exe·exe
SHA1: 34e4d070aafbaddb99d2851e0c08ba0b49ccf7c5
MD5: a9c14f31587ade5cf70a2689edbd136d
SHA256: ea43332c0f8b57ab52808498dd213b601ffe36d4188624e0f56ecfdb28934e08

302_edr7a212272957298bf4d32505370fa63fb162d6a6a6ec091af9d7626317a858XxX1Exe·exe
SHA1: 232a0585a7cb6c54e15d5410c96aac5913038e7f
MD5: 5f3dd0514c98bab7172a4ccb2f7a152d
SHA256: 3027a212272957298bf4d32505370fa63fb162d6a6a6ec091af9d7626317a858

Crambus Targets Middle Eastern Government With Custom Malware And Legitimate Tools

In early 2023, the Iranian Crambus espionage group, also known as OilRig, MuddyWater and APT34, conducted an extensive eight-month-long cyber intrusion against a Middle Eastern government.
They stole files and passwords, installed a PowerShell backdoor on one occasion to monitor and control an Exchange Server's incoming emails, and covertly forwarded the results to their own servers.
This malicious activity was detected on multiple computers, and there's evidence that the attackers deployed backdoors and keyloggers on numerous other systems.

In their efforts, the attackers utilized the publicly available network administration tool Plink to configure port-forwarding rules, enabling remote access through the Remote Desktop Protocol (RDP).
They also manipulated Windows firewall rules to facilitate remote access.
Their toolkit included various malware, such as the Tokel backdoor for executing PowerShell commands and downloading files, the Dirps trojan for file enumeration and executing PowerShell commands, and Clipog for stealing clipboard data, logging keystrokes and monitoring keystroke entry processes.
Additionally, they employed the PowerExchange backdoor for accessing Exchange Servers with hardcoded credentials and monitoring emails, used Mimikatz to extract credentials, and utilized Plink to establish SSH tunnels to command-and-control servers.

IoCs

758_browsing78356f2e131cefb8aeb07e777fcc110475f8c92417fcade97e207a94ac372XxX35Exe·exe
SHA1: 56df507f945d6149a1f0090a19c71254cc08c84e
MD5: 576a1d9e79bf32120d74eabae45f17ab
SHA256: 75878356f2e131cefb8aeb07e777fcc110475f8c92417fcade97e207a94ac372

758_edr78356f2e131cefb8aeb07e777fcc110475f8c92417fcade97e207a94ac372XxX35Exe·exe
SHA1: 56df507f945d6149a1f0090a19c71254cc08c84e
MD5: 576a1d9e79bf32120d74eabae45f17ab
SHA256: 75878356f2e131cefb8aeb07e777fcc110475f8c92417fcade97e207a94ac372

Updated MATA attacks industrial companies in Eastern Europe

Expanding its research scope, Kaspersky investigated and discovered additional new active campaigns by the actor, with full infection chains, including an implant designed to work within air-gapped networks over USB sticks, as well as a Linux MATA backdoor.

IoCs

cd36bea923c35_browsing7ee2a0452019494155c2b822e2dffa7934cfc077dd65a0a31ceXxX63Exe·exe
SHA1: 175f0df57893369b5d3f4f9ae6a48b3fe2bdc805
MD5: 5c3a88073824a1bce4359a7b69ed0a8d
SHA256: cd36bea923c357ee2a0452019494155c2b822e2dffa7934cfc077dd65a0a31ce

5360bba34aa2a_browsing7c2e74d3f556ab94713e5a2391980090081f7a926abf3a9c183XxX69Exe·exe
SHA1: b63db6f53ac507fbfd4d052a0217fe146302509e
MD5: 108854ed57caeeeaeefc20182ea67e94
SHA256: 5360bba34aa2a7c2e74d3f556ab94713e5a2391980090081f7a926abf3a9c183

2ba653faef1_browsing7d9ea623be1138f6f420be27c95d8ad7ee1ea0d15ae718895176dXxX80Dll·dll
SHA1: bf8f0b845c8f13b4386b7204add3c5d2e504b4c6
MD5: 4d1e16e2b914243e0c63017676956a73
SHA256: 2ba653faef17d9ea623be1138f6f420be27c95d8ad7ee1ea0d15ae718895176d

Threat Actor Targets Italian Users Using Pure Clipper Malware

A threat actor targeted Italian-speaking users using a Tor Browser phishing website.
They distributed an obfuscated .NET binary, protected with SmartAssembly, which acted as a dropper.
This dropper installed both a legitimate Tor installer and a malicious payload named "Pure Clipper." The threat actor used "PureCrypter" as a loader and crypter for the Clipper payload, and it employed a fileless malware technique by storing its binary data in the Windows Registry, enhancing its stealth and persistence.
To ensure continuous operation in the background, the malware created a Task Scheduler entry running a Base64-encoded PowerShell script to retrieve and execute the binary data from the Registry.
The Clipper payload interacted with a command-and-control server when a user copied or pasted a cryptocurrency address.
It replaced the address with the attacker's address, captured a screenshot, and sent the stolen data to the threat actor's Discord webhook for exfiltration.
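The persistence step described above (a scheduled task that launches Base64-encoded PowerShell to pull a payload out of the Registry and run it in memory) is visible to defenders in the task's command line, because PowerShell's `-EncodedCommand` argument is simply UTF-16LE text in Base64. The following detection logic is an added example and not code from the report or from the researchers who analyzed Pure Clipper; it decodes the argument and flags the combination of encoded PowerShell plus a Registry read. The task actions it scans are constructed samples, the Registry key name in them is a placeholder, and the function names are the example's own.

```python
"""Flag scheduled-task actions that run encoded PowerShell reading a payload from the Registry."""
import base64
import re
from typing import Dict, List, Optional

# Matches -e / -ec / -enc / -EncodedCommand followed by a Base64 argument (case-insensitive).
ENCODED_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_WINDOW_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

# Fragments that indicate a script reads data from the Registry (any common hive spelling).
REGISTRY_HIVES = ("hkcu:", "hklm:", "hkey_current_user", "hkey_local_machine", "registry::")
# Patterns that indicate code is executed from a decoded blob rather than from a file on disk.
EXEC_MARKERS = [re.compile(p) for p in (
    r"invoke-expression", r"\biex\b", r"\[reflection\.assembly\]::load", r"frombase64string")]


def decode_encoded_command(action: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script (UTF-16LE) if the action carries one, else None."""
    m = ENCODED_FLAG_RE.search(action)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_task_action(action: str) -> Dict[str, object]:
    """Inspect one scheduled-task command line and list the indicators it triggers."""
    decoded = decode_encoded_command(action)
    body = (decoded if decoded is not None else action).lower()
    indicators: List[str] = []
    if "powershell" in action.lower() and decoded is not None:
        indicators.append("encoded_powershell")
    if HIDDEN_WINDOW_RE.search(action):
        indicators.append("hidden_window")
    if any(hive in body for hive in REGISTRY_HIVES):
        indicators.append("registry_read")
    if any(p.search(body) for p in EXEC_MARKERS):
        indicators.append("in_memory_exec")
    # The combination that matches the technique described: encoded launcher + Registry-stored payload.
    suspicious = "encoded_powershell" in indicators and "registry_read" in indicators
    return {"decoded": decoded, "indicators": indicators, "suspicious": suspicious}


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (used only to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: a benign log-cleanup task and a task mimicking the Registry-stored loader.
# 'HKCU:\Software\ExampleKey' is a placeholder, not a key from the report.
SAMPLES = {
    "benign": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Logs | Remove-Item"',
    "loader": "powershell.exe -NoP -w hidden -EncodedCommand " + encode_ps(
        "$b=(Get-ItemProperty HKCU:\\Software\\ExampleKey).Blob;"
        "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))"),
}


def scan(samples: Dict[str, str] = SAMPLES) -> Dict[str, Dict[str, object]]:
    """Classify every task action and return the results keyed by sample name."""
    return {name: classify_task_action(action) for name, action in samples.items()}


if __name__ == "__main__":
    for name, result in scan().items():
        print(name, "suspicious" if result["suspicious"] else "clean", result["indicators"])
```

In a real deployment the `SAMPLES` dict would be replaced by the action strings collected from scheduled-task inventory or task-creation events; the decoded script is kept in the result so an analyst can read what the launcher actually does instead of the opaque Base64.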

IoCs

cfa592b0128bc126fbf3fb66c551a8d8_browsing7223b196f5e0cd87e60b88bdc688c6e0XxX20Exe·exe
SHA1: 392ccfa22f19f6e466a973ac654e450a62391572
MD5: 43c29e5e42f4870fa4bbb30abad26012
SHA256: cfa592b0128bc126fbf3fb66c551a8d87223b196f5e0cd87e60b88bdc688c6e0

cfa592b0128bc126fbf3fb66c551a8d8_edr7223b196f5e0cd87e60b88bdc688c6e0XxX20Exe·exe
SHA1: 392ccfa22f19f6e466a973ac654e450a62391572
MD5: 43c29e5e42f4870fa4bbb30abad26012
SHA256: cfa592b0128bc126fbf3fb66c551a8d87223b196f5e0cd87e60b88bdc688c6e0

https://torprojectdownloadfree·site/
SHA1: nan
MD5: nan
SHA256: nan

Ransomware Actor Attempts To Exploit Unsupported ColdFusion Flaw

Researchers observed multiple attempts by an unknown actor to exploit vulnerabilities in outdated, unsupported versions of Adobe's ColdFusion Server software.

The aim was to gain access to Windows servers running this software and then deploy ransomware.
Although these attacks were unsuccessful, they provided valuable telemetry, enabling researchers to attribute them to a single actor or group and retrieve the payload they were attempting to use.
The retrieved files revealed an attempt to deploy ransomware that was created using leaked source code from the LockBit 3.0 ransomware family.

This new ransomware variant is associated with a group or individual called "BlackDog 2023" and appears to be a distinct ransomware family with potential ties to the leaked LockBit 3.0 source code.
This connection is evident when examining properties of the static executable file and similarities in the unpacked code in memory, which triggers the same in-memory protection as the source code, Mem/Lockbit-B.

IoCs

0f1e223eaf8b6d_browsing71f65960f8b9e14c98ba62e585334a6349bcd02216f4415868XxX33Ps1·ps1
SHA1: 6be4f82c2f5dc46ebfa74a77fb550448fcac12d5
MD5: 4c1a115f740c1c111c9f51b3ba7dada9
SHA256: 0f1e223eaf8b6d71f65960f8b9e14c98ba62e585334a6349bcd02216f4415868

0f1e223eaf8b6d_edr71f65960f8b9e14c98ba62e585334a6349bcd02216f4415868XxX33Ps1·ps1
SHA1: 6be4f82c2f5dc46ebfa74a77fb550448fcac12d5
MD5: 4c1a115f740c1c111c9f51b3ba7dada9
SHA256: 0f1e223eaf8b6d71f65960f8b9e14c98ba62e585334a6349bcd02216f4415868

Crambus New Campaign Targets Middle Eastern Government

A long-running Iranian espionage group staged an eight-month cyber attack against a government in the Middle East, according to a report from security firm Symantec, which assessed the extent of the attack.

IoCs

758_browsing78356f2e131cefb8aeb07e777fcc110475f8c92417fcade97e207a94ac372XxX130Exe·exe
SHA1: 56df507f945d6149a1f0090a19c71254cc08c84e
MD5: 576a1d9e79bf32120d74eabae45f17ab
SHA256: 75878356f2e131cefb8aeb07e777fcc110475f8c92417fcade97e207a94ac372

758_edr78356f2e131cefb8aeb07e777fcc110475f8c92417fcade97e207a94ac372XxX130Exe·exe
SHA1: 56df507f945d6149a1f0090a19c71254cc08c84e
MD5: 576a1d9e79bf32120d74eabae45f17ab
SHA256: 75878356f2e131cefb8aeb07e777fcc110475f8c92417fcade97e207a94ac372

http://91·132·92·90
SHA1: nan
MD5: nan
SHA256: nan

Kimsuky APT Group Uses RevClient Malware For Control

The Kimsuky threat group employs a range of tactics to compromise and control infected systems.
They often use open-source malware like xRAT and their own custom malware, alongside legitimate tools, to establish backdoors and steal sensitive information.
Remote Desktop Protocol (RDP) is their preferred method of remote control, and if it is not available they use RDP Wrapper.
They've recently used spear phishing attacks to deploy BabyShark and various RDP-related malware.
Additionally, a new malware called "RevClient" has been discovered, which allows the threat actor to add user accounts and enable port forwarding based on commands received from the command-and-control server.

IoCs

9d2468e5c289f3d012ad0_browsing71602e149f7f07f1d1f1c1046691689233e68a91d24XxX7Exe·exe
SHA1: b55e6d671ba98d96a6b1496373ee40ecf8937f9b
MD5: 02804d632675b2a3711e19ef217a2877
SHA256: 9d2468e5c289f3d012ad071602e149f7f07f1d1f1c1046691689233e68a91d24

2eaea4a3a9fdb_browsing7f5c5f00a8ddefde8d343ea0036047c4fff75290f1cff89efa5XxX13Exe·exe
SHA1: c13b2446f690dba17c7e3a6a2f814bec9e260b99
MD5: 7313dc4d9d6228e442fc6ef9ba5a1b9a
SHA256: 2eaea4a3a9fdb7f5c5f00a8ddefde8d343ea0036047c4fff75290f1cff89efa5

ef900_browsing7ea0cc0572215b2d57a4321fabd40bdd1b4dee850947144c33fef9bb4f0XxX11Exe·exe
SHA1: 0b77a896425db987ccda146f3eb183be4c187fe5
MD5: 2dbe8e89310b42e295bfdf3aad955ba9
SHA256: ef9007ea0cc0572215b2d57a4321fabd40bdd1b4dee850947144c33fef9bb4f0

Qubitstrike – An Emerging Malware Campaign Targeting Jupyter Notebooks

Cado Security Labs researchers have discovered a new cryptojacking campaign targeting exposed Jupyter Notebooks.
The malware includes relatively sophisticated command and control (C2) infrastructure, with the controller using Discord's bot functionality to issue commands on compromised nodes and monitor the progress of the campaign.

After successful compromise, Qubitstrike hunts for a number of hardcoded credential files for popular cloud services (including AWS and Google Cloud) and exfiltrates these via the Telegram Bot API.
Cado researchers were alerted to the use of one such credential file, demonstrating the attacker's intent to pivot to cloud resources after using Qubitstrike to retrieve the appropriate credentials.

The payloads for the Qubitstrike campaign are all hosted on codeberg[.]org, an alternative Git hosting platform providing much of the same functionality as GitHub.
This is the first time Cado researchers have encountered this platform in an active malware campaign.

IoCs

20a0864cb_browsing7dac55c184bd86e45a6e0acbd4bb19aa29840b824d369de710b6152XxX1So·so
SHA1: c0cab89a9dc3eb30f99d3577ffd82defda7dd03b
MD5: 199b790d05724170f3e6583500799db1
SHA256: 20a0864cb7dac55c184bd86e45a6e0acbd4bb19aa29840b824d369de710b6152

96de9c6bcb_browsing75e58a087843f74c04af4489f25d7a9ce24f5ec15634ecc5a68cd7XxX2Gz·gz
SHA1: a0b99443caca40f2063811c537b8a6ba53d8037a
MD5: 1bd59ff76a72584bd583be938e251eac
SHA256: 96de9c6bcb75e58a087843f74c04af4489f25d7a9ce24f5ec15634ecc5a68cd7

96de9c6bcb_edr75e58a087843f74c04af4489f25d7a9ce24f5ec15634ecc5a68cd7XxX2Gz·gz
SHA1: a0b99443caca40f2063811c537b8a6ba53d8037a
MD5: 1bd59ff76a72584bd583be938e251eac
SHA256: 96de9c6bcb75e58a087843f74c04af4489f25d7a9ce24f5ec15634ecc5a68cd7

Ransomware Roundup – Akira

Akira is a relatively new ransomware variant, with Windows and Linux versions, that came out in April 2023.
Like many attackers, the gang behind this variant only uses the ransomware to encrypt files after first breaking into a network and stealing data.
This group also employs a double extortion tactic, demanding a ransom from victims in exchange for file decryption and for not leaking stolen information to the public.

IoCs

6cadab96185dbe6f3a_browsing7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360XxX125Exe·exe
SHA1: 941d001e2974c9762249b93496b96250211f6e0f
MD5: 0885b3153e61caa56117770247be0444
SHA256: 6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360

7b295a10d54c8_browsing70d59fab3a83a8b983282f6250a0be9df581334eb93d53f3488XxX110Exe·exe
SHA1: f070a115100559dcaf31ce34d9e809a3134b2511
MD5: af95fbcf9da33352655f3c2bab3397e2
SHA256: 7b295a10d54c870d59fab3a83a8b983282f6250a0be9df581334eb93d53f3488

2b282_browsing70c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2XxX118Exe·exe
SHA1: e27521c7158c6af3aa58f78fcbed64b17c946f70
MD5: 2cda932f5a9dafb0a328d0f9788bd89c
SHA256: 2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2

Threat Actor Leverages WinRAR Vulnerability To Deploy Mythic Athena Agent To Russian Semi-Conductor Suppliers

An unidentified threat actor exploited a WinRAR vulnerability (CVE-2023-38831) to target Russian semiconductor suppliers and dropped the Mythic C2 Framework Athena agent.
Access to the systems was gained through a spear-phishing attachment that contained a PDF file and a CMD script file.
A malicious script was executed that included a Base64-encoded PowerShell script, which fetched the agent and saved it on the compromised system.
The malware subsequently gathered sensitive information by executing pre-defined commands and exfiltrated the data to adversarial command and control (C2) servers.

IoCs

860_browsing79a2d12b28a340281453efa0a7fd31c65ead11bab98edd94fe19aaff436ebXxX72Exe·exe
SHA1: 9bc49d61c502f0a8d7a86ef51dc94d9f8b00951d
MD5: 9771562248968eaf28c14819106f2287
SHA256: 86079a2d12b28a340281453efa0a7fd31c65ead11bab98edd94fe19aaff436eb

0fead8db0ee2_browsing7f906d054430628bd8fd3b09ca75ff6067720a5b179f6a674c12XxX74Eml·eml
SHA1: 87ec3909fef152b17c5c0e0687ad1b336882f1fa
MD5: c054b55b0f66424ff74cbf72b33518ba
SHA256: 0fead8db0ee27f906d054430628bd8fd3b09ca75ff6067720a5b179f6a674c12

http://162·159·122·233
SHA1: nan
MD5: nan
SHA256: nan

Sticky Werewolf Attacks Organizations In Russia And Belarus

The cyber group known as Sticky Werewolf has been conducting a series of attacks on public organizations in Russia and Belarus since April 2023 using the NetWire RAT.
To enhance the effectiveness of their malware, they employ protectors like Themida, making analysis difficult.
They initially access target systems through phishing emails containing links to malicious downloads generated with the help of IP Logger.
This tool not only created the phishing links but also gathered information about victims, such as timestamp, IP address, location, browser, and operating system versions.
This data allowed the group to profile potentially compromised systems and select significant ones, avoiding sandboxes and unrelated countries.
Additionally, IP Logger enabled the use of their own domain names to make the phishing links appear more authentic.
These links pointed to malicious files disguised as Microsoft Word or PDF documents which, when opened, installed the NetWire RAT.

IoCs

0_browsing78859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bbXxX3Exe·exe
SHA1: a70ae8967ba471d65a2946fa99cf0f055051eb02
MD5: 75fd9018433f5cbd2a4422d1f09b224e
SHA256: 078859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bb

9162ccb4816d889_browsing787a7e25ba680684afca1d7f3679c856ceedaf6bf8991e486XxX1Exe·exe
SHA1: 5ee694301a0d8388f7dd35b1df3e7319fce4fab0
MD5: 842f8064a81eb5fc8828580a08d9b044
SHA256: 9162ccb4816d889787a7e25ba680684afca1d7f3679c856ceedaf6bf8991e486

0_edr78859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bbXxX3Exe·exe
SHA1: a70ae8967ba471d65a2946fa99cf0f055051eb02
MD5: 75fd9018433f5cbd2a4422d1f09b224e
SHA256: 078859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bb

Dissecting Snake Keylogger

ANY.RUN analyzed the info-stealer malware Snake Keylogger.
Written in .NET, it is a type of malicious software designed to covertly record a user's keystrokes on a compromised computer or device.
Snake Keylogger steals various information from the victim, such as saved credentials, clipboard data, keystrokes, and screenshots of the victim's screen.

Snake Keylogger is typically delivered through phishing emails which are crafted to appear legitimate and often contain malicious attachments or links.
Once activated, the keylogger runs in the background capturing all keystrokes made by the user, including login credentials, credit card information, and other sensitive data.
The malware also checks and collects system information, which includes the system's hostname, username, IP address, geolocation, date and time, and more.
It then exfiltrates the collected information through protocols such as FTP, SMTP, and Telegram.
The captured information is sent to a remote server controlled by the attacker, who can use it for various malicious purposes such as identity theft or unauthorized access to accounts.

Snake Keylogger poses a significant threat to individuals and organizations, making it crucial to maintain strong cybersecurity practices to prevent infection and to promptly detect and remove such threats.

IoCs

d483d48c15f_browsing797c92c89d2eafcc9fc7cbe0c02cabe1d9130bb9069e8c897c94cXxX13Exe·exe
SHA1: a663c9ecf8f488d6e07b892165ae0a3712b0e91f
MD5: 1a0f4cc0513f1b56fef01c815410c6ea
SHA256: d483d48c15f797c92c89d2eafcc9fc7cbe0c02cabe1d9130bb9069e8c897c94c

d13a_browsing7eaaf07c924159ea7bb8f297dab1d8da0f9af46e82e24052d6a9bf5e4087XxX11Eml·eml
SHA1: 1d17dd1688a903cbe423d8de58f8a7ab7ece1ea5
MD5: 60d00c17d3ea15910893eef868de7a65
SHA256: d13a7eaaf07c924159ea7bb8f297dab1d8da0f9af46e82e24052d6a9bf5e4087

ad24b345eac98_browsing76a65fb6b0d2eda0da669c3b23aaa969db9ce913f8a63c0a5f1XxX15Rar·rar
SHA1: cf13df73eff74b9ceb6d837c1d7cc9d01fe918db
MD5: a448bda0002ecd968b6ae9526617c974
SHA256: ad24b345eac9876a65fb6b0d2eda0da669c3b23aaa969db9ce913f8a63c0a5f1

StopRansomware AvosLocker Ransomware Update

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known IOCs, TTPs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023.
AvosLocker operates under a ransomware-as-a-service (RaaS) model.
AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments.
AvosLocker affiliates compromise organizations' networks by using legitimate software and open-source remote system administration tools.
AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.

IoCs

e68f9c3314beee640cc32f08a8532aa8dcda613543c54a83680c21d_browsing7cd49ca0fXxX1Ps1·ps1
SHA1: efdd72befa913e0a44504435ba5c61196abc2e64
MD5: d06f32bbfa0cf5939045896d5232d025
SHA256: e68f9c3314beee640cc32f08a8532aa8dcda613543c54a83680c21d7cd49ca0f

e68f9c3314beee640cc32f08a8532aa8dcda613543c54a83680c21d_edr7cd49ca0fXxX1Ps1·ps1
SHA1: efdd72befa913e0a44504435ba5c61196abc2e64
MD5: d06f32bbfa0cf5939045896d5232d025
SHA256: e68f9c3314beee640cc32f08a8532aa8dcda613543c54a83680c21d7cd49ca0f

IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits

In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign had aggressively updated its arsenal of exploits.
Thirteen payloads were included in this variant, targeting D-Link devices, Netis wireless routers, Sunhillo SureLine, Geutebruck IP cameras, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix JetWave, and TOTOLINK routers.

IoCs

73_browsing7ba9e84b5166134d491193be3305afa273733c35c028114d8b1f092940b9a3XxX36Elf·elf
SHA1: 60ff3f8b1f685a66c8a74539a424062a9ca865aa
MD5: 34edf77604f651e56ad0ca346ecc2423
SHA256: 737ba9e84b5166134d491193be3305afa273733c35c028114d8b1f092940b9a3

1e15d_browsing7cd0b4682a86620b3046548bdf3f39c969324a85755216c2a526d784c0dXxX62Elf·elf
SHA1: f9095595b1d8b9c1c649b1ec0b602e7a478e8f20
MD5: ca732733cd816e60655c82bce09bc715
SHA256: 1e15d7cd0b4682a86620b3046548bdf3f39c969324a85755216c2a526d784c0d

34628bcfc40218095c656_browsing78b52ce13cea4904ce966d0fd47e691c3cb039871ecXxX38Elf·elf
SHA1: 59d9c55be338a85dddbd53cc3546e2a4e7b9e704
MD5: 98edefbbe07e13d7348c10c2773d3cba
SHA256: 34628bcfc40218095c65678b52ce13cea4904ce966d0fd47e691c3cb039871ec

New campaign targeting unpatched NetScaler Gateways CVE-2023-3519

In September 2023, X-Force uncovered a campaign in which attackers exploited CVE-2023-3519 to attack unpatched NetScaler Gateways and insert a malicious script into the HTML content of the authentication web page in order to capture user credentials.

IoCs

2d53aaa2638f9a986_browsing779b9e36a7b6dfdaddf3cc06698f4aa9f558c1a0591dc9aXxX4Dll·dll
SHA1: eff94ae3fe0f678f19be5149eb74030ec2b0d096
MD5: 8b47edcf4d1070cdce44f06904f75b1e
SHA256: 2d53aaa2638f9a986779b9e36a7b6dfdaddf3cc06698f4aa9f558c1a0591dc9a

20e68a2_browsing76badbd6a38aa6d6e57d28c3e4c133256ef320b83848253f80ae7a1eeXxX15Php·php
SHA1: 55c83cb25be5c521e4874e22b1422c360abf0a29
MD5: c0b32901f9c6ce3f965b8552f7d058d4
SHA256: 20e68a276badbd6a38aa6d6e57d28c3e4c133256ef320b83848253f80ae7a1ee

ec89ec41f0e0a_browsing7e60fa3f6267d0197c7fa8568e11a2c564f6d59855ddd9e1d64XxX9Dll·dll
SHA1: af83e150039051d930ae3eec0dc8081b02719beb
MD5: ab41cac917bd44f0cbe192dac9539321
SHA256: ec89ec41f0e0a7e60fa3f6267d0197c7fa8568e11a2c564f6d59855ddd9e1d64

ValleyRAT And Sainbox RAT Appear Across The Cybercrime Threat Landscape

Since early 2023, a notable increase in email-based cybercrime activity suspected to originate from China has been observed.
This activity involves the distribution of malware including the Sainbox Remote Access Trojan (RAT), a variant of Gh0stRAT, and a newly discovered malware called ValleyRAT.

The term “Chinese-themed” is used to describe content related to this malicious activity, including lures, malware, targeting, and metadata that contains Chinese-language elements.
These campaigns are relatively low-volume and typically target global organizations with operations in China.
The emails are written in Chinese and revolve around business-related themes such as invoices, payments, and new products.
Targeted individuals often have Chinese-language names or company email addresses related to China.
There was one instance of a campaign targeting Japanese organizations, indicating a potential expansion of activity.

These recent activity clusters use flexible delivery methods, employing both simple and moderately complex techniques.
Email messages often contain URLs linking to compressed executables responsible for installing the malware.
Researchers also observed instances where Sainbox RAT and ValleyRAT were delivered through Excel and PDF attachments containing URLs to compressed executables.

The emergence and resurgence of Chinese-themed malware in 2023 represents a new trend in the threat landscape.
This combination of historical malware like Sainbox and the newly uncovered ValleyRAT may challenge the dominance of the Russian-speaking cybercrime market.
However, at present Chinese-themed malware primarily targets Chinese-speaking users, although there is ongoing monitoring for signs of expanded adoption in other languages.

IoCs

7f32ca98ce66a05_browsing7ae226ec78638db95feebc59295d3afffdbf407df12b5bc79XxX774Exe·exe
SHA1: 9b020978a1ddab1e949a631c4863e4a9d4328149
MD5: 4a711581b581513f960612161c958f9e
SHA256: 7f32ca98ce66a057ae226ec78638db95feebc59295d3afffdbf407df12b5bc79

4f01ffe98009a8090ea8a086d21c62c24219b21938ea3ec_browsing7da8072f8c4dcc7a6XxX776Exe·exe
SHA1: c8c51d0ef446c1d4e3c117225b1596f771bdbcc1
MD5: 9d6a5eecd0c3e290fe8f3cbdb7b2de7a
SHA256: 4f01ffe98009a8090ea8a086d21c62c24219b21938ea3ec7da8072f8c4dcc7a6

7f32ca98ce66a05_edr7ae226ec78638db95feebc59295d3afffdbf407df12b5bc79XxX774Exe·exe
SHA1: 9b020978a1ddab1e949a631c4863e4a9d4328149
MD5: 4a711581b581513f960612161c958f9e
SHA256: 7f32ca98ce66a057ae226ec78638db95feebc59295d3afffdbf407df12b5bc79

India Cert Alert – NoEscape Ransomware

NoEscape ransomware, which is believed to be a rebrand of Avaddon, is targeting enterprises in double-extortion attacks.

IoCs

9d346518330eeefbf288aeca_browsing7b2b6243bc158415c7fee3f2c19694f0e5f7d51cXxX6Exe·exe
SHA1: d38c613020cb4616783c8535380e28404f7eaebf
MD5: 47ae17d89c2d9b6acdc7458f5df1c6f7
SHA256: 9d346518330eeefbf288aeca7b2b6243bc158415c7fee3f2c19694f0e5f7d51c

21162bbd_browsing796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6daXxX4Elf·elf
SHA1: 30c60f18279ed5fd36e3ac2d3ba5ddbdc5d1f624
MD5: c850f6816459e3364b2a54239642101b
SHA256: 21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da

0_browsing7c70968c66c93b6d6c9a90255e1c81a3b385632c83f53f69534b3f55212ced9XxX5Dll·dll
SHA1: 9cbc7417fa5ce2f6d87026337fc7892e4f485819
MD5: 473d65d1231ccdfa0099d463b09cf9b9
SHA256: 07c70968c66c93b6d6c9a90255e1c81a3b385632c83f53f69534b3f55212ced9

RedLine Stealer A new variant surfaces Deploying using Batch Script

RedLine Stealer was first discovered in March 2020 and is one of the most popular stealer malware families.
It is designed to steal sensitive information from compromised systems.
It is sold by cybercriminals on underground forums as malware-as-a-service (MaaS).
Threat actors are leveraging RedLine Stealer due to its availability and flexibility.
This malware is capable of harvesting information from web browsers, such as saved credentials and payment card details.
It also searches the system for information including the username, hardware configuration, installed general and security software, installed VPN clients, network configuration, and cryptocurrency-related data, and sends the stolen information to the adversary.

IoCs

19_browsing7b50f15375335928e08c5cc5b6f50cd93864655237b8db85556d4057f3b988XxX226Exe·exe
SHA1: a211e5db983c0ceb6b90465a76a780fa0884ff5d
MD5: 28caece68c96bec864c5b61d09a8ad06
SHA256: 197b50f15375335928e08c5cc5b6f50cd93864655237b8db85556d4057f3b988

83db86d_browsing7872e467513f186adcc02f5408e50b6a3d3aa14cbf7dd5d1fb6affb34XxX227Exe·exe
SHA1: 6ee140e44a68794536993ee06970b9b20cbc10ff
MD5: 6018d10792d2e5717b4e3aaff9310a6a
SHA256: 83db86d7872e467513f186adcc02f5408e50b6a3d3aa14cbf7dd5d1fb6affb34

e0f0449aae4dc11_browsing7e34517e8c83fd49faf2b379dc4f2fd35ff291dd5003864e2XxX232Zip·zip
SHA1: 444a2609c5bf9d45799565f48615ca21a969782c
MD5: 8248867e6d42d41cfdea624f87e14fa6
SHA256: e0f0449aae4dc117e34517e8c83fd49faf2b379dc4f2fd35ff291dd5003864e2

Energy Industry Targeted With GuLoader

Researchers have uncovered a cluster of malicious activity focused on companies in the energy sector.
This activity involved spear-phishing emails and domain typosquatting, primarily targeting energy companies and their Liquefied Natural Gas (LNG) branches along with generic domains related to the LNG industry.
The objective of these campaigns was to deploy GuLoader implants followed by Agent Tesla implants.

GuLoader is a loader used to avoid detection and analysis by employing various techniques, including checking the execution environment and encrypting the payload it injects into infected systems.
The actor using GuLoader must provide a URL for the payload they want to protect and load onto the system; that payload must be encrypted and can be hosted on legitimate services like Google Drive or on other domains.
GuLoader can be delivered in different file formats, such as VBS scripts or NSIS installers.

IoCs

ec5be_browsing7c50c187de9346e381fe229eb22a3383dfd70bbac3568051af0ee25016cXxX37Exe·exe
SHA1: 69ab40f9b894499b4d8642da5a593fe104ca97a3
MD5: 2f570584d844c86b86f47a5492d2aed6
SHA256: ec5be7c50c187de9346e381fe229eb22a3383dfd70bbac3568051af0ee25016c

50f_browsing7d8503f51e02f52c3f666ad902900b2b90809df612c96e88cd51466416c0bXxX39Rtf·rtf
SHA1: ee1745bcc59059884d92f7569f8413eec5be6ab4
MD5: 5430331fef849a50410d743fea38c1ad
SHA256: 50f7d8503f51e02f52c3f666ad902900b2b90809df612c96e88cd51466416c0b

0c8625301_browsing7d45f1cf09b474135ab9a603584f4c6d1d8d22b9cbce7be46dfb019XxX41Exe·exe
SHA1: bbc66966e5fc6ffe99c587ab31f792b2d18ba566
MD5: c619a36e01a2da1b2857d98ceecfa64d
SHA256: 0c86253017d45f1cf09b474135ab9a603584f4c6d1d8d22b9cbce7be46dfb019

Typosquatting Campaign Delivers r77 Rootkit via npm

ReversingLabs researchers have identified a new malicious supply chain attack affecting the npm platform.
The typosquatting campaign first appeared in August and pushed a malicious package, node-hide-console-windows, which downloaded a Discord bot that facilitated the planting of the open-source rootkit r77.

IoCs

02e28a2fa3904b5b1014e93ab8812_browsing74a9df5f8355fbab4b4424923f65ae4577dXxX2Exe·exe
SHA1: 1563b5814b7dd655892a80be3a6cc740dad282a3
MD5: 6f7302fadcfd25fd93ad44df9c6b46de
SHA256: 02e28a2fa3904b5b1014e93ab881274a9df5f8355fbab4b4424923f65ae4577d

82bfffb12f0094e01824df2b4c28e1_browsing72b6486cf006cd52af83a7cb4f524cd56eXxX3Exe·exe
SHA1: 43feaf19f1a7410358ab8cd51f00b2446d62e798
MD5: 1dba5ce8b8be1104637bc6cfe35ed997
SHA256: 82bfffb12f0094e01824df2b4c28e172b6486cf006cd52af83a7cb4f524cd56e

02e28a2fa3904b5b1014e93ab8812_edr74a9df5f8355fbab4b4424923f65ae4577dXxX2Exe·exe
SHA1: 1563b5814b7dd655892a80be3a6cc740dad282a3
MD5: 6f7302fadcfd25fd93ad44df9c6b46de
SHA256: 02e28a2fa3904b5b1014e93ab881274a9df5f8355fbab4b4424923f65ae4577d

A cryptor a stealer and a banking trojan

As long as cybercriminals want to make money, they'll keep making malware, and as long as they keep making malware, we'll keep analyzing it, publishing reports, and providing protection.
Last month we covered a wide range of cybercrime topics.
For example, we published a private report on a new malware found on underground forums that we call ASMCrypt (related to the DoubleFinger loader).
But there's more going on in the cybercrime landscape, so we also published reports on new versions of the Lumma stealer and the Zanubis Android banking trojan.
This blog post contains excerpts from those reports.

IoCs

f65ba83c6db36_browsing72614119dca0ea2b948100f2d984e642c674a84d9d3498481cfXxX2Exe·exe
SHA1: 70517a53551269d68b969a9328842cea2e1f975c
MD5: 6b4c224c16e852bdc7ed2001597cde9d
SHA256: f65ba83c6db3672614119dca0ea2b948100f2d984e642c674a84d9d3498481cf

78_browsing73dddec4a46e7ad104de9b6bd68f590575b7680a1d20b9fe1329d1ad95348fXxX3Exe·exe
SHA1: 49f05e72d3462c0aa0be79f324c26c98006120dd
MD5: 844ab1b8a2db0242a20a6f3bbceedf6b
SHA256: 7873dddec4a46e7ad104de9b6bd68f590575b7680a1d20b9fe1329d1ad95348f

9b_browsing742a890aff9c7a2b54b620fe5e1fcfa553648695d79c892564de09b850c92bXxX6Exe·exe
SHA1: 9ac88b93fee8f888cabc3d0c9d81507c6dad7498
MD5: 5aac51312dfd99bf4e88be482f734c79
SHA256: 9b742a890aff9c7a2b54b620fe5e1fcfa553648695d79c892564de09b850c92b

Cyberespionage Events Targeting Southeast Asian Government Linked To Stately Taurus aka Mustang Panda

From mid-2021 to late 2023, the advanced persistent threat (APT) group Stately Taurus (aka Mustang Panda) targeted a Southeast Asian government across multiple sectors, from healthcare to financial administration.
This suspected Chinese-affiliated cyberespionage group executed intrusions, exfiltrated sensitive data, and secured long-term persistent access using unique tools like ToneShell.
During their extensive intrusions, the group conducted detailed reconnaissance using tools like LadonGo and Impacket, and used commodity credential-stealing malware like Mimikatz.
Additionally, an undocumented variant of the ToneShell backdoor was identified, and techniques were used to evade detection by manipulating security software present in the environment.

IoCs

8445aa54adf4d666e65084909a_browsing7b989a190ec6eca2844546c2e99a8cfb832fadXxX63Exe·exe
SHA1: a59bef14b569454fdefd43e60e555537c05ab88d
MD5: fbbfa07f54009c2a5ae8ef773c0fab3b
SHA256: 8445aa54adf4d666e65084909a7b989a190ec6eca2844546c2e99a8cfb832fad

011fe99_browsing74f07cb12ba30e69e7a84e5cb489ce14a81bced59a11031fc0c3681b7XxX65Dll·dll
SHA1: 718006ff145541384e22c04b067fa3358dfbc92f
MD5: 6d16883f9e456207023c2878dd2f0502
SHA256: 011fe9974f07cb12ba30e69e7a84e5cb489ce14a81bced59a11031fc0c3681b7

64ab1c1b19682026900d060b969ab3c3ab860988_browsing733b7e7bf3ba78a4ea0340b9XxX67Exe·exe
SHA1: 090ac7ea64241fc772abeefff477c1c1b409e86e
MD5: bb73aa01702047460ff66b953e698a36
SHA256: 64ab1c1b19682026900d060b969ab3c3ab860988733b7e7bf3ba78a4ea0340b9

BunnyLoader the newest Malware-as-a-Service

BunnyLoader is a new MaaS threat that is continuously evolving its tactics and adding new features to carry out successful campaigns against its targets.
BunnyLoader features rapid iterations, anti-sandbox tactics, second-stage payload execution, keylogging, stealing capabilities, and remote execution.

IoCs

9b8efc369c_browsing7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142fXxX1Exe·exe
SHA1: cdc11d2244321b850fad88a92e704a8ce2255ca7
MD5: 59ac3eacd67228850d5478fd3f18df78
SHA256: 9b8efc369c7ff541f885c605c462c7d5a16acfbdfef3b28adc4e5418e890142f

90e6ebc8_browsing79283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69XxX2Exe·exe
SHA1: 059d27dbb4777ed1f17b2aa42c0e7c19ad29b304
MD5: bbf53c2f20ac95a3bc18ea7575f2344b
SHA256: 90e6ebc879283382d8b62679351ee7e1aaf7e79c23dd1e462e840838feaa5e69

454bd68088f1_browsing7718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79XxX3Exe·exe
SHA1: c02d2a18eca78b91b4c4e9e7a45c8d17c8c5bbca
MD5: dbf727e1effc3631ae634d95a0d88bf3
SHA256: 454bd68088f17718527b300134cae3eed1c7db3ba7ed9e08d291ef7729229a79

ZenRAT Malware Brings More Chaos Than Calm

Proofpoint identified a new malware called ZenRAT being distributed via fake installation packages of the password manager Bitwarden.

IoCs

60098db9f251bca8d40bf6b19e3defa1b81ff3bdc138_browsing76766988429a2e922a06XxX1Exe·exe
SHA1: eb638e3786e79fc000986fe7fb4fc3b88ac50eca
MD5: 689e40f5805fed0924ea12ee20a178cd
SHA256: 60098db9f251bca8d40bf6b19e3defa1b81ff3bdc13876766988429a2e922a06

83_browsing78c6faf198f4182c55f85c494052a5288a6d7823de89914986b2352076bb12XxX2Exe·exe
SHA1: 3a5801a8e9424c24d80d33841e8c92b992d331f8
MD5: 19c8c8348810515b19946b3e17fd265f
SHA256: 8378c6faf198f4182c55f85c494052a5288a6d7823de89914986b2352076bb12

986aa8e20962b289_browsing71b3a5335ef46cf96c102fa828ae7486c2ac2137a0690b76XxX3Exe·exe
SHA1: 4805037977fb45f7ff98e96eed51422c813470ee
MD5: c9972ce41e4b27d88b66b39d520eb254
SHA256: 986aa8e20962b28971b3a5335ef46cf96c102fa828ae7486c2ac2137a0690b76

Budworm APT Uses Updated Custom Tool In Attacks On Government And Telecoms

The Budworm advanced persistent threat (APT) group, also known as LuckyMouse, Emissary Panda, and APT27, was discovered using an updated version of its SysUpdate backdoor to target a Middle Eastern telecommunications organization and an Asian government in August 2023.
SysUpdate is a unique tool used exclusively by Budworm.
In these attacks the group employed various living-off-the-land and publicly available tools, primarily focusing on credential harvesting, suggesting that the attacks might have been halted in their early stages.

Budworm's technique involves executing SysUpdate on victim networks by DLL sideloading through the legitimate INISafeWebSSO application.
This method has been used by the group since at least 2018 and can help them avoid detection by abusing the DLL search order mechanism in Windows.

SysUpdate is a versatile backdoor with multiple functionalities, including managing services, taking screenshots, handling files, browsing directories, and executing commands.
Budworm has developed both Windows and Linux versions of SysUpdate to enhance its capabilities and evade detection.

In addition to SysUpdate, Budworm utilized various legitimate or publicly available tools like AdFind, Curl, SecretsDump, and PasswordDumper for network mapping and credential extraction in its campaign.

IoCs

f15_browsing7090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455eXxX56Exe·exe
SHA1: c2eaca8799d335954ef3d9a1867ec1b629ca4f1a
MD5: 5483da573c6a239f9a5d6e6552b307b0
SHA256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e

c3405d9c9d593d_browsing75d773c0615254e69d0362954384058ee970a3ec0944519c37XxX62Exe·exe
SHA1: af7c73c47c62d70c546b62c8e1cc707841ec10e3
MD5: 96ec8798bba011d5be952e0e6398795d
SHA256: c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37

f15_edr7090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455eXxX56Exe·exe
SHA1: c2eaca8799d335954ef3d9a1867ec1b629ca4f1a
MD5: 5483da573c6a239f9a5d6e6552b307b0
SHA256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e

Vulnerable Openfire Messaging Servers Under Attack CVE-2023-32315

A warning has been issued regarding the proliferation of malicious plugins targeting the Openfire messaging server.
Over 3,000 servers globally running Openfire software have fallen victim to a vulnerability allowing hackers to compromise them, turning them into botnet nodes.

An investigation revealed that this was due to the CVE-2023-32315 vulnerability in Openfire software.
The exploit allowed unauthorized access to Openfire's administrative interface, where attackers created an admin account and then installed a malicious plugin which enabled the execution of arbitrary code, ultimately deploying the encryption trojan.

A trojan called Kinsing was used for crypto mining.
Another trojan, Tsunami, allowed unauthorized access with a randomly generated admin account.

Attackers also used a malicious Openfire plugin to gather information about the compromised server, including network connections, IP addresses, users, and the system's kernel version.
All these malicious plugins were JSP.BackDoor.8 backdoors written in Java, enabling various commands via GET and POST requests.

The Openfire vulnerability has been addressed in versions 4.6.8 and 4.7.5, and users are advised to update.
If updating is not possible, security measures like restricting network access, modifying Openfire settings, or using the AuthFilterSanitizer plugin are recommended.

IoCs

5d2530b809fd069f9_browsing7b30a5938d471dd2145341b5793a70656aad6045445cf6dXxX7Elf·elf
SHA1: e545ceffc8948e3ca9900212807cf3a862d33581
MD5: 2c44b4e4706b8bd95d1866d7867efa0e
SHA256: 5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d

a3f_browsing72a73e146834b43dab8833e0a9cfee6d08843a4c23fdf425295e53517afceXxX9Elf·elf
SHA1: 61586a0c47e3ae120bb53d73e47515da4deaefbb
MD5: 1db40b7e18cf228169d2f5d73bf27ef7
SHA256: a3f72a73e146834b43dab8833e0a9cfee6d08843a4c23fdf425295e53517afce

http://185·17·0·226
SHA1: nan
MD5: nan
SHA256: nan

Ransomware attack on IFX Colombia

A new ransomware attack has hit IFX Colombia.

IoCs

bfc9b956818efe008c2dbf621244b6dc3de8319e89b9fa83c9e412ce_browsing70f82f2cXxX1Exe·exe
SHA1: 51cfd3290e562367bc5b0930eb5ad70586979b75
MD5: ef46880a8583da64cebea1e8f8cb1fb3
SHA256: bfc9b956818efe008c2dbf621244b6dc3de8319e89b9fa83c9e412ce70f82f2c

8189c_browsing708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973XxX2Elf·elf
SHA1: 5b1541ee4ccfc020a081361ea8d6fe48d20e602a
MD5: d2853c1d92c73dc047cdb1f201900a99
SHA256: 8189c708706eb7302d7598aeee8cd6bdb048bf1a6dbe29c59e50f0a39fd53973

bfc9b956818efe008c2dbf621244b6dc3de8319e89b9fa83c9e412ce_edr70f82f2cXxX1Exe·exe
SHA1: 51cfd3290e562367bc5b0930eb5ad70586979b75
MD5: ef46880a8583da64cebea1e8f8cb1fb3
SHA256: bfc9b956818efe008c2dbf621244b6dc3de8319e89b9fa83c9e412ce70f82f2c
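Every IoC block in this roundup uses the same layout: an artifact name, then SHA1, MD5 and SHA256 lines, with the period defanged to "·" as noted in the introduction, a "_browsing" or "_edr" fragment spliced into the SHA256 part of the sample name, and "nan" in the hash fields of URL entries. As an added example, not code from the original post or from Cymulate, the Python script below parses that layout into SIEM-ready watchlists, refangs the dots, drops the "nan" placeholders, deduplicates the entries that appear twice (once per vector), and cross-checks that the SHA256 embedded in each sample name agrees with the SHA256 line before the hash is accepted. Treating "_browsing"/"_edr" as a removable vector tag is an assumption drawn from the naming seen above; the sample input is copied from the blocks on this page.

```python
"""Normalize the IoC blocks of this roundup into SIEM-ready watchlists.

Added example, not Cymulate code. Assumptions: the "_browsing"/"_edr" fragment in
sample names is a per-vector tag that can be removed, and "nan" means "no hash".
"""
import re

# Strict hash formats; anything else (including "nan") is discarded.
HASH_RE = {
    "md5": re.compile(r"[0-9a-f]{32}"),
    "sha1": re.compile(r"[0-9a-f]{40}"),
    "sha256": re.compile(r"[0-9a-f]{64}"),
}
VECTOR_TAG_RE = re.compile(r"_(browsing|edr)")  # assumed per-vector tag in sample names

# Constructed sample input: entries copied verbatim from this roundup, including a URL
# entry with "nan" hashes and one sample listed twice (once _browsing, once _edr).
SAMPLE = """
860_browsing79a2d12b28a340281453efa0a7fd31c65ead11bab98edd94fe19aaff436ebXxX72Exe·exe
SHA1: 9bc49d61c502f0a8d7a86ef51dc94d9f8b00951d
MD5: 9771562248968eaf28c14819106f2287
SHA256: 86079a2d12b28a340281453efa0a7fd31c65ead11bab98edd94fe19aaff436eb

http://162·159·122·233
SHA1: nan
MD5: nan
SHA256: nan

0_browsing78859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bbXxX3Exe·exe
SHA1: a70ae8967ba471d65a2946fa99cf0f055051eb02
MD5: 75fd9018433f5cbd2a4422d1f09b224e
SHA256: 078859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bb

0_edr78859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bbXxX3Exe·exe
SHA1: a70ae8967ba471d65a2946fa99cf0f055051eb02
MD5: 75fd9018433f5cbd2a4422d1f09b224e
SHA256: 078859c7dee046b193786027d5267be7724758810bdbc2ac5dd6da0ebb4e26bb
"""


def refang(value: str) -> str:
    """Restore the '.' that the roundup replaced with '·' (U+00B7)."""
    return value.replace("\u00b7", ".")


def parse_ioc_blocks(text: str) -> list:
    """Parse blank-line separated blocks into dicts with artifact, kind and hashes."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or lines[0] == "IoCs":  # skip the section header if present
            continue
        artifact = refang(lines[0])
        entry = {
            "artifact": artifact,
            "kind": "url" if artifact.startswith(("http://", "https://")) else "file",
        }
        for line in lines[1:]:
            algo, sep, value = line.partition(":")
            if not sep:
                continue
            algo, value = algo.strip().lower(), value.strip().lower()
            if algo in HASH_RE and HASH_RE[algo].fullmatch(value):
                entry[algo] = value  # "nan" and malformed values never get here
        if entry["kind"] == "file":
            # Cross-check: the sample name, minus the vector tag, starts with its SHA256.
            bare = VECTOR_TAG_RE.sub("", artifact, count=1)
            entry["name_matches_sha256"] = "sha256" in entry and bare.startswith(entry["sha256"])
            entry["extension"] = artifact.rsplit(".", 1)[-1].lower() if "." in artifact else ""
        entries.append(entry)
    return entries


def build_watchlist(entries: list) -> dict:
    """Deduplicate hashes and URLs; file entries failing the name/SHA256 check are set aside."""
    hashes = {"md5": set(), "sha1": set(), "sha256": set()}
    urls, suspect = set(), []
    for e in entries:
        if e["kind"] == "url":
            urls.add(e["artifact"])
            continue
        if not e.get("name_matches_sha256"):
            suspect.append(e["artifact"])  # likely a transcription error; review before loading
            continue
        for algo in hashes:
            if algo in e:
                hashes[algo].add(e[algo])
    return {
        "md5": sorted(hashes["md5"]),
        "sha1": sorted(hashes["sha1"]),
        "sha256": sorted(hashes["sha256"]),
        "urls": sorted(urls),
        "suspect": suspect,
    }


if __name__ == "__main__":
    watchlist = build_watchlist(parse_ioc_blocks(SAMPLE))
    for key, values in watchlist.items():
        print(f"{key}: {len(values)} -> {values}")
```

Feed the whole IoC section of a roundup into `parse_ioc_blocks` and load the `sha256` and `urls` lists into the SIEM watchlist; anything that lands in `suspect` should be checked by hand rather than ingested, since a hash that disagrees with its own sample name is most likely a copy error.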

That is all for now!

Stay cyber safe and see you next month!
