Cyber Threat Breakdown September 2023
Here is the September 2023 breakdown of threats, with a short list of IoCs for each. The full IoC list for each specific threat is available from the Cymulate app. Reminder: the Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM list of IoCs, including hashes, URLs, domain names, etc. Note: the period character '.' in the sample file names and URLs below has been replaced with a '·' out of an abundance of caution, so none of them resolve or open if clicked.

Threats covered this month:

Novel RAT discovered: SuperBear targeting journalists covering the geopolitics of Asia
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware
Exposing RocketMQ CVE-2023-33246 Payloads
New Agent Tesla Variant Being Spread by Crafted Excel Document
New Attack Vector In The Cloud: Attackers Caught Exploiting Object Storage Services
Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
Mac users targeted in new malvertising campaign delivering Atomic Stealer
APT37 Distributes Backdoor Via Malicious LNK
BlueShell malware used in APT attacks targeting Korea and Thailand
Analysis of Cuba ransomware gang activity and tooling
Technical Analysis Of Sponsor Backdoor
DarkGate Loader Malware Delivered via Microsoft Teams
Ransomware GandCrab poses as Super Mario
EV Certificates Abused To Deliver RedLine, Vidar And Knight Ransomware
ShroudedSnooper Targets Telecommunications Firms In The Middle East With Custom Backdoors
Cert IL Alert – Medical institutions in Israel are under attack
Cert IL Alert – Medical institutions in Israel are under attack – v2
StopRansomware: Snatch Ransomware (CISA)
Kmrox Ransomware
OilRig's Outer Space and Juicy Mix: Same Ol' Rig, New Drill Pipes
Sandman APT Targeting Telcos With A LuaJIT Toolkit
GOLD MELODY: Profile of an Initial Access Broker
Gallium APT Group Suspected To Be Behind Southeast Asian Government Attacks
Backchannel Diplomacy: APT29's Rapidly Evolving Diplomatic Phishing Operations
A multi-ransomware cybercriminal group
Stealth Falcon Preying Over Middle Eastern Skies with Deadglyph
Warning: Newly Discovered APT Attacker AtlasCross Exploits Red Cross Blood Drive Phishing for Cyberattack
ZenRAT Malware Brings More Chaos Than Calm
Stealing More Than Towels: The New InfoStealer Campaign Hitting Hotels and Travel Agencies
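Before the entries themselves, a worked example of turning these IoC lines into something a SIEM watchlist can ingest. This is an added example, not code from the original post or from the Cymulate product. It assumes the raw export format the page is built from: one indicator per line as "name SHA1: h MD5: h SHA256: h", with '·' standing in for '.' in names and URLs (as noted in the introduction) and the placeholder "nan" in every hash field of a URL or domain entry. The sample lines are copied from the SuperBear and RocketMQ entries below; the record layout and function names are this example's own.

```python
"""Normalize the flattened IoC lines used in this breakdown into records a
SIEM watchlist can ingest.

Added example, not code from the original post or the Cymulate product.
Assumed export format: "<name> SHA1: <h> MD5: <h> SHA256: <h>" per line,
'·' in place of '.', and "nan" in every hash field of URL/domain entries."""
import json
import re

ENTRY_RE = re.compile(
    r"^(?P<name>\S+)\s+SHA1:\s*(?P<sha1>\S+)\s+MD5:\s*(?P<md5>\S+)"
    r"\s+SHA256:\s*(?P<sha256>\S+)\s*$"
)
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# Constructed sample, copied from entries published on this page: the same
# SuperBear binary under its _browsing and _edr names, plus one URL.
SAMPLE_LINES = [
    "Novelbgjdgacajh1_browsingExe·exe SHA1: 557820050eaed5f32241346caeefdfff0ce44745 "
    "MD5: e49aaa9a5933c48feca39f3080a7b94d "
    "SHA256: 282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb",
    "Novelbgjdgacajh1_edrExe·exe SHA1: 557820050eaed5f32241346caeefdfff0ce44745 "
    "MD5: e49aaa9a5933c48feca39f3080a7b94d "
    "SHA256: 282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb",
    "http://joinushealth·com SHA1: nan MD5: nan SHA256: nan",
]


def refang(value: str) -> str:
    """Undo the '·'-for-'.' substitution so the value is usable as-is."""
    return value.replace("·", ".")


def valid_hash(kind: str, value: str) -> bool:
    """True if value is a lowercase hex digest of the expected length."""
    return re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[kind], value) is not None


def parse_entry(line: str):
    """Return a normalized record, or None for lines that are not IoCs.

    Raises ValueError for a file entry with a malformed digest so that a
    broken export is caught before it is pushed to the SIEM."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    name = refang(m.group("name"))
    digests = {k: m.group(k).lower() for k in ("md5", "sha1", "sha256")}
    if all(v == "nan" for v in digests.values()):
        # Network indicator: the export leaves every hash field as "nan".
        kind = "url" if "://" in name else "domain"
        return {"type": kind, "value": name}
    bad = [k for k, v in digests.items() if not valid_hash(k, v)]
    if bad:
        raise ValueError(f"{name}: malformed {', '.join(bad)}")
    return {"type": "file", "name": name, **digests}


def build_watchlist(lines):
    """Parse every line and drop duplicates.

    The export lists the same sample once per Cymulate vector (_browsing,
    _edr), so file records are keyed on SHA256 and network records on
    their value."""
    seen, records = set(), []
    for line in lines:
        rec = parse_entry(line)
        if rec is None:
            continue
        key = rec["sha256"] if rec["type"] == "file" else rec["value"]
        if key in seen:
            continue
        seen.add(key)
        records.append(rec)
    return records


def to_json(records) -> str:
    """Serialize the watchlist for a SIEM lookup-table import."""
    return json.dumps(records, indent=2)


if __name__ == "__main__":
    print(to_json(build_watchlist(SAMPLE_LINES)))
```

Keying on SHA256 rather than on the file name matters here: the same sample appears under several Cymulate names, and a watchlist padded with duplicates makes hit counts meaningless. Network indicators are refanged on the way in; if your SIEM stores defanged values, drop the refang() call for that branch.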
Novel RAT discovered: SuperBear targeting journalists covering the geopolitics of Asia
After the initial compromise, an AutoIt script was executed to perform process injection using a process hollowing technique. The injected process contained a novel RAT, which the researchers dubbed SuperBear because of naming conventions in the code. They believe this to be a new campaign targeting civil society groups.
IoCs
Novelbgjdgacajh1_browsingExe·exe SHA1: 557820050eaed5f32241346caeefdfff0ce44745 MD5: e49aaa9a5933c48feca39f3080a7b94d SHA256: 282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb
Novelbgjdgacajh1_edrExe·exe SHA1: 557820050eaed5f32241346caeefdfff0ce44745 MD5: e49aaa9a5933c48feca39f3080a7b94d SHA256: 282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb
d5eb3924a89990cb0e_browsing7583376c02d9e1edcc3919e0a46b1c44be7c91f28fef0cXxX8Exe·exe SHA1: db6d481a4269e0c151f2450cd8c5534dcf298bfe MD5: f2b7a2f0425d0250e7ae87639d2351fb SHA256: d5eb3924a89990cb0e7583376c02d9e1edcc3919e0a46b1c44be7c91f28fef0c

Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
Fake browser updates lure users into executing malicious binaries that contain a new IDAT loader, which is then used to run infostealers, including StealC and Lumma, on the compromised system.
IoCs
Fakebgjdgacbdf19_browsingExe·exe SHA1: b8951b331eb965314c9bda6a592a8ecaf1560ffd MD5: 0af24b5d5b3994839917e083fcf10621 SHA256: a0319e612de3b7e6fbb4b71aa7398266791e50da0ae373c5870c3dcaa51abccf
Fakebgjdgacbdf8_browsingExe·exe SHA1: 2106fc1e0f83df0f658934129a5a374948cc97a0 MD5: e07aa33f0e6aec02240a232e71b7e741 SHA256: c9094685ae4851fd5a5b886b73c7b07efd9b47ea0bdae3f823d035cf1b3b9e48
60098db9f251bca8d40bf6b19e3defa1b81ff3bdc138_browsing76766988429a2e922a06XxX37Exe·exe SHA1: eb638e3786e79fc000986fe7fb4fc3b88ac50eca MD5: 689e40f5805fed0924ea12ee20a178cd SHA256: 60098db9f251bca8d40bf6b19e3defa1b81ff3bdc13876766988429a2e922a06

Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware
Threat actors behind the DB#JAMMER attack campaigns compromise exposed MSSQL databases through brute-force attacks against database logins and appear well tooled and ready to deliver ransomware and Cobalt Strike payloads. What makes DB#JAMMER stand out is how the attacker's tooling, infrastructure and payloads are used: enumeration software, RAT payloads, exploitation and credential-stealing software, and finally ransomware payloads.
IoCs
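The brute-force stage described above is the one defenders can catch earliest, because every failed SQL Server login is logged. The following detection logic is an added example, not part of the original post or of the DB#JAMMER research: SQL Server records failed logins in the Windows Application log as event 18456 with the message "Login failed for user '<name>'. Reason: ... [CLIENT: <ip>]"; the flat line layout (timestamp, event ID, message), the sample events and the threshold values are constructed for this example.

```python
"""Flag MSSQL password brute-forcing of the kind DB#JAMMER uses for initial
access, from SQL Server failed-login (event 18456) records.

Added example, not from the original post or the DB#JAMMER research. The
line layout, sample events and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<event>\d+)\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Constructed sample: six failures from one client in five seconds (a
# spray against sa plus a guess at a non-existent login), one stray
# failure from another host, and an unrelated service event.
SAMPLE_LOG = """\
2023-09-02 03:14:01 18456 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-02 03:14:02 18456 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-02 03:14:02 18456 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-02 03:14:03 18456 Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-09-02 03:14:04 18456 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-02 03:14:05 18456 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-02 03:15:00 18456 Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-09-02 03:15:30 17162 SQL Server is starting at normal priority base (=7).
""".splitlines()


def parse_failed_login(line):
    """Return (timestamp, user, client_ip) for an 18456 event, else None."""
    m = LINE_RE.match(line)
    if m is None or m.group("event") != "18456":
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """One alert per client IP that produced at least `threshold` failed
    logins inside a sliding window of length `window`.

    An exposed MSSQL instance sees a trickle of failures anyway; the window
    keeps a slow drip of typos quiet while a password spray still trips it."""
    events = sorted(e for e in map(parse_failed_login, lines) if e)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> login names it has tried
    alerts = {}
    for ts, user, ip in events:
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            # Overwrite so the alert reflects the widest burst seen.
            alerts[ip] = {
                "client_ip": ip,
                "failures_in_window": len(q),
                "window_start": q[0].isoformat(),
                "window_end": ts.isoformat(),
                "users_tried": sorted(users[ip]),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against a real export, pull the same three fields from the event XML (TimeCreated, EventID, Message) instead of the flat line; the window logic is unchanged. The "users_tried" field is there because a spray that walks through sa, admin and backup from one address is a different conversation with the DBA than a single service account with a stale password.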
Freeworldbgjdjcbhfi6_browsingExe·exe SHA1: 4f4e409278a9c069e6917ce44c3188d4495c2dff MD5: 764630841c96eaef0af17af9be00d83a SHA256: 95a73b9fda6a1669e6467dcf3e0d92f964ede58789c65082e0b75adf8d774d66
Freeworldbgjdjcbhfi2_browsingExe·exe SHA1: 4086107b3fb71fb02361306da6099a85be97ae1d MD5: d59aa49740acb5e45ecb65da070035e3 SHA256: 80bf2731a81c113432f061b397d70cac72d907c39102513abe0f2bae079373e4

Exposing RocketMQ CVE-2023-33246 Payloads
CVE-2023-33246 is a remote command execution vulnerability in Apache RocketMQ (versions 5.1.0 and earlier). RocketMQ components such as the NameServer and Broker accept configuration updates without authentication, so when they are exposed to the internet an attacker can abuse the update-configuration function to execute commands as the user RocketMQ runs as. Researchers have exposed the payloads being delivered to vulnerable, internet-facing RocketMQ instances through this bug.
IoCs
Exposingbgjeacdfdc31_browsingElf·elf SHA1: 54dfa949a1824ffd684632f6490cb66ad1656708 MD5: 23002a787e1a3254f3ed4c08755dc21e SHA256: 1d489a41395be76a8101c2e1eba383253a291f4e84a9da389c6b58913786b8ac
Exposingbgjeacdfdc33_browsingElf·elf SHA1: 42706af38e54e7f8c777092c8f0b77ae5203e31a MD5: c85af2fc764c62dad2d107da460dce6e SHA256: 12f84e4eab411366e4a9adcd3ac1ae92714c9d405670e10fbfb3ff1167b2ebbe
http://joinushealth·com

New Agent Tesla Variant Being Spread by Crafted Excel Document
FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. This well-known malware family is a .NET-based Remote Access Trojan (RAT) and data stealer used to gain initial access, and it is often sold as Malware-as-a-Service (MaaS).
IoCs
Newbgjeacdgbc35_browsingExe·exe SHA1: e2437078fe7f3abd635dacae65cf6ae2d10ef98e MD5: c1ac31ebcbfb8dc95d4eea6d4c95a474 SHA256: 36b17c4534e34b6b22728db194292b504cf492ef8ae91f9dda7702820efcfc3a
Newbgjeacdgbc38_browsingXls·xls SHA1: 9e8b6be2fe10a60732d72486514acc372604f9fd MD5: 7745432624df29d55537746834728200 SHA256: fdc04dc72884f54a4e553b662f1f186697daf14ef8a2dc367bc584d904c22638
3cc_browsing739bb1882fc9dbb056f39ebe4965771aeca0ceb44e85da39d1ba7dade693fXxX242Exe·exe SHA1: 8291929d6f3ede6ec025c21d1559a7fe9d30a9ce MD5: b6bd8ff194d22d83a123a3ad48edad62 SHA256: 3cc739bb1882fc9dbb056f39ebe4965771aeca0ceb44e85da39d1ba7dade693f

New Attack Vector In The Cloud: Attackers Caught Exploiting Object Storage Services
A new attack vector in the cloud is being exploited by attackers abusing non-native object storage services, according to Security Joes' Incident Response team.
IoCs
Newbgjeacdggb49_browsingBat·bat SHA1: a8e7f942ca57ef50aaca4c520c60a92375b82736 MD5: b44e57c257934bbeb38324a04d7fb6c2 SHA256: fffa85e27836fd556a06660ac0ad76a35ef02687652a81194821c538e847d58f
Newbgjeacdggb49_edrBat·bat SHA1: a8e7f942ca57ef50aaca4c520c60a92375b82736 MD5: b44e57c257934bbeb38324a04d7fb6c2 SHA256: fffa85e27836fd556a06660ac0ad76a35ef02687652a81194821c538e847d58f
18cc4c15_browsing77a5b3793ecc1e14db2883ffc6bf7c9792cf22d953c1482ffc124f5aXxX122Dll·dll SHA1: ca1ef3aeed9c0c5cfa355b6255a5ab238229a051 MD5: db2d9d2704d320ecbd606a8720c22559 SHA256: 18cc4c1577a5b3793ecc1e14db2883ffc6bf7c9792cf22d953c1482ffc124f5a

Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
CISA and its co-sealers are releasing this joint Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques and procedures (TTPs), IOCs and methods needed to detect and protect against similar exploitation.
IoCs
Multiplebgjebbgije4_browsingExe·exe SHA1: bbda2ad0634aa535b9df40dc39a2d4dfdd763476 MD5: b8967a33e6c1aee7682810b6b994b991 SHA256: 334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b
Multiplebgjebbgije2_browsingExe·exe SHA1: 82885f8c57cf4460f52db0a85e183d372f0aeb7e MD5: 76adb0e36aac40cae0ebeb9f4bd38b52 SHA256: 79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63
36e661edc1ad4e44ba38d8f_browsing7a6bd00c2b4bc32e9fae8b955b1b4c6355aa6abedXxX795Aspx·aspx SHA1: 097d74c369fe5e7cfb8b9a889564773c73eac627 MD5: 7edef26e5dfa9ee11bcdc06aad010ee3 SHA256: 36e661edc1ad4e44ba38d8f7a6bd00c2b4bc32e9fae8b955b1b4c6355aa6abed

Mac users targeted in new malvertising campaign delivering Atomic Stealer
Malicious ads in Google search results are targeting Mac users. Phishing sites trick victims into downloading what they believe is the app they want. The malware is bundled in an ad-hoc signed app, so there is no developer certificate for Apple to revoke.
IoCs
Macbgjebbhdei59_browsingMacho·macho SHA1: ad8be4808f7dd910cec11d7eed88933e3f50132a MD5: 7287f328f3acb1774ecc42606e2da598 SHA256: ce3c57e6c025911a916a61a716ff32f2699f3e3a84eb0ebbe892a5d4b8fb9c7a
Macbgjebbhdei59_edrMacho·macho SHA1: ad8be4808f7dd910cec11d7eed88933e3f50132a MD5: 7287f328f3acb1774ecc42606e2da598 SHA256: ce3c57e6c025911a916a61a716ff32f2699f3e3a84eb0ebbe892a5d4b8fb9c7a
05d5fa365498651bcbb8a356cd580b255cd4fd_browsing735e59f81d0c595b06ee61ad10XxX286Exe·exe SHA1: 2dfe49db47d7e6ca0d7c5f3641da4911675baa25 MD5: 8addc16baeb0474d41ba2d3805665969 SHA256: 05d5fa365498651bcbb8a356cd580b255cd4fd735e59f81d0c595b06ee61ad10

APT37 Distributes Backdoor Via Malicious LNK
APT37 is a sophisticated advanced persistent threat (APT) that has been operating since 2012 and targets victims across the globe to achieve its objectives. In this campaign the threat actor used a novel technique to distribute a backdoor via malicious LNK files, uploading the malware inside a compressed zip file to an ordinary website. The victim executed a shortcut named Status Survey Table.xlsx.lnk, which then dropped a benign decoy document titled Status Survey Table.xlsx together with a malicious script in a temporary folder. A registry Run key was created for persistence while information was collected and exfiltrated to a command-and-control server.
IoCs
Apt3_browsing7bgjebdbddg7Lnk·lnk SHA1: b93c13204acb4819c7688f847b1470ac25df52b3 MD5: 0eb8db3cbde470407f942fd63afe42b8 SHA256: a39831ecbe0792adf87f63fb99557356ba688e5f6da8c2b058d2a3d0f0d7d1e4
Apt3_browsing7bgjebdbddg5Html·html SHA1: 0c91f681090b1917264c4f53cee1572f2e0fa43c MD5: 27f74072d6268b5d96d73107c560d852 SHA256: 562a4d8980acda8411fc1f830cb9bb5bdafd3dd586f871485a27e996bb07ac07
https://mode·encagil·com

BlueShell malware used in APT attacks targeting Korea and Thailand
BlueShell is a backdoor written in Go and released on GitHub; it supports Windows, Linux and macOS. The original GitHub repository is believed to have been deleted, but BlueShell's source code can still be obtained from other repositories. The ReadMe file explaining the tool is written in Chinese, which suggests the creator may be a Chinese speaker.
IoCs
Blueshellbgjeeeefij33_browsingExe·exe SHA1: 52e10752ed1218ce78bd1bbd1319c70c2d682a78 MD5: 31c4a3f16baa5e0437fdd4603987b812 SHA256: afcaf51bef195d4959f934bcec0a9aebd8e7747f21e0bfba769b5f28708de0eb
Blueshellbgjeeeefij51_browsingElf·elf SHA1: 1dc679ec200f5d8a901c36c536ec35c6de737f94 MD5: 3f022d65129238c2d34e41deba3e24d3 SHA256: 872075f3546c1556e56bc92dc323f6168b7dc6976e65fdf3e7bc1961e5656576
5_browsing7fd32c39c64d9f58846fa91b19c3086b66b0e733ebbc30f917a1f5063389691XxX16Exe·exe SHA1: 1de4810a10fa2d73cc589ca403a4390b02c6da5e MD5: f6f2345c131a3cc8642e22d300efac75 SHA256: 57fd32c39c64d9f58846fa91b19c3086b66b0e733ebbc30f917a1f5063389691

Analysis of Cuba ransomware gang activity and tooling
IoCs
Analysisbgjeejbidb82_browsingExe·exe SHA1: cc06eea3cbe46235972916a6dabd4f5f4ee70e42 MD5: b23f8703583fa2b854a13eaa8b040ded SHA256: c286130a992d0f416b103cd5a79b521a0a871146c0fda2912732341b77a463f9
Analysisbgjeejbidb81_browsingExe·exe SHA1: f4026aaca69bbb02891156d8b9fc1f8e105c4a78 MD5: 2e16baf13ba06d209c57a47d9b08c7c6 SHA256: 2f3953e5ae4916478f17b4dffc1cfed88a6ab2fbd2b3ab521ac20345c6091634

Technical Analysis Of Sponsor Backdoor
Researchers have recently uncovered a new campaign attributed to APT35 that targeted automotive, engineering, healthcare, insurance, law, financial, manufacturing, retail, technology and telecommunication organizations in Brazil, Israel and the United Arab Emirates (UAE). The campaign employed a newly discovered backdoor called "Sponsor" along with open-source tools and malware such as SQLDump, Mimikatz, Plink, GOST, Chisel, ProcDump, RevSocks, Host2IP and WebBrowserPassView. Initial access was obtained by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers, which highlights the group's method of finding and exploiting weaknesses. While some victims were specifically selected, others appear to have been victims of opportunity, suggesting that APT35 scanned for and exploited whatever vulnerable systems it could reach. The Sponsor backdoor itself is written in C++ and exists in several versions with distinct compilation timestamps and Program Database (PDB) paths. It runs as a service and relies on encrypted configuration files for communication with its command-and-control servers. Information about the host is gathered and reported to the C&C server, with node IDs assigned for tracking.
IoCs
f99935_browsing7a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58feXxX17Exe·exe SHA1: 99c7b5827df89b4fafc2b565abed97c58a3c65b8 MD5: 053778713819beab3df309df472787cd SHA256: f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
2a99cf_browsing7d73d453f3554e24bf3efa49d8109da9e8543db815a8f813559d083f8fXxX1Exe·exe SHA1: 764eb6ca3752576c182fc19cff3e86c38dd51475 MD5: 5b32c3fdcb78f06cf79ed3497538f72b SHA256: 2a99cf7d73d453f3554e24bf3efa49d8109da9e8543db815a8f813559d083f8f
28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd_browsing76b8c4acff7cXxX9Exe·exe SHA1: f97f8f78abb205dda329d89143aae34ba04d13df MD5: c95c81ca4e6b8153b458d29186e696bc SHA256: 28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c

DarkGate Loader Malware Delivered via Microsoft Teams
Malspam campaigns involving DarkGate Loader have been on the rise since its author started advertising it as a Malware-as-a-Service offering on popular cybercrime forums in June 2023. Until now DarkGate Loader had been delivered via traditional email malspam campaigns similar to those of Emotet. In August an operator started using Microsoft Teams to deliver the malware via HR-themed social-engineering chat messages.
IoCs
09904d65e59f3fbbbf38932ae_browsing7bff9681ac73b0e30b8651ec567f7032a94234fXxX210Zip·zip SHA1: 6a6f9ea7f16fea5a24597937d8ba51e39479c863 MD5: deec192a82b84a683fd0ff4449699f88 SHA256: 09904d65e59f3fbbbf38932ae7bff9681ac73b0e30b8651ec567f7032a94234f
4c21_browsing711de81bb5584d35e744394eed2f36fef0d93474dfc5685665a9e159eef1XxX213Vbs·vbs SHA1: a33d7c5de81a77ee76b4f873176eb194bc0f30fd MD5: aff562f83effcbea96568037516d742e SHA256: 4c21711de81bb5584d35e744394eed2f36fef0d93474dfc5685665a9e159eef1
2f8a32618e3a0c63350ae6fb2c4cd334e3_edr770d395eafe622988a62688dc76cf9XxX1Exe·exe SHA1: 0a6276e86b6cd12c8b2c9352d3bf11e926d9d504 MD5: a08a64a1d3001371c232ed23c6152ba1 SHA256: 2f8a32618e3a0c63350ae6fb2c4cd334e3770d395eafe622988a62688dc76cf9

Ransomware GandCrab poses as Super Mario
Researchers from Bromium have discovered a malicious Excel spreadsheet that reconstructs a PowerShell command from the pixels of a Super Mario Bros image. When executed, it downloads and installs the GandCrab ransomware. The attack is aimed at users in Italy and is delivered through an email posing as a payment notice.
IoCs
0c8c2_browsing7f06a0acb976b8f12ff6749497d4ce1f7a98c2a161b0a9eb956e6955362XxX2Png·png SHA1: 883d4c52049627edecf590be9a2b16c072a9e640 MD5: 664602818438c6a2d813840977f94a92 SHA256: 0c8c27f06a0acb976b8f12ff6749497d4ce1f7a98c2a161b0a9eb956e6955362
3849381059d9e8bbcc59c253d2cbe1c92f_browsing7e1f1992b752d396e349892f2bb0e7XxX1Xls·xls SHA1: 7e84a6fa7c0a290e1d52a74600901c53f8ad5c99 MD5: 0cda12fa42ebaeeb9a4718b753912bd5 SHA256: 3849381059d9e8bbcc59c253d2cbe1c92f7e1f1992b752d396e349892f2bb0e7
Freeworldbgjfcaaaeg1_edrExe·exe SHA1: d78ff12ef7970fb02949fc58253d0df802cd1eb6 MD5: 076d10123ed712262b27c57dad0ea31b SHA256: af263d19858ce5a0aceb3ff9b94a000a86368b71629b6db2e536c42246f36879

EV Certificates Abused To Deliver RedLine, Vidar And Knight Ransomware
Trend Micro's latest investigations show that the threat actors behind RedLine and Vidar now distribute ransomware payloads with the same delivery techniques they use to spread infostealers, which suggests they are streamlining operations by making their techniques multipurpose. In the case Trend Micro investigated, the victim initially received infostealer malware signed with Extended Validation (EV) code-signing certificates; after some time, ransomware payloads started arriving via the same route.
IoCs
9123e42cdd3421e8f2_browsing76ac711988fb8a8929172fa76674ec4de230e6d528d09aXxX4Exe·exe SHA1: b872b9a817c2e6cfd507a7a57f1f34b433bbb14a MD5: adc2dde69189f2d357d5c423bd16a611 SHA256: 9123e42cdd3421e8f276ac711988fb8a8929172fa76674ec4de230e6d528d09a
a6258d_browsing70bc0b5d5c87368c5024d3f23585790b14227b8c59333413082524a956XxX6Exe·exe SHA1: fcf03e2cdd96f41e489ef5866781e82b101a3f29 MD5: 31146a1095452f8f15ebad9f7e3c6efa SHA256: a6258d70bc0b5d5c87368c5024d3f23585790b14227b8c59333413082524a956
911_browsing7bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0cebXxX73Dll·dll SHA1: 6ec0c1d6311656c76787297775a8d0cb0aa6c4c7 MD5: da0085a97c38ead734885e5cced1847f SHA256: 9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb

ShroudedSnooper Targets Telecommunications Firms In The Middle East With Custom Backdoors
ShroudedSnooper was discovered targeting telecommunication providers in the Middle East with two distinct malware families, HTTPSnoop and PipeSnoop. HTTPSnoop is a backdoor that uses novel methods to interact with the Windows HTTP kernel driver (http.sys) and its devices, which lets it intercept incoming requests for specific HTTP(S) URLs and execute the associated content on the compromised device. PipeSnoop is designed to receive arbitrary shellcode over a named pipe and execute it on the infected system. Both HTTPSnoop and PipeSnoop come in DLL and EXE forms, and both disguise themselves as components of legitimate security software, particularly extended detection and response (XDR) agents. ShroudedSnooper's primary objective appears to be gaining initial access to internet-facing servers, often by mimicking Microsoft's Exchange Web Services (EWS) platform with specific HTTP URL patterns.
IoCs
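A useful property of the HTTPSnoop technique described above is that every URL prefix registered with http.sys is visible from user mode, so a host can be hunted for EWS-looking registrations that belong to something other than the IIS worker process. The following is an added example, not from the Talos research or the original post. It assumes the "Process IDs:" / "Registered URLs:" layout printed by `netsh http show servicestate view=requestq`; the captured text, the PID-to-image mapping and the EWS path prefixes are constructed assumptions for this example, not the actual HTTPSnoop URL patterns.

```python
"""Hunt for HTTPSnoop-style URL registrations in http.sys.

Added example, not from the Talos research or the original post. Assumes
the "Process IDs:" / "Registered URLs:" layout of
`netsh http show servicestate view=requestq`; sample text, PID-to-image
mapping and the suspicious path prefixes are constructed."""
import re

# Paths an implant would mimic to blend in with Exchange traffic (assumed).
SUSPICIOUS_PREFIXES = ("/ews/", "/autodiscover/", "/owa/")
# Images that legitimately own Exchange URLs in http.sys.
IIS_IMAGES = {"w3wp.exe", "inetinfo.exe"}

# Constructed capture: the WinRM listener owned by the System process, and a
# second request queue owned by a svchost.exe that registered EWS-like URLs.
SAMPLE_NETSH = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        4
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:47001/WSMAN/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        6012
    URL groups:
    URL group ID: FE00000040000002
        State: Active
        Number of registered URLs: 2
        Registered URLs:
            HTTPS://+:443/EWS/EXCHANGE.ASMX/
            HTTPS://+:443/AUTODISCOVER/AUTODISCOVER.XML/
"""
PID_IMAGES = {4: "System", 6012: "svchost.exe"}   # constructed tasklist view


def parse_requestq(text):
    """Return [(url, [pid, ...]), ...] from request-queue view output.

    Each queue lists its attached PIDs before its URL groups, so the PIDs
    most recently seen are the owners of the URLs that follow."""
    pids, mode, out = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Process IDs:":
            pids, mode = [], "pids"
        elif line == "Registered URLs:":
            mode = "urls"
        elif mode == "pids" and line.isdigit():
            pids.append(int(line))
        elif mode == "urls" and line.upper().startswith("HTTP"):
            out.append((line, list(pids)))
        elif line.endswith(":"):
            mode = None          # any other section header ends the list
    return out


def url_path(url):
    """Strip scheme and host:port from an http.sys URL prefix."""
    return re.sub(r"^https?://[^/]*", "", url, flags=re.I).lower()


def hunt_ews_registrations(text, pid_images):
    """Flag EWS-looking prefixes whose owning process is not IIS."""
    findings = []
    for url, pids in parse_requestq(text):
        if not url_path(url).startswith(SUSPICIOUS_PREFIXES):
            continue
        owners = [pid_images.get(p, "unknown") for p in pids] or ["none"]
        if all(o.lower() in IIS_IMAGES for o in owners):
            continue             # IIS owning /ews/ is the expected case
        findings.append({"url": url, "pids": pids, "images": owners})
    return findings


if __name__ == "__main__":
    for hit in hunt_ews_registrations(SAMPLE_NETSH, PID_IMAGES):
        print(hit)
```

On a live host, feed the function the real netsh output and a PID-to-image map built from tasklist or Get-Process; on a server that is not an Exchange server, any hit at all is the finding, since nothing legitimate should be asking http.sys for EWS paths there.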
e1ad1_browsing73e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9dXxX69Exe·exe SHA1: c0afb5797e6873bbee69f9bf0aa7a9dd3a1c6fff MD5: 31f2369d2e38c78f5b3f2035dba07c08 SHA256: e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d
7495c1ea421063845eb8f4599a1c1_browsing7c105f700ca0671ca874c5aa5aef3764c1cXxX71Exe·exe SHA1: 9c58ec8f7ce75ba1b629c9ef84ab069a32313288 MD5: 4abcf21b63781a53bbc1aa17bd8d2cbc SHA256: 7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c
9123e42cdd3421e8f2_edr76ac711988fb8a8929172fa76674ec4de230e6d528d09aXxX4Exe·exe SHA1: b872b9a817c2e6cfd507a7a57f1f34b433bbb14a MD5: adc2dde69189f2d357d5c423bd16a611 SHA256: 9123e42cdd3421e8f276ac711988fb8a8929172fa76674ec4de230e6d528d09a

Cert IL Alert – Medical institutions in Israel are under attack
Recent reports indicate that medical institutions in Israel are currently facing a targeted cyberattack.
IoCs
Freeworldbgjfcaaaeg2_browsingExe·exe SHA1: eaa1d2577c58ea5bfa91b3683c0efad6caa02f6e MD5: 6e7cca54eeb4db382f2e8ea923c3e71a SHA256: 00cb23693cb50c9c3abd37ce9b9b84c0724009d4ebf339781ab62f3fb3ca8292
Freeworldbgjfcaaaeg1_browsingExe·exe SHA1: d78ff12ef7970fb02949fc58253d0df802cd1eb6 MD5: 076d10123ed712262b27c57dad0ea31b SHA256: af263d19858ce5a0aceb3ff9b94a000a86368b71629b6db2e536c42246f36879
630b6f15c_browsing770716268c539c5558152168004657beee740e73ee9966d6de1753fXxX4Exe·exe SHA1: 2e28b2a506a310ce7353b9754f80f1453c9ec851 MD5: f00375613ef24bfef74243d8b758f2f7 SHA256: 630b6f15c770716268c539c5558152168004657beee740e73ee9966d6de1753f

Cert IL Alert – Medical institutions in Israel are under attack – v2
Recent reports indicate that medical institutions in Israel are currently facing targeted cyberattacks. As the attacks progress, new Indicators of Compromise (IOCs) are emerging.
IoCs
2f8a32618e3a0c63350ae6fb2c4cd334e3_browsing770d395eafe622988a62688dc76cf9XxX1Exe·exe SHA1: 0a6276e86b6cd12c8b2c9352d3bf11e926d9d504 MD5: a08a64a1d3001371c232ed23c6152ba1 SHA256: 2f8a32618e3a0c63350ae6fb2c4cd334e3770d395eafe622988a62688dc76cf9
d34c981c4e6504c2ae9065a1bc324a1_browsing706890c263f7f6704e8327bede1bc4370XxX2Exe·exe SHA1: ddfc67baf9f852eea5f05b4aac5afc56af81bc7f MD5: a33ab1093d0777e05ca3bcea6530ed34 SHA256: d34c981c4e6504c2ae9065a1bc324a1706890c263f7f6704e8327bede1bc4370
0c59f568da43_browsing731e3212b6461978e960644be386212cc448a715dbf3f489d758XxX211Zip·zip SHA1: b79b60124b1c7231f359d011465d72ad9f3c0246 MD5: c7a8d36e367812d298b4abc13fa03c96 SHA256: 0c59f568da43731e3212b6461978e960644be386212cc448a715dbf3f489d758

StopRansomware: Snatch Ransomware (CISA)
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant, identified through FBI investigations as recently as June 1, 2023.
IoCs
0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c_browsing78d0559cd6da653bf740fXxX5Bat·bat SHA1: 4115d2d15614503456aea14db61d71a756cc7b8c MD5: 2202e846ba05d7f0bb20adbc5249c359 SHA256: 0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f
5950b4e2_browsing7554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcdXxX7Exe·exe SHA1: 5ad94f5303aed57a9d4f0055f15076454840064a MD5: 3d29e9cdd2a9d76e57e8a3f9e6ed3643 SHA256: 5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd
2c_browsing7a96d79b97ec59ff8d18f5bb6404c36af25c513428a82db429b6e5648db2b3XxX3Exe·exe SHA1: c4bc1a5a02f8ac3cf642880dc1fc3b1e46e4da61 MD5: 2d58339560255dd2d3cc1f9fe058373e SHA256: 2c7a96d79b97ec59ff8d18f5bb6404c36af25c513428a82db429b6e5648db2b3

Kmrox Ransomware
According to Cyclonis, Kmrox is a member of the Phobos ransomware family. While examining new file sample submissions, Cyclonis researchers came across this further Phobos variant. Like the rest of the family, it encrypts data and demands payment for its decryption.
IoCs
82881ebbc_browsing7c5599d1e98006d7e97106a87983b78eeca0a7cdcdddfff981e0a87XxX1Exe·exe SHA1: eef03b43ce9d36e1e513ab1c3c0f9205b41a9148 MD5: 5b672f45d525b56eb0c4c146214f267e SHA256: 82881ebbc7c5599d1e98006d7e97106a87983b78eeca0a7cdcdddfff981e0a87
82881ebbc_edr7c5599d1e98006d7e97106a87983b78eeca0a7cdcdddfff981e0a87XxX1Exe·exe SHA1: eef03b43ce9d36e1e513ab1c3c0f9205b41a9148 MD5: 5b672f45d525b56eb0c4c146214f267e SHA256: 82881ebbc7c5599d1e98006d7e97106a87983b78eeca0a7cdcdddfff981e0a87

OilRig's Outer Space and Juicy Mix: Same Ol' Rig, New Drill Pipes
ESET researchers document OilRig's Outer Space and Juicy Mix campaigns, which targeted Israeli organizations in 2021 and 2022.
IoCs
64156f9ca51951a9bf91b5b_browsing74073d31c16873ca60492c25895c1f0f074787345XxX14Exe·exe SHA1: c9d18d01e1ec96be952a9d7bd78f6bbb4dd2aa2a MD5: 868da692036e86a2dc87ca551ad61dd5 SHA256: 64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345
8a8a_browsing7a506fd57bde314ce6154f2484f280049f2bda504d43704b9ad412d5d618XxX15Doc·doc SHA1: 3d71d782b95f13ee69e96bcf73ee279a00eae5db MD5: 64f8dfd92eb972483feaf3137ec06d3c SHA256: 8a8a7a506fd57bde314ce6154f2484f280049f2bda504d43704b9ad412d5d618
Blueshellbgjeeeefij56_browsingExe·exe SHA1: 26c15bd62bceb5b9305efa40d470f02412047151 MD5: f4ace89337c8448f13d6eb538a79ce30 SHA256: 011b4e296d0ff98c8f09764f5172778f8ca81719c4f9eb1534b9073311dc8c06

Sandman APT Targeting Telcos With A LuaJIT Toolkit
Researchers detected a new threat actor, referred to as "Sandman", primarily targeting telecommunication providers in the Middle East, Western Europe and the South Asian subcontinent. Sandman's activity is characterized by strategic lateral movement and minimal engagement to avoid detection. Its identity remains elusive, but it is suspected to be a private contractor or mercenary group, and the geographical distribution of victims and the malware development effort suggest a focus on espionage. The actor's persistence and sophistication make it a significant concern for targeted organizations. Sandman has deployed a unique modular backdoor named "LuaDream", built on the LuaJIT platform, which indicates a sophisticated and actively developed project. LuaDream's staging process is designed to evade detection, and it communicates with a command-and-control server over several protocols.
IoCs
0b962ad02e8eef3c_browsing717ce6fcfda9587f92ebe9e7ed6ee93be6bc1103daa4e8bfXxX864Dll·dll SHA1: b9ea189e2420a29978e4dc73d8d2fd801f6a0db2 MD5: e8b2f80220b898cd34eb60600163a209 SHA256: 0b962ad02e8eef3c717ce6fcfda9587f92ebe9e7ed6ee93be6bc1103daa4e8bf
0b962ad02e8eef3c_edr717ce6fcfda9587f92ebe9e7ed6ee93be6bc1103daa4e8bfXxX864Dll·dll SHA1: b9ea189e2420a29978e4dc73d8d2fd801f6a0db2 MD5: e8b2f80220b898cd34eb60600163a209 SHA256: 0b962ad02e8eef3c717ce6fcfda9587f92ebe9e7ed6ee93be6bc1103daa4e8bf
Apt3_browsing7bgjebdbddg9Bat·bat SHA1: d9144b0da0d1ea7671667ffcd85448436e174486 MD5: 2d444b6f72c8327d1d155faa2cca7fd7 SHA256: ebd20c8c63690965267c97348f4db89cb73c9974c68a586862d73a339a05e677

GOLD MELODY: Profile of an Initial Access Broker
SecureWorks Counter Threat Unit (CTU) analysis indicates that the GOLD MELODY threat group acts as an initial access broker (IAB) that sells access to compromised organizations for other cybercriminals to exploit. This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers. The victimology suggests opportunistic attacks for financial gain rather than a targeted campaign conducted by a state-sponsored threat group for espionage, destruction or disruption.
IoCs
fd544bda416f0819df01b45_browsing7d42888af64f2652fd9a907fd4cfc129a5556e97bXxX267Pl·pl SHA1: f7f4ca923b29964a8d081cea04db6f732940b32b MD5: c6c1c3d7e25327a6d46039aa837491e5 SHA256: fd544bda416f0819df01b457d42888af64f2652fd9a907fd4cfc129a5556e97b
a3d5ead160614336a013f5de4cff65a5198b1d_browsing73238a5b456f558e70b503f52eXxX282Exe·exe SHA1: 3e2ba059fe882ee4f8ec7ed2952ebee0f014bc95 MD5: 687157882f603897bf6d358d49a12064 SHA256: a3d5ead160614336a013f5de4cff65a5198b1d73238a5b456f558e70b503f52e
http://trabingviews·com

Gallium APT Group Suspected To Be Behind Southeast Asian Government Attacks
A series of cyber intrusions targeting a Southeast Asian government entity occurred from early 2022 through 2023. The attacks are assessed with moderate confidence to be the work of Alloy Taurus, a group associated with Chinese state interests. The intrusions exploited vulnerabilities in Exchange servers to deploy numerous web shells, creating gateways for additional tools and malware. The attackers executed reconnaissance commands, created administrative accounts and used scanners such as Fscan and WebScan. They introduced undocumented .NET backdoors named Reshell and Zapoa, which open an HTTP listener. To maintain access, the attackers installed SoftEther VPN software, renaming it to evade detection. They connected to various hosts, downloaded tools such as Kerbrute, LsassUnhooker and GoDumpLsass, and attempted to obtain domain credentials. Methods included brute-forcing credentials, stealing SAM registry hive data, retrieving locally stored passwords, dumping the LSASS process and using credential-harvesting tools such as Mimikatz and LaZagne. They also attempted an NTLM downgrade attack. After obtaining credentials, the attackers targeted web servers and domain controllers, initially over SoftEther VPN and later by abusing the remote administration tool AnyDesk. In addition, they attempted to install various other tools and malware, including Cobalt Strike, PuTTY's Plink, HTran and the Quasar remote access Trojan (RAT).
IoCs
c1f43b_browsing7cf46ba12cfc1357b17e4f5af408740af7ae70572c9cf988ac50260ce1XxX791Aspx·aspx SHA1: d8d3e6776330c665db1525f20f55a2efca470f3e MD5: d6a82b866f7f9e1e01bf89c3da106d9d SHA256: c1f43b7cf46ba12cfc1357b17e4f5af408740af7ae70572c9cf988ac50260ce1
009a9d1609592abe039324da2a8a69c4a305ca999920bf6bbef8392_browsing73516783aXxX793Aspx·aspx SHA1: 21b1c62e16e7586665145256be84e9840e822f1e MD5: 58b1c6e10db4b06a357a0f146f6c97c9 SHA256: 009a9d1609592abe039324da2a8a69c4a305ca999920bf6bbef839273516783a
Multiplebgjebbgije2_edrExe·exe SHA1: 82885f8c57cf4460f52db0a85e183d372f0aeb7e MD5: 76adb0e36aac40cae0ebeb9f4bd38b52 SHA256: 79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63

Backchannel Diplomacy: APT29's Rapidly Evolving Diplomatic Phishing Operations
APT29's pace of operations and emphasis on Ukraine increased in the first half of 2023 as Kyiv launched its counteroffensive, pointing to the SVR's central role in collecting intelligence on the current, pivotal phase of the war.
IoCs
c03292fca415b51d08da32e2f_browsing7226f66382eb391e19d53e3d81e3e3ba73aa8c1XxX118Iso·iso SHA1: 52932be0bd8e381127aab9c639e6699fd1ecf268 MD5: 22adbffd1dbf3e13d036f936049a2e98 SHA256: c03292fca415b51d08da32e2f7226f66382eb391e19d53e3d81e3e3ba73aa8c1
a42dd6bea439b_browsing79db90067b84464e755488b784c3ee2e64ef169b9dcdd92b069XxX119Dll·dll SHA1: 6382ae2061c865ddcb9337f155ae2d036e232dfe MD5: 9159d3c58c5d970ed25c2db9c9487d7a SHA256: a42dd6bea439b79db90067b84464e755488b784c3ee2e64ef169b9dcdd92b069

A multi-ransomware cybercriminal group
In March 2023 ANSSI informed the university hospital in Brest that one of its servers had been compromised. The hospital's rapid response made it possible to quickly isolate its information system (IS) from the Internet and to hamper the attacker's progress, preventing data exfiltration and encryption of the IS. Links discovered with a set of incidents observed on the French perimeter and reported in open sources made it possible to attribute this attack to the FIN12 cybercriminal attack set (mode opératoire d'attaque, MOA).
IoCs
e9_browsing7bdf7fafb1cb2a2bf0a4e14f51e18a34f3ff2f6f7b99731e93070d50801befXxX236Exe·exe SHA1: 28400c267815762e49c200e8b481a592c67f9cf7 MD5: 5a01695be573f95dfc0cf73ab6b5234d SHA256: e97bdf7fafb1cb2a2bf0a4e14f51e18a34f3ff2f6f7b99731e93070d50801bef
90cdcf54bbaeb9c5c4afc9b_browsing74b48b13e293746ee8858c033fc9d365fd4074018XxX239Dll·dll SHA1: 1e0ec6994400413c7899cd5c59bdbd6397dea7b5 MD5: 30a6cd2673ef5b2cb18f142780a5b4a3 SHA256: 90cdcf54bbaeb9c5c4afc9b74b48b13e293746ee8858c033fc9d365fd4074018
https://23·95·128·195

Stealth Falcon Preying Over Middle Eastern Skies with Deadglyph
ESET researchers have discovered a new sophisticated malware named Deadglyph used by the Stealth Falcon APT group for espionage in the Middle East.
IoCs
56_browsing71b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15XxX14Dll·dll SHA1: 7f728d490ed6ea64a7644049914a7f2a0e563969 MD5: 64f47ce2f7528b48c6cc9cddc1f48fa3 SHA256: 5671b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15
56_edr71b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15XxX14Dll·dll SHA1: 7f728d490ed6ea64a7644049914a7f2a0e563969 MD5: 64f47ce2f7528b48c6cc9cddc1f48fa3 SHA256: 5671b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15
Exposingbgjeacdfdc34_browsingElf·elf SHA1: cd74767c0d92a9b7cbed04e78824dd6b6985c3bd MD5: 37bdd5eeb2d15eda624bdd87ca49548d SHA256: 666ac17af53d0d21969751472f0d4147448aae52fff9fd759b319f2929a47de6

Warning: Newly Discovered APT Attacker AtlasCross Exploits Red Cross Blood Drive Phishing for Cyberattack
After an in-depth study of the attack process, NSFOCUS Security Labs found that this APT attacker differs markedly from known attackers in execution flow, attack technology stack, attack tools, implementation details, attack objectives, behavioral tendencies and other main attribution indicators. The technical level and caution shown by this attacker during the activity are also worthy of attention.
IoCs
5e914133503e60491b445e5a06f3fa8144463340a3c9dc6d8_browsing75bbfdcd6ff7f55XxX27Docx·docx SHA1: 58fa5b8211a28e87415b57d89dd9a7e01b2f9bf4 MD5: 7195d7e4926a0a85fbe81e40ab7c0ca4 SHA256: 5e914133503e60491b445e5a06f3fa8144463340a3c9dc6d875bbfdcd6ff7f55
380f5069a6d9b4689058ba538_browsing76b0571a9f81cf8d1388d71ee555118a0d967c8XxX28Dll·dll SHA1: 3350e2b3892b78dfd5b155c002f3c1b70ec3ac7b MD5: ba85467ceff628be8b4f0e2da2a5990c SHA256: 380f5069a6d9b4689058ba53876b0571a9f81cf8d1388d71ee555118a0d967c8
Freeworldbgjdjcbhfi4_browsingExe·exe SHA1: dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b MD5: ac34ba84a5054cd701efad5dd14645c9 SHA256: c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

ZenRAT Malware Brings More Chaos Than Calm
Proofpoint Emerging Threats often receives tips from the community that lead to the investigation and detection of novel malware. On 10 August 2023, Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, shared a malware sample that was being distributed as part of a Windows software installation package. The sample was initially discovered on a website pretending to be associated with Bitwarden, bitwariden[.]com, a very convincing lookalike of the real bitwarden.com. Packaged with a standard Bitwarden installation package is a malicious .NET executable that Proofpoint has dubbed ZenRAT.
IoCs
986aa8e20962b289_browsing71b3a5335ef46cf96c102fa828ae7486c2ac2137a0690b76XxX35Exe·exe SHA1: 4805037977fb45f7ff98e96eed51422c813470ee MD5: c9972ce41e4b27d88b66b39d520eb254 SHA256: 986aa8e20962b28971b3a5335ef46cf96c102fa828ae7486c2ac2137a0690b76
ba36d9d6e53_browsing7a1c1ecdf1ace9f170a3a13c19e77f582a5cae5c928a341c1be8dXxX36Exe·exe SHA1: 491a0494d9e6538f24b09ab7bd2b419a5e8eb01b MD5: 2421c4cd791b1eb1218bb07e2f734b9c SHA256: ba36d9d6e537a1c1ecdf1ace9f170a3a13c19e77f582a5cae5c928a341c1be8d
http://ocmtancmi2c5t·xyz

Stealing More Than Towels: The New InfoStealer Campaign Hitting Hotels and Travel Agencies
Perception Point's researchers have observed numerous variations of infostealer attacks, all focusing on hotels and related businesses. The common starting point is a hotel reservation: the booking serves as the adversaries' entry point, and what follows is far from ordinary.
IoCs
5_browsing780ed8b0d40ad27404f10cd789f6b9e6bf58d78a046ad51a6bd9bb7c596989aXxX2Exe·exe SHA1: f551911393cf7e88b8f15f2101e15573092d02f5 MD5: 379656262d018e26ba6b07ca3bf10d50 SHA256: 5780ed8b0d40ad27404f10cd789f6b9e6bf58d78a046ad51a6bd9bb7c596989a
b63d41c60aa52cae9806a4fe233d9a55b0c2dfdc6_browsing7f215ab66c660503cc1a5f3XxX5Exe·exe SHA1: 92e29c2f709aab4d6710d7e2c7d1131b557433c7 MD5: 26ace7baff5336943808674ae4fd06c2 SHA256: b63d41c60aa52cae9806a4fe233d9a55b0c2dfdc67f215ab66c660503cc1a5f3
http://hironchk·com

That is all for now! Stay cyber safe and see you next month!