Remote Control Software Execution Remote Control Software Execution-mask

Cyber Threat Breakdown September 2023

Here is the September 2023 breakdown of threats, with a short list of IoCs. The full IoC list for each specific threat is available from the Cymulate app.

Reminder: The Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM list of IoCs, including hashes, URLs, domain names, etc.

Note: The period character ‘.’ in the hash names has been replaced with a ‘·’ out of an abundance of security caution.

Novel RAT discovered SuperBear targeting journalist covering geopolitics of Asia

Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers

Threat Actors Target MSSQL Servers in DBJAMMER to Deliver FreeWorld Ransomware

Exposing RocketMQ CVE-2023-33246 Payloads

New Agent Tesla Variant Being Spread by Crafted Excel Document

New Attack Vector In The Cloud Attackers caught exploiting Object Storage Services

Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

Mac users targeted in new malvertising campaign delivering Atomic Stealer

APT37 Distributes Backdoor Via Malicious LNK

BlueShell malware used in APT attacks targeting Korea and Thailand

Analysis of Cuba ransomware gang activity and tooling

Technical Analysis Of Sponsor Backdoor

DarkGate Loader Malware Delivered via Microsoft Teams

Ransomware GandCrab poses as Super Mario

EV Certificates Abused To Deliver RedLine Vidar And Knight Ransomware

ShroudedSnooper Targets Telecommunications Firms In The Middle East With Custom Backdoors

Cert IL Alert – Medical institutions in Israel are under attack

Cert IL Alert – Medical institutions in Israel are under attack – v2

StopRansomware Snatch Ransomware CISA

Kmrox Ransomware

OilRigs Outer Space and Juicy Mix Same olrig new drill pipes

Sandman APT Targeting Telcos With A LuaJIT Toolkit

GOLD MELODY Profile of an Initial Access Broker

Gallium APT Group Suspected To Be Behind Southeast Asian Government Attacks

Backchannel Diplomacy APT29s Rapidly Evolving Diplomatic Phishing Operations

A multi-ransomware cybercriminal group

Stealth Falcon Preying Over Middle Eastern Skies with Deadglyph

Warning Newly Discovered APT Attacker AtlasCross Exploits Red Cross Blood Drive Phishing for Cyberattack

ZenRAT Malware Brings More Chaos Than Calm

Stealing More Than Towels The New InfoStealer Campaign Hitting Hotels and Travel Agencies

Novel RAT discovered SuperBear targeting journalists covering the geopolitics of Asia

After initial compromise the execution of an AutoIT script that was used to perform process injection using a process hollowing technique.
The injected process contained a novel RAT which we dubbed SuperBear due to naming conventions in the code.
We believe this to be a new campaign targeting civil society groups.

IoCs

Novelbgjdgacajh1_browsingExe·exe
SHA1: 557820050eaed5f32241346caeefdfff0ce44745
MD5: e49aaa9a5933c48feca39f3080a7b94d
SHA256: 282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb

Novelbgjdgacajh1_edrExe·exe
SHA1: 557820050eaed5f32241346caeefdfff0ce44745
MD5: e49aaa9a5933c48feca39f3080a7b94d
SHA256: 282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb

d5eb3924a89990cb0e_browsing7583376c02d9e1edcc3919e0a46b1c44be7c91f28fef0cXxX8Exe·exe
SHA1: db6d481a4269e0c151f2450cd8c5534dcf298bfe
MD5: f2b7a2f0425d0250e7ae87639d2351fb
SHA256: d5eb3924a89990cb0e7583376c02d9e1edcc3919e0a46b1c44be7c91f28fef0c

Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers

Fake browser updates lure users into executing malicious binaries which include a new IDAT loader which is utilized in order to execute infostealers on compromised systems including StealC and Lumma.

IoCs

Fakebgjdgacbdf19_browsingExe·exe
SHA1: b8951b331eb965314c9bda6a592a8ecaf1560ffd
MD5: 0af24b5d5b3994839917e083fcf10621
SHA256: a0319e612de3b7e6fbb4b71aa7398266791e50da0ae373c5870c3dcaa51abccf

Fakebgjdgacbdf8_browsingExe·exe
SHA1: 2106fc1e0f83df0f658934129a5a374948cc97a0
MD5: e07aa33f0e6aec02240a232e71b7e741
SHA256: c9094685ae4851fd5a5b886b73c7b07efd9b47ea0bdae3f823d035cf1b3b9e48

60098db9f251bca8d40bf6b19e3defa1b81ff3bdc138_browsing76766988429a2e922a06XxX37Exe·exe
SHA1: eb638e3786e79fc000986fe7fb4fc3b88ac50eca
MD5: 689e40f5805fed0924ea12ee20a178cd
SHA256: 60098db9f251bca8d40bf6b19e3defa1b81ff3bdc13876766988429a2e922a06

Threat Actors Target MSSQL Servers in DBJAMMER to Deliver FreeWorld Ransomware

Threat actors working as part of DB#JAMMER attack campaigns are compromising exposed MSSQL databases using brute force attacks and appear to be well tooled and ready to deliver ransomware and Cobalt Strike payloads.
One of the things that makes DB#JAMMER stand out is how the attacker’s tooling infrastructure and payloads are used.
Some of these tools include enumeration software, RAT payloads, exploitation, and credential stealing software, and finally ransomware payloads.

IoCs

Freeworldbgjdjcbhfi6_browsingExe·exe
SHA1: 4f4e409278a9c069e6917ce44c3188d4495c2dff
MD5: 764630841c96eaef0af17af9be00d83a
SHA256: 95a73b9fda6a1669e6467dcf3e0d92f964ede58789c65082e0b75adf8d774d66

Freeworldbgjdjcbhfi2_browsingExe·exe
SHA1: 4086107b3fb71fb02361306da6099a85be97ae1d
MD5: d59aa49740acb5e45ecb65da070035e3
SHA256: 80bf2731a81c113432f061b397d70cac72d907c39102513abe0f2bae079373e4

Exposing RocketMQ CVE-2023-33246 Payloads

A vulnerability in the RocketMQ messaging system has been exposed to the internet for more than a decade according to researchers at the University of California San Francisco and the Institute of Security Research.

IoCs

Exposingbgjeacdfdc31_browsingElf·elf
SHA1: 54dfa949a1824ffd684632f6490cb66ad1656708
MD5: 23002a787e1a3254f3ed4c08755dc21e
SHA256: 1d489a41395be76a8101c2e1eba383253a291f4e84a9da389c6b58913786b8ac

Exposingbgjeacdfdc33_browsingElf·elf
SHA1: 42706af38e54e7f8c777092c8f0b77ae5203e31a
MD5: c85af2fc764c62dad2d107da460dce6e
SHA256: 12f84e4eab411366e4a9adcd3ac1ae92714c9d405670e10fbfb3ff1167b2ebbe

http://joinushealth·com
SHA1: nan
MD5: nan
SHA256: nan

New Agent Tesla Variant Being Spread by Crafted Excel Document

FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant.
This well-known malware family uses a .Net-based Remote Access Trojan (RAT) and data stealer to gain initial access.
It is often used for Malware-as-a-Service (MaaS).

IoCs

Newbgjeacdgbc35_browsingExe·exe
SHA1: e2437078fe7f3abd635dacae65cf6ae2d10ef98e
MD5: c1ac31ebcbfb8dc95d4eea6d4c95a474
SHA256: 36b17c4534e34b6b22728db194292b504cf492ef8ae91f9dda7702820efcfc3a

Newbgjeacdgbc38_browsingXls·xls
SHA1: 9e8b6be2fe10a60732d72486514acc372604f9fd
MD5: 7745432624df29d55537746834728200
SHA256: fdc04dc72884f54a4e553b662f1f186697daf14ef8a2dc367bc584d904c22638

3cc_browsing739bb1882fc9dbb056f39ebe4965771aeca0ceb44e85da39d1ba7dade693fXxX242Exe·exe
SHA1: 8291929d6f3ede6ec025c21d1559a7fe9d30a9ce
MD5: b6bd8ff194d22d83a123a3ad48edad62
SHA256: 3cc739bb1882fc9dbb056f39ebe4965771aeca0ceb44e85da39d1ba7dade693f

New Attack Vector In The Cloud Attackers Caught Exploiting Object Storage Services

A new attack vector in the cloud is being exploited by attackers using non-native object storage services according to Security Joe’s Incident Response.

IoCs

Newbgjeacdggb49_browsingBat·bat
SHA1: a8e7f942ca57ef50aaca4c520c60a92375b82736
MD5: b44e57c257934bbeb38324a04d7fb6c2
SHA256: fffa85e27836fd556a06660ac0ad76a35ef02687652a81194821c538e847d58f

Newbgjeacdggb49_edrBat·bat
SHA1: a8e7f942ca57ef50aaca4c520c60a92375b82736
MD5: b44e57c257934bbeb38324a04d7fb6c2
SHA256: fffa85e27836fd556a06660ac0ad76a35ef02687652a81194821c538e847d58f

18cc4c15_browsing77a5b3793ecc1e14db2883ffc6bf7c9792cf22d953c1482ffc124f5aXxX122Dll·dll
SHA1: ca1ef3aeed9c0c5cfa355b6255a5ab238229a051
MD5: db2d9d2704d320ecbd606a8720c22559
SHA256: 18cc4c1577a5b3793ecc1e14db2883ffc6bf7c9792cf22d953c1482ffc124f5a

Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

CISA and co-sealers are releasing this joint Cybersecurity Advisory (CSA) to provide network defenders with tactics techniques and procedures (TTPs) IOCs and methods to detect and protect against similar exploitation.

IoCs

Multiplebgjebbgije4_browsingExe·exe
SHA1: bbda2ad0634aa535b9df40dc39a2d4dfdd763476
MD5: b8967a33e6c1aee7682810b6b994b991
SHA256: 334c2d0af191ed96b15095a4a098c400f2c0ce6b9c66d1800f6b74554d59ff4b

Multiplebgjebbgije2_browsingExe·exe
SHA1: 82885f8c57cf4460f52db0a85e183d372f0aeb7e
MD5: 76adb0e36aac40cae0ebeb9f4bd38b52
SHA256: 79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63

36e661edc1ad4e44ba38d8f_browsing7a6bd00c2b4bc32e9fae8b955b1b4c6355aa6abedXxX795Aspx·aspx
SHA1: 097d74c369fe5e7cfb8b9a889564773c73eac627
MD5: 7edef26e5dfa9ee11bcdc06aad010ee3
SHA256: 36e661edc1ad4e44ba38d8f7a6bd00c2b4bc32e9fae8b955b1b4c6355aa6abed

Mac users targeted in new malvertising campaign delivering Atomic Stealer

Malicious ads for Google searches are targeting Mac users.
Phishing sites trick victims into downloading what they believe is the app they want.
The malware is bundled in an ad-hoc signed app so it cannot be revoked by Apple

IoCs

Macbgjebbhdei59_browsingMacho·macho
SHA1: ad8be4808f7dd910cec11d7eed88933e3f50132a
MD5: 7287f328f3acb1774ecc42606e2da598
SHA256: ce3c57e6c025911a916a61a716ff32f2699f3e3a84eb0ebbe892a5d4b8fb9c7a

Macbgjebbhdei59_edrMacho·macho
SHA1: ad8be4808f7dd910cec11d7eed88933e3f50132a
MD5: 7287f328f3acb1774ecc42606e2da598
SHA256: ce3c57e6c025911a916a61a716ff32f2699f3e3a84eb0ebbe892a5d4b8fb9c7a

05d5fa365498651bcbb8a356cd580b255cd4fd_browsing735e59f81d0c595b06ee61ad10XxX286Exe·exe
SHA1: 2dfe49db47d7e6ca0d7c5f3641da4911675baa25
MD5: 8addc16baeb0474d41ba2d3805665969
SHA256: 05d5fa365498651bcbb8a356cd580b255cd4fd735e59f81d0c595b06ee61ad10

APT37 Distributes Backdoor Via Malicious LNK

APT37 is a sophisticated advanced persistent threat (APT) that has been operating since 2012 and targeting victims across the globe to achieve its objectives.
In this campaign the threat actor used a novel technique to distribute a backdoor via malicious LNK files and uploaded malware within a compressed zip file to a regular website.
The victim executed a benign document named Status Survey Table.xlsx.lnk that subsequently created a benign document titled Status Survey Table.xlsx and a malicious script within a temporary folder.
A registry run key was created for persistence while information was collected and exfiltrated to a command-and-control server.

IoCs

Apt3_browsing7bgjebdbddg7Lnk·lnk
SHA1: b93c13204acb4819c7688f847b1470ac25df52b3
MD5: 0eb8db3cbde470407f942fd63afe42b8
SHA256: a39831ecbe0792adf87f63fb99557356ba688e5f6da8c2b058d2a3d0f0d7d1e4

Apt3_browsing7bgjebdbddg5Html·html
SHA1: 0c91f681090b1917264c4f53cee1572f2e0fa43c
MD5: 27f74072d6268b5d96d73107c560d852
SHA256: 562a4d8980acda8411fc1f830cb9bb5bdafd3dd586f871485a27e996bb07ac07

https://mode·encagil·com
SHA1: nan
MD5: nan
SHA256: nan

BlueShell malware used in APT attacks targeting Korea and Thailand

BlueShell is a backdoor malware developed in the Go language released on GitHub and supports Windows Linux and Mac operating systems.
Currently, the original GitHub repository is believed to have been deleted but BlueShell’s source code can still be obtained from other repositories.
The ReadMe file containing the explanation is in Chinese which suggests that the creator may be a Chinese user.

IoCs

Blueshellbgjeeeefij33_browsingExe·exe
SHA1: 52e10752ed1218ce78bd1bbd1319c70c2d682a78
MD5: 31c4a3f16baa5e0437fdd4603987b812
SHA256: afcaf51bef195d4959f934bcec0a9aebd8e7747f21e0bfba769b5f28708de0eb

Blueshellbgjeeeefij51_browsingElf·elf
SHA1: 1dc679ec200f5d8a901c36c536ec35c6de737f94
MD5: 3f022d65129238c2d34e41deba3e24d3
SHA256: 872075f3546c1556e56bc92dc323f6168b7dc6976e65fdf3e7bc1961e5656576

5_browsing7fd32c39c64d9f58846fa91b19c3086b66b0e733ebbc30f917a1f5063389691XxX16Exe·exe
SHA1: 1de4810a10fa2d73cc589ca403a4390b02c6da5e
MD5: f6f2345c131a3cc8642e22d300efac75
SHA256: 57fd32c39c64d9f58846fa91b19c3086b66b0e733ebbc30f917a1f5063389691

Analysis of Cuba ransomware gang activity and tooling

IoCs

Analysisbgjeejbidb82_browsingExe·exe
SHA1: cc06eea3cbe46235972916a6dabd4f5f4ee70e42
MD5: b23f8703583fa2b854a13eaa8b040ded
SHA256: c286130a992d0f416b103cd5a79b521a0a871146c0fda2912732341b77a463f9

Analysisbgjeejbidb81_browsingExe·exe
SHA1: f4026aaca69bbb02891156d8b9fc1f8e105c4a78
MD5: 2e16baf13ba06d209c57a47d9b08c7c6
SHA256: 2f3953e5ae4916478f17b4dffc1cfed88a6ab2fbd2b3ab521ac20345c6091634

Technical Analysis Of Sponsor Backdoor

Researchers have recently uncovered a new campaign attributed to APT35 which targeted automotive engineering healthcare insurance law financial manufacturing retail technological and telecommunication organizations in Brazil Israel and the United Arab Emirates (UAE).
This campaign employed a newly discovered backdoor malware called “Sponsor” along with different open-source tools and malware such as SQLDump Mimikatz Plink GOST Chisel ProcDump RevSocks Host2IP and WebBrowserPassView.

The initial access for this campaign was obtained by exploiting known vulnerabilities in Microsoft Exchange servers exposed to the internet highlighting the group’s method of identifying and exploiting weaknesses.
While some victims were specifically selected, others seemed to be victims of opportunity suggesting that APT35 engaged in scanning and exploiting vulnerable systems that were accessible.

The Sponsor backdoor itself is written in C++ and exhibits different versions with specific compilation timestamps and Program Database (PDB) paths.
It operates as a service and relies on encrypted configuration files for communication with command and control servers.
Information about the host system is gathered and reported to the C&C server with node IDs assigned for tracking.

IoCs

f99935_browsing7a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58feXxX17Exe·exe
SHA1: 99c7b5827df89b4fafc2b565abed97c58a3c65b8
MD5: 053778713819beab3df309df472787cd
SHA256: f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

2a99cf_browsing7d73d453f3554e24bf3efa49d8109da9e8543db815a8f813559d083f8fXxX1Exe·exe
SHA1: 764eb6ca3752576c182fc19cff3e86c38dd51475
MD5: 5b32c3fdcb78f06cf79ed3497538f72b
SHA256: 2a99cf7d73d453f3554e24bf3efa49d8109da9e8543db815a8f813559d083f8f

28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd_browsing76b8c4acff7cXxX9Exe·exe
SHA1: f97f8f78abb205dda329d89143aae34ba04d13df
MD5: c95c81ca4e6b8153b458d29186e696bc
SHA256: 28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c

DarkGate Loader Malware Delivered via Microsoft Teams

Malspam campaigns involving DarkGate Loader have been on the rise since its author started advertising it as a Malware-as-a-Service offering on popular cybercrime forums in June 2023.
Until now DarkGate Loader was seen delivered via traditional email malspam campaigns similar to those of Emotet.
In August an operator started using Microsoft Teams to deliver the malware via HR-themed social engineering chat messages.

IoCs

09904d65e59f3fbbbf38932ae_browsing7bff9681ac73b0e30b8651ec567f7032a94234fXxX210Zip·zip
SHA1: 6a6f9ea7f16fea5a24597937d8ba51e39479c863
MD5: deec192a82b84a683fd0ff4449699f88
SHA256: 09904d65e59f3fbbbf38932ae7bff9681ac73b0e30b8651ec567f7032a94234f

4c21_browsing711de81bb5584d35e744394eed2f36fef0d93474dfc5685665a9e159eef1XxX213Vbs·vbs
SHA1: a33d7c5de81a77ee76b4f873176eb194bc0f30fd
MD5: aff562f83effcbea96568037516d742e
SHA256: 4c21711de81bb5584d35e744394eed2f36fef0d93474dfc5685665a9e159eef1

2f8a32618e3a0c63350ae6fb2c4cd334e3_edr770d395eafe622988a62688dc76cf9XxX1Exe·exe
SHA1: 0a6276e86b6cd12c8b2c9352d3bf11e926d9d504
MD5: a08a64a1d3001371c232ed23c6152ba1
SHA256: 2f8a32618e3a0c63350ae6fb2c4cd334e3770d395eafe622988a62688dc76cf9

Ransomware GandCrab poses as Super Mario

Researchers from Bromium have discovered a malicious Excel spreadsheet that generates a PowerShell command from pixels that form the Super Mario Bros image.
When executed it downloads and installs the dangerous GandCrab ransomware.
The attack is aimed at users located in Italy and is delivered through an email pretending to be a payment notice.

IoCs

0c8c2_browsing7f06a0acb976b8f12ff6749497d4ce1f7a98c2a161b0a9eb956e6955362XxX2Png·png
SHA1: 883d4c52049627edecf590be9a2b16c072a9e640
MD5: 664602818438c6a2d813840977f94a92
SHA256: 0c8c27f06a0acb976b8f12ff6749497d4ce1f7a98c2a161b0a9eb956e6955362

3849381059d9e8bbcc59c253d2cbe1c92f_browsing7e1f1992b752d396e349892f2bb0e7XxX1Xls·xls
SHA1: 7e84a6fa7c0a290e1d52a74600901c53f8ad5c99
MD5: 0cda12fa42ebaeeb9a4718b753912bd5
SHA256: 3849381059d9e8bbcc59c253d2cbe1c92f7e1f1992b752d396e349892f2bb0e7

Freeworldbgjfcaaaeg1_edrExe·exe
SHA1: d78ff12ef7970fb02949fc58253d0df802cd1eb6
MD5: 076d10123ed712262b27c57dad0ea31b
SHA256: af263d19858ce5a0aceb3ff9b94a000a86368b71629b6db2e536c42246f36879

EV Certificates Abused To Deliver RedLine Vidar And Knight Ransomware

Trend Micro’s latest investigations show that the threat actors behind RedLine and Vidar now distribute ransomware payloads with the same delivery techniques they use to spread info stealers. This suggests that the threat actors are streamlining operations by making their techniques multipurpose. In this particular case, they investigated, the victim initially received a piece of info stealer malware with Extended Validation (EV) code signing certificates. After some time, however, they started receiving ransomware payloads via the same route.

IoCs

9123e42cdd3421e8f2_browsing76ac711988fb8a8929172fa76674ec4de230e6d528d09aXxX4Exe·exe
SHA1: b872b9a817c2e6cfd507a7a57f1f34b433bbb14a
MD5: adc2dde69189f2d357d5c423bd16a611
SHA256: 9123e42cdd3421e8f276ac711988fb8a8929172fa76674ec4de230e6d528d09a

a6258d_browsing70bc0b5d5c87368c5024d3f23585790b14227b8c59333413082524a956XxX6Exe·exe
SHA1: fcf03e2cdd96f41e489ef5866781e82b101a3f29
MD5: 31146a1095452f8f15ebad9f7e3c6efa
SHA256: a6258d70bc0b5d5c87368c5024d3f23585790b14227b8c59333413082524a956

911_browsing7bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0cebXxX73Dll·dll
SHA1: 6ec0c1d6311656c76787297775a8d0cb0aa6c4c7
MD5: da0085a97c38ead734885e5cced1847f
SHA256: 9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb

ShroudedSnooper Targets Telecommunications Firms In The Middle East With Custom Backdoors

ShroudedSnooper was discovered targeting telecommunication providers in the Middle East with two distinct malware variants labeled as HTTPSnoop and PipeSnoop.
HTTPSnoop is a backdoor that employs innovative methods to interact with Windows HTTP kernel drivers and devices.
This allows it to intercept incoming requests for specific HTTP(S) URLs and execute the associated content on the compromised device.
PipeSnoop is designed to receive arbitrary shellcode via a named pipe and execute it on the infected system.
Both HTTPSnoop and PipeSnoop come in two forms DLL and EXE versions and they disguise themselves as legitimate security software components particularly extended detection and response (XDR) agents.
The primary objective of ShroudedSnooper appears to be gaining initial access to internet-facing servers often by mimicking Microsofts Exchange Web Services (EWS) platform with specific HTTP URL patterns.

IoCs

e1ad1_browsing73e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9dXxX69Exe·exe
SHA1: c0afb5797e6873bbee69f9bf0aa7a9dd3a1c6fff
MD5: 31f2369d2e38c78f5b3f2035dba07c08
SHA256: e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d

7495c1ea421063845eb8f4599a1c1_browsing7c105f700ca0671ca874c5aa5aef3764c1cXxX71Exe·exe
SHA1: 9c58ec8f7ce75ba1b629c9ef84ab069a32313288
MD5: 4abcf21b63781a53bbc1aa17bd8d2cbc
SHA256: 7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c

9123e42cdd3421e8f2_edr76ac711988fb8a8929172fa76674ec4de230e6d528d09aXxX4Exe·exe
SHA1: b872b9a817c2e6cfd507a7a57f1f34b433bbb14a
MD5: adc2dde69189f2d357d5c423bd16a611
SHA256: 9123e42cdd3421e8f276ac711988fb8a8929172fa76674ec4de230e6d528d09a

Cert IL Alert – Medical institutions in Israel are under attack

Recent reports indicate that medical institutions in Israel are currently facing a targeted cyberattack.

IoCs

Freeworldbgjfcaaaeg2_browsingExe·exe
SHA1: eaa1d2577c58ea5bfa91b3683c0efad6caa02f6e
MD5: 6e7cca54eeb4db382f2e8ea923c3e71a
SHA256: 00cb23693cb50c9c3abd37ce9b9b84c0724009d4ebf339781ab62f3fb3ca8292

Freeworldbgjfcaaaeg1_browsingExe·exe
SHA1: d78ff12ef7970fb02949fc58253d0df802cd1eb6
MD5: 076d10123ed712262b27c57dad0ea31b
SHA256: af263d19858ce5a0aceb3ff9b94a000a86368b71629b6db2e536c42246f36879

630b6f15c_browsing770716268c539c5558152168004657beee740e73ee9966d6de1753fXxX4Exe·exe
SHA1: 2e28b2a506a310ce7353b9754f80f1453c9ec851
MD5: f00375613ef24bfef74243d8b758f2f7
SHA256: 630b6f15c770716268c539c5558152168004657beee740e73ee9966d6de1753f

Cert IL Alert – Medical institutions in Israel are under attack – v2

Recent reports indicate that medical institutions in Israel are currently facing targeted cyberattacks.
As the attacks progress, new Indicators of Compromise (IOCs) are emerging.

IoCs

2f8a32618e3a0c63350ae6fb2c4cd334e3_browsing770d395eafe622988a62688dc76cf9XxX1Exe·exe
SHA1: 0a6276e86b6cd12c8b2c9352d3bf11e926d9d504
MD5: a08a64a1d3001371c232ed23c6152ba1
SHA256: 2f8a32618e3a0c63350ae6fb2c4cd334e3770d395eafe622988a62688dc76cf9

d34c981c4e6504c2ae9065a1bc324a1_browsing706890c263f7f6704e8327bede1bc4370XxX2Exe·exe
SHA1: ddfc67baf9f852eea5f05b4aac5afc56af81bc7f
MD5: a33ab1093d0777e05ca3bcea6530ed34
SHA256: d34c981c4e6504c2ae9065a1bc324a1706890c263f7f6704e8327bede1bc4370

0c59f568da43_browsing731e3212b6461978e960644be386212cc448a715dbf3f489d758XxX211Zip·zip
SHA1: b79b60124b1c7231f359d011465d72ad9f3c0246
MD5: c7a8d36e367812d298b4abc13fa03c96
SHA256: 0c59f568da43731e3212b6461978e960644be386212cc448a715dbf3f489d758

StopRansomware Snatch Ransomware CISA

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.

IoCs

0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c_browsing78d0559cd6da653bf740fXxX5Bat·bat
SHA1: 4115d2d15614503456aea14db61d71a756cc7b8c
MD5: 2202e846ba05d7f0bb20adbc5249c359
SHA256: 0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f

5950b4e2_browsing7554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcdXxX7Exe·exe
SHA1: 5ad94f5303aed57a9d4f0055f15076454840064a
MD5: 3d29e9cdd2a9d76e57e8a3f9e6ed3643
SHA256: 5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd

2c_browsing7a96d79b97ec59ff8d18f5bb6404c36af25c513428a82db429b6e5648db2b3XxX3Exe·exe
SHA1: c4bc1a5a02f8ac3cf642880dc1fc3b1e46e4da61
MD5: 2d58339560255dd2d3cc1f9fe058373e
SHA256: 2c7a96d79b97ec59ff8d18f5bb6404c36af25c513428a82db429b6e5648db2b3

Kmrox Ransomware

According to Cyclonis Kmrox, ransomware is a Phobos family member.
During the examination of new file sample submissions, Cyclonis researchers came across another variant of Phobos ransomware called Kmrox.

This type of malware falls under the category of ransomware which is designed to encrypt data and demand payment for its decryption.

IoCs

82881ebbc_browsing7c5599d1e98006d7e97106a87983b78eeca0a7cdcdddfff981e0a87XxX1Exe·exe
SHA1: eef03b43ce9d36e1e513ab1c3c0f9205b41a9148
MD5: 5b672f45d525b56eb0c4c146214f267e
SHA256: 82881ebbc7c5599d1e98006d7e97106a87983b78eeca0a7cdcdddfff981e0a87

82881ebbc_edr7c5599d1e98006d7e97106a87983b78eeca0a7cdcdddfff981e0a87XxX1Exe·exe
SHA1: eef03b43ce9d36e1e513ab1c3c0f9205b41a9148
MD5: 5b672f45d525b56eb0c4c146214f267e
SHA256: 82881ebbc7c5599d1e98006d7e97106a87983b78eeca0a7cdcdddfff981e0a87

OilRigs Outer Space and Juicy Mix Same Oilrig New Drill Pipes

ESET researchers document OilRigs Outer Space and Juicy Mix campaigns targeting Israeli organizations in 2021 and 2022

IoCs

64156f9ca51951a9bf91b5b_browsing74073d31c16873ca60492c25895c1f0f074787345XxX14Exe·exe
SHA1: c9d18d01e1ec96be952a9d7bd78f6bbb4dd2aa2a
MD5: 868da692036e86a2dc87ca551ad61dd5
SHA256: 64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345

8a8a_browsing7a506fd57bde314ce6154f2484f280049f2bda504d43704b9ad412d5d618XxX15Doc·doc
SHA1: 3d71d782b95f13ee69e96bcf73ee279a00eae5db
MD5: 64f8dfd92eb972483feaf3137ec06d3c
SHA256: 8a8a7a506fd57bde314ce6154f2484f280049f2bda504d43704b9ad412d5d618

Blueshellbgjeeeefij56_browsingExe·exe
SHA1: 26c15bd62bceb5b9305efa40d470f02412047151
MD5: f4ace89337c8448f13d6eb538a79ce30
SHA256: 011b4e296d0ff98c8f09764f5172778f8ca81719c4f9eb1534b9073311dc8c06

Sandman APT Targeting Telcos With A LuaJIT Toolkit

Researchers detected a new threat actor referred to as “Sandman” engaging in malicious activities primarily targeting telecommunication providers in the Middle East Western Europe and the South Asian subcontinent.
Sandman’s actions are characterized by strategic lateral movements and minimal engagements to avoid detection.
Sandman’s identity remains elusive but it is suspected to be a private contractor or mercenary group.
The geographical distribution of victims and malware development efforts suggest a focus on espionage.
The threat actor demonstrates a penchant for persistence and sophistication in their attacks making them a significant concern for targeted organizations.
Sandman has deployed a unique modular backdoor named “LuaDream” based on the LuaJIT platform indicating a sophisticated and actively developed project.
LuaDreams staging process is designed to evade detection and it communicates with a command-and-control server over various protocols.

IoCs

0b962ad02e8eef3c_browsing717ce6fcfda9587f92ebe9e7ed6ee93be6bc1103daa4e8bfXxX864Dll·dll
SHA1: b9ea189e2420a29978e4dc73d8d2fd801f6a0db2
MD5: e8b2f80220b898cd34eb60600163a209
SHA256: 0b962ad02e8eef3c717ce6fcfda9587f92ebe9e7ed6ee93be6bc1103daa4e8bf

0b962ad02e8eef3c_edr717ce6fcfda9587f92ebe9e7ed6ee93be6bc1103daa4e8bfXxX864Dll·dll
SHA1: b9ea189e2420a29978e4dc73d8d2fd801f6a0db2
MD5: e8b2f80220b898cd34eb60600163a209
SHA256: 0b962ad02e8eef3c717ce6fcfda9587f92ebe9e7ed6ee93be6bc1103daa4e8bf

Apt3_browsing7bgjebdbddg9Bat·bat
SHA1: d9144b0da0d1ea7671667ffcd85448436e174486
MD5: 2d444b6f72c8327d1d155faa2cca7fd7
SHA256: ebd20c8c63690965267c97348f4db89cb73c9974c68a586862d73a339a05e677

GOLD MELODY Profile of an Initial Access Broker

SecureWorks Counter Threat Unit (CTU) analysis indicates that the GOLD MELODY threat group acts as an initial access broker (IAB) that sells access to compromised organizations for other cybercriminals to exploit.
This financially motivated group has been active since at least 2017 compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers.
The victimology suggests opportunistic attacks for financial gain rather than a targeted campaign conducted by a state-sponsored threat group for espionage destruction or disruption.

IoCs

fd544bda416f0819df01b45_browsing7d42888af64f2652fd9a907fd4cfc129a5556e97bXxX267Pl·pl
SHA1: f7f4ca923b29964a8d081cea04db6f732940b32b
MD5: c6c1c3d7e25327a6d46039aa837491e5
SHA256: fd544bda416f0819df01b457d42888af64f2652fd9a907fd4cfc129a5556e97b

a3d5ead160614336a013f5de4cff65a5198b1d_browsing73238a5b456f558e70b503f52eXxX282Exe·exe
SHA1: 3e2ba059fe882ee4f8ec7ed2952ebee0f014bc95
MD5: 687157882f603897bf6d358d49a12064
SHA256: a3d5ead160614336a013f5de4cff65a5198b1d73238a5b456f558e70b503f52e

http://trabingviews·com
SHA1: nan
MD5: nan
SHA256: nan

Gallium APT Group Suspected To Be Behind Southeast Asian Government Attacks

A series of cyber intrusions targeting a Southeast Asian government entity occurred from early 2022 through 2023.
These attacks are moderately confident to be the work of Alloy Taurus a group associated with Chinese state interests.
The intrusions exploited vulnerabilities in Exchange Servers to deploy numerous web shells creating gateways for additional tools and malware.

The attackers executed reconnaissance commands created administrative accounts and used scanners like Fscan and WebScan.
They introduced undocumented .NET backdoors named Reshell and Zapoa which opened an HTTP listener.

To maintain access the attackers installed SoftEther VPN software renaming it to evade detection.
They connected to various hosts downloaded tools such as Kerbrute LsassUnhooker and GoDumpLsass and attempted to gain domain credentials.

Methods included brute-forcing credentials stealing SAM Key Hive data retrieving locally stored passwords dumping the LSASS process and using credential harvesting tools like Mimikatz and LaZagne.
They also attempted an NTLM downgrade attack.

After obtaining credentials, the attackers targeted web servers and domain controllers.
They initially used SoftEther VPN and later abused the remote administration tool AnyDesk.
In addition to these actions, they attempted to install various other tools and malware including Cobalt Strike PuTTYs Plink HTran and the Quasar remote access Trojan (RAT).

IoCs

c1f43b_browsing7cf46ba12cfc1357b17e4f5af408740af7ae70572c9cf988ac50260ce1XxX791Aspx·aspx
SHA1: d8d3e6776330c665db1525f20f55a2efca470f3e
MD5: d6a82b866f7f9e1e01bf89c3da106d9d
SHA256: c1f43b7cf46ba12cfc1357b17e4f5af408740af7ae70572c9cf988ac50260ce1

009a9d1609592abe039324da2a8a69c4a305ca999920bf6bbef8392_browsing73516783aXxX793Aspx·aspx
SHA1: 21b1c62e16e7586665145256be84e9840e822f1e
MD5: 58b1c6e10db4b06a357a0f146f6c97c9
SHA256: 009a9d1609592abe039324da2a8a69c4a305ca999920bf6bbef839273516783a

Multiplebgjebbgije2_edrExe·exe
SHA1: 82885f8c57cf4460f52db0a85e183d372f0aeb7e
MD5: 76adb0e36aac40cae0ebeb9f4bd38b52
SHA256: 79a9136eedbf8288ad7357ddaea3a3cd1a57b7c6f82adffd5a9540e1623bfb63

Backchannel Diplomacy APT29s Rapidly Evolving Diplomatic Phishing Operations

APT29s pace of operations and emphasis on Ukraine increased in the first half of 2023 as Kyiv launched its counteroffensive pointing to the SVRs central role in collecting intelligence concerning the current pivotal phase of the war.

IoCs

c03292fca415b51d08da32e2f_browsing7226f66382eb391e19d53e3d81e3e3ba73aa8c1XxX118Iso·iso
SHA1: 52932be0bd8e381127aab9c639e6699fd1ecf268
MD5: 22adbffd1dbf3e13d036f936049a2e98
SHA256: c03292fca415b51d08da32e2f7226f66382eb391e19d53e3d81e3e3ba73aa8c1

a42dd6bea439b_browsing79db90067b84464e755488b784c3ee2e64ef169b9dcdd92b069XxX119Dll·dll
SHA1: 6382ae2061c865ddcb9337f155ae2d036e232dfe
MD5: 9159d3c58c5d970ed25c2db9c9487d7a
SHA256: a42dd6bea439b79db90067b84464e755488b784c3ee2e64ef169b9dcdd92b069

A multi-ransomware cybercriminal group

In March 2023 ANSSI reported to the university hospital in Brest the compromise of one of its servers.
The reactivity of the health facility has made it possible to rapidly isolate the Internet’s information system (IS) and to hamper the progress of attacker procedures (AMOs) preventing data exfiltration and SI encryption.
The discovery of links with a set of incidents observed on the French perimeter and reported in open sources made it possible to link this attack to the FIN12 cybercriminal MOA.

IoCs

e9_browsing7bdf7fafb1cb2a2bf0a4e14f51e18a34f3ff2f6f7b99731e93070d50801befXxX236Exe·exe
SHA1: 28400c267815762e49c200e8b481a592c67f9cf7
MD5: 5a01695be573f95dfc0cf73ab6b5234d
SHA256: e97bdf7fafb1cb2a2bf0a4e14f51e18a34f3ff2f6f7b99731e93070d50801bef

90cdcf54bbaeb9c5c4afc9b_browsing74b48b13e293746ee8858c033fc9d365fd4074018XxX239Dll·dll
SHA1: 1e0ec6994400413c7899cd5c59bdbd6397dea7b5
MD5: 30a6cd2673ef5b2cb18f142780a5b4a3
SHA256: 90cdcf54bbaeb9c5c4afc9b74b48b13e293746ee8858c033fc9d365fd4074018

https://23·95·128·195
SHA1: nan
MD5: nan
SHA256: nan

Stealth Falcon Preying Over Middle Eastern Skies with Deadglyph

ESET researchers have discovered a new sophisticated malware named Deadglyph used by the Stealth Falcon APT group for espionage in the Middle East.

IoCs

56_browsing71b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15XxX14Dll·dll
SHA1: 7f728d490ed6ea64a7644049914a7f2a0e563969
MD5: 64f47ce2f7528b48c6cc9cddc1f48fa3
SHA256: 5671b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15

56_edr71b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15XxX14Dll·dll
SHA1: 7f728d490ed6ea64a7644049914a7f2a0e563969
MD5: 64f47ce2f7528b48c6cc9cddc1f48fa3
SHA256: 5671b3a89c0e88a9bfb0bd5bc434fa5245578becfdeb284f4796f65eecbd6f15

Exposingbgjeacdfdc34_browsingElf·elf
SHA1: cd74767c0d92a9b7cbed04e78824dd6b6985c3bd
MD5: 37bdd5eeb2d15eda624bdd87ca49548d
SHA256: 666ac17af53d0d21969751472f0d4147448aae52fff9fd759b319f2929a47de6

Warning Newly Discovered APT Attacker AtlasCross Exploits Red Cross Blood Drive Phishing for Cyberattack

After an in-depth study of the attack process NSFOCUS Security Labs found that this APT attacker is quite different from known attacker characteristics in terms of execution flow attack technology stack attack tools implementation details attack objectives behavior tendency and other main attribution indicators.
The technical level and cautious attitude shown by this attacker during this activity are also worthy of attention.

IoCs

5e914133503e60491b445e5a06f3fa8144463340a3c9dc6d8_browsing75bbfdcd6ff7f55XxX27Docx·docx
SHA1: 58fa5b8211a28e87415b57d89dd9a7e01b2f9bf4
MD5: 7195d7e4926a0a85fbe81e40ab7c0ca4
SHA256: 5e914133503e60491b445e5a06f3fa8144463340a3c9dc6d875bbfdcd6ff7f55

380f5069a6d9b4689058ba538_browsing76b0571a9f81cf8d1388d71ee555118a0d967c8XxX28Dll·dll
SHA1: 3350e2b3892b78dfd5b155c002f3c1b70ec3ac7b
MD5: ba85467ceff628be8b4f0e2da2a5990c
SHA256: 380f5069a6d9b4689058ba53876b0571a9f81cf8d1388d71ee555118a0d967c8

Freeworldbgjdjcbhfi4_browsingExe·exe
SHA1: dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b
MD5: ac34ba84a5054cd701efad5dd14645c9
SHA256: c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

ZenRAT Malware Brings More Chaos Than Calm

Proofpoint Emerging Threats often receives tips from the community leading to the investigation and detection of novel malware.
On 10 August, 2023, Jrme Segura Senior Director of Threat Intelligence at Malwarebytes shared a malware sample that was being distributed as a part of a Windows software installation package.
The sample was initially discovered on a website pretending to be associated with Bitwarden bitwariden[.]com a very convincing lookalike to the real bitwarden.com.
Packaged with a standard Bitwarden installation package is a malicious .NET executable that we have dubbed ZenRAT.

IoCs

986aa8e20962b289_browsing71b3a5335ef46cf96c102fa828ae7486c2ac2137a0690b76XxX35Exe·exe
SHA1: 4805037977fb45f7ff98e96eed51422c813470ee
MD5: c9972ce41e4b27d88b66b39d520eb254
SHA256: 986aa8e20962b28971b3a5335ef46cf96c102fa828ae7486c2ac2137a0690b76

ba36d9d6e53_browsing7a1c1ecdf1ace9f170a3a13c19e77f582a5cae5c928a341c1be8dXxX36Exe·exe
SHA1: 491a0494d9e6538f24b09ab7bd2b419a5e8eb01b
MD5: 2421c4cd791b1eb1218bb07e2f734b9c
SHA256: ba36d9d6e537a1c1ecdf1ace9f170a3a13c19e77f582a5cae5c928a341c1be8d

http://ocmtancmi2c5t·xyz
SHA1: nan
MD5: nan
SHA256: nan

Stealing More Than Towels The New InfoStealer Campaign Hitting Hotels and Travel Agencies

Perception Points researchers have observed numerous variations of InfoStealer attacks all focusing on hotels and related businesses.
The common starting point? Booking a hotel reservation.
This serves as the entry point for adversaries to initiate their malicious activities.
But as you’ll see what follows is far from ordinary.

IoCs

5_browsing780ed8b0d40ad27404f10cd789f6b9e6bf58d78a046ad51a6bd9bb7c596989aXxX2Exe·exe
SHA1: f551911393cf7e88b8f15f2101e15573092d02f5
MD5: 379656262d018e26ba6b07ca3bf10d50
SHA256: 5780ed8b0d40ad27404f10cd789f6b9e6bf58d78a046ad51a6bd9bb7c596989a

b63d41c60aa52cae9806a4fe233d9a55b0c2dfdc6_browsing7f215ab66c660503cc1a5f3XxX5Exe·exe
SHA1: 92e29c2f709aab4d6710d7e2c7d1131b557433c7
MD5: 26ace7baff5336943808674ae4fd06c2
SHA256: b63d41c60aa52cae9806a4fe233d9a55b0c2dfdc67f215ab66c660503cc1a5f3

http://hironchk·com
SHA1: nan
MD5: nan
SHA256: nan

That is all for now!

Stay cyber safe and see you next month!

 

 

Start a Free Trial

Related Resources

Whitepaper

APT-Ready in Four Steps: Your Action Plan

Learn how to establish a continuous, repeatable system to defend SMB and enterprise networks with Cymulate.

READ MORE arrow icon

Video

Defending Against Immediate Threats

With Cymulate’s technology, you can simulate the latest cyber threat to see if and how it penetrates your organization, giving you immediate answers to immediate threats.

WATCH NOW arrow icon

Case Study

Euronext Secures Trading with Breach and Attack Simulation

Learn how simulations of the latest immediate threats, across the company’s infrastructure, enable Euronext to benefit from breach and attack simulation.

READ MORE arrow icon