Thursday, November 30, 2023

Associated Press, ESPN, CBS among top sites serving fake virus alerts

A recent malvertising campaign serving fake virus alerts has reached prominent publishers including the Associated Press, ESPN, and CBS. The campaign, run by a group known as ScamClub, forcibly redirects readers from the legitimate page to fake security alerts that funnel them to a malicious McAfee affiliate.

ScamClub is resourceful and has had a significant impact on the advertising ecosystem. These fake McAfee alerts and related malvertising redirects have been a recurring problem for years, and despite being flagged numerous times, McAfee has reportedly not taken action against the affiliate.

Confiant, a firm that has been tracking ScamClub's activities, released a comprehensive report in September 2023, which also contributed to disrupting their activities. However, ScamClub continues to pose a threat through these deceptive practices, exploiting ad exchanges and targeting high-profile news sites.

This campaign represents a critical challenge in the digital advertising space, where legitimate websites unknowingly become conduits for distributing malware and fake security threats. Users browsing these affected sites may suddenly encounter fake antivirus alerts, potentially leading to further security risks.

For internet users, the practical rule is that no legitimate antivirus product raises alerts inside a browser tab: an unexpected full-page "your device is infected" warning that appears while reading a news site is the scam itself, not a detection, and should be closed without clicking anything on it. Publishers and ad networks, for their part, need to strengthen their defenses against forced redirects from ad creatives to protect their audiences.

IoC

DOMAIN

  • xyzcreators.xyz
  • vulnerabilityassessments.life
  • trkmyclk.xyz
  • trk-server.xyz
  • trackmenow.life
  • trackmaster.cc
  • tracklinker.space
  • trackinghub.info
  • trackify.world
  • threatdetectorhub.online

REFERENCES

  •  https://www.malwarebytes.com/blog/threat-intelligence/2023/11/associated-press-espn-cbs-among-top-sites-serving-fake-virus-alerts#:~:text=The%20list%20of%20affected%20publishers,impact%20on%20the%20ad%20ecosystem
  •  https://www.techtarget.com/searchsecurity/news/366561652/ScamClub-spreads-fake-McAfee-alerts-to-ESPN-AP-CBS-sites#:~:text=ScamClub%20spreads%20fake%20McAfee%20alerts,Director%20Published%3A%2030%20Nov%202023
  •  https://otx.alienvault.com/pulse/6568c03a3d2441b93d7e4401

TAGS

Malvertising, ScamClub, Mobile

New SugarGh0st RAT targets Uzbekistan government and South Korea

The new SugarGh0st Remote Access Trojan (RAT) has been identified as targeting the Uzbekistan government and entities in South Korea. Cisco Talos, a leading cybersecurity research group, discovered this malicious campaign which likely started around August 2023. SugarGh0st is assessed to be a new, customized variant of the well-known Gh0st RAT, a trojan that has been active for over a decade. This RAT has been customized with specific commands to facilitate remote operations and espionage activities.

SugarGh0st is the latest evolution of the Gh0st RAT family, which remains a significant threat worldwide. It has been identified in attacks on the Ministry of Foreign Affairs in Uzbekistan and on targets in South Korea. Gh0st RAT's source code was publicly released in 2008 by the Chinese group C.Rufus Security Team, which is why its variants are commonly associated with Chinese-speaking actors.

The deployment of SugarGh0st reflects an ongoing trend in which a widely available crimeware codebase is customized for espionage and data theft. The campaign underscores the adaptability of such threats, particularly those aimed at government entities in specific geopolitical regions.

Given the critical nature of these threats, organizations in the targeted regions, especially government and diplomatic entities, are advised to remain vigilant and bolster their cybersecurity defenses against such sophisticated threats. Regular updates, vigilant monitoring, and advanced threat detection mechanisms are essential in protecting against these evolving cyber espionage tools.

IoC

IPv4

  • 42.121.111.112
  • 199.231.186.249
  • 185.122.204.197
  • 173.214.167.155

SHA256

  • f75cb3e540b96cd54a966c512c854c832807e354772ae1a326b758394b01b607
  • f5a36570506bfaff60b684cd26dde3a64a3db4eaa9da78a1434cfd4b390ef3d5
  • ed09f95f4b4b482207bb300ff6ec15ed8ca5fdde97af02fa9fbe01adaaf7673b
  • dbf8ba47a5973c86fef32c2d696b09e1930a8384087c62ace1aa5c4084ee1a3f
  • d8f55bbbcc20e81e46b9bf78f93b73f002c76a8fcdb4dc2ae21b8609445c14f9
  • bfce7938591dd9fa3e1368d7eb86fc7f11e935349437fc11de4f124bbbc16dee

REFERENCES

  • https://blog.talosintelligence.com/new-sugargh0st-rat/#:~:text=New%20SugarGh0st%20RAT%20targets%20Uzbekistan,%E2%80%9D
  • https://allinfosecnews.com/item/new-sugargh0st-rat-targets-uzbekistan-government-and-south-korea-2023-11-30--1/#:~:text=We%20assess%20with%20high%20confidence,to%20facilitate%20the%20remote%20%E2%80%A6
  • https://www.darkreading.com/threat-intelligence/new-spookier-gh0st-rat-uzbekistan-south-korea
  • https://www.darkreading.com/threat-intelligence/why-we-need-to-reinvent-how-we-catalogue-malware
  • https://otx.alienvault.com/pulse/6568b12aaabf4058f1f19eb5

TAGS

SugarGh0st, Gh0st RAT, Uzbekistan, South Korea

GoTitan Botnet - Ongoing Exploitation on Apache ActiveMQ

The GoTitan botnet is a Go-based bot, delivered alongside a .NET program known as PrCtrl RAT, that gives remote attackers control over infected hosts. Both are being dropped through CVE-2023-46604, a deserialization-of-untrusted-data flaw in Apache ActiveMQ. The vulnerability is rated critical and affects Apache ActiveMQ releases before 5.15.16, 5.16.7, 5.17.6 and 5.18.3 (and the Legacy OpenWire Module before 5.15.16) on every operating system.

The exploit sends a crafted packet over the OpenWire protocol (the broker's OpenWire listener is on TCP 61616 by default) that makes the broker unmarshal a class name of the attacker's choosing and instantiate it with attacker-supplied arguments, which is enough to run arbitrary shell commands as the broker process. Nothing beyond network reachability of the broker is required, so any organization exposing an affected version is at risk.

Organizations running Apache ActiveMQ are advised to upgrade to 5.15.16, 5.16.7, 5.17.6 or 5.18.3 (or later), to restrict network access to the OpenWire port until they do, and to treat the broker's Java process spawning shells or downloaders as a sign of compromise by GoTitan or the other malware riding this vulnerability.
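The version ranges above are easy to get wrong by hand because the fix landed at a different patch level on each maintained branch. The script below is an added example, not code from the original page or from Fortinet's report: it encodes the fixed versions the page cites and checks an inventory of broker versions against them. The hostnames and version strings in the sample inventory are constructed for illustration.

```python
"""Check Apache ActiveMQ version strings against the CVE-2023-46604 fix releases.

Added example, not code from the original page or from Fortinet's report.
The fixed versions (5.15.16, 5.16.7, 5.17.6, 5.18.3) are those the page cites;
the inventory below is constructed for illustration.
"""
import re

# First fixed release on each maintained 5.x branch. Anything on one of these
# branches below the listed patch level is vulnerable.
FIXED_VERSIONS = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch'; suffixes such as '-SNAPSHOT' are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(text: str) -> bool:
    """True if the given ActiveMQ version is affected by CVE-2023-46604."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        # Maintained branch: vulnerable until the branch's fix release.
        return (major, minor, patch) < FIXED_VERSIONS[branch]
    # Branches older than 5.15 never received a fix (the Legacy OpenWire
    # Module is affected from 5.8.0); anything newer than 5.18 shipped
    # after the fix.
    return branch < (5, 15)


# Constructed inventory (hostname -> version as reported by the broker's
# admin console or the activemq jar manifest). These hosts are made up.
SAMPLE_INVENTORY = {
    "mq-prod-01.example.internal": "5.15.9",
    "mq-prod-02.example.internal": "5.18.3",
    "mq-dev-01.example.internal": "5.17.5",
    "mq-legacy.example.internal": "5.14.5",
    "mq-new.example.internal": "6.0.0",
}


def vulnerable_hosts(inventory: dict) -> list:
    """Return the sorted hostnames whose version is affected."""
    return sorted(h for h, v in inventory.items() if is_vulnerable(v))


if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2023-46604")
```

A version string alone does not prove a broker was not already exploited; the check tells you which hosts to patch first, and the process-spawning indicator in the text above tells you which ones to investigate.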

IoC

IPv4

  • 42.121.111.112
  • 199.231.186.249
  • 185.122.204.197
  • 173.214.167.155

SHA256

  • f75cb3e540b96cd54a966c512c854c832807e354772ae1a326b758394b01b607
  • f5a36570506bfaff60b684cd26dde3a64a3db4eaa9da78a1434cfd4b390ef3d5
  • ed09f95f4b4b482207bb300ff6ec15ed8ca5fdde97af02fa9fbe01adaaf7673b
  • dbf8ba47a5973c86fef32c2d696b09e1930a8384087c62ace1aa5c4084ee1a3f
  • d8f55bbbcc20e81e46b9bf78f93b73f002c76a8fcdb4dc2ae21b8609445c14f9
  • bfce7938591dd9fa3e1368d7eb86fc7f11e935349437fc11de4f124bbbc16dee

REFERENCES

  • https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq#:~:text=GoTitan%20Botnet%20,vulnerable%20systems%20Severity%20Level%3A%20Critical
  • https://thehackernews.com/2023/11/gotitan-botnet-spotted-exploiting.html#:~:text=The%20recently%20disclosed%20critical%20security,remotely%20commandeering%20the%20infected%20hosts
  • https://cybersecuritynews.com/apache-activemq-vulnerability/#:~:text=GoTitan%20Botnet%20%E2%80%93%20Ongoing%20Exploitation,by%20sending%20a%20crafted%20packet
  • https://otx.alienvault.com/pulse/6567c0e6d66026b734340b59

TAGS

botnets, apache, CVE-2023-46604, gotitan, sliver, kinsing


The Mahagrass Organization (APT-Q-36) uses the Spyder downloader to deliver the Remcos Trojan

The Mahagrass Organization, tracked as APT-Q-36, has been using the Spyder downloader to deliver the Remcos Trojan. The group, also known as Maha Grass, Patchwork, Hangover, Dropping Elephant, and White Elephant, has been active since at least November 2009 and primarily targets Asian countries. The Spyder downloader has been updated several times in a short period; the changes are aimed at evading security software so that the group's intelligence-theft operations succeed.

The Qi'anxin Threat Intelligence Center recently identified new activity by APT-Q-36. Notably, key strings in the Spyder downloader are now stored encrypted, and the format of the data exchanged between the malware and its command and control (C2) servers has been adjusted. Both changes are intended to defeat static signatures and network detections written for earlier versions.

IoC

DOMAIN

  • www.wingtiptoys.com
  • omeri12oncloudd.com
  • morimocanab.com
  • mfaturk.com
  • grand123099ggcarnivol.com
  • firebasebackups.com

SHA256

  • fbd567c08b493a4c406fcd4d9a6d7403dc572f9b4c50fc4a56d37982c25dc457
  • 27b2cbb45e866e8db8bf8933d6749164dc97995351704f0d33f62982a9abf955

SHA1

  • af42866f0a4fbd9d481a845120cadb1dbad289d1
  • 4169a82c81633f9cae0cc5a65cd26bc1959aeeec

REFERENCES

  • https://www.securitricks.com/the-mahagrass-organization-apt-q-36-uses-the-spyder-downloader-to-deliver-the-remcos-trojan-tuesday-november-28-2023/#:~:text=The%20Mahagrass%20Organization%20%28APT,intelligence%2C%20according%20to%20MP%20Weixin
  • https://securityonline.info/south-asian-cyber-threat-persists-apt-q-36-upgrades-spyder-loader-targets-remcos-delivery/#:~:text=Cyber%20Security%20South%20Asian%20Cyber,Patchwork%2C%20Hangover%2C%20and%20Dropping%20Elephant
  • https://www.difesaesicurezza.com/en/cyber-en/cybercrime-maha-grass-is-using-spyder-to-deliver-remcos/#:~:text=Maha%20Grass%20is%20using%20Spyder,Elephant%2C%20Hangover%2C%20Droping%20Elephant
  • https://otx.alienvault.com/pulse/6566312bddcfb0e7f0991687

TAGS

spyder, remcos, http, malware, c2 server, RC4 decryption


Telekopye: Hunting Mammoths using Telegram bot

Telekopye is a malicious toolkit operating as a Telegram bot, designed to aid scammers in their fraudulent activities, particularly targeting online marketplaces. This toolkit is primarily, but not exclusively, used in Russia as per ESET researchers. Telekopye's functionality centers around creating phishing web pages using premade templates, which are then used to deceive potential victims, referred to as "Mammoths" by the criminals.

The name Telekopye is a portmanteau of "Telegram" and "kopye," which means "spear" in Russian. The bot automates the crafting of phishing web pages from ready-made templates that replicate legitimate marketplace and delivery sites, luring victims into entering sensitive information such as payment card details. Telekopye shows how a popular messaging platform can be turned into the control plane for a large-scale phishing operation.

IoC

DOMAIN

  • youla.id7423.ru
  • sbazar.id7423.ru
  • olx.id7423.ru
  • kufar.id7423.ru
  • izi.id7423.ru
  • cdek.id7423.ru
  • boxberry.id7423.ru
  • avito.id7423.ru
  • avito-rent.id7423.ru
  • pay-sacure4ds.ru

REFERENCES

  • https://www.welivesecurity.com/en/eset-research/telekopye-hunting-mammoths-using-telegram-bot/
  • https://www.securitricks.com/telekopye-hunting-mammoths-using-telegram-bot-monday-november-27-2023/#:~:text=Here%20is%20the%20latest%20malware,Russia%20according%20to%20eset%20researchers
  • https://otx.alienvault.com/pulse/6564d0af3b26263e9db591d9

TAGS

Telegram, Telekopye

DPRK Crypto Theft | macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads

The DPRK (Democratic People's Republic of Korea) state-linked cyber actors have been involved in sophisticated cyber activities, including software supply chain attacks and crypto theft. These activities have been noted for their improved capabilities in malware and evasion techniques.

RustBucket Malware: Researchers have identified an updated version of a macOS malware called RustBucket, which has enhanced capabilities to establish persistence and avoid detection by security software. RustBucket is one of the tools in the arsenal of DPRK cyber actors, illustrating their focus on developing and utilizing sophisticated malware.

KandyKorn Malware Campaign: A new macOS malware named 'KandyKorn' has been attributed to the North Korean Lazarus hacking group. This group targets blockchain engineers of cryptocurrency exchange platforms. The attackers are known to impersonate members of the cryptocurrency community on Discord channels, spreading Python-based modules that trigger multi-stage attacks. This approach indicates a strategic targeting of individuals and entities in the cryptocurrency sector.

Tactics, Techniques, and Procedures (TTPs): The TTPs associated with DPRK ransomware operations largely match those seen in criminal ransomware: acquiring infrastructure, obfuscating identity, and purchasing VPN and VPS services to reach target networks, all while concealing DPRK affiliation. This shows a comprehensive, multi-phase approach to cyber operations.

Operation In(ter)ception: There have been instances, such as Operation In(ter)ception, where job vacancies at cryptocurrency exchanges like Coinbase and Crypto.com were used as lures to infect macOS users with malware. This variant of the campaign indicates a continuing and evolving threat targeting the cryptocurrency sector, leveraging social engineering tactics to infiltrate networks.

The ongoing cyber activities of DPRK state-linked actors, including sophisticated malware campaigns and targeted ransomware attacks, underscore the evolving landscape of state-sponsored cyber threats. The focus on cryptocurrency platforms and the use of advanced malware suggest a strategic approach aimed at financial gain and intelligence gathering.

IoC

DOMAIN

  • tp-globa.xyz
  • swissborg.blog
  • on-global.xyz

IPv4

  • 23.254.226.90
  • 192.119.64.43
  • 104.168.214.151


SHA256

  • 927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6
  • 8bfa4fe0534c0062393b6a2597c3491f7df3bf2eabfe06544c53bdf1f38db6d4
  • 8a8de435d71cb0b0ae6d4b15d58b7c85ce3ef8f06b24266c52b2bc49217be257
  • 3ea2ead8f3cec030906dcbffe3efd5c5d77d5d375d4a54cca03bfe8a6cb59940

REFERENCES

  • https://otx.alienvault.com/pulse/64a2b6a638a683d6da50262c
  • https://otx.alienvault.com/browse/global/pulses?q=lazarus&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=lazarus
  • https://otx.alienvault.com/pulse/6564cd4faeaeaa1291c57bde

TAGS

KandyKorn, RustBucket, SugarLoader, HLoader, macOS

DPRK state-linked cyber actors conduct software supply chain attacks


Cybersecurity agencies have issued warnings about the increasing volume and sophistication of software supply chain attacks conducted by Democratic People's Republic of Korea (DPRK) state-linked cyber actors. These attacks have been steadily growing, employing advanced techniques to gain access to victims’ systems.

The National Cyber Security Centre (NCSC) of the United Kingdom and the National Intelligence Service (NIS) of the Republic of Korea have jointly published an advisory highlighting the critical nature of these attacks. The DPRK state-linked cyber actors have been using increasingly sophisticated methods in their operations, targeting software supply chain products widely used by government organizations and other entities.

These supply chain attacks pose a significant threat due to their ability to infiltrate various systems through trusted software channels. The joint advisory from the UK's NCSC and South Korea's NIS underscores the necessity for heightened vigilance and robust cybersecurity measures to counter these sophisticated cyber threats.

The coordinated effort by these national cybersecurity organizations to raise awareness and combat these threats demonstrates the seriousness with which these attacks are being treated at an international level.

IoC

SHA256

  • 6c121f2b2efa6592c2c22b29218157ec9e63f385e7a1d7425857d603ddef8c59
  • a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67
  • e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec

SHA1

  • 9e9a5f8d86356796162cee881c843cde9eaedfb3
  • 769383fc65d1386dd141c960c9970114547da0c2
  • 3dc840d32ce86cebf657b17cef62814646ba8e98

MD5

  • 5faf36ca90f6406a78124f538a03387a
  • 660ea9b8205fbd2da59fefd26ae5115c
  • d5101c3b86d973a848ab7ed79cd11e5a

DOMAIN

  • sbmsa.wiki

REFERENCES

  • https://www.ibtimes.co.uk/cybersecurity-agencies-warn-growing-dprk-state-linked-cyber-attacks-via-software-supply-chains-1721812#:~:text=Supply%20chain%20attacks%20orchestrated%20by,actors%20employ%20tactics%20such%20as
  • https://www.linkedin.com/feed/update/urn:li:activity:7133419138240110594/
  • https://otx.alienvault.com/pulse/6564c1dd6b56dfd223dd7d80

TAGS

DPRK, 3CX

Unveiling Parallax RAT: A Journey from Infection to Lateral Movement

The Parallax Remote Access Trojan (RAT) first appeared on hacking forums in 2019. It was developed in MASM (Microsoft Macro Assembler) and offers keylogging, password theft, screenshot capture, file upload, execution and exfiltration through a built-in file manager, and full remote control. The latest known version of Parallax RAT is 1.0.7.

In a recent incident handled by eSentire's Threat Response Unit (TRU), Parallax RAT arrived through a drive-by download: a user searching for the Fortinet VPN client on Bing clicked an advertisement leading to an imposter page and downloaded Parallax RAT (MD5: 9a82d1499ef3649d2603780fe30db0b5). The operators then used the RAT to deploy PsExec, a lightweight telnet-replacement tool that executes processes on other systems, and moved laterally to the Domain Controller within two hours of the RAT's execution. They also attempted to run NetSupport RAT via PsExec.

One of the early signs of the attack was a suspicious VBS script named “gatheringNetworkInfo.vbs” running NetSupport RAT from the %windir%\system32 path on the Domain Controller. NetSupport RAT is known for allowing unauthorized remote access and control over a victim's computer or network, providing attackers with a wide range of capabilities, including remote control, data theft, and surveillance.

Although the Parallax RAT project was shut down in 2020 by its developers for personal reasons, the malware has been cracked and is now freely available in the wild. It uses RC4 to encrypt the names of the DLLs it loads and its configuration, and inserts unconditional jump instructions as an anti-disassembly technique. These features keep it a potent tool for cybercriminals and a significant security threat.
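Both the Spyder downloader write-up earlier on this page (whose tags list RC4 decryption of the encrypted key strings) and eSentire's Parallax analysis describe RC4 being used to hide configuration strings and loaded DLL names. The helper below is an added example, not code from either report or from either malware family: it implements RC4 and walks a simple length-prefixed string table of the kind an analyst carves out of a sample. The table layout, the key and the strings are constructed here and are not the real Spyder or Parallax format, which has to be recovered from the sample itself.

```python
"""RC4 string-table decryption helper for malware analysis.

Added example, not code from the original page, from Qi'anxin, from eSentire,
or from the Spyder or Parallax authors. The table layout, key and strings
below are constructed for illustration.
"""
from typing import Iterator, List


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield the RC4 keystream for `key` (key-scheduling, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decrypt_string_table(key: bytes, blob: bytes) -> List[str]:
    """Decrypt a blob of length-prefixed RC4 strings.

    Layout assumed here (constructed, not a real family's format):
    repeated [u8 length][length bytes of ciphertext], each string encrypted
    independently with the same key, so the keystream restarts per string.
    """
    out = []
    pos = 0
    while pos < len(blob):
        n = blob[pos]
        pos += 1
        chunk = blob[pos:pos + n]
        if len(chunk) != n:
            raise ValueError(f"truncated string table at offset {pos}")
        out.append(rc4(key, chunk).decode("latin-1"))
        pos += n
    return out


def build_string_table(key: bytes, strings: List[str]) -> bytes:
    """Inverse of decrypt_string_table; used only to construct the sample."""
    blob = bytearray()
    for s in strings:
        ct = rc4(key, s.encode("latin-1"))
        blob.append(len(ct))
        blob += ct
    return bytes(blob)


# Constructed sample: the kind of strings a loader hides (DLL names and a C2
# host). The key is made up; a real key is read out of the sample's code.
SAMPLE_KEY = b"sample-key"
SAMPLE_STRINGS = ["kernel32.dll", "ws2_32.dll", "c2.example.invalid"]
SAMPLE_BLOB = build_string_table(SAMPLE_KEY, SAMPLE_STRINGS)

if __name__ == "__main__":
    for s in decrypt_string_table(SAMPLE_KEY, SAMPLE_BLOB):
        print(s)
```

When applying this to a real sample, the two things to recover from the code are the key (often a short literal passed to the decryption routine) and whether the keystream restarts for each string or runs continuously across the whole blob; the per-string assumption above is the more common pattern but must be confirmed in the disassembly.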

IoC

HOSTNAME

  • websyncapi.eu
  • websyncapi.click
  • startus2.com
  • startus1.com
  • fortionlinevpn.com
  • apipkg.click

IPv4

  • 104.194.222.123

MD5

  • 9a82d1499ef3649d2603780fe30db0b5
  • 06a27959b25a8ea9196ffb72200e94aa

REFERENCES

  • https://www.esentire.com/blog/unveiling-parallax-rat-a-journey-from-infection-to-lateral-movement
  • https://otx.alienvault.com/pulse/6564bdc3ca670f9b0d224d84

TAGS

Parallax RAT, NetSupport RAT


Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker

The SysJoker malware, initially an unattributed multi-platform backdoor, has been linked to targeted attacks by a Hamas-affiliated Advanced Persistent Threat (APT) group targeting Israel. This association has been identified amid the ongoing tensions in the Israel-Hamas conflict. Check Point Research has been actively tracking the evolution of SysJoker, and their findings reveal significant developments in the malware's capabilities and methods. Key aspects of the SysJoker malware include:

Evolution of SysJoker: SysJoker has undergone major changes, most notably the shift to the Rust programming language. This indicates a complete code rewrite while retaining similar functionalities. This evolution suggests a significant advancement in the malware's sophistication and effectiveness.

Cybersecurity Research on SysJoker: Cybersecurity researchers have been closely monitoring SysJoker and its deployment in the region. Their efforts are aimed at discovering, attributing, and mitigating relevant regional threats, particularly those associated with the Israel-Hamas conflict.

Use of SysJoker in Targeted Attacks: The malware has been used in targeted attacks during the conflict, leveraging its capabilities as a multi-platform backdoor. This has raised concerns about its potential impact and the scale of its use in cyber warfare.

Hamas-Affiliation: The linkage of SysJoker to a Hamas-affiliated threat actor underscores the use of cyberattacks as a tool in broader geopolitical conflicts. It highlights the increasing role of sophisticated malware in state-affiliated or state-sponsored cyber operations.

SysJoker's involvement in the Israel-Hamas war and its evolution into a more capable backdoor illustrate the dynamic nature of cyber warfare and the ongoing need for vigilant cybersecurity efforts in conflict regions.

IoC

HOSTNAME

  • sharing-u-file.com
  • filestorage-short.org
  • audiosound-visual.com

IPv4

  • 85.31.231.49
  • 62.108.40.129

SHA256

  • e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836
  • d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72
  • 96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f
  • 79fde5d4b19cbd1f920535215c558b6ff63973b7af7d6bd488e256821711e0b1
  • 6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95
REFERENCES

  • https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/#:~:text=Israel,affiliated%20APT%20to%20target%20Israel
  • https://www.cybersecurity-review.com/news-november-2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/#:~:text=Israel,and%20mitigate%20relevant%20regional%20threats
  • https://thehackernews.com/2023/11/hamas-linked-cyberattacks-using-rust.html#:~:text=Nov%2024%2C%202023%20Newsroom%20Cyber,ongoing%20war%20in%20the%20region
  • https://otx.alienvault.com/pulse/6564bb8418af8424b8befa1b

TAGS

SysJoker

Attack Signals Possible Return of Genesis Market, Abuses Node.js, and EV Code Signing

The recent activities indicating the possible return of Genesis Market, a known website for facilitating fraud, involve the abuse of Node.js and Extended Validation (EV) Code Signing. These techniques were identified by the Trend Micro Managed XDR team, who observed malicious operations that mirrored the strategies previously employed by Genesis Market.

Key aspects of this attack include:

Use of Node.js: The attackers have been exploiting Node.js, a popular JavaScript runtime, using it as a platform to install backdoors on the infected systems. This abuse of Node.js represents a strategic approach to gaining and maintaining access within compromised environments.

Legitimate Code Signing Certificates: A critical part of the infection chain was the installation of an old but genuine version of Node.js carrying a valid code signing signature. The approach is insidious because it does not depend on the victim already having outdated software: the threat actor brings the runtime along with the payload, so signature-based allow-listing sees a properly signed Microsoft-trusted binary and the intrusion is harder to spot.

EV Code Signing for Defense Evasion: Extended Validation Code Signing is being used by threat actors for defense evasion. This technique leverages the trust granted to software that has been signed with an EV certificate to bypass security measures, allowing the malware to operate under the guise of legitimacy.

Possible Use of Google Colab: The threat actor behind these operations may also be using Google Colab to host search engine-optimized download sites. This tactic would allow them to distribute malicious payloads more effectively by leveraging Google's powerful search engine capabilities to reach a wider audience.

Genesis Market's Tactics: The similarities in techniques with those used by Genesis Market suggest a sophisticated level of operational capability and an understanding of effective cyber fraud methodologies.

This development underscores the ongoing evolution of cyber threats and the sophistication of tactics used by cybercriminals. The use of legitimate tools and platforms for malicious purposes highlights the need for heightened vigilance and advanced cybersecurity measures

IoC

HOSTNAME

  • 230927151335115.mxb.ewk48.shop
  • ps1-local.com
  • fast-difficult.monster

URL

  • https://ps1-local.com/obfs3ip2.bs64
  • https://fast-difficult.monster/api7.php?name=microsoft_barcode_control_16.0_download
  • http://230927151335115.mxb.ewk48.shop/f/fvgs30927001.msi

DETECTION NAME

  • trojan.win32.cookiemonster.jcb

SHA256

  • f30b39f5e722cb106f37d1738fff7ad20fa8e312d82e246d4a6e2175685b963b
  • d9ca193b5da85a3841ec749b67168c906e21bbaac40f0a0bff40839efb3a74c1
  • 3b0defb024e41af699b5dfc424a9ff276409f447edd24af024b34941f5ab62a9


REFERENCES

  • https://www.trendmicro.com/en_us/research/23/k/attack-signals-possible-return-of-genesis-market.html#:~:text=Malware%20Attack%20Signals%20Possible%20Return,taken%20down%20in%20April%202023
  • https://www.threatshub.org/blog/attack-signals-possible-return-of-genesis-market-abuses-node-js-and-ev-code-signing/
  • https://www.securitricks.com/attack-signals-possible-return-of-genesis-market-abuses-node-js-and-ev-code-signing-friday-november-24-2023/
  • https://otx.alienvault.com/pulse/65609160cddfd2987cac2ef3


TAGS

genesis market, lu0bot, malicious chrome extension

InfectedSlurs Botnet Spreads Mirai via Zero-Days

The InfectedSlurs Botnet, which leverages the Mirai malware, is a sophisticated cyber threat recently identified by the Akamai Security Incident Response Team (SIRT). This botnet has been exploiting two zero-day remote code execution (RCE) vulnerabilities to infect routers and Network Video Recorders (NVRs). The main goal of this botnet is to build a distributed denial-of-service (DDoS) botnet.

Key aspects of the InfectedSlurs Botnet include:

Exploitation of Zero-Day Vulnerabilities: InfectedSlurs has been using two zero-day RCE vulnerabilities to infiltrate and infect devices. These vulnerabilities are unpatched, making them particularly effective for malicious purposes.

Deployment of Mirai Malware: The botnet deploys the popular Mirai malware, known for its role in large-scale DDoS attacks. Mirai is notorious for exploiting insecure IoT devices and forming them into a botnet to launch DDoS attacks.

Monitoring Campaign: Akamai SIRT has been monitoring this botnet since late 2022 through custom-built honeypots. They have observed increased activity targeting a rarely used TCP port, indicating a strategic approach to finding vulnerable systems.

JenX Mirai Variant: InfectedSlurs is identified as a variant of the JenX Mirai malware, which first came to light in January 2018. The botnet has been codenamed 'InfectedSlurs' due to the use of racial and offensive language in its command-and-control (C2) servers and hard-coded strings.

Undisclosed Perpetrators: The perpetrators behind these attacks have not yet been identified. This anonymity adds to the threat's complexity, as it hampers efforts to track and mitigate the botnet's spread.

This botnet's activities highlight the ongoing risk posed by zero-day vulnerabilities and the importance of securing IoT devices against such sophisticated attacks. The use of Mirai malware and its variants in these attacks underlines the continued relevance of this malware in the cyber threat landscape

IoC

DOMAIN

  • cnc.kintaro.cc
  • skid.uno
  • sdfsd.xyz
  • rwziag.pirate
  • pqahzam.ink
  • ksarpo.parody
  • jiggaboojones.tech
  • infectedchink.online
  • infectedchink.cat

REFERENCES

  • https://www.akamai.com/blog/security-research/new-rce-botnet-spreads-mirai-via-zero-days#:~:text=These%20vulnerabilities%20are%20being%20actively,the%20popular%20malware%20family%20Mirai
  • https://www.bleepingcomputer.com/news/security/new-botnet-malware-exploits-two-zero-days-to-infect-nvrs-and-routers/#:~:text=November%2022%2C%202023,infect%20routers%20and%20video
  • https://gridinsoft.com/blogs/infectedslurs-botnet-mirai-malware/#:~:text=InfectedSlurs%20Botnet%20Exploits%20Zero,SIRT%20in%20a%20recent%20development
  • https://otx.alienvault.com/pulse/6560a2629741c6dccf310fd3

TAGS

mirai, infectedslurs, jenx, hailbot

The Continued Evolution of the DarkGate Malware-as-a-Service

The DarkGate malware, which has evolved into a Malware-as-a-Service (MaaS) offering, has seen significant developments in its distribution and operational tactics. Initially, DarkGate Loader was primarily disseminated via traditional email malspam campaigns, similar to those used by the infamous Emotet malware. However, since June 2023, there has been a notable increase in malspam campaigns involving DarkGate Loader, following its advertisement as a MaaS on popular cybercrime forums.

Telekom Security has seen the DarkGate malware family in the hands of several cybercrime groups: its developer rents it to a limited set of affiliates, a structured model that points to DarkGate remaining a significant threat for years to come.

One notable aspect of the DarkGate campaign is its use of instant messaging platforms such as Skype and Microsoft Teams to deliver the payload. Between July and September, the campaign, detected by Trend Micro as TrojanSpy.AutoIt.DARKGATE.AA, used these platforms to send victims a Visual Basic for Applications (VBA) loader script, which then downloaded and executed a second stage written in the AutoIt scripting language. The chain illustrates how the malware's delivery keeps shifting toward channels users trust.

The feature list advertised for DarkGate includes phone unlocking, total command and control, data dumping, remote access, creation of hidden users, privilege escalation, malware spreading, tracking, defacement, libel, and harassment. Whatever the marketing, the breadth of the list shows DarkGate being sold as a general-purpose tool for a wide range of malicious activity.

Overall, the continued evolution of the DarkGate Malware-as-a-Service underscores the dynamic nature of cyber threats and the importance of continuous monitoring and updating of cybersecurity measures to protect against such sophisticated and adaptable malware


IoC

SHA256

  • fffa5abebf578cfc2200b4856889e397e412e56c5bff0032d2d7565d9286685f
  • feeddfb2a7cc4945eaedd8f75907c42ff097252c3e38d7ef2006bd7a191f09ae
  • fa0a47360f68f211413d582d2c73035594a9191c2399c52612c940b45402065f
  • f8fcf37ab1e391d1809c4b5baf00d669c4263682d99230432c5199bde5914a60
  • f1fa42c3d50d4468b9ac3f7e5cdb1160c8f7ed7bbb6e4017859b837dac7e8d93
  • f02928ec21ad8c600eef3e3a006581a3af858975cbc2ad29ba3dfdd1a78d3cb9
  • e7b76e11101e35c46a7199851f82c69e819a3d856f6f68fa3af0636c3efde0ca
  • de2064d4363a3ccbda5518c619f1c803393b0876e349530583a72b1d1643c16a
  • da27475894815900fefb9d383de0d255bfa3b7a22927b2912a2d614742b3109c
  • d2b24a51e7e12fded160344bbac9ee1a9082b690d0c6f326170ea8a224038215

REFERENCES

  • https://otx.alienvault.com/pulse/64f09671ab42514bf1db37a3
  • https://otx.alienvault.com/pulse/64ff2147a9c6a0ac000ebf2f
  • https://otx.alienvault.com/pulse/6560841a3ac666c2f0862496


TAGS

DarkGate, Malware-as-a-Service, RastaFarEye

MetaStealer - Redline's Doppelgänger

MetaStealer, which emerged on Russian hacking forums on March 7, 2022, is a sophisticated piece of malware often referred to as Redline's Doppelgänger. It is designed to emulate the functionality, code, and control panel of the well-known Redline Stealer malware. The developers of MetaStealer claim to have made significant improvements to the payload's stub, enhancing its effectiveness and stealth capabilities.

Key aspects of MetaStealer include:

Functionality: It incorporates similar features to Redline Stealer, which is known for its data-stealing capabilities. This includes the theft of personal information, credentials, and potentially financial data from infected systems.

Development and Availability: The malware was made available for purchase on hacking forums, indicating its role in the cybercrime-as-a-service ecosystem. It is priced at $150 per month, which is consistent with the pricing model of Redline Stealer.

Target and Operation: As a malware similar to Redline, MetaStealer is likely to target a broad range of systems, with a particular focus on those with valuable data and credentials. Its operation involves stealthy infiltration and data exfiltration.

Cybersecurity Community's Response: The cybersecurity community has been actively working on understanding MetaStealer, its detection, and the development of countermeasures. It's considered a part of the same malware family as Redline, underscoring the ongoing challenge of detecting and combating such threats.

MetaStealer's emergence and its similarities to Redline Stealer exemplify the ongoing evolution of malware tools and tactics in the cybercriminal world. It highlights the importance of continuous vigilance, advanced cybersecurity measures, and the need for regular updates and monitoring to protect against such evolving threats.

IoC

SHA256


REFERENCES

  • https://russianpanda.com/2023/11/20/MetaStealer-Redline's-Doppelganger/#:~:text=RussianPanda%20Research%20Blog%20MetaStealer%20,the%20stub%20of%20the%20payload
  • https://www.securitricks.com/metastealer-redlines-doppelganger-friday-november-24-2023/
  • https://otx.alienvault.com/pulse/656081565b87ed05ff3c7d55

TAGS

MetaStealer, Redline

Tracking Vidar Infrastructure with Censys

The Vidar malware, an evolution of the Arkei information stealer, is notable for its ability to extract data from 2FA software and the Tor Browser. Vidar's command and control (C2) servers are known to use HTTP over TLS and to carry hardcoded subject and issuer distinguished names (DNs) on their certificates. This technique enhances the stealthiness of the malware's communications and makes its network activity more challenging to detect and analyze.

Censys, a cybersecurity platform that specializes in tracking and analyzing internet assets and infrastructures, has been instrumental in tracking the infrastructure used by the Vidar malware. This tracking is a part of a broader strategy in cybersecurity known as Advanced Persistent Infrastructure Tracking. The use of Open Source Intelligence (OSINT) services, like those offered by Censys, is critical in identifying and monitoring the servers and other internet infrastructure that malicious actors use to conduct their activities.

This kind of infrastructure tracking is essential in understanding the scope and methodology of large-scale cyber campaigns. The more extensive the campaign, the more servers and other internet infrastructure are typically required. By monitoring these infrastructures, cybersecurity experts can gain insights into the scale of an attack, the methods used by attackers, and potential ways to mitigate these threats.

The Vidar malware's use of sophisticated techniques for data exfiltration and its ability to target secure software such as 2FA tools and the Tor Browser highlight the increasing complexity of threats in the cyber landscape. Such threats require advanced tools and methodologies for detection and analysis, emphasizing the importance of platforms like Censys in modern cybersecurity operations.
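The pivot described above, hunting for hosts whose certificates carry one hardcoded subject/issuer DN pair, as an added example (not Censys code and not from the Vidar report). The host records and DN values are constructed placeholders shaped like certificate-search results; the real Vidar DNs are not reproduced here.

```python
"""Cluster hosts by the subject/issuer distinguished names on their TLS certificates.

Added example, not Censys code and not from the Vidar report. The records below are
constructed to look like certificate-search results (ip, port, subject_dn, issuer_dn);
the DN values are placeholders, not the DNs the real Vidar C2 certificates carry.
"""
from collections import defaultdict


def parse_dn(dn):
    """Split an RFC 4514-style DN into (ATTR, value) pairs, honouring backslash-escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        if attr:
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_fingerprint(subject_dn, issuer_dn):
    """Order-independent key, so 'C=XX, O=x' and 'O=x, C=XX' land in the same cluster."""
    return tuple(sorted(parse_dn(subject_dn))), tuple(sorted(parse_dn(issuer_dn)))


def cluster_hosts(records):
    """Group host:port strings by certificate fingerprint; a large group sharing one odd DN pair is the pivot."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[dn_fingerprint(rec["subject_dn"], rec["issuer_dn"])].append(f'{rec["ip"]}:{rec["port"]}')
    return dict(clusters)


def hosts_with_dn(records, subject_dn, issuer_dn):
    """Hosts whose certificate carries exactly the given hardcoded subject/issuer pair."""
    return cluster_hosts(records).get(dn_fingerprint(subject_dn, issuer_dn), [])


# Constructed sample records; IPs are from the RFC 5737 documentation range.
HUNT_SUBJECT = "C=XX, ST=Placeholder, O=Placeholder Org, CN=placeholder.invalid"
HUNT_ISSUER = "C=XX, O=Placeholder Issuer\\, Ltd, CN=placeholder-ca.invalid"
RECORDS = [
    {"ip": "192.0.2.10", "port": 443, "subject_dn": HUNT_SUBJECT, "issuer_dn": HUNT_ISSUER},
    {"ip": "192.0.2.11", "port": 443, "subject_dn": HUNT_SUBJECT, "issuer_dn": HUNT_ISSUER},
    # same DNs with the attributes in a different order still match
    {"ip": "192.0.2.12", "port": 8443,
     "subject_dn": "CN=placeholder.invalid, O=Placeholder Org, ST=Placeholder, C=XX",
     "issuer_dn": "CN=placeholder-ca.invalid, O=Placeholder Issuer\\, Ltd, C=XX"},
    # unrelated host with an ordinary certificate
    {"ip": "192.0.2.20", "port": 443, "subject_dn": "CN=shop.example",
     "issuer_dn": "C=XX, O=Example CA, CN=Example R1"},
]

if __name__ == "__main__":
    print(hosts_with_dn(RECORDS, HUNT_SUBJECT, HUNT_ISSUER))
```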

IoC

URL

  • www.avisclair.com
  • join.naxtm.cfd

IPv4


REFERENCES

  • https://censys.com/tracking-vidar-infrastructure/#:~:text=Tracking%20Vidar%20Infrastructure%20Vidar%2C%20a,distinguished%20names%20%28DNs%29%20on%20certificates
  • https://www.securitricks.com/tracking-vidar-infrastructure-with-censys-friday-november-24-2023/#:~:text=Tracking%20Vidar%20Infrastructure%20with%20Censys,24T11%3A01%3A45.850Z.%20Modified
  • https://censys.com/advanced-persistent-infrastructure-tracking/#:~:text=Advanced%20Persistent%20Infrastructure%20Tracking%20December,the%20more%20servers%20are%20needed
  • https://otx.alienvault.com/pulse/6560829a84f4d4c9903e5443

TAGS

Vidar

ParaSiteSnatcher: How Malicious Chrome Extensions Target Brazil

ParaSiteSnatcher is a malicious Chrome extension specifically designed to target users in Latin America, with a particular focus on Brazil. This extension has been crafted to exploit the capabilities of the Google Chrome API, allowing it to monitor, intercept, and exfiltrate sensitive data from victims. Its modular framework consists of highly obfuscated components, showcasing the sophistication of its design.

Key characteristics of ParaSiteSnatcher include:

Targeted Browsers: While it primarily targets Google Chrome, it is also designed to run on other Chromium-based browsers such as Microsoft Edge, Brave, and Opera, and it may also be compatible with Firefox and Safari.

Capabilities: Once installed, ParaSiteSnatcher leverages the extensive permissions granted to the extension. These let it manipulate web sessions and web requests and, through the Chrome tabs API, track user interactions across multiple tabs.

Data Exfiltration: The framework of ParaSiteSnatcher allows threat actors to monitor, manipulate, and exfiltrate highly sensitive information from multiple sources. This includes the ability to intercept and exfiltrate all POST requests containing sensitive data.

Targets: The primary targets of this malicious extension include users' personal information, with a significant focus on banking websites and payment systems, indicating a financial motivation behind the attacks.

The discovery of ParaSiteSnatcher underlines the growing trend of attackers using seemingly legitimate extensions as a vector for sophisticated cyber attacks. This serves as a reminder of the importance of scrutinizing extensions and the permissions they request, particularly in regions like Latin America where such targeted attacks are becoming more prevalent.
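A defender-side check for the permission profile described above (tabs API, interception of requests on every site), as an added example that is not analysis code from the Trend Micro report. Both manifests are constructed: SUSPICIOUS mirrors the described capabilities, BENIGN is a narrowly scoped extension for contrast; neither is the real extension's manifest.

```python
"""Audit a Chrome extension manifest for the permission profile that enables session and request theft.

Added example, not analysis code from the Trend Micro report. The manifests below are
constructed: SUSPICIOUS mirrors the capabilities described for ParaSiteSnatcher (tabs API,
interception of requests on every site), BENIGN is a narrowly scoped extension for contrast.
"""
import json

# API permissions that, combined with broad host access, let an extension read or alter web sessions.
SENSITIVE = {
    "webRequest": "observe every request; with the requestBody option, read POST bodies",
    "webRequestBlocking": "modify or cancel requests in flight",
    "tabs": "read URLs and titles and track activity across all tabs",
    "cookies": "read and set cookies, i.e. session tokens, for permitted origins",
    "scripting": "inject scripts into pages at runtime",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """MV2 mixes host patterns into 'permissions'; MV3 separates them into 'host_permissions'.
    Content-script match patterns count too, since injected scripts see the page's DOM."""
    patterns = set(manifest.get("host_permissions", []))
    patterns |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Return findings plus a coarse risk tier; 'can_intercept_all_requests' is the webRequest + all-sites combo."""
    perms = set(manifest.get("permissions", []))
    broad = sorted(host_patterns(manifest) & BROAD_HOSTS)
    findings = [f"{p}: {SENSITIVE[p]}" for p in sorted(perms & set(SENSITIVE))]
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    intercepts = bool(broad) and "webRequest" in perms
    score = len(findings) + (2 if intercepts else 0)
    tier = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"manifest_version": manifest.get("manifest_version"), "findings": findings,
            "can_intercept_all_requests": intercepts, "risk": tier}


# Constructed manifests (JSON text, as shipped inside an extension package).
SUSPICIOUS = json.loads("""{
  "manifest_version": 2, "name": "constructed-sample", "version": "1.0",
  "permissions": ["tabs", "webRequest", "webRequestBlocking", "cookies", "storage", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
  "background": {"scripts": ["background.js"]}
}""")
BENIGN = json.loads("""{
  "manifest_version": 3, "name": "constructed-benign", "version": "1.0",
  "permissions": ["storage"],
  "host_permissions": ["https://docs.example/*"]
}""")

if __name__ == "__main__":
    for manifest in (SUSPICIOUS, BENIGN):
        print(json.dumps(audit_manifest(manifest), indent=2))
```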

IoC

URL



DOMAIN

  • webgoalarm.online
  • nonbrowm.com
  • mnksystem.online
  • backmnk.online


SHA256

  • ec22d946dc9538100875b86d2f6035f3541f5e3f08698304b9591efeea7d09a2

TAGS

parasitesnatcher, malicious chrome extension, stealer


REFERENCES

  • https://www.trendmicro.com/en_us/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html#:~:text=ParaSiteSnatcher%3A%20How%20Malicious%20Chrome%20Extensions,3275%20words
  • https://www.hivepro.com/threat-advisory/parasitesnatcher-a-silent-threat-to-latin-america/#:~:text=ParaSiteSnatcher%20is%20a%20malicious%20Google,compatibility%20with%20Firefox%20and%20Safari
  • https://www.threatshub.org/blog/parasitesnatcher-how-malicious-chrome-extensions-target-brazil/#:~:text=Once%20installed%2C%20the%20extension%20manifests,content%20scripts%20that%20enable
  • https://otx.alienvault.com/pulse/65607dfd5aa46bd47238155f


Wednesday, November 29, 2023

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

The WailingCrab malware represents a sophisticated and evolving cyber threat, characterized by its multi-component nature and advanced communication techniques. Since mid-2023, a significant development in its operation has been the adoption of the MQTT (Message Queuing Telemetry Transport) protocol for Command and Control (C2) communications. MQTT is a lightweight messaging protocol primarily used in Internet-of-Things (IoT) applications. This protocol offers a level of stealth for the malware by utilizing a publish/subscribe architecture and a centralized broker, making it more challenging to detect and intercept its communications.

This change in communication strategy indicates a focused effort by the operators of WailingCrab to enhance stealth and avoid detection. Notably, newer variants of the malware have removed previous methods of payload retrieval, such as callouts to Discord, further increasing its ability to operate undetected.

The use of MQTT for C2 communications is a significant tactical shift, underscoring the malware's adaptability and the threat actor's sophistication in leveraging less conventional channels for their malicious activities. Such developments highlight the need for ongoing vigilance and adaptation in cybersecurity defenses, especially given the increasing complexity and stealthiness of emerging malware variants like WailingCrab.
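To monitor for C2 hiding in MQTT, a network sensor needs to decode the protocol's CONNECT and PUBLISH packets; the decoder below is an added example, not code from the WailingCrab write-up or from any MQTT library. The sample packets are hand-assembled, `is_suspicious` and `PUBLIC_BROKERS` are assumed helper names, and test.mosquitto.org is added as a second public broker alongside the broker.emqx.io hostname from the report.

```python
"""Minimal MQTT 3.1.1 control-packet decoder for a network sensor.

Added example, not code from the WailingCrab write-up or from any MQTT library.
A sensor that sees MQTT on the wire needs the CONNECT client identifier and the
PUBLISH topic/payload to tell C2 beaconing from IoT telemetry; this decoder pulls
exactly those fields out of raw packet bytes.
"""
import struct

PACKET_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 8: "SUBSCRIBE", 12: "PINGREQ"}

# Public brokers. broker.emqx.io is the hostname listed in the WailingCrab report;
# test.mosquitto.org is another well-known open test broker, added here as an assumption.
PUBLIC_BROKERS = {"broker.emqx.io", "test.mosquitto.org"}


def decode_remaining_length(data, offset):
    """MQTT variable-length integer: 7 value bits per byte, MSB set means 'more bytes'."""
    value, multiplier = 0, 1
    for i in range(4):  # the spec caps the field at four bytes
        byte = data[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")


def read_utf8_string(data, offset):
    """MQTT strings are a 2-byte big-endian length followed by UTF-8 bytes."""
    (length,) = struct.unpack_from(">H", data, offset)
    start = offset + 2
    return data[start:start + length].decode("utf-8"), start + length


def parse_packet(data):
    """Return a dict describing one control packet; CONNECT and PUBLISH get field-level detail."""
    ptype, flags = data[0] >> 4, data[0] & 0x0F
    remaining, body_start = decode_remaining_length(data, 1)
    body = data[body_start:body_start + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    info = {"type": PACKET_TYPES.get(ptype, f"UNKNOWN({ptype})")}
    if ptype == 1:  # CONNECT: protocol name, level, connect flags, keep-alive, client id
        proto, off = read_utf8_string(body, 0)
        level, keepalive = body[off], struct.unpack_from(">H", body, off + 2)[0]
        client_id, _ = read_utf8_string(body, off + 4)
        info.update(protocol=proto, level=level, keepalive=keepalive, client_id=client_id)
    elif ptype == 3:  # PUBLISH: topic, packet id only when QoS > 0, then the payload
        qos = (flags >> 1) & 0x03
        topic, off = read_utf8_string(body, 0)
        if qos > 0:
            off += 2
        info.update(topic=topic, qos=qos, payload=bytes(body[off:]))
    return info


def is_suspicious(info, dst_host):
    """Flag a CONNECT from a workstation to a public broker: ordinary endpoints do not do this."""
    return info["type"] == "CONNECT" and dst_host in PUBLIC_BROKERS


# Constructed sample packets (hand-assembled, not captured traffic).
SAMPLE_CONNECT = b"\x10\x11\x00\x04MQTT\x04\x02\x00\x3c\x00\x05bot01"   # clean session, keep-alive 60 s
SAMPLE_PUBLISH_QOS0 = b"\x30\x0c\x00\x06cmd/inping"                     # topic cmd/in, payload "ping"
SAMPLE_PUBLISH_QOS1 = b"\x32\x08\x00\x03a/b\x00\x01x"                   # packet id 1, payload "x"

if __name__ == "__main__":
    for pkt in (SAMPLE_CONNECT, SAMPLE_PUBLISH_QOS0, SAMPLE_PUBLISH_QOS1):
        print(parse_packet(pkt))
    print("suspicious:", is_suspicious(parse_packet(SAMPLE_CONNECT), "broker.emqx.io"))
```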

IoC

URL

HOSTNAME

  • broker.emqx.io

SHA256

  • 9d80eb4be1e9139a03a6aa3f053fec14ed1880251b1f13d85d84d7d64dddd581
  • 50810e4696dd075ca23349e3e1c3a87fc7b46ab89f4b1eb093a5cfb74f84cc51

REFERENCES

  • https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/
  • https://cybersecuritynews.com/wailingcrab-abuse-messaging-protocol/#:~:text=WailingCrab%20Malware%20Abuse%20Messaging%20Protocol,Things%20%28IoT%29%20messaging%20protocol
  • https://thehackernews.com/2023/11/alert-new-wailingcrab-malware-loader.html#:~:text=,payloads%2C%20further%20increasing%20its%20stealthiness
  • https://otx.alienvault.com/pulse/655f0e65bf8eca4a87a2144d


TAGS

wailingcrab, mqtt, backdoor, loader, hive0133, ta544

Diamond Sleet supply chain compromise distributes a modified CyberLink installer

The Diamond Sleet supply chain compromise is a sophisticated cyber attack attributed to a North Korea-based threat actor that Microsoft tracks as Diamond Sleet and that is also known as ZINC or Lazarus Group. The attack involves a maliciously modified version of a legitimate software installer developed by CyberLink Corp., a company specializing in multimedia software products.

Microsoft Threat Intelligence has uncovered this supply chain attack, revealing that the compromised CyberLink installer is being used to distribute LambLoad malware. This malware is part of a broader strategy employed by the Lazarus Group to infiltrate and compromise systems globally. The modified installer acts as a conduit for the malware, exploiting the trust in legitimate software to gain unauthorized access to systems and networks.

The Lazarus Group, well known in the cybersecurity industry, has a history of conducting sophisticated cyber attacks. This recent supply chain compromise against CyberLink users underlines the group's continued focus on exploiting widely used software to further its objectives, including espionage, data theft, and other cybercrimes. The attack not only highlights the evolving tactics of advanced threat actors but also underscores the importance of stringent security measures in software supply chains.

IoC

URL

  • https://zeduzeventos.busqueabuse.com/wpadmin/js/widgets/sub/wids.php
  • https://www.webville.net/images/CL202966126.png
  • https://mantis.jancom.pl/bluemantis/image/addon/addin.php

SHA256

  • 915c2495e03ff7408f11a2a197f23344004c533ff87db4b807cc937f80c217a1
  • 166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be
  • 089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d

SHA1

  • 8aa3877ab68ba56dabc2f2802e813dc36678aef4

MD5

  • 0a08d3601636378f0a7d64fd09e4a13b


REFERENCES

  • https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/#:~:text=Microsoft%20Threat%20Intelligence%20has%20uncovered,that%20develops%20multimedia%20software%20products
  • https://www.scmagazine.com/brief/trojanized-cyberlink-installer-used-in-global-lazarus-supply-chain-attack
  • https://siliconangle.com/2023/11/22/cyberlink-targeted-supply-chain-attack-infamous-lazarus-hacking-group/#:~:text=The%20threat%20actor%2C%20called%20Diamond,used%20as%20a%20conduit
  • https://otx.alienvault.com/pulse/655f0ab585a20bff0cac8b7c


TAGS

diamond sleet, lambload, zinc, supply chain attack, cyberlink


HrServ – Previously unknown web shell used in APT attack

The HrServ web shell is a newly identified malicious tool that has been used in an Advanced Persistent Threat (APT) attack, primarily targeting the Afghan government. Discovered as a dynamic-link library (DLL) file named "hrserv.dll", HrServ exhibits sophisticated features, including custom encoding methods for client communication and the ability to execute code directly in memory.

Kaspersky researchers have analyzed HrServ and found that it possesses both APT and crimeware features. This web shell has likely been active since 2021 and represents a significant cybersecurity threat. It enables remote server administration, allowing attackers to gain unauthorized access and control over the affected systems. One of the key capabilities of HrServ is its ability to erase tracks, which makes detecting and tracing the activities of the attackers more challenging.

APT groups have been using HrServ to break into Windows systems, exploiting its advanced features to carry out their malicious activities. The use of such sophisticated tools in APT attacks highlights the evolving nature of cybersecurity threats and the need for continuous vigilance and updated security measures.

IoC

SHA256

  • f38517692ab3e817182a396a407d9fe1c260c89bb6b733764737562f235115f0
  • 8043e6c6b5e9e316950ddb7060883de119e54f226ab7a320b743be99b9c10ec5

SHA1

  • cb257e00a1082fc79debf9d1cb469bd250d8e026
  • a5796a2cc31e1ab1a8a12131f803affe735a835f

MD5

  • b9b7f16ed28140c5fcfab026078f4e2e
  • 890fe3f9c7009c23329f9a284ec2a61b
  • d0fe27865ab271963e27973e81b77bae
  • 418657bf50ee32acc633b95bac4943c6

REFERENCES

  • https://thehackernews.com/2023/11/new-hrservdll-web-shell-detected-in-apt.html#:~:text=A%20new%20web%20shell%20called,and%20execute%20code%20in%20memory
  • https://securelist.com/hrserv-apt-web-shell/111119/#:~:text=In%20this%20report%20Kaspersky%20researchers,likely%20been%20active%20since%202021
  • https://otx.alienvault.com/pulse/655e28718ae876cc76a77b6c

TAGS

apt, hrserv, webshell

Cryptojacking Attack Campaign Against Apache Web Servers Using Cobalt Strike

A recent cryptojacking campaign has been targeting Apache web servers, specifically those running on Windows. It was identified and is being monitored by the AhnLab Security Emergency Response Center (ASEC) in South Korea. The attack installs the XMRig coin miner on compromised servers. The threat actors use Cobalt Strike, a legitimate penetration-testing tool that attackers routinely repurpose, as the medium for launching the attack. The campaign targets poorly managed or vulnerable web servers, particularly those with unpatched vulnerabilities. Apache web servers are widely deployed across many environments, including Linux, but in this campaign the focus has been on Windows hosts.


IoC

URL


HOSTNAME

  • www.beita.site
  • gd.one188.one

IPv4

  • 202.30.19.218
  • 121.135.44.49

SHA256

  • ddc6ec41d3fb93bcdb6c6730f2b3d89fabe3623234cce15ea9fe1a78fc641e82

REFERENCES

  • https://www.securitricks.com/cryptojacking-attack-campaign-against-apache-web-servers-using-cobalt-strike-wednesday-november-22-2023/#:~:text=Cryptojacking%20Attack%20Campaign%20Against%20Apache,11
  • https://otx.alienvault.com/pulse/655e17bd280ae5a6d043b267
  • https://cybersecuritynews.com/hackers-attacking-apache-web-servers/#:~:text=November%2021%2C%202023%20An%20attack,systems%20with%20APT%20and%20ransomware

TAGS

apache web server, xmrig, cobalt strike, gh0st rat

Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group)


The Andariel group, identified as a South Korean threat actor and believed to be connected with or a subsidiary of the Lazarus group, has been involved in distributing malware via an attack exploiting an asset management program. This information has been analyzed and reported by AhnLab Smart Defense (ASD) and the ASEC analysis team. The Andariel group has been active since at least 2009 and is known for targeting South Korean government agencies, military organizations, and various domestic companies, along with conducting cyber financial operations against ATMs, banks, and cryptocurrency exchanges.

In their recent operations, Andariel has exploited vulnerabilities such as Log4Shell and flaws in software such as the Innorix Agent to attack targets across various sectors in South Korea. The group has used malware including TigerRAT, NukeSped variants, Black RAT, and Lilith RAT in these attacks. An attack targeting MS-SQL Server was also identified around the same time as these incidents.

IoC

DOMAIN

  • song.th

URL



REFERENCES

  • https://asec.ahnlab.com/en/59073/
  • https://otx.alienvault.com/pulse/655b181c20eca1d03e584eb2

TAGS

andariel group, tigerrat, nukesped, black rat, lilith rat, type, c server, mssql server, nirsoft, malware, lazarus, netpass, kimsuky, downloader, andariel, html, golang, black, lilith


Fog of Cyber Warfare: Cloud Atlas Spies Attack Russian Companies Under the Guise of Supporting NWO Participants

Cloud Atlas is a pro-government advanced persistent threat (APT) group that specializes in cyber espionage and theft of confidential informa...