Sunday, December 31, 2023

Smoke and Mirrors: Understanding The Workings of Wazawaka

The "Smoke and Mirrors: Understanding The Workings of Wazawaka" report provides a detailed analysis of Wazawaka, also known as Mikhail Pavlovich Matveev, and his alleged involvement in cybercriminal activities. The report delves into Wazawaka's background, affiliations, and tactics within the threat landscape, shedding light on his team and close relations with other threat actors. It is suggested that the contents of the report can be used as admissible proof before legal authorities. Wazawaka has recently gained prominence within the Threat Intelligence (TI) community, raising concerns across the cyber realm. The research is aimed at information security leaders seeking to enhance their risk management. The report is significant for understanding the dynamics of the digital threat landscape and the individuals and groups operating within it.

IoC

    IPv4

  • 79.124.59.178

    MD5

  • 11d211ce3fa615ce35bff30fa37e9251

    SHA1

  • eba816d7dc084d5702ad5d222c9b6429755b25fd

REFERENCES

  • https://resources.prodaft.com/wazawaka-report
  • https://cert.gov.ua/article/3761104
  • https://25491742.fs1.hubspotusercontent-eu1.net/hubfs/25491742/WAZAWAKA_TLPCLEAR_Report.pdf
  • https://otx.alienvault.com/pulse/658b00f1732e5418858a1b63

TAGS

ransomware, monti, tor, lockbit, raas, trigona, conti, vpn brute force, powershell


Android Banking Trojan Chameleon can now bypass any Biometric Authentication

The Android Banking Trojan Chameleon has recently been updated with new features, including the ability to bypass any biometric authentication. This variant of the Chameleon malware has been active since early 2023 and initially targeted mobile banking applications in Australia and Poland, but has since expanded its reach to the UK and Italy. The updated Chameleon variant has two notable new features:

Bypassing Biometric Authentication: The malware uses an HTML page to guide the victim through a manual step-by-step process to enable the Accessibility service on their device. This allows the malware to perform Device Takeover (DTO) and bypass biometric authentication, such as fingerprint locks. This bypass method provides underground actors with two advantages: the ability to steal PINs, passwords, or graphical keys through keylogging functionalities, as biometric data remains inaccessible to them, and the ability to unlock devices using previously stolen PINs or passwords.

Task Scheduling: The updated Chameleon variant introduces task scheduling using the AlarmManager, allowing the malware to perform unauthorized actions on the user's behalf at specific times.

These new features make the Chameleon malware more sophisticated and adaptable, posing a significant threat to the mobile security landscape. It is essential to maintain robust cybersecurity measures to mitigate the risk of malware delivery and social engineering attacks.

IoC

    SHA256

  • 0a6ffd4163cd96d7d262be5ae7fa5cfc3affbea822d122c0803379d78431e5f6
  • 2211c48a4ace970e0a9b3da75ac246bd9abaaaf4f0806ec32401589856ea2434

REFERENCES

  • https://www.securityweek.com/chameleon-android-malware-can-bypass-biometric-security/
  • https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action
  • https://siliconangle.com/2023/12/24/new-chameleon-android-malware-variant-emerges-fingerprint-lock-bypass-capability/
  • https://otx.alienvault.com/pulse/6585a108d98cf0b320927060

TAGS

android, chameleon, zombinder, device takeover, trojan, html page, chameleon banking

BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates

The "BattleRoyal" cluster, as identified by Proofpoint researchers, is a cyber threat activity involving the use of DarkGate and NetSupport malware. The cluster has been associated with at least 20 email campaigns from September to November 2023, utilizing diverse delivery methods such as emails, Microsoft Teams, Skype, malvertising, and fake updates. The campaigns have demonstrated a transition from DarkGate to NetSupport, indicating a strategic shift or a response to the evolving threat landscape. The actor behind the BattleRoyal cluster has employed multiple attack chains, including the use of both email and compromised websites with fake update lures to deliver the DarkGate malware. This highlights a new trend among cybercriminals, showcasing increasingly creative and varied attack strategies. The campaigns have also been notable for their exploitation of CVE-2023-36025 and the use of a RogueRaticate fake update activity cluster. The threat posed by the BattleRoyal cluster underscores the importance of robust cybersecurity measures to mitigate the risk of malware delivery and social engineering attacks.

IoC

    CVE

  • CVE-2023-36025

    IPv4

  • 5.181.159.29
  • 79.110.62.96

REFERENCES

  • https://www.infosecurity-magazine.com/news/battleroyal-cluster-signals/
  • https://cyware.com/news/battleroyal-threat-cluster-spread-darkgate-rat-via-email-and-fake-browser-updates-99a80b43
  • https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
  • https://otx.alienvault.com/pulse/65855c8bd0709c708a894ca2

TAGS

BattleRoyal, DarkGate, Fake Browser Updates

New MetaStealer malvertising

The "New MetaStealer" malvertising campaigns involve the distribution of a piece of malware called MetaStealer through malicious online advertisements. MetaStealer is a type of info-stealer malware that is designed to exfiltrate sensitive information from infected systems. The campaigns have been observed leveraging a code base previously used by RedLine and have been distributed through various channels, including malspam and malvertising. The developers of MetaStealer have announced the release of a new and improved version of the malware, indicating ongoing development and potential future threats. The campaigns have targeted users through ads for popular software such as Notepad++ and AnyDesk. These malvertising campaigns represent a significant threat to online security, as they can lead to the compromise of sensitive information and the potential for further malicious activity.

IoC

    MD5

  • 2a4b0b65897e7fd494ad0aced7f42aeb
  • 8ba7059cc766798bc3993b720f561c11

    SHA1

  • 7cdcbd78194eeaa4e3793c5b19d84537ff71bb3c
  • 891ad3e89d469f55245738a99c3e71e8a2a4fa42

    SHA256

  • 949c5ae4827a3b642132faf73275fb01c26e9dce151d6c5467d3014f208f77ca
  • 99123063690e244f95b89d96759ec7dbc28d4079a56817f3152834047ab047eb
  • c5597da40dee419696ef2b32cb937a11fcad40f4f79f9a80f6e326a94e81a90f

    URL

  • http://rawnotepad.com/notepad++.zip
  • http://startworkremotely.com/Anydesk.zip

    DOMAIN

  • cewgwsyookogmmki.xyz

REFERENCES

  • https://cyware.com/news/new-metastealer-malvertising-campaigns-spotted-f4f882cc
  • https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metastealer-malvertising-campaigns
  • https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metastealer-malvertising-campaigns/amp
  • https://otx.alienvault.com/pulse/658469e72f85cfbf44de42a6

TAGS

metastealer, malvertising

Modus operandi UAC-0177 (JokerDPR) on the example of one of the cyber attacks

The provided links do not contain the specific details of the "Modus operandi UAC-0177 (JokerDPR)" cyber attack. As a result, I'm unable to provide the example of the cyber attack. If you have access to other sources that provide details about this cyber attack, I would be happy to help you analyze the information and provide insights.

IoC

    IPv4

  • 179.43.162.29
  • 185.196.9.215
  • 80.78.22.194

    URL

  • http://edisk.ukr.net.ssl2.link/shared/

    HOSTNAME

  • account.certifiedauth.in
  • account.coinbase.exmo.day

REFERENCES

  • https://cert.gov.ua/article/6276799
  • https://otx.alienvault.com/pulse/6584684fa9224d5643a0e891

TAGS

phishing, credential stealing

CALISTO doxxing: Sekoia.io findings concurs to Reuters’ investigation on FSB-related Andrey Korinets

According to a blog post by Sekoia.io, its technical investigation confirmed the link between the previously known intrusion set Star Blizzard (aka CALISTO) and Andrey Korinets, who was recently sanctioned by the USA and UK governments for his involvement in CALISTO operations. Sekoia.io's investigation was based on Korinets' emails and a former CALISTO infrastructure, which allowed the researchers to identify several email addresses used by Korinets that were associated with that infrastructure. The investigation disclosed links between Korinets' activities and a large technical cluster composed of dozens of CALISTO phishing domains and multiple servers. Sekoia.io's findings concur with Reuters' investigation on the FSB-related Andrey Korinets.

IoC

REFERENCES

  • https://blog.sekoia.io/calisto-doxxing-sekoia-io-findings-concurs-to-reuters-investigation-on-fsb-related-andrey-korinets/
  • https://otx.alienvault.com/pulse/65845530e91ba2f86699a818

TAGS

star blizzard, phishing

Why Is an Australian Footballer Collecting My Passwords? The Various Ways Malicious JavaScript Can Steal Your Secrets

Malicious JavaScript is increasingly being used to steal sensitive information, including passwords and credit card numbers. Researchers at Unit 42 have observed threat actors using malicious JavaScript samples to steal sensitive information by abusing popular survey sites, low-quality hosting, and web chat APIs. In some campaigns, attackers created chatbots registered to someone noteworthy, such as an Australian footballer. Other malware campaigns included web skimmers injected into compromised sites and traditional phishing sites.

The malware tries to evade traditional static and dynamic analysis by using obfuscation, unusual Document Object Model (DOM) interactions, and selective payload detonation. Using JavaScript malware sandboxes, the researchers identified campaigns that collect passwords and credit card information.

To protect yourself from malicious JavaScript, it's essential to be cautious when clicking on links, especially in emails or on social media. Make sure to verify the legitimacy of the website and the information it provides. Additionally, keep your software and applications up-to-date to minimize the risk of infection.

IoC

REFERENCES

  • https://unit42.paloaltonetworks.com/malicious-javascript-steals-sensitive-data/
  • https://otx.alienvault.com/pulse/658439e86a451e98d57ca3d8

TAGS

malicious javascript, api abuse

Operation HamsaUpdate: A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure at Risk

According to a blog post by Intezer, Operation HamsaUpdate is a sophisticated campaign that puts Israeli infrastructure at risk by delivering wipers. The campaign was discovered after the Israel National Cyber Directorate released an urgent alert warning about a phishing campaign targeting Israeli customers using F5's network devices. The campaign features the deployment of a newly developed wiper malware that targets both Windows and Linux servers. Attackers use a convincingly written email in Hebrew and utilize sophisticated social engineering techniques to pressure victims to execute the harmful code residing on their servers. The final attack delivers a complex, multi-stage loader or a destructive wiper, each variant customized for either Linux or Windows environments. The Hamsa Wiper campaign represents a highly targeted attack on Israeli infrastructure, and the attackers have used advanced social engineering techniques to deliver a multi-faceted malware package, ultimately wiping data across Windows and Linux servers. The Israel National Cyber Directorate has made public the Indicators of Compromise (IOCs) associated with this campaign, including variants of the wiper malware. During the analysis, researchers also discovered a second wiper, dubbed "Hatef," which is a Windows variant of the malware. 

IoC

    IPv4

  • 31.192.237.207

    MD5

  • 8f69c9bb80b210466b887d2b16c68600

REFERENCES

  • https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/
  • https://otx.alienvault.com/pulse/6584316b9546f2e5af862d6f

TAGS

wiper, APT, hatef, hamsa, handala, israel

Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa

Seedworm, also known as Muddywater, is an Iranian espionage group that has been targeting organizations operating in the telecommunications sector in Egypt, Sudan, and Tanzania.

The group has been active since at least 2017 and is known for targeting organizations in the Middle East, with a strong focus on African organizations in recent campaigns. In November 2023, Seedworm used various tools in its attacks, including the MuddyC2Go infrastructure, PowerShell launcher, SimpleHelp remote access tool, and Venom Proxy.

Some key points about Seedworm and its attacks on telecom organizations include:

  • Seedworm has a history of targeting telecommunications organizations, as many cyberespionage groups do
  • The group's strong focus on African organizations in this campaign is notable, as it generally focuses on organizations in the Middle East
  • The attackers used a variety of tools in the November 2023 campaign, including the MuddyC2Go infrastructure, PowerShell launcher, SimpleHelp remote access tool, and Venom Proxy
  • Symantec researchers have warned about Seedworm targeting telecoms organizations in North and East Africa
  • The group has shown a consistent interest in telecommunications, which is a common focus for many cyberespionage groups

Organizations in the telecommunications sector should be aware of Seedworm's activities and take necessary precautions to protect their networks and systems.

IoC

    SHA256

  • 1a0827082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdaca
  • 3916ba913e4d9a46cfce437b18735bbb5cc119cc97970946a1ac4eab6ab39230
  • eac8e7989c676b9a894ef366357f1cf8e285abde083fbdf92b3619f707ce292f

REFERENCES

  • https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms
  • https://otx.alienvault.com/pulse/6581f2b87f29f4e500192412

TAGS

seedworm, simplehelp, powershell, muddyc2go, venom proxy, middle east, anydesk, muddywater, APT34

PikaBot distributed via malicious search ads

According to Malwarebytes, PikaBot is a new malware family that appeared in early 2023 and is distributed via malvertising. The campaign targets Google searches for the remote application AnyDesk, and users are tricked into downloading a zip archive containing a malicious JavaScript. PikaBot's core module is then injected into the legitimate SearchProtocolHost.exe process, making the malware very stealthy. PikaBot is being used by a threat actor known as TA577, who has been associated with ransomware distribution and has delivered payloads such as QakBot, IcedID, SystemBC, and Cobalt Strike. The distribution of PikaBot via malvertising is part of an increase in the use of malicious ads to drop malware targeting businesses. Criminals have found success in acquiring new victims thanks to search ads, and there are specialized services that help malware distributors and affiliates to bypass Google's security measures and set up a decoy infrastructure. 

IoC

    SHA256

  • 0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5
  • 69281eea10f5bfcfd8bc0481f0da9e648d1bd4d519fe57da82f2a9a452d60320
  • da81259f341b83842bf52325a22db28af0bc752e703a93f1027fa8d38d3495ff

REFERENCES

  • https://www.bankinfosecurity.com/pikabot-targets-enterprises-via-malicious-search-ads-a-23921
  • https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads?&web_view=true
  • https://otx.alienvault.com/pulse/65819f633436715278bf719e

TAGS

PikaBot, Search Ads

StopRansomware: Play Ransomware

Play is a ransomware variant that encrypts files on a device, rendering those files and the systems that rely on them unusable. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a joint Cybersecurity Advisory (CSA) on it as part of the ongoing #StopRansomware effort, which publishes advisories for network defenders that detail various ransomware variants and ransomware threat actors. The advisory recommends prioritizing remediation of known exploited vulnerabilities, enabling multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems, regularly patching and updating software and applications to their latest versions, and conducting regular vulnerability assessments. Victims of ransomware should report to federal law enforcement via IC3 or a U.S. Secret Service field office, and can request technical assistance or provide information to help others by contacting CISA. Organizations are encouraged to implement best practices to better prepare and protect their personnel and customers from cybersecurity threats.

IoC

    CVE

  • CVE-2018-13379
  • CVE-2020-12812
  • CVE-2022-41040
  • CVE-2022-41082
  • CVE-2023-26360

    MD5

  • 09f341874f72a5cfcedbca707bfd1b3b
  • 57bcb8cfad510109f7ddedf045e86a70 (Win32:RansomX-gen\ [Ransom])

    SHA1

  • 6e8582faeaf34f63fbe0083a811bcce1aa6c31de
  • e6c381859f53d0c0db9fcd30fa601ecb935b93e0 (Win32:RansomX-gen\ [Ransom])

REFERENCES

  • https://www.cisa.gov/stopransomware
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
  • https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3403814/stopransomware-guide-released-by-nsa-and-partners/
  • https://otx.alienvault.com/pulse/65819d8b1d340924fb83e7b0

TAGS

Play, Ransomware, AdFind, BloodHound, Cobalt Strike

Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains

IoC

    SSLCertFingerprint

  • 18:ff:07:f3:05:a7:6a:c2:7a:38:89:c5:06:fd:d7:b8:d9:06:88:ab
  • 6a:21:31:8b:f4:0a:04:40:fa:37:46:15:a3:ce:1f:0a:c5:0a:93:c3
  • 89:29:97:5e:e9:f7:14:d9:95:16:9b:b3:74:33:0c:7b:d0:8f:98:30
  • b6:74:45:84:0c:ff:81:05:c2:28:0f:ef:91:23:d8:a0:e8:ed:3a:2e

REFERENCES

  • https://unit42.paloaltonetworks.com/detecting-malicious-stockpiled-domains/
  • https://otx.alienvault.com/pulse/658181bc828850f35f6b26c7

TAGS

Phishing

Malvertisers zoom in on cryptocurrencies and initial access

The blog post from Malwarebytes, titled "Malvertisers zoom in on cryptocurrencies and initial access," details a rise in malicious ads targeting software like Zoom, often used by those interested in cryptocurrencies and corporate networks. Two specific cases were highlighted: HiroshimaNukes, a new malware loader, and FakeBat, a loader tracked via a new control panel called Hunting panel 1.40. The report outlines the methods, distribution, and specific indicators of compromise for these malvertising campaigns, emphasizing the continued threat they pose and the efforts to protect users from such attacks.

IoC

    IPv4

  • 94.131.110.127

    URL

  • http://l.hyros.com/c8KqPHYKdt
  • http://scheta.site/apps.store/ZoomInstaller.msix
  • http://windows-rars.shop/bootstrap/Zoom-x64.msix

REFERENCES

  • https://www.malwarebytes.com/blog/threat-intelligence/2023/12/malvertisers-zoom-in-on-cryptocurrencies-and-initial-access
  • https://otx.alienvault.com/pulse/65817e4c05cbf5d0fa336908 

TAGS

Malvertisers, Zoom, cryptocurrencies, FakeBat

Thursday, December 21, 2023

Operation HAECHI IV emphasizes the key role of INTERPOL in enabling police worldwide to address the growing complexity of cyber-enabled scams

Operation HAECHI IV, a transcontinental crackdown led by INTERPOL, culminated in the arrest of nearly 3,500 suspects and the seizure of USD 300 million in assets across 34 countries. Targeting a spectrum of cyber-enabled scams, the six-month operation highlighted the importance of international cooperation and innovative tactics in combating online financial crimes. The significant results of this operation demonstrate the global commitment to tackling the complex and evolving threat of cybercrime, emphasizing the need for continuous vigilance and adaptation in law enforcement strategies.

REFERENCE

  • https://www.interpol.int/en/News-and-Events/News/2023/USD-300-million-seized-and-3-500-suspects-arrested-in-international-financial-crime-operation

Tuesday, December 19, 2023

FBI and Justice Department Disrupt Prolific ALPHV/Blackcat Ransomware Operation

The U.S. Justice Department, in a landmark operation, has successfully disrupted the BlackCat ransomware group, known as ALPHV or Noberus. This ransomware variant, emerging as one of the most prolific in the world, has targeted over 1,000 networks globally, including critical U.S. infrastructure.

In a strategic move, the FBI developed and distributed a decryption tool to more than 500 affected victims worldwide. This decisive action prevented ransom demands totaling approximately $68 million, significantly mitigating the group's financial impact.

BlackCat, operating on a ransomware-as-a-service model, has been notorious for its multiple extortion tactics. The affiliates first exfiltrate sensitive data before encrypting victim systems, intensifying pressure for ransom payment. Failure to pay often leads to public disclosure of the stolen data on dark web leak sites.

The operation's success highlights the FBI's commitment to combating cybercrime, with Deputy Director Paul Abbate emphasizing the agency's dedication to bringing cybercriminals to justice and providing assistance to victims. Acting Assistant Attorney General Nicole M. Argentieri reiterated this stance, promising continued efforts to dismantle cybercrime ecosystems.

The Justice Department urges any BlackCat ransomware victims to contact their local FBI office for assistance and information. The FBI has also released technical details about the malware, aiming to aid organizations in mitigating its effects.

This decisive action against BlackCat ransomware marks a significant stride in the fight against global cybercrime, showcasing the effectiveness of law enforcement in disrupting sophisticated cyber threats.

IoC

REFERENCE

  • https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant
  • https://thehackernews.com/2023/12/fbi-takes-down-blackcat-ransomware.html?m=1


Monday, December 18, 2023

A pernicious potpourri of Python packages in PyPI

ESET Research has uncovered a significant cybersecurity threat involving a cluster of malicious Python projects distributed through PyPI, the official Python package repository. This threat, identified in late 2023, has been particularly concerning due to its scale and the techniques used.

Key Findings from ESET Research:

Malicious Package Discovery: ESET Research discovered 116 malicious packages uploaded in 53 projects on PyPI. These packages have been downloaded over 10,000 times, with a download rate of approximately 80 per day since May 2023.

Target Systems: The threat targets both Windows and Linux systems. The final payload usually involves a custom backdoor, but in some cases, it includes variants of the W4SP Stealer or a simple clipboard monitor designed to steal cryptocurrency.

Malware Techniques: The operators behind this campaign employed three primary techniques to insert malicious code into Python packages:

Malicious test.py Module: A 'test' module with lightly obfuscated code was embedded in the package, designed to handle both Windows and Linux systems.

PowerShell in setup.py: PowerShell code was embedded in the setup.py file of packages, which is typically run automatically by package managers like pip. This script was responsible for downloading and executing further stages of the malware.

Direct Malware Inclusion: In some cases, packages only contained malicious code, with no effort to include legitimate code. This code was often lightly obfuscated and written into temporary files for execution.

Persistence Mechanisms:

On Windows, persistence was achieved using a VBScript Encoded (VBE) file, written to a specific directory and scheduled to run every five minutes.

On Linux, a malicious desktop entry was placed in the autostart directory to ensure persistence. This entry mimicked legitimate software to reduce suspicion.

Final Payload Characteristics: The backdoor component of the malware, implemented in Python for Windows and Go for Linux, enabled remote command execution, file exfiltration, and sometimes the ability to take screenshots. The backdoor created a TCP socket connection to a command and control server and could handle various commands or run other commands in a separate process.

Alternate Payloads: In some cases, the malware payload was a variant of the W4SP Stealer or a clipboard monitor targeting cryptocurrencies like Bitcoin, Ethereum, Monero, and Litecoin. The clipboard monitor used the pyperclip package to identify wallet addresses and replace them with attacker-controlled addresses.

Countermeasures: Most of these malicious packages were taken down by PyPI at the time of the research. ESET communicated with PyPI to ensure the removal of the remaining malicious packages, and all known malicious packages are now offline.

This situation highlights the ongoing challenges in maintaining the security of software repositories like PyPI, especially given their open nature and the sophistication of modern cyber attackers. It underscores the need for constant vigilance and robust security measures both by repository maintainers and users downloading packages from such repositories.

IoC

    HOSTNAME

  • blazywound.ignorelist.com

    IPv4

  • 204.152.203.78

    SHA256

  • 104a5192cf032cee44b732d33458a27909cef45d7391e092b9c13acd5779bb39

    SHA1

  • ef59c159d3fd668c3963e5ade3c726b8771e6f54
  • b94e493579cc1b7864c70fafb43e15d2ed14a16b
  • b0c8d6beee80813c8181f3038e42adacc3848e68
  • ae3072a72f8c54596dcbcde9cfe74a4146a4ef52
  • 70c271f79837b8cc42bd456a22ec51d1261ed0ca
  • 439a5f553e4ee15edca1cfb77b96b02c77c5c388
  • 07204ba8d39b20f5fcdb9c0242b112fadffa1bb4

REFERENCES

  • https://www.welivesecurity.com/en/eset-research/pernicious-potpourri-python-packages-pypi/
  • https://otx.alienvault.com/pulse/657b710c1b313b8547fa4145

TAGS

pypi, linux, w4sp stealer, persistence, oilrig, kryptocibule, w4sp

Gaza Cybergang | Unified Front Targeting Hamas Opposition

The Gaza Cybergang, active since at least 2012, is a group known for its cyber activities primarily targeting Palestinian entities. In recent years, particularly over 2022 and 2023, the group has shown a sustained focus on these targets, with their operations revealing no significant changes in dynamics since the beginning of the Israel-Hamas war. The group has been consistently upgrading its malware arsenal, including the introduction of a backdoor named Pierogi++, first used in 2022 and continuing its presence throughout 2023.

This backdoor represents an evolution in the group's capabilities, showcasing their ability to enhance their existing malware tools and create new implementations. The Gaza Cybergang's activities are characterized by the use of sophisticated tactics, techniques, and procedures (TTPs), and their ability to adapt and evolve their malware indicates a high level of technical expertise and resourcefulness.

The intertwined nature of the Gaza Cybergang's constituent sub-groups and their unified front in targeting opposition, particularly within the Palestinian context, suggest a complex and organized cyber operation. Their activities reflect a broader trend of state and quasi-state actors increasingly engaging in targeted cyber operations, which continue to pose significant challenges to cybersecurity efforts globally.

IoC

    DOMAIN

  • zakaria-chotzen.info
  • wayne-lashley.com
  • wanda-bell.website
  • swsan-lina-soso.info
  • stgeorgebankers.com
  • spgbotup.club
  • porthopeminorhockey.net
  • overingtonray.info
  • nicoledotson.icu
  • nicoledotso.icu
  • lindamullins.info
  • jane-chapman.com
  • izocraft.com
  • escanor.live
  • delooyp.com
  • claire-conway.com
  • bruce-ess.com
  • beatricewarner.com
  • aracaravan.com

    SHA256

  • fa98139b94cc56890af27e6dd02deb4da64b930e801492a966e0f13103808e2f
  • e1f52ea30d25289f7a4a5c9d15be97c8a4dfe10eb68ac9d031edcc7275c23dbc
  • d5e0e54391818df52966eabde9398d35dda1f7c66598880f87603c8d542bc6f3
  • cb9fb42bfcae30b849fcc210d1ac4b39a12e32c6dc9d8523fcf9883632d7135e
  • c4fdbfd6608748d7f675a83f392cd923e86a6d491395a611a3d651c3385708b8
  • af87a91c71b3cca1184b4b1250cacec041430264d0f8ac56bde3a6b1173e84a2
  • 884dad1ef6f5dfc2ee2d4e22cc64a97042637d79ce678038b5c00e56dc9241f0
  • 8605a33115947343057847aba7ef0cbf57265e88b080a973b59960c2dbd0a003
  • 83e0db0fa3feaf911a18c1e2076cc40ba17a185e61623a9759991deeca551d8b
  • 602a53d05280240c2075924af5c0bb4f4d5e86b90ae92eb3e33003d60b1ea685
  • 4d6e8eb2eb04da1efbd0a0fd6dddad39ead99dfcb391ef57668e4286232127f4
  • 36037040711231986f7509a2aa2af74b33022defac4669fb0eb14beba7caff39
  • 32d9d85b2105392eeb6109b27eb58c7a0ea84e7804fc19cba63fffa69d63daa4
  • 27f4e0c718d4614543c95125d670f4420b1b0990a5fdb1da9e71fa3585045968
  • 247bebcb221ba87b9198aa8f4102b4239e63bc2bf4bb97554c96a586b8c66007
  • 1b1eb1c9ff1b60ba0643a80698404f9169d0006469303aa77e235ee8dd00d213
  • 0a253739465b77c313e3127b3969b58d08674f2fc3fea7449e6dfbba7c4deafd

REFERENCES

  • https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/#:~:text=,Hamas%20war
  • https://www.globalsecuritymag.com/spip.php?page=article&id_article=146567#:~:text=%23%20%E3%80%901%E2%80%A0Gaza%20Cybergang%20,groups
  • https://allinfosecnews.com/item/gaza-cybergang-unified-front-targeting-hamas-opposition-2023-12-14/#:~:text=,Hamas%20%E2%80%A6
  • https://thecyberwire.com/newsletters/daily-briefing/12/237
  • https://www.globalsecuritymag.fr/spip.php?page=article&id_article=146567#:~:text=%23%20%E3%80%9013%E2%80%A0Gaza%20Cybergang%20,primarily%20targeting%20Palestinian%20entities
  • https://otx.alienvault.com/pulse/657b6fc5f21adc5b57300979

TAGS

gaza cybergang, pierogi, arid viper, wirte, barbwire, big bang, c2 server, israelhamas war, micropsia, delphi, stark, sharpstage, cybergang, pymicropsia, dropbook, lastconn, ta401, bigbang, prev sandman

Kaspersky crimeware report: FakeSG, Akira and AMOS

Kaspersky's recent crimeware report highlights the emergence of three significant threats: FakeSG, Akira ransomware, and AMOS macOS stealer.

FakeSG

FakeSG is a new distribution campaign for the NetSupport RAT, named for its similarity to the SocGholish campaign. It involves infected legitimate websites displaying notifications for browser updates. Clicking on these notifications results in the download of a malicious file, which is a JavaScript file containing obfuscated code. This code executes another script to set a cookie, prompts for a browser update, and then automatically downloads additional scripts, including a batch script that downloads more batch scripts, a 7z file, and the 7z executable. The second batch script ensures persistence by creating a scheduled task named “VCC_runner2,” and it also extracts and copies the malware. A notable aspect of the 7z file is a malicious configuration file containing the C2 address.

Akira Ransomware

Akira is a relatively new ransomware variant, first detected in April. Written in C++, it targets both Windows and Linux environments. The attackers have already infected over 60 organizations globally, choosing larger organizations across various industries. Akira shares several common characteristics with other ransomware families, such as deleting shadow copies, encrypting logical drives, and skipping certain file types and directories. It also has a communication site on the TOR network. Unique to Akira is its similarity to the Conti ransomware in aspects like the list of folders excluded from the encryption process. Its C2 panel is also notably different, using the JQuery Terminal library to create a minimalistic site protected with security measures to prevent analysis.

AMOS macOS Stealer

Discovered in April 2023, AMOS initially targeted macOS and was leased to cybercriminals via Telegram. The original version, written in Go, had features typical of a stealer, such as stealing passwords, files, and browser data. It also generated fake password prompts to acquire the system password. The latest version of AMOS, now written in C, uses malvertising as its infection vector. It lures users into downloading malware by cloning popular software sites. The malware retrieves the user's name and checks for password requirements. If a password is required, it prompts the user to enter it. AMOS collects various data types, including notes, documents, browser-related data, cryptocurrency wallets, and instant messaging data, which it then zips and sends to the C2 over HTTP.

These developments in the crimeware landscape demonstrate the evolving nature of cyber threats and the continuous efforts of cybercriminals to exploit different platforms and technologies.

IoC

    SHA256

  • 9bf7692f8da52c3707447deb345b5645050de16acf917ae3ba325ea4e5913b37
  • 6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360
  • 4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87
  • 3d13fae5e5febfa2833ce89ea1446607e8282a2699aafd3c8416ed085266e06f
  • 2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2

    SHA1

  • e27521c7158c6af3aa58f78fcbed64b17c946f70
  • ba9de479beb82fd97bbdfbc04ef22e08224724ba
  • 941d001e2974c9762249b93496b96250211f6e0f

    MD5

  • c60ac6a6e6e582ab0ecb1fdbd607705b
  • 2cda932f5a9dafb0a328d0f9788bd89c
  • 0885b3153e61caa56117770247be0444
  • 00141f86063092192baf046fd998a2d1

REFERENCES

  • https://securelist.com/crimeware-report-fakesg-akira-amos/111483/
  • https://otx.alienvault.com/pulse/657b34f330a288e473f448c0

TAGS

apple macos, cross-platform malware, ransomware, rat trojan, trojan, amos, akira, redline, fakesg campaign, amos stealer, powershell, raccoon, exodus, netsupportmanagerrat, amos macos, infostealer, industrial

Sunday, December 17, 2023

OilRig’s persistent attacks using cloud service-powered downloaders

Throughout 2022, the Iranian threat group OilRig developed a series of new downloaders that utilized legitimate cloud storage and cloud-based email services for command and control (C&C) as well as data exfiltration. These downloaders were specifically targeted against entities in Israel, with many of these targets having been previously compromised by other OilRig tools. This approach suggests that OilRig favored these lightweight yet effective downloaders to maintain access to networks of interest. The downloaders included SC5k, OilBooster, ODAgent, and OilCheck, which differed from other backdoors like MrPerfectionManager and PowerExchange by using attacker-controlled cloud service accounts rather than the victim’s internal infrastructure. This shift to legitimate cloud service providers for C&C communication aimed to conceal malicious communication and obscure the group’s network infrastructure.

Among the tools developed by OilRig, OilBooster is notable. It is a 64-bit portable executable written in Microsoft Visual C/C++ with statically linked OpenSSL and Boost libraries. OilBooster uses the Microsoft Graph API to interact with a OneDrive account controlled by the attackers for C&C communication and exfiltration, unlike OilCheck, which uses the same API but interacts with an Outlook account. OilBooster's capabilities include downloading files from the remote server, executing files and shell commands, and exfiltrating results.

The SC5k v3 downloader, another tool in OilRig’s arsenal, uses a shared Exchange account for C&C communication. It indicates its active status to attackers by creating a new draft in the Exchange account with a specific From field. This keep-alive message is renewed with each connection to the remote Exchange server.

OilCheck, discovered in April 2022, is a C#/.NET downloader that also uses draft messages in a shared email account for C&C communication. Unlike SC5k, OilCheck manually builds API requests to access a shared Microsoft Office 365 Outlook email account using the REST-based Microsoft Graph API.

OilBooster's downloader loop involves connecting to the shared OneDrive account to retrieve files with specific extensions in a victim-specific subdirectory. If unsuccessful after multiple attempts, it connects to a fallback C&C server to acquire a new refresh token.

For processing downloaded files, OilBooster distinguishes between files with .doc and .docx extensions. Files with the .doc extension are actually JSON files with encrypted commands, which are executed on the compromised host. Files with the .docx extension are compressed and encrypted files that are unpacked on the compromised system.

In terms of exfiltration, OilBooster compresses and encrypts files from a local directory and uploads them to the victim’s folder on the shared OneDrive account.

ODAgent, a precursor to OilBooster, is another application developed by OilRig. It is a C#/.NET application that uses the Microsoft Graph API to access an attacker-controlled OneDrive account for similar purposes.

These tools, while not particularly sophisticated and somewhat noisy on the system, demonstrate OilRig's continuous development and testing of new variants. The group's experimentation with various cloud services and different programming languages, as well as its persistence in re-compromising the same targets, underscores the potential threat posed by OilRig in the cybersecurity landscape.
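Because the destinations here are legitimate Microsoft endpoints, hunting on the destination alone finds nothing; the useful signal is which process on the host is speaking Microsoft Graph, and what it asks for (draft mailbox access, .doc/.docx content transfers, token refreshes). The hunt below is an added example for this digest, not ESET's code or the group's; the telemetry records, the field names and the process allowlist are constructed assumptions that a defender would map onto their own proxy or EDR export.

```python
from collections import defaultdict

# Microsoft endpoints the downloaders described above rely on: Graph for
# OneDrive/Outlook, the identity endpoint for token refresh.
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}

# Assumed allowlist of processes expected to talk to Graph from a workstation.
# Tune to your estate; anything else reaching Graph deserves a look.
EXPECTED_GRAPH_CLIENTS = {
    "outlook.exe", "onedrive.exe", "teams.exe", "ms-teams.exe", "winword.exe",
    "excel.exe", "powerpnt.exe", "msedge.exe", "chrome.exe", "firefox.exe",
}

# Constructed telemetry in a generic shape: host, process, destination host,
# request path. "VICTIM-DIR-PLACEHOLDER" stands in for a victim-specific folder.
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "OUTLOOK.EXE", "dest": "graph.microsoft.com",
     "path": "/v1.0/me/mailFolders/drafts/messages"},
    {"host": "ws03", "process": "msedge.exe", "dest": "graph.microsoft.com",
     "path": "/v1.0/me"},
    {"host": "ws07", "process": "svcupdate.exe", "dest": "login.microsoftonline.com",
     "path": "/common/oauth2/v2.0/token"},
    {"host": "ws07", "process": "svcupdate.exe", "dest": "graph.microsoft.com",
     "path": "/v1.0/me/drive/root:/VICTIM-DIR-PLACEHOLDER/task1.doc:/content"},
    {"host": "ws07", "process": "svcupdate.exe", "dest": "graph.microsoft.com",
     "path": "/v1.0/me/drive/root:/VICTIM-DIR-PLACEHOLDER/out.docx:/content"},
    {"host": "ws07", "process": "svcupdate.exe", "dest": "graph.microsoft.com",
     "path": "/v1.0/me/mailFolders/drafts/messages"},
    {"host": "ws09", "process": "python.exe", "dest": "api.github.com",
     "path": "/repos"},
]


def classify_path(path: str) -> set[str]:
    """Tag a Graph/identity request path with the behaviours described above."""
    tags = set()
    lower = path.lower()
    if "/mailfolders/drafts" in lower:
        tags.add("drafts-mailbox-access")       # SC5k/OilCheck-style draft C&C
    if lower.endswith(".doc:/content") or lower.endswith(".docx:/content"):
        tags.add("office-doc-transfer")         # OilBooster command/payload files
    if "/oauth2/" in lower and lower.endswith("/token"):
        tags.add("token-refresh")               # refresh-token use by a non-Office client
    return tags


def hunt_graph_clients(events, allowlist=EXPECTED_GRAPH_CLIENTS):
    """Group Graph/identity traffic by (host, process); report every client
    outside the allowlist with its request count and behaviour tags."""
    grouped = defaultdict(lambda: {"requests": 0, "tags": set()})
    for ev in events:
        if ev["dest"] not in GRAPH_HOSTS:
            continue
        proc = ev["process"].lower()
        if proc in allowlist:
            continue
        entry = grouped[(ev["host"], proc)]
        entry["requests"] += 1
        entry["tags"] |= classify_path(ev["path"])
    return dict(grouped)


if __name__ == "__main__":
    for (host, proc), entry in hunt_graph_clients(SAMPLE_EVENTS).items():
        print(f"{host} {proc}: {entry['requests']} requests, {sorted(entry['tags'])}")
```

A single unexpected process touching the drafts folder and pulling .doc content through Graph, as in the constructed ws07 case, is the combination worth triaging; a lone token refresh from an unfamiliar binary is weaker on its own and is best used as context.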

IoC

    URL

  • http://host1.com/rt.ovf

    SHA1

  • ea8c3e9f418dcf92412eb01fcdcdc81fdd591bf1
  • e78830384ff14a58df36303602bc9a2c0334a2a4
  • ddf0b7b509b240aab6d4ab096284a21d9a3cb910
  • c225e0b256edb9a2ea919bacc62f29319de6cb11
  • c04f874430c261aabd413f27953d30303c382953
  • be9b6aca8a175df61f2c75932e029f19789fd7e3
  • ba439d2fc3298675f197c8b17b79f34485271498
  • aef3140cd0ee6f49bfcc41f086b7051908b91bdd
  • aae958960657c52b848a7377b170886a34f4ae99
  • a97f4b4519947785f66285b546e13e52661a6e6f
  • a56622a6ef926568d0bdd56fedbff14bd218ad37
  • 8d84d32df5768b0d4d2ab8b1327c43f17f182001
  • 7e498b3366f54e936cb0af767bfc3d1f92d80687
  • 7ad4dcda1c65accc9ef1e168162de7559d2fdf60
  • 6001a008a3d3a0c672e80960387f4b10c0a7bd9b
  • 51b6ec5de852025f63740826b8edf1c8d22f9261
  • 3bf19ae7fb24fce2509623e7e0d03b5a872456d4
  • 35e0e78ec35b68d3ee1805eeceea352c5fe62eb6
  • 2236d4dcf68c65a822ff0a2ad48d4df99761ad07

REFERENCES

  • https://www.welivesecurity.com/en/eset-research/oilrig-persistent-attacks-cloud-service-powered-downloaders/
  • https://otx.alienvault.com/pulse/657b11ab57c4b75f5004b236

TAGS

oilrig, oilbooster, sc5k, odagent, oilcheck, victimid, python, milan, apt34, dnspionage, cmex, c#/.net, industrial

Saturday, December 16, 2023

Routers Roasting on an Open Firewall: the KV-botnet Investigation

The blog post from Lumen Technologies' Black Lotus Labs discusses the KV-botnet, a botnet targeting small office/home office (SOHO) routers. This botnet, active since at least February 2022, is sophisticated, with a complex infection process and a well-concealed command-and-control framework. It targets end-of-life routers, primarily Cisco RV320s, DrayTek Vigor routers, NETGEAR ProSAFE devices, and Axis IP cameras. The investigation reveals links to a Chinese state-sponsored actor and suggests the botnet's use in espionage and information gathering. For more details, you can read the full article at Lumen Technologies' blog.


IoC

    DOMAIN

  • 2fgithub.com

    IPv4

  • 66.42.124.155
  • 45.156.21.172
  • 216.128.180.232
  • 193.36.119.48
  • 174.138.56.21
  • 159.203.72.166
  • 159.203.113.25
  • 144.202.49.189
  • 144.202.43.124

REFERENCES

  • https://github.com/blacklotuslabs/IOCs/blob/main/KVbotnet_IOCs.txt
  • https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/
  • https://otx.alienvault.com/pulse/657b0af55af290155cda7016

TAGS

volt typhoon, prosafe, soho, kvbotnet, netgear prosafe, black lotus, cluster, syscall, sha256, payload server, accellion fta, lumen ip, mips, hiatusrat

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

The ITG05 group, which is believed to be a Russian state-sponsored entity, has been leveraging the Israel-Hamas conflict as a theme in phishing campaigns to deliver the Headlace malware. Here's a detailed overview of their operations based on information from IBM X-Force:

Campaign Overview: The group has been using lure documents featuring the ongoing Israel-Hamas war to deliver the Headlace backdoor. These campaigns target entities in at least 13 nations worldwide and use authentic documents from academic, finance, and diplomatic centers.

Target Audience and Lure Contents: The lures are designed to appeal to audiences interested in research and policy creation. The campaign targets entities influential in the allocation of humanitarian aid, primarily in Europe. The lures include legitimate documents associated with finance, think tanks, educational organizations, and NGOs.

Execution Chains for Headlace Malware: ITG05 has implemented three execution chains for the Headlace malware:

Via WinRAR Vulnerability: Exploiting CVE-2023-38831 in WinRAR. If a victim with a vulnerable WinRAR application opens the archive, the Headlace dropper is executed in the background while presenting a lure document.

Via DLL Hijacking: Delivering a legitimate Microsoft Calc.exe binary susceptible to DLL hijacking, which, when executed, loads a malicious DLL to run the Headlace CMD dropper.

Direct Execution: Directing victims to execute the Headlace CMD dropper disguised as a Windows update script.
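The DLL-hijacking chain above is one instance of a general sideloading pattern: a trusted Windows binary copied out of its system directory and loading a DLL from wherever it was dropped. The detector below is an added example for this digest, not IBM X-Force's code or the group's tooling; it generalizes the calc.exe case to any watched binary, and the Sysmon-like event records (process creation and image load, with constructed paths and a constructed DLL name) are assumptions for the example.

```python
from pathlib import PureWindowsPath

# Directories from which a Windows-signed binary normally runs (assumed list).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
               "c:\\windows\\winsxs", "c:\\program files", "c:\\program files (x86)")

# Constructed telemetry: pid 4100 is the real calculator; pid 5120 is a copy of
# calc.exe executed from a download folder that loads a DLL sitting beside it
# and then spawns a command interpreter (the CMD dropper step described above).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "image": r"C:\Windows\System32\calc.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "image_load", "pid": 4100, "image": r"C:\Windows\System32\calc.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},
    {"type": "process_create", "pid": 5120, "image": r"C:\Users\victim\Downloads\brief\calc.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "image_load", "pid": 5120, "image": r"C:\Users\victim\Downloads\brief\calc.exe",
     "loaded": r"C:\Users\victim\Downloads\brief\constructed.dll"},
    {"type": "process_create", "pid": 5130, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\victim\Downloads\brief\calc.exe"},
]


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect_sideload(events, watched=("calc.exe",), shells=("cmd.exe", "powershell.exe")):
    """Three linked alerts: a watched binary running outside the system
    directories, that process loading a DLL from its own directory, and a
    shell spawned by it. Returns alerts in event order."""
    alerts = []
    relocated = {}  # pid -> directory of the out-of-place binary
    for ev in events:
        image = PureWindowsPath(ev["image"])
        if ev["type"] == "process_create":
            if image.name.lower() in watched and not is_system_path(str(image)):
                relocated[ev["pid"]] = str(image.parent).lower()
                alerts.append({"pid": ev["pid"], "rule": "lolbin-outside-system-dir",
                               "detail": str(image)})
            parent = PureWindowsPath(ev["parent_image"])
            if (image.name.lower() in shells and parent.name.lower() in watched
                    and not is_system_path(str(parent))):
                alerts.append({"pid": ev["pid"], "rule": "shell-spawned-by-relocated-lolbin",
                               "detail": f"{parent} -> {image.name}"})
        elif ev["type"] == "image_load" and ev["pid"] in relocated:
            loaded = PureWindowsPath(ev["loaded"])
            # A DLL resolved from the binary's own (non-system) directory is the
            # sideload itself; system DLLs loaded by the same process are normal.
            if loaded.suffix.lower() == ".dll" and str(loaded.parent).lower() == relocated[ev["pid"]]:
                alerts.append({"pid": ev["pid"], "rule": "dll-loaded-from-binary-dir",
                               "detail": str(loaded)})
    return alerts


if __name__ == "__main__":
    for a in detect_sideload(SAMPLE_EVENTS):
        print(f"pid {a['pid']}: {a['rule']} ({a['detail']})")
```

The first rule alone is noisy in environments where users keep portable copies of system tools; the second and third are what make the chain actionable, so correlate on pid before paging anyone.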

Initial Lures and Infection Chain: Earlier ITG05 operations featuring Headlace used adult-themed lures. The recent shift to using official documents as lures indicates a focus on a specific target audience. The infection starts with phishing URLs leading to downloads from legitimate staging services, where a JavaScript-based browser enumeration script verifies the user agent and geolocation of the victim.

Follow-up Payloads and Data Exfiltration: Once the system is compromised, follow-up payloads are used to capture NTLM credentials or SMB hashes of user accounts for exfiltration via the TOR network. ITG05 also employs custom exfiltration tools such as Graphite and Credomap.

This analysis highlights the sophistication of ITG05's operations and the importance of being vigilant against state-sponsored cyber threats that leverage current events as lures for targeted cyber espionage activities.

IoC

    HOSTNAME

  • run.mocky.io
  • downloadingdoc.infinityfreeapp.com
  • downloaddoc.infinityfreeapp.com
  • document-c.infinityfreeapp.com

    DOMAIN

  • mockbin.org
  • infinityfreeapp.com

    URL

  • https://mockbin.org/bin/92354a6a-ba1f-4a1a-abea-fba269cabd66
  • https://mockbin.org/bin/902ca47f-644d-4d44-88ec-060fdb7acaa4
  • https://mockbin.org/bin/7cc44695-0c31-4620-bed4-2e60adf0a4b6
  • https://mockbin.org/bin/229f6d51-f534-466f-b642-e86811631083

REFERENCES

  • https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/
  • https://otx.alienvault.com/pulse/6579b53c00375a2dcfaaf952

TAGS

itg05, september, ukraine, azerbaijan, israel, razumkov centre, belarus, service, winrar, nishang, graphite, credomap, gootloader, wailingcrab, mocky

Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally | CISA

The Russian Foreign Intelligence Service (SVR), also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, has been actively exploiting a vulnerability in JetBrains TeamCity software, identified as CVE-2023-42793. This activity has been ongoing since at least September 2023 and has been the subject of a joint government advisory issued by several cybersecurity and intelligence agencies. Here are the key details:

Targeting JetBrains TeamCity Software: SVR-affiliated cyber actors have been targeting servers hosting JetBrains TeamCity software. This enabled them to bypass authorization and conduct arbitrary code execution, which is a significant threat to cybersecurity integrity.

CVE-2023-42793 Exploitation: The vulnerability exploited by these actors, CVE-2023-42793, is an authentication bypass in the TeamCity server. It was disclosed and patched in September, highlighting the importance of timely software updates and patch management in cybersecurity.

Global Hacking Campaign: Cozy Bear, linked with the SVR, has been conducting a global hacking campaign targeting these servers. This campaign has been acknowledged and warned against by government agencies in the US, UK, and Poland, underscoring the widespread nature of this threat.

Joint Advisory by Security Agencies: Agencies including the US Federal Bureau of Investigation (FBI), CISA, NSA, Poland's SKW, CERT Polska, and the UK's NCSC have issued warnings about this threat. The advisory indicates a coordinated effort to raise awareness and combat the exploitation of this vulnerability by SVR cyber actors.

The exploitation of CVE-2023-42793 by the SVR demonstrates the continuous need for vigilance in cybersecurity, especially concerning software vulnerabilities that can be leveraged by state-affiliated actors for espionage or other malicious activities. It also underscores the importance of collaboration among international cybersecurity agencies to address these global threats.

IoC

    DOMAIN

  • poetpages.com
  • matclick.com

    IPv4

  • 65.21.51.58
  • 103.76.128.34

    SHA256

  • f6194121e1540c3553273709127dfa1daab96b0acfab6e92548bfb4059913c69
  • f1b40e6e5a7cbc22f7a0bd34607b13e7e3493b8aad7431c47f1366f0256e23eb
  • ebe231c90fad02590fc56d5840acc63b90312b0e2fee7da3c7606027ed92600e
  • d724728344fcf3812a0664a80270f7b4980b82342449a8c5a2fa510e10600443
  • cd3584d61c2724f927553770924149bb51811742a461146b15b34a26c92cad43

REFERENCES

  • https://www.cisa.gov/news-events/alerts/2023/12/13/cisa-and-partners-release-advisory-russian-svr-affiliated-cyber-actors-exploiting-cve-2023-42793#:~:text=Since%20September%202023%2C%20Russian%20Foreign,and%20conduct%20arbitrary%20code%20execut
  • https://www.cybersecurity-review.com/news-december-2023/russian-foreign-intelligence-service-svr-exploiting-jetbrains-teamcity-cve-globally/#:~:text=The%20US%20Federal%20Bureau%20of,JetBrains%20TeamCity%20software%20since%20Septem
  • https://www.preludesecurity.com/advisories/aa23-347a#:~:text=December%2013%2C%202023%20What%20we,42793%29%20to%20target%20software%20developers
  • https://www.techtarget.com/searchsecurity/news/366563365/Russian-APT-exploiting-JetBrains-TeamCity-vulnerability#:~:text=CISA%20issued%20a%20joint%20government,disclosed%20and%20patched%20in%20September
  • https://www.infosecurity-magazine.com/news/cozy-bear-russia-jetbrains-teamcity/#:~:text=Cozy%20Bear%2C%20a%20threat%20group,in%20the%20US%2C%20the
  • https://otx.alienvault.com/pulse/657a2c924ea0e3e9e95e9433

TAGS

cisa, ck techniques, graphicalproton, ncsc, cert polska, mimikatz, powersploit, cozybear, wellmess, wellmail, sorefang, encrypt, diplomatic orbiter

Fog of Cyber Warfare: Cloud Atlas Spies Attack Russian Companies Under the guise of Supporting NWO Participants

Cloud Atlas is a pro-government advanced persistent threat (APT) group that specializes in cyber espionage and theft of confidential informa...