RiskIQ Threat Intel Digest 7/18/2022



PassiveTotal Threat Intel Digest


This digest highlights OSINT and original research that RiskIQ has gathered and enriched weekly.


Transparent Tribe Begins Targeting Education Sector in Latest Campaign

Cisco Talos recently discovered an ongoing campaign conducted by the Transparent Tribe APT group against students at various educational institutions in India. Typically, this APT group focuses on targeting government (government employees, military personnel) and pseudo-government entities (think tanks, conferences, etc.) using remote access trojans (RATs) such as CrimsonRAT and ObliqueRAT. However, in this new campaign dating back to December 2021, the adversary is targeting students of universities and colleges in India. This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users.

MalDoc Malware CrimsonRAT ObliqueRAT TransparentTribe

37 Indicators      37 Public     


Climbing Mount Everest: Black-Byte Bytes Back?

NCC Group reports have linked Everest ransomware to the Everbe 2.0 family, which is composed of Embrace, PainLocker, EvilLocker and Hyena Locker ransomware. However, after recovering and analyzing an Everest ransomware sample, NCC Group assesses with medium confidence that Everest ransomware is related to BlackByte.

Ransomware BlackByte Everest NccGroup Everbe 2.0

12 Indicators      12 Public     


Luna Moth: The Actors Behind the Recent False Subscription Scams

The Sygnia Incident Response team identified a relatively new threat group, which has been operating since the end of March 2022. Sygnia refers to this threat actor as 'Luna Moth' or TG2729. 'Luna Moth' focuses on data-breach extortion attacks, threatening to leak stolen information if the demanded ransom is not paid. The initial compromise is achieved by deceiving victims in a phishing campaign themed around Zoho MasterClass and Duolingo subscriptions, leading to the installation of an initial tool on the compromised host. The group uses commercial remote administration tools (RATs) and publicly available tools to operate on compromised devices and maintain persistence, demonstrating once more the simplicity and effectiveness of ransom attacks. The group acts and operates opportunistically: even if there are no further assets or devices to compromise in the network, they exfiltrate any data that is accessible; this emphasizes the importance of managing sensitive corporate information.

Sygnia LunaMoth RAT Extortion Phishing

189 Indicators      176 Public      13 RiskIQ


Attackers Use AiTM Phishing Sites as Entry Point to Further Financial Fraud

A large-scale phishing campaign that attempted to target over 10,000 organizations since September 2021 used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and skip the authentication process, even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.
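The AiTM pattern described above leaves a detectable trace: the session cookie that was issued after the victim's MFA sign-in is later presented from the attacker's own client. The following is an added example, not code from the digest or from the researchers it summarizes. It runs a replay check over constructed sign-in records whose field names are assumptions for this example rather than any vendor's log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (JSON lines), not real telemetry.
# Field names are assumptions for this example, not a vendor's log schema.
# Session S-1001: Alice completes MFA from 203.0.113.10, then the same
# session token is presented three minutes later from 198.51.100.77 with a
# scripted client, the pattern an AiTM operator leaves when replaying a
# captured cookie. Session S-1002 is a normal single-origin session.
SAMPLE_LOG = """\
{"ts":"2022-07-12T08:01:10Z","user":"alice@example.test","event":"signin","mfa":true,"session":"S-1001","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0)"}
{"ts":"2022-07-12T08:01:45Z","user":"alice@example.test","event":"access","session":"S-1001","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0)"}
{"ts":"2022-07-12T08:04:02Z","user":"alice@example.test","event":"access","session":"S-1001","ip":"198.51.100.77","ua":"python-requests/2.28.1"}
{"ts":"2022-07-12T09:15:00Z","user":"bob@example.test","event":"signin","mfa":true,"session":"S-1002","ip":"203.0.113.22","ua":"Mozilla/5.0 (Macintosh)"}
{"ts":"2022-07-12T09:20:00Z","user":"bob@example.test","event":"access","session":"S-1002","ip":"203.0.113.22","ua":"Mozilla/5.0 (Macintosh)"}
"""


def parse_records(log_text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for rec in records:
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(records, key=lambda r: r["ts"])


def detect_session_replay(log_text, window=timedelta(hours=1)):
    """Return one alert per session whose token is presented from a client
    (IP or user agent) other than the one that completed the MFA sign-in,
    within `window` of that sign-in."""
    by_session = defaultdict(list)
    for rec in parse_records(log_text):
        by_session[rec["session"]].append(rec)

    alerts = []
    for session_id, events in by_session.items():
        signins = [e for e in events if e["event"] == "signin" and e.get("mfa")]
        if not signins:
            continue
        origin = signins[0]
        for ev in events:
            delta = ev["ts"] - origin["ts"]
            if ev["event"] != "access" or not (timedelta(0) <= delta <= window):
                continue
            if ev["ip"] != origin["ip"] or ev["ua"] != origin["ua"]:
                alerts.append({
                    "session": session_id,
                    "user": origin["user"],
                    "signin_ip": origin["ip"],
                    "replay_ip": ev["ip"],
                    "replay_ua": ev["ua"],
                    "seconds_after_mfa": int(delta.total_seconds()),
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOG):
        print(json.dumps(alert))
```

Because the victim's own sign-in is relayed through the phishing proxy, the "origin" IP recorded at MFA time may already belong to the attacker; the check still fires when the captured cookie is reused from other infrastructure, but an operator who performs the mailbox access from the same proxy host evades it. Treat it as one signal alongside impossible-travel and unfamiliar-client checks rather than a complete detection.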

Phishing BEC AiTM

51 Indicators      51 Public     


An Analysis of Infrastructure linked to the Hagga Threat Actor

Team Cymru researchers describe how they were able to pivot in threat telemetry, using IOCs from Yoroi Security's blog as seeds, to identify several other C2s. From the starting point of an IP address associated with an Agent Tesla command and control server, it was possible to pivot and identify a backend server hosting a MySQL database operated by the threat actor Hagga. From this point a further pivot led Team Cymru researchers to the identification of additional C2s hosting the Mana Tools C2 panel, along with a common certificate that can be used to increase confidence in attributing future infrastructure to this threat actor.
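The pivot described above is a walk over a host-to-attribute graph: start from a seed IP, collect its attributes (certificate fingerprint, panel fingerprint, host key), find other hosts sharing them, and repeat. The following is an added example, not Team Cymru's tooling or data; the hosts and attribute values are constructed placeholders, and the over-sharing threshold and hop limit are assumptions chosen to illustrate the failure mode of pivoting on a certificate that many unrelated hosts present.

```python
from collections import defaultdict, deque

# Constructed (host, attribute) observations, not real Hagga infrastructure.
# Attributes are strings such as a TLS certificate fingerprint, a C2 panel
# fingerprint, or an SSH host key; the values below are placeholders.
OBSERVATIONS = [
    ("192.0.2.10", "cert:aa11"),           # seed: the Agent Tesla C2
    ("192.0.2.10", "panel:mana-tools"),
    ("192.0.2.10", "ssh:hostkey:k1"),
    ("192.0.2.11", "cert:aa11"),           # same cert and panel as the seed
    ("192.0.2.11", "panel:mana-tools"),
    ("192.0.2.12", "cert:aa11"),
    ("192.0.2.12", "panel:mana-tools"),
    ("192.0.2.12", "ssh:hostkey:k2"),
    ("192.0.2.14", "ssh:hostkey:k2"),      # reachable only by a second hop
    ("192.0.2.13", "cert:bb22"),           # unrelated host
    ("192.0.2.13", "panel:generic-login"),
]
# A vendor default certificate shared by many unrelated hosts; pivoting on
# it would pull in noise, so the walk refuses over-shared attributes.
OBSERVATIONS += [(f"192.0.2.{n}", "cert:default-7f3e") for n in range(20, 26)]
OBSERVATIONS.append(("192.0.2.12", "cert:default-7f3e"))


def build_index(observations):
    """Return (host -> attributes, attribute -> hosts) lookup tables."""
    host_attrs = defaultdict(set)
    attr_hosts = defaultdict(set)
    for host, attr in observations:
        host_attrs[host].add(attr)
        attr_hosts[attr].add(host)
    return host_attrs, attr_hosts


def pivot(seed, observations, max_hosts_per_attr=4, max_depth=2):
    """Breadth-first pivot from `seed`. Returns {host: attribute it was
    reached through}; the seed maps to "seed". Attributes shared by more
    than `max_hosts_per_attr` hosts are treated as non-attributive and
    skipped, and the walk stops `max_depth` hops from the seed."""
    host_attrs, attr_hosts = build_index(observations)
    found = {seed: "seed"}
    frontier = deque([(seed, 0)])
    while frontier:
        host, depth = frontier.popleft()
        if depth >= max_depth:
            continue
        for attr in sorted(host_attrs[host]):
            hosts = attr_hosts[attr]
            if len(hosts) > max_hosts_per_attr:
                continue  # too widely shared to support attribution
            for other in sorted(hosts):
                if other not in found:
                    found[other] = attr
                    frontier.append((other, depth + 1))
    return found


def shared_attributes(host_a, host_b, observations):
    """Attributes two hosts have in common, as a sorted list; more overlap
    means higher confidence that they belong to the same operator."""
    host_attrs, _ = build_index(observations)
    return sorted(host_attrs[host_a] & host_attrs[host_b])


if __name__ == "__main__":
    for host, via in sorted(pivot("192.0.2.10", OBSERVATIONS).items()):
        print(host, "via", via)
```

The hop limit matters as much as the sharing threshold: every hop weakens the link back to the seed, so hosts found at the second hop (here 192.0.2.14, connected only through an SSH host key) deserve manual review before they are tagged to the actor.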

ManaTools Hagga TeamCymru AgentTesla Malware

38 Indicators      38 Public     


RiskIQ: Newly Observed Sliver C2 Servers Observed 2022/07/01 - 2022/07/10

This post provides a list of IP addresses observed hosting Sliver command and control (C2) servers from 2022/07/01 - 2022/07/10.


26 Indicators      0 Public      26 RiskIQ


ABCsoup: The Malicious Adware Extension with 350 Variants - Zimperium Mobile Security Blog

Recently, Zimperium discovered and began monitoring the growth of a wide range of malicious browser extensions with the same extension ID as Google Translate. This family, codenamed ABCsoup, targets three popular browsers: Google Chrome, Opera, and Firefox.

Zimperium ABCsoup Malware Google Chrome ChromeWebStore

212 Indicators      212 Public     


Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs

Chinese-linked phishing campaign seeks to compromise Russian targets with custom malware designed for espionage.

China Russia Phishing Malware

16 Indicators      16 Public     


OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow

Intezer describes new malware targeting Linux, named OrBit after one of the filenames it uses to temporarily store the output of executed commands. It can be installed either with persistence capabilities or as a volatile implant. The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands. Once installed, it infects all running processes on the machine, including newly started ones.

Linux Linux Malware OrBit Intezer

2 Indicators      2 Public     


Ransomware Spotlight: BlackByte

BlackByte is a ransomware family that has been building a name for itself since 2021. Like its contemporaries, it has gone after critical infrastructure for a higher chance of getting a payout. Initial versions of BlackByte used symmetric keys; it has multiple variants, archives files using WinRAR, uses trojanized legitimate tools, and relies on phishing emails or a known ProxyShell vulnerability for initial access.

Ransomware TrendMicro BlackByte RaaS

8 Indicators      7 Public      1 RiskIQ

RiskIQ | 22 Battery Street, 10th Floor | San Francisco, CA 94111
© Copyright 2022 RiskIQ, Inc. All rights reserved.