PassiveTotal Threat Intel Digest
2022-07-18

This digest highlights OSINT and original research that RiskIQ has gathered and enriched weekly.

ARTICLES (10)

Transparent Tribe Begins Targeting Education Sector in Latest Campaign
Cisco Talos recently discovered an ongoing campaign conducted by the Transparent Tribe APT group against students at various educational institutions in India. Typically, this APT group focuses on targeting government (government employees, military personnel) and pseudo-government entities (think tanks, conferences, etc.) using remote access trojans (RATs) such as CrimsonRAT and ObliqueRAT. However, in this new campaign dating back to December 2021, the adversary is targeting students of universities and colleges in India. This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users.
Tags: MalDoc, Malware, CrimsonRAT, ObliqueRAT, TransparentTribe | Indicators: 37 (37 Public)

Climbing Mount Everest: Black-Byte Bytes Back?
NccGroup reports have linked Everest ransomware to the Everbe 2.0 family, which is composed of Embrace, PainLocker, EvilLocker and Hyena Locker ransomware. However, after recovering and analyzing an Everest ransomware file, NccGroup assesses with medium confidence that Everest ransomware is related to Black-Byte.
Tags: Ransomware, BlackByte, Everest, NccGroup, Everbe 2.0 | Indicators: 12 (12 Public)

Luna Moth: The Actors Behind the Recent False Subscription Scams
The Sygnia Incident Response team identified a relatively new threat group, which has been operating since the end of March 2022. Sygnia refers to this threat actor as 'Luna Moth' or TG2729. 'Luna Moth' focuses on data breach extortion attacks, threatening to leak stolen information if the demanded ransom is not paid. The initial compromise is achieved by deceiving victims in a phishing campaign themed around Zoho MasterClass and Duolingo subscriptions, leading to the installation of an initial tool on the compromised host. The group uses commercial remote administration tools (RATs) and publicly available tools to operate on compromised devices and maintain persistence, demonstrating once more the simplicity and effectiveness of ransom attacks. The group acts and operates in an opportunistic way: even if there are no assets or devices to compromise in the network, they exfiltrate any data that is accessible; this emphasizes the importance of managing sensitive corporate information.
Tags: Sygnia, LunaMoth, RAT, Extortion, Phishing | Indicators: 189 (176 Public, 13 RiskIQ)

Attackers Use AiTM Phishing Sites as Entry Point to Further Financial Fraud
A large-scale phishing campaign that attempted to target over 10,000 organizations since September 2021 used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user's sign-in session, and skip the authentication process, even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.
Tags: Phishing, BEC, AiTM | Indicators: 51 (51 Public)

An Analysis of Infrastructure Linked to the Hagga Threat Actor
Team Cymru researchers describe how they were able to pivot in threat telemetry, using IOCs from Yoroi Security's blog as seeds, to identify several other C2s. From the starting point of an IP address (69.174.99.181) associated with an Agent Tesla command and control server, it was possible to pivot and identify a backend server hosting a MySQL database operated by the threat actor Hagga. From this point a further pivot led Team Cymru researchers to the identification of additional C2s hosting the Mana Tools C2 panel, along with a common certificate that can be used to increase confidence in attributing future infrastructure to this threat actor.
Tags: ManaTools, Hagga, TeamCymru, AgentTesla, Malware | Indicators: 38 (38 Public)

OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow
New malware targeting Linux, named OrBit after one of the filenames it uses to temporarily store the output of executed commands, can be installed either with persistence capabilities or as a volatile implant. The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands. Once the malware is installed it will infect all of the running processes on the machine, including newly started ones.
Tags: Linux, Linux Malware, OrBit, Intezer | Indicators: 2 (2 Public)

Ransomware Spotlight: BlackByte
BlackByte is a ransomware family that has been building a name for itself since 2021. Like its contemporaries, it has gone after critical infrastructure for a higher chance of getting a payout. BlackByte's initial versions used symmetric keys; it has multiple variants, archives files using WinRAR, uses trojanized legitimate tools, and relies on phishing emails or a known ProxyShell vulnerability for initial access.
Tags: Ransomware, TrendMicro, BlackByte, RaaS | Indicators: 8 (7 Public, 1 RiskIQ)