This is a weekly threat intelligence report review from RST Cloud. We have analysed 41 threat intelligence reports this week and have created concise summaries of the reports with extracted metadata. You can find below a short summary of each report, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.
Title: Andariel Group (MeshAgent) is attacking by abusing domestic asset management solutions
Link: https://asec.ahnlab.com/ko/62771
Summary: AhnLab Security Intelligence Center (ASEC) has discovered that the Andariel group is targeting South Korean companies using tactics such as installing MeshAgent to gain remote control over systems, utilizing the AndarLoader malware to download executable data from a Command and Control server, and employing ModeLoader to install additional malicious code. The group also uses keylogger malware for keylogging and clipboard logging, post-infection activities involving remote screen control, and tools like MeshAgent and RDP for access. Along with other threat groups like Kimsuky and Lazarus, the Andariel group poses a significant cyber threat to South Korea, evolving from seeking security-related information to financial gain through attacks involving spear phishing, watering hole attacks, and software vulnerabilities exploitation.
Threats: andariel_group meshagent andarloader andardoor koivm dotfuscator_tool mimikatz_tool wevtutil_tool kimsuky_group frpc_tool lazarus_group spear-phishing_technique watering_hole_technique Backdoor/JS.ModeLoader.SC197310 Trojan/Win.Generic.C5384741 Trojan/Win.KeyLogger.C5542383 Trojan/Win32.RL_Mimikatz.R366782
Indicators of compromise:
-------------------------
ip: 84.38.129.21
domain: privacy.hopto.org:443, privatemake.bounceme.net:443
url: http://www.ipservice.kro.kr/index.php, http://www.ipservice.kro.kr/view.php, http://www.ipservice.kro.kr/moderead.php, http://panda.ourhome.o-r.kr/view.php, http://panda.ourhome.o-r.kr/moderead.php, http://panda.ourhome.o-r.kr/modeview.php, http://www.mssrv.kro.kr/view.php, http://www.mssrv.kro.kr/modeview.php, http://www.mssrv.kro.kr/moderead.php, http://www.mssrv.kro.kr/modewrite.php
hash:
- md5=a714b928bbc7cd480fed85e379966f95,
- md5=4f1b1124e34894398aa423200a8ab894,
- md5=2c69c4786ce663e58a3cc093c6d5b530,
- md5=29efd64dd3c7fe1e2b022b7ad73a1ba5Title: Evasive Panda leverages Monlam Festival to target Tibetans
Summary: ESET researchers discovered a cyberespionage campaign by the Evasive Panda APT group targeting Tibetans through strategic web compromises and supply-chain attacks, deploying Nightdoor and MgBot malware via trojanized Tibetan language translation software and watering hole attacks on websites related to the Monlam Festival and a Tibetan software company. The threat actors, Chinese-speaking with a custom malware framework, have targeted individuals and government entities in several countries in Asia and Africa since at least September 2023, utilizing techniques to evade detection and establishing persistence on compromised systems, with the Nightdoor backdoor communicating with its C&C server through either UDP or the Google Drive API, marking significant enhancements compared to previous campaigns.
Threats: daggerfly_group supply_chain_technique watering_hole_technique nightdoor_backdoor mgbot aitm_technique dll_sideloading_technique process_injection_technique
Indicators of compromise:
-------------------------
ip: 188.208.141.204
domain: update.devicebug.com
url: https://www.kagyumonlam.org/media/vendor/jquery/js/jquery.js?3.6.3, https://update.devicebug.com/getversion.php, https://update.devicebug.com/fixtools/certificate.exe, https://update.devicebug.com/assets_files/config.json, https://www.monlamit.com/monlam-app-store/monlam-bodyig3.zip, https://www.monlamit.com/monlam-app-store/monlam_grand_tibetan_dictionary_2018.zip, https://www.monlamit.com/monlam-app-store/deutsch-tibetisches_w%c3%b6rterbuch_installer_windows.zip, https://www.monlamit.com/monlam-app-store/monlam-bodyig-mac-os.zip, https://www.monlamit.com/monlam-app-store/monlam-grand-tibetan-dictionary-for-mac-os-x.zip, https://www.monlamit.com/sites/default/files/softwares/updatefiles/monlam_grand_tibetan_dictionary_2018/updateinfo.dat, https://tibetpost.net/templates, http://188.208.141.204:5040
hash:
- md5=3c5739c25a9b85e82e0969ee94062f40,
- md5=0c64c2baef534c8e9058797bcd783de5,
- sha1=77dbcdface92513590b7c3a407be2717c19094e0,
- md5=6014b56e4fff35dc4c948452b77c9aa9, sha1=d4938cb5c031ec7f04d73d4e75f5db5c8a5c04ceTitle: BianLian GOs for PowerShell After TeamCity Exploitation
Link: https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation
Summary: Avast's decryptor for the BianLian ransomware group led them to switch to extortion-based operations, monitored by GuidePoint's Research and Intelligence Team (GRIT) and DFIR team. After compromising a client's network via a TeamCity server using CVE vulnerabilities, the threat actor employed various techniques including deploying legitimate files, leveraging native Windows commands for lateral movement, using BITSAdmin for tool deployment, employing FuzzySecurity's PowerShell Suite for credential dumping, and ultimately implementing a PowerShell backdoor mimicking their standard GO backdoor functionality. The PowerShell backdoor operated within an encrypted tunnel with networking capabilities, intricate SSL certificate validation, and communication with a C2 server, resembling BianLian's GO trojan characteristics and demonstrating the threat group's evolving tactics and adaptability in exploiting vulnerabilities.
Threats: bianlian_group nltest_tool bitsadmin credential_dumping_technique scriptblock
Indicators of compromise:
-------------------------
ip: 136.0.3.71, 88.169.109.111, 165.227.151.123, 77.75.230.164, 164.92.243.252, 64.176.229.97, 164.92.251.25, 126.126.112.143, 38.207.148.147, 101.53.136.60, 188.166.236.38, 185.174.137.26
domain:
url: http://136.0.3.71:8001/win64.exe, http://136.0.3.71:8001/64.dll
hash:
- sha256=7981cdb91b8bad8b0b894cfb71b090fc9773d830fe110bd4dd8f52549152b448, md5=977ff17cd1fbaf0753d4d5aa892af7aa, sha1=1af5616fa3b4d2a384000f83e450e4047f04cb57Title: Breaking down Atomic MacOS Stealer (AMOS). Background
Link: https://medium.com/@dineshdevadoss04/breaking-down-atomic-macos-stealer-amos-8cd5eea56024
Summary: A cyber threat intelligence analyst discovers the malicious macOS stealer named Atomic MacOS Stealer (AMOS) through a sample Slack.dmg file, initially mistaken for a red teaming payload. AMOS evades current XProtect signatures and targets macOS users to extract sensitive data from various browsers, wallets, and applications. The stealer masquerades as Privilege Helper using Apple Script to trick users into providing login passwords and exfiltrates the stolen data to a Command and Control server stealthily. The malware includes a File Grabber functionality to gather specific files, monitors for virtualization software strings, and emphasizes the importance of proactive security measures to defend against evolving threats targeting macOS users. Ongoing research and monitoring for AppleScript execution are key for detection and response to such threats.
Threats: amos_stealer applescript
Indicators of compromise:
-------------------------
ip: 5.42.65.107
domain:
url: http://5.42.65.107/joinsystem
hash:
- sha1=008afff67ec8e20b9164c74a5e962dc520466b2d,
- sha1=1f763ac756ed13f0c08d3ef3c27654a62d3204e9,
- sha1=474a0150b3eac4a7242ffdcbd32ad9b478e25017,
- sha1=28566de2edf33187ee6de111360d2e4d0fa30be4,
- sha1=2d494cdc9d58d3c64ad1dd0b8dd36a539704a47e,
- sha1=90dd36ac3a4896b51ae89b298f2cdc949631d4a7,
- sha1=4a2f08ae92e00b60381d4c3b1ab2da96b6c9d232,
- sha1=68ed3cb921454d7f0e7fde46aea1831ba6c3b4bb,
- sha1=985340ec68c3ccf0a2a4d6fae42b4b121de1db7a,
- sha1=fb50216347e2017592d2915c21eec50bd2e5facb,
- sha1=300d2951e80c9c2eef51d34155fb98f034f9d0d4Title: Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns
Link: https://securityintelligence.com/x-force/itg05-leverages-malware-arsenal
Summary: X-Force has been tracking phishing campaigns by the cyber threat group ITG05 since February 2024, using lure documents mimicking authentic government and non-governmental documents across regions like Europe, the South Caucasus, Central Asia, and North and South America. The group introduced new techniques including the search-ms URI handler to lead victims to download malware from actor-controlled WebDAV servers, employed new backdoors like MASEPIE and OCEANMAP, and replaced older tools like CREDOMAP with STEELHOOK. ITG05, a Russian state-sponsored group linked to APT28 and Fancy Bear, targets entities globally with evolving tactics, involving impersonation of government entities and utilizing services like firstcloudit.com to host malicious payloads.
Threats: fancy_bear_group masepie_tool oceanmap steelhook headlace forest_blizzard_group beacon poshc2_tool ironjaw
Indicators of compromise:
-------------------------
ip: 172.114.170.18:55155, 194.126.178.8:55555, 148.252.42.42:54467, 74.124.219.71
domain: firstcloudit.com, webhook.site, webmail.facadesolutionsuae.com, wody-info-files.firstcloudit.com, kzgw-wody.firstcloudit.com, nas-files.firstcloudit.com, e-nas.firstcloudit.com, ua-calendar.firstcloudit.com, calendarua.firstcloudit.com, calendar-ua.firstcloudit.com, e-gov-am.firstcloudit.com, e-gov.firstcloudit.com, info-mod.firstcloudit.com, e-mod.firstcloudit.com, rada-zakon.firstcloudit.com, militarysupport.firstcloudit.com, sgg-files.firstcloudit.com, sgg-gov.firstcloudit.com, presidencia-docs.firstcloudit.com, files-presidencia.firstcloudit.com, e-presidencia.firstcloudit.com, presidencia-files.firstcloudit.com, presidencia-gov.firstcloudit.com, presidencia-gob.firstcloudit.com, gcsd.firstcloudit.com, emod.firstcloudit.com, e-military.firstcloudit.com, dls-gov.firstcloudit.com, eecommission.firstcloudit.com, eecommission-drive.firstcloudit.com
url:
hash:
- sha256=18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6,
- sha256=451f3d427ac21632f38619ef96dece25798918866d44fe82ff1ed30996f998dc,
- sha256=40a7fd89b9e51b0a515ac2355036d203357be90a2200b9c506b95c12db54c7aa,
- sha256=24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04,
- sha256=64b0037dde987c78edf807a1bd7f09cdfac072ec2a59954cc4918828b7e608a3Title: BIPClip: Malicious PyPI packages target crypto wallet recovery passwords
Summary: ReversingLabs has discovered the BIPClip malicious campaign targeting cryptocurrency wallets by stealing mnemonic phrases. The campaign, utilizing open source Python packages on the Python Package Index, involves tactics such as malicious file dependencies and name squatting to evade detection. The threat is designed to exploit developers utilizing the BIP39 standard for creating Bitcoin wallets and highlights the risks posed by supply chain attacks in the cryptocurrency ecosystem.
Threats: bipclip_campaign typosquatting_technique supply_chain_technique
Indicators of compromise:
-------------------------
ip: 5.42.92.191, 194.163.154.242, 65.109.70.235
domain:
url: https://github.com/hashsnake/backendapi/raw/main/settings, https://raw.githubusercontent.com/hashsnake/backendapi/main/settings
hash:
- sha1=a23db65079ef310b87d1f017742149addbb53a81,
- sha1=03baa36c6551d1414d9907775b4600c873421b34,
- sha1=45130c7a2d92282ee9c0b066206f235198b5ddfb,
- sha1=087d325c24a5b28ad5342f097c3ebce3653e9ced,
- sha1=46d3a5b3627e7de58c78f41eed4c95c6112245e7,
- sha1=f2aadcd5bd1ba46b056e2d9e4b53e21a18b61b2a,
- sha1=f6bb6216caf96246f07e3fd9ffcb5f0d83bd6f41,
- sha1=e50864e1db37a75b99596aea6538981991bf4915,
- sha1=a88802edce3d5e70ac2d79272f98c0891c793f2a,
- sha1=c3822c1f181d8f6f12325a00b5bd6cca0c18d124,
- sha1=c1dc8d26946d52a1014ccc6c02156449e8e1e3b6,
- sha1=b74c24938595fe4ccc6efe845d2b095d126ed3fc,
- sha1=7ed9e234384e564e6d41da156bc472d5f369727e,
- sha1=ed1eb28a139c456e520726307e280a26b789b367,
- sha1=db61022dd75a63e99544bb5096c2e30d4348608e,
- sha1=65dab94f5ba56b891ed9bfe20d2b1f21c2d00ee1,
- sha1=570e483dfdc6389e1d4a87f987c9b3e5a0d886ce,
- sha1=1619a6fce00eecf5946750ef47d1c5748e963456,
- sha1=f4ff1fe54132ca91ecdf7f4b48fc16b231047b96,
- sha1=a875e313026a5400a920767038d953398b4afcb6,
- sha1=4a39462ce7b3e2cda9998fb9fd42aeab3d5eb4a3,
- sha1=19d88ff3e9d32897becc33c07b4cc307871b426e,
- sha1=791e731b2db1551ccfc6df0990644ed405771aa6,
- sha1=9aa894169984cfb4835b01f5f5b49d9670818259,
- sha1=dddd55a60d5dcbec45c034330fe12b62e38a87a8,
- sha1=3e385f6b2c842a490c1729aee1b48b22a728e367,
- sha1=f2ed2e169bbe22aef73158e279e59d04a1f40ed9,
- sha1=633b858092f7e0eb435a73f5bc972baa4cf79452,
- sha1=3d82406f8e6ee1018bb39f6d40321940effeab2b,
- sha1=c05d35c4cc9038de3eae4e84fb9b7560f4112a3b,
- sha1=01b66f12e9f76342729c1260ff4f0da8fc1bbe01,
- sha1=d5400ef535a8effe8c23cb56c4cb1c2c569beb79,
- sha1=156610fff622481eb3c37e988a5c8ece20f93aef,
- sha1=3843c4add1c2960f280d07b047f0c780a7b65e4d,
- sha1=9c4d2bacc24f70112bc53742e8fe26dad1fa63d1,
- sha1=989276eb67d5179b5eda055390d850b47198cdd2,
- sha1=64cd50f3bc347c894cbf25a2013c04e73e85550a,
- sha1=206cd1758ceda4abc9622d4f50134444a639f925Title: FakeBat delivered via several active malvertising campaigns
Summary: In February, an uptick in search-based malvertising incidents was observed, with both known and new malware variants emerging, including the FakeBat family utilizing MSI installers with obfuscated PowerShell. Malvertisers initially exploited URL shorteners but later diversified tactics by leveraging legitimate websites for redirection, targeting a wider array of brands with malicious ad URLs. FakeBat's threat actor employs compromised websites and Google referer for conditional redirects, with ongoing campaigns targeting popular applications like OneNote and Epic Games hosted on a Russian provider. Despite efforts to combat the threat, FakeBat persists by deceiving users through fake software ads, requiring proactive defense measures like ThreatDown EDR to detect PowerShell executions and blocking ads at the source with tools like ThreatDown DNS Filter.
Threats: fakebat parsec_tool cloaking_technique
Indicators of compromise:
-------------------------
ip: 78.24.180.93
domain: cecar.com.ar, estiloplus.tur.ar, obs-software.cc, bandi-cam.cc, breavas.app, open-project.org, onenote-download.com, epicgames-store.org, blcnder.org, ads-pill.xyz, ads-pill.top, ads-tooth.top, ads-analyze.top
url:
hash:
- sha256=07b0c5e7d77629d050d256fa270d21a152b6ef8409f08ecc47899253aff78029,
- sha256=0d906e43ddf453fd55c56ccd6132363ef4d66e809d5d8a38edea7622482c1a7a,
- sha256=15ce7b4e6decad4b78fe6727d97692a8f5fd13d808da18cb9d4ce51801498ad8,
- sha256=40c9b735d720eeb83c85aae8afe0cc136dd4a4ce770022a221f85164a5ff14e5,
- sha256=f7fbf33708b385d27469d925ca1b6c93b2c2ef680bc4096657a1f9a30e4b5d18Title: What s in your notepad? Infected text editors target Chinese users
Link: https://securelist.com/trojanized-text-editor-apps/112167
Summary: Malvertising is being used by cybercriminals to lead victims to malicious sites, with deceptive advertisement blocks placed at the top of search results to increase the likelihood of user clicks. A malvertising campaign spreading the RedLine stealer through Google Ads used tactics like typosquatting to mimic official websites. Recently, a similar threat targeting users of a popular Chinese search engine involved distributing modified versions of text editors through ads and search results, with malicious sites hosting downloads containing backdoors like Geacon, communicating with a C2 server named "dns.transferusee.com" for remote command execution capabilities. Ongoing research aims to uncover undisclosed stages of the threat and identifies Linux backdoors similar to the macOS version.
Threats: redline_stealer typosquatting_technique sea_turtle_group geacon cobalt_strike portscan_tool
Indicators of compromise:
-------------------------
ip:
domain: vnote-1321786806.cos.ap-hongkong.myqcloud.com, dns.transferusee.com, update.transferusee.com, vnote.info, vnotepad.com, vnote.fuwenkeji.cn
url: http://update.transferusee.com/onl/mac/<md5_hash>, http://update.transferusee.com/onl/lnx/<md5_hash>
hash:
- md5=00fb77b83b8ab13461ea9dd27073f54f,
- md5=6ace1e014863eee67ab1d2d17a33d146,
- md5=43447f4c2499b1ad258371adff4f503f,
- md5=5ece6281d57f16d6ae773a16f83568db,
- md5=47c9fec1a949e160937dd9f9457ec689Title: BlackCat Ransomware Affiliate TTPs
Link: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
Summary: The FBI revealed disruption of the ALPHV/BlackCat ransomware variant, a "ransomware-as-a-service" offering, with a decryption tool provided for affected organizations. ConnectWise flagged vulnerabilities in ScreenConnect version 23.9.8, leading to security advisories. Huntress detected a healthcare-associated endpoint with modified Ransomware Canary files indicating a compromised ScreenConnect instance, unauthorized activity by threat actor 'chlsln14', and ransomware deployment efforts aiming to disable security measures and spread within the network, underscoring the sophistication and dangers of RaaS variants.
Threats: blackcat connectwise_rat screenconnect_tool shadow_copies_delete_technique
Indicators of compromise:
-------------------------
ip: 94.131.109.54:6531
domain:
url: http://94.131.109.54:6531/iw0pjckezadktma5xkv8zxs6.exe
hash:
- sha256=d72766a868fef87c0c073c1ec3b6a92b7daed7313b81ee6523386049f768b09dTitle: Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled
Link: https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware
Summary: The article delves into the BunnyLoader malware, unravelling its inception as a MaaS botnet and loader malware in September 2023 by the author "Player" aka "Player_Bunny." BunnyLoader's evolution led to the unveiling of BunnyLoader 3.0 in February 2024 with a plethora of enhanced features such as browser paths, keylogging capabilities, and encrypted communication, allowing threat actors to deliver sophisticated payloads and evade detection through tactics like packed binaries and filename obfuscation. Operating through various C2 servers and employing deceptive strategies using names of legitimate software, BunnyLoader 3.0 showcases a new array of modules for keylogging, data theft, clippering, and DoS attacks tailored to execute malicious activities on targeted machines.
Threats: bunnyloader purecryptor upx_tool themida_tool nanocore_rat player_bunny_group qakbot purelogs meduza nextronsystems_tool httpflood_technique tron
Indicators of compromise:
-------------------------
ip: 37.139.129.145, 185.241.208.83, 195.10.205.23, 172.105.124.34, 134.122.197.80, 91.92.254.31, 91.92.247.212, 185.241.208.104
domain:
url: http://ads.hostloads.xyz/baguvixju32i0/gate.php
hash:
- sha256=3a64f44275b6ff41912654ae1a4af1d9c629f94b8062be441902aeff2d38af3e,
- sha256=0f425950ceaed6578b2ad22b7baea7d5fe4fd550a97af501bca87d9eb551b825,
- sha256=82a3c2fd57ceab60f2944b6fea352c2aab62b79fb34e3ddc804ae2dbc2464eef,
- sha256=2ab21d859f1c3c21a69216c176499c79591da63e1907b0d155f45bb9c6aed4eb,
- sha256=c006f2f58784671504a1f2e7df8da495759227e64f58657f23efee4f9eb58216,
- sha256=52b7cdf5402f77f11ffebc2988fc8cdcd727f51a2f87ce3b88a41fd0fb06a124,
- sha256=5f09411395c8803f2a735b71822ad15aa454f47e96fd10acc98da4862524813a,
- sha256=cc2acf344677e4742b22725ff310492919499e357a95b609e80eaddc2b155b4b,
- sha256=ebc17dbf5970acb38c35e08560ae7b38c7394f503f227575cd56ba1a4c87c8a4,
- sha256=2d39bedba2a6fb48bf56633cc6943edc6fbc86aa15a06c03776f9971a9d2c550,
- sha256=2e9d6fb42990126155b8e781f4ba941d54bcc346bcf85b30e3348dde75fbeca1,
- sha256=74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994,
- sha256=fffdf51cdb54f707db617b29e2178bb54b67f527c866289887a7ada4d26b7563,
- sha256=62f041b12b8b4e0debd6e7e4556b4c6ae7066fa17e67900dcbc991dbd6a8443f,
- sha256=1a5ad9ae7b0dcdc2edb7e93556f2c59c84f113879df380d95835fb8ea3914ed8,
- sha256=c80a63350ec791a16d84b759da72e043891b739a04c7c1709af83da00f7fdc3aThis article was generated with the assistance of an artificial intelligence language model, ChatGPT.
