2021 Fall/Winter Threat Update
Common Information
| Type | Value |
|---|---|
| UUID | 5f87795f-e77e-44a1-baca-c19af4f819ab |
| Fingerprint | 1a4325baa9f24c6074bd80f537fde3070e259876da50405c3c212bd6f8bd4717 |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | Nov. 18, 2021, 7:42 p.m. |
| Added to db | March 12, 2024, 5:56 p.m. |
| Last updated | Aug. 31, 2024, 3:56 a.m. |
| Headline | 2021 Fall/Winter Threat Update |
| Title | 2021 Fall/Winter Threat Update |
| Detected Hints/Tags/Attributes | 89/3/236 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 202 | proofpoint.com |
|
| Details | Domain | 246 | mail.ru |
|
| Details | Domain | 2 | vscode-plug.c1.biz |
|
| Details | Domain | 2 | softlay-ware.c1.biz |
|
| Details | Domain | 2 | deioncube.biz |
|
| Details | Domain | 119 | yandex.ru |
|
| Details | Domain | 2 | konni.ae |
|
| Details | Domain | 2 | acount-pro.club |
|
| Details | Domain | 2 | acount-pro.live |
|
| Details | Domain | 2 | anlysis-info.xyz |
|
| Details | Domain | 2 | asia-studies.net |
|
| Details | Domain | 4 | bignaver.com |
|
| Details | Domain | 3 | carnegieinsider.com |
|
| Details | Domain | 3 | change-pw.com |
|
| Details | Domain | 2 | clonesec.us |
|
| Details | Domain | 4 | cloudnaver.com |
|
| Details | Domain | 2 | cloudocument.com |
|
| Details | Domain | 3 | cloudsecurityservice.net |
|
| Details | Domain | 2 | dailycloudservice.com |
|
| Details | Domain | 2 | daumhelp.net |
|
| Details | Domain | 2 | daum-protect.com |
|
| Details | Domain | 2 | delivernaver.com |
|
| Details | Domain | 2 | delivers-security.com |
|
| Details | Domain | 2 | delivers-security.net |
|
| Details | Domain | 2 | diplomatictraining.com |
|
| Details | Domain | 2 | document-package.online |
|
| Details | Domain | 2 | documentpackages.link |
|
| Details | Domain | 2 | documentpackages.online |
|
| Details | Domain | 2 | documentpackage.space |
|
| Details | Domain | 2 | documentpackages.space |
|
| Details | Domain | 2 | documentpackages.store |
|
| Details | Domain | 4 | documentserver.site |
|
| Details | Domain | 3 | down-error.com |
|
| Details | Domain | 3 | download-apks.com |
|
| Details | Domain | 3 | downloader-hanmail.net |
|
| Details | Domain | 2 | download-live.com |
|
| Details | Domain | 3 | emailnaver.com |
|
| Details | Domain | 2 | globalcloudservices.org |
|
| Details | Domain | 2 | gooapi.online |
|
| Details | Domain | 2 | google-acount.com |
|
| Details | Domain | 2 | goolg-e.com |
|
| Details | Domain | 2 | goolge.space |
|
| Details | Domain | 2 | govermentweb.site |
|
| Details | Domain | 2 | help-master.online |
|
| Details | Domain | 2 | helpnaver.host |
|
| Details | Domain | 2 | helpnaver.link |
|
| Details | Domain | 2 | helpnaver.online |
|
| Details | Domain | 2 | help-naver.site |
|
| Details | Domain | 2 | helpnaver.site |
|
| Details | Domain | 2 | help-secure.info |
|
| Details | Domain | 2 | hpronto-login.com |
|
| Details | Domain | 2 | itamaraty.net |
|
| Details | Domain | 2 | knowledgeofworld.org |
|
| Details | Domain | 2 | lnfo-master.com |
|
| Details | Domain | 2 | login-protect.club |
|
| Details | Domain | 2 | login-protect.online |
|
| Details | Domain | 2 | mail-master.online |
|
| Details | Domain | 2 | mail.summitz.com |
|
| Details | Domain | 2 | microsoft-pro.host |
|
| Details | Domain | 2 | microsoft-pro.live |
|
| Details | Domain | 2 | microsoft-pro.site |
|
| Details | Domain | 2 | microsoft-pro.space |
|
| Details | Domain | 3 | midsecurity.org |
|
| Details | Domain | 2 | mid-service.com |
|
| Details | Domain | 2 | mid-service.org |
|
| Details | Domain | 2 | myethrvvallet.com |
|
| Details | Domain | 3 | mysoftazure.com |
|
| Details | Domain | 2 | naverhelp.com |
|
| Details | Domain | 2 | naversecurity.us |
|
| Details | Domain | 3 | nicnaver.com |
|
| Details | Domain | 2 | nidnaver.host |
|
| Details | Domain | 2 | nidnaver.press |
|
| Details | Domain | 2 | nidnaver.site |
|
| Details | Domain | 2 | nidnaver.store |
|
| Details | Domain | 2 | noreply-cc.online |
|
| Details | Domain | 2 | noreply-goolge.com |
|
| Details | Domain | 2 | noreply-sec.online |
|
| Details | Domain | 2 | noreply-yahoo.com |
|
| Details | Domain | 3 | oaass-torrent.com |
|
| Details | Domain | 3 | proattachfile.com |
|
| Details | Domain | 2 | pronto-login.info |
|
| Details | Domain | 2 | pw-change.com |
|
| Details | Domain | 3 | resetpolicy.com |
|
| Details | Domain | 4 | resetprofile.com |
|
| Details | Domain | 2 | rfa.news |
|
| Details | Domain | 4 | rnaii.com |
|
| Details | Domain | 3 | rnail-inbox.com |
|
| Details | Domain | 3 | rnailm.com |
|
| Details | Domain | 2 | rnail-suport.site |
|
| Details | Domain | 4 | rneail.com |
|
| Details | Domain | 2 | secureaction.ru |
|
| Details | Domain | 3 | securelevel.site |
|
| Details | Domain | 2 | security-acount.info |
|
| Details | Domain | 3 | securitycounci1report.org |
|
| Details | Domain | 2 | security-delivers.com |
|
| Details | Domain | 2 | securityforcastreport.com |
|
| Details | Domain | 2 | security-lnfo.com |
|
| Details | Domain | 2 | security-nid.space |
|
| Details | Domain | 2 | security-pro.me |
|
| Details | Domain | 2 | security-pro.online |
|
| Details | Domain | 2 | securitysettings.info |
|
| Details | Domain | 7 | seoulhobi.biz |
|
| Details | Domain | 2 | servicenaver.com |
|
| Details | Domain | 4 | servicenidnaver.com |
|
| Details | Domain | 2 | sinoforecast.com |
|
| Details | Domain | 3 | softfilemanage.com |
|
| Details | Domain | 2 | ssidnaver.com |
|
| Details | Domain | 2 | stategov.biz |
|
| Details | Domain | 2 | support-info.network |
|
| Details | Domain | 2 | unosa.org |
|
| Details | Domain | 2 | voakorea.news |
|
| Details | Domain | 2 | voakoreas.com |
|
| Details | Domain | 2 | voipgoogle.com |
|
| Details | Domain | 2 | vpsino.org |
|
| Details | Domain | 2 | webofknowledg.com |
|
| Details | Domain | 2 | xfindphoneloc.com |
|
| Details | Domain | 2 | xn--mcrosoft-online-hic.com |
|
| Details | Domain | 2 | 0member-services.hol.es |
|
| Details | Domain | 2 | attachdown.000webhostapp.com |
|
| Details | Domain | 2 | attachdownload.99on.com |
|
| Details | Domain | 3 | dnsservice.esy.es |
|
| Details | Domain | 2 | emailru.99on.com |
|
| Details | Domain | 3 | firefox-plug.c1.biz |
|
| Details | Domain | 2 | koryogroup.1apps.com |
|
| Details | Domain | 2 | lookyes.c1.biz |
|
| Details | Domain | 2 | north-korea.medianewsonline.com |
|
| Details | Domain | 2 | online-manual.c1.biz |
|
| Details | Domain | 3 | romanovawillkillyou.c1.biz |
|
| Details | Domain | 2 | securitydownload.99on.com |
|
| Details | Domain | 2 | silverlog.hol.es |
|
| Details | Domain | 4 | takemetoyouheart.c1.biz |
|
| Details | Domain | 3 | taketodjnfnei898.c1.biz |
|
| Details | Domain | 3 | taketodjnfnei898.ueuo.com |
|
| Details | Domain | 3 | upsrv.16mb.com |
|
| Details | Domain | 2 | win10-ms.c1.biz |
|
| Details | Domain | 2 | 1006ieudneu.atwebpages.com |
|
| Details | Domain | 2 | 1995ieudneu.atwebpages.com |
|
| Details | Domain | 3 | fd-com.fr |
|
| Details | Domain | 2 | influencer.jvproduccionessv.com |
|
| Details | Domain | 2 | mail.apm.co.kr |
|
| Details | Domain | 2 | oaass.co.kr |
|
| Details | Domain | 2 | rabadaun.com |
|
| Details | Domain | 2 | simple.kswebdesign.eu |
|
| Details | Domain | 2 | www.acl-medias.fr |
|
| Details | Domain | 2 | u13448720.ct.sendgrid.net |
|
| Details | Domain | 2 | u19402039.ct.sendgrid.net |
|
| Details | Domain | 2 | u7747409.ct.sendgrid.net |
|
| Details | Domain | 2 | u8253848.ct.sendgrid.net |
|
| Details | Domain | 2 | u9810308.ct.sendgrid.net |
|
| Details | Domain | 189 | asec.ahnlab.com |
|
| Details | Domain | 37 | blog.alyac.co.kr |
|
| Details | Domain | 53 | blogs.blackberry.com |
|
| Details | Domain | 261 | blog.talosintelligence.com |
|
| Details | Domain | 4 | download.ahnlab.com |
|
| Details | Domain | 19 | cyberint.com |
|
| Details | Domain | 434 | medium.com |
|
| Details | Domain | 8 | redalert.nshc.net |
|
| Details | Domain | 224 | unit42.paloaltonetworks.com |
|
| Details | Domain | 154 | us-cert.cisa.gov |
|
| Details | Domain | 184 | www.fireeye.com |
|
| Details | Domain | 41 | www.freebuf.com |
|
| Details | Domain | 103 | www.mcafee.com |
|
| Details | Domain | 604 | www.trendmicro.com |
|
| Details | Domain | 370 | www.proofpoint.com |
|
| Details | 2 | donaldxxxtrump@yandex.ru |
||
| Details | File | 2 | star-send.php |
|
| Details | File | 3 | victory.exe |
|
| Details | File | 11 | pdf.js |
|
| Details | File | 1 | トのブラウザはdownload.php |
|
| Details | File | 1 | htmlと.exe |
|
| Details | File | 1204 | index.php |
|
| Details | File | 2 | fatboy.dll |
|
| Details | File | 1 | 以下のデータをすべてxtong.txt |
|
| Details | File | 2 | xtong.txt |
|
| Details | File | 1 | certutilを使用してxtong.txt |
|
| Details | File | 2 | chk.bat |
|
| Details | File | 2 | fatboy32.dll |
|
| Details | File | 2 | fatboy64.dll |
|
| Details | File | 51 | install.bat |
|
| Details | File | 2 | wupelv32.dll |
|
| Details | File | 2 | wupelv64.dll |
|
| Details | File | 1 | ではwupelv32.dll |
|
| Details | File | 1 | 昇格した特権でinstall.bat |
|
| Details | File | 1 | インプラントの実行とクリーンアップに使用されるinstall.bat |
|
| Details | File | 2 | ball.bat |
|
| Details | File | 1 | cのurlを渡すためのball.bat |
|
| Details | File | 1 | 侵害されたデバイスの偵察を目的としたdf.vbs |
|
| Details | File | 2 | df.vbs |
|
| Details | File | 2 | %username%.bin |
|
| Details | File | 2 | mt4managre.exe |
|
| Details | File | 2 | fontdrv.exe |
|
| Details | File | 1 | 次のcmd.exe |
|
| Details | File | 156 | 1.exe |
|
| Details | File | 3 | konni-malware-under-radar-for-years.html |
|
| Details | File | 2 | analysis_report_operation_moneyholic.pdf |
|
| Details | File | 2 | cyberint_konni%20malware%202019%20campaign_report.pdf |
|
| Details | File | 2 | to-russia-with-apt.html |
|
| Details | File | 2 | sanny-cnc-backend-disabled.html |
|
| Details | File | 1 | recently-observed-attacks.html |
|
| Details | File | 2 | 262367.html |
|
| Details | File | 2 | rp-operation-oceansalt.pdf |
|
| Details | File | 2 | syscon-backdoor-uses-ftp-as-a-cc-channel.html |
|
| Details | IPv4 | 2 | 222.118.183.131 |
|
| Details | IPv4 | 2 | 192.109.119.6 |
|
| Details | IPv4 | 2 | 108.177.235.226 |
|
| Details | IPv4 | 2 | 108.62.12.11 |
|
| Details | IPv4 | 2 | 212.114.52.227 |
|
| Details | Pdb | 1 | e:\work\_spyware\virus_2020\release\dropper_exe_media.pdb |
|
| Details | Url | 2 | http://ksi/000/spy/jauur0.hta |
|
| Details | Url | 2 | http://vscode-plug.c1.biz/index.php |
|
| Details | Url | 1 | http://softlay-ware.c1.biz/ballからファイルのダウンロードに成功 |
|
| Details | Url | 2 | https://asec.ahnlab.com/ko/1251 |
|
| Details | Url | 3 | https://blog.alyac.co.kr/2061 |
|
| Details | Url | 2 | https://blog.alyac.co.kr/3014 |
|
| Details | Url | 3 | https://blog.alyac.co.kr/3390 |
|
| Details | Url | 2 | https://blog.alyac.co.kr/3550 |
|
| Details | Url | 2 | https://blogs.blackberry.com/en/2017/08/threat-spotlight-konni-stealthy-remote-access-trojan |
|
| Details | Url | 3 | https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html |
|
| Details | Url | 2 | https://download.ahnlab.com/kr/site/library/analysis_report_operation_moneyholic.pdf |
|
| Details | Url | 2 | https://e.cyberint.com/hubfs/cyberint_konni%20malware%202019%20campaign_report.pdf |
|
| Details | Url | 2 | https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b |
|
| Details | Url | 2 | https://redalert.nshc.net/2019/03/28/threat-actor-group-using-uac-bypass-module-to-run-bat-file |
|
| Details | Url | 1 | https://ti.qianxin.com/blog/articles/the-konni-apt-organization-uses-nuclear-issues-and-epidemics-as- |
|
| Details | Url | 1 | https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear- |
|
| Details | Url | 2 | https://unit42.paloaltonetworks.com/unit42-new-konni-malware-attacking-eurasia-southeast-asia |
|
| Details | Url | 1 | https://unit42.paloaltonetworks.com/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses- |
|
| Details | Url | 1 | https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to- |
|
| Details | Url | 2 | https://us-cert.cisa.gov/ncas/alerts/aa20-227a |
|
| Details | Url | 2 | https://www.fireeye.com/blog/threat-research/2012/12/to-russia-with-apt.html |
|
| Details | Url | 2 | https://www.fireeye.com/blog/threat-research/2013/03/sanny-cnc-backend-disabled.html |
|
| Details | Url | 1 | https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in- |
|
| Details | Url | 2 | https://www.freebuf.com/articles/network/262367.html |
|
| Details | Url | 1 | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee- |
|
| Details | Url | 2 | https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf |
|
| Details | Url | 2 | https://www.trendmicro.com/en_us/research/17/j/syscon-backdoor-uses-ftp-as-a-cc-channel.html |
|
| Details | Windows Registry Key | 41 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |