每周高级威胁情报解读(2024.11.15~11.21)
Tags
Common Information
| Type | Value |
|---|---|
| UUID | 87e05670-29cb-4e8d-bc3b-5c31b54fc180 |
| Fingerprint | 37f8f98cb53644e9 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Nov. 15, 2024, midnight |
| Added to db | Nov. 22, 2024, 12:49 p.m. |
| Last updated | Dec. 18, 2024, 10:13 a.m. |
| Headline | 每周高级威胁情报解读(2024.11.15~11.21) |
| Title | 每周高级威胁情报解读(2024.11.15~11.21) |
| Detected Hints/Tags/Attributes | 37/2/64 |
Source URLs
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 267 | ✔ | 奇安信威胁情报中心 | https://wechat2rss.xlab.app/feed/b93962f981247c0091dad08df5b7a6864ab888e9.xml | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 13 | cve-2024-48990 |
|
| Details | CVE | 12 | cve-2024-48991 |
|
| Details | CVE | 12 | cve-2024-48992 |
|
| Details | CVE | 13 | cve-2024-11003 |
|
| Details | CVE | 11 | cve-2024-10224 |
|
| Details | Domain | 227 | mp.weixin.qq.com |
|
| Details | Domain | 56 | cyble.com |
|
| Details | Domain | 146 | research.checkpoint.com |
|
| Details | Domain | 5 | editproai.pro |
|
| Details | Domain | 5 | editproai.org |
|
| Details | Domain | 265 | blog.talosintelligence.com |
|
| Details | Domain | 62 | blog.sekoia.io |
|
| Details | Domain | 239 | unit42.paloaltonetworks.com |
|
| Details | Domain | 16 | blog.lumen.com |
|
| Details | Domain | 12 | intezer.com |
|
| Details | 1 | 这些邮件来自一个欺诈性地址alert@il-cert.net |
||
| Details | File | 1 | 的计划任务用于持久化且请求下一阶段sostener.vbs |
|
| Details | File | 3 | dllskyfal.txt |
|
| Details | File | 2 | 便在计算机内%temp%目录下创建一个名为xxx.ps1 |
|
| Details | File | 2 | 和xx2.vbs |
|
| Details | File | 2 | 运行andeloader将dcrat注入到regsvcs.exe |
|
| Details | File | 4 | signedconnection.zip |
|
| Details | File | 1 | 如signedconnection.exe |
|
| Details | File | 4 | signedconnection.exe |
|
| Details | File | 1 | 实际为onedrive相关程序filecoauth.exe |
|
| Details | File | 1 | 它运行后会通过dll侧加载的方式运行同目录下的secur32.dll |
|
| Details | File | 1 | 而secur32.dll |
|
| Details | File | 1 | 原压缩包中的qt5core.dll |
|
| Details | File | 1 | 发现恶意压缩包signedconnection.zip |
|
| Details | File | 2 | 其中db.txt |
|
| Details | File | 2 | 以从远程的github地址下载info1.txt |
|
| Details | File | 2 | up1.txt |
|
| Details | File | 2 | 和down1.txt |
|
| Details | File | 2 | down1.txt |
|
| Details | File | 2 | 解密后的info1.txt |
|
| Details | File | 1 | %appdata%\ahnlab\avira.txt |
|
| Details | File | 2 | 解密后的up1.txt |
|
| Details | File | 2 | 主要负责将包含受害者系统信息的avira.txt |
|
| Details | File | 2 | 解密后的down1.txt |
|
| Details | File | 1 | %appdata%\utf8settings.ini |
|
| Details | File | 1 | 并伪造成cmd.exe |
|
| Details | File | 1 | 并重命名为cmd.exe |
|
| Details | File | 1 | 木马程序xclient.exe |
|
| Details | File | 1 | 在virustotal上被多款杀毒引擎检测为trojan.msi |
|
| Details | File | 1 | 攻击的核心在于background.js |
|
| Details | File | 1 | 文章还提到一个名为go-encrypt.exe |
|
| Details | File | 1 | 虽然不能确认go-encrypt.exe |
|
| Details | Threat Actor Identifier - APT-C | 91 | APT-C-36 |
|
| Details | Threat Actor Identifier - APT-C | 16 | APT-C-55 |
|
| Details | Url | 2 | https://mp.weixin.qq.com/s/ddccjhbjuta7ia4hggsa1a |
|
| Details | Url | 1 | https://mp.weixin.qq.com/s/n4rycel4ajtqx7e9tvdyag |
|
| Details | Url | 1 | https://cyble.com/blog/donots-attack-on-maritime-defense-manufacturing |
|
| Details | Url | 1 | https://mp.weixin.qq.com/s/gzmor8jkjelzuj5bphpjya |
|
| Details | Url | 2 | https://research.checkpoint.com/2024/wezrat-malware-deep-dive |
|
| Details | Url | 1 | https://mp.weixin.qq.com/s/t5rw9poiz7al-nct5rle5g |
|
| Details | Url | 1 | https://www.bitdefender.com/en-us/blog/labs/inside-bitdefender-labs-investigation-of-a-malicious-facebook-ad-campaign-targeting-bitwarden-users |
|
| Details | Url | 1 | https://www.bleepingcomputer.com/news/security/fake-ai-video-generators-infect-windows-macos-with-infostealers |
|
| Details | Url | 1 | https://blog.talosintelligence.com/new-pxa-stealer |
|
| Details | Url | 1 | https://mp.weixin.qq.com/s/kpphc1mvlkr5qvi9pfbhpw |
|
| Details | Url | 1 | https://blog.sekoia.io/helldown-ransomware-an-overview-of-this-emerging-threat |
|
| Details | Url | 1 | https://unit42.paloaltonetworks.com/frostygoop-malware-analysis |
|
| Details | Url | 2 | https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet |
|
| Details | Url | 1 | https://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader |
|
| Details | Url | 1 | https://blog.qualys.com/vulnerabilities-threat-research/2024/11/19/qualys-tru-uncovers-five-local-privilege-escalation-vulnerabilities-in-needrestart |