2024.02.13.Water_Hydra
parent
903a6f3a25
commit
f018b6fb93
Binary file not shown.
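--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,258 @@
+CVE-2024-21412: Water Hydra Targets Traders with Windows Defender SmartScreen Zero-Day
+=======================================================================================
+Indicators of Compromise
+=======================================================================================
+
+[URL]
+hxxp[://]84[.]32[.]189[.]74
+hxxp[://]84[.]32[.]189[.]74/xampp/
+hxxp[://]84[.]32[.]189[.]74/webdav/
+hxxps[://]fxbulls[.]ru
+hxxps[://]fxbulls[.]ru/wp-content/uploads
+hxxps[://]fxbulls[.]ru/wp-content/uploads/2023/12/photo_2023-12-29[.]jpg[.]htm
+hxxps[://]fxbulls[.]ru/wp-content/uploads/2023/12/photo_2023-12-29[.]jpg[.]html
+hxxps[://]84[.]32[.]189[.]74@0[.]0[.]0[.]80/fxbulls/net/2[.]url
+
+hxxp[://]84[.]32[.]189[.]74/fxbulls
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/photo_2023-12-29[.]jpg[.]url
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/Thumbs[.]db
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/2[.]url
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/a2[.]zip
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/a2[.]zip/a2[.]cmd
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/a2[.]zip
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/b3[.]dll
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/7z[.]dll
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/7z[.]exe
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/photo_2023-12-29s[.]jpg
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/My2[.]zip
+
+hxxp[://]84[.]32[.]189[.]74/fxbulls
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/photo_2023-12-29[.]jpg[.]url
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/Thumbs[.]db
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/2[.]url
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/a2[.]zip
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/a2[.]zip/a2[.]cmd
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/a2[.]zip
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/b3[.]dll
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/7z[.]dll
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/7z[.]exe
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/photo_2023-12-29s[.]jpg
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/My2[.]zip
+
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/photo_2023-12-29[.]jpg[.]url
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/Thumbs[.]db
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/2[.]url
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/a2[.]zip
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/a2[.]zip/a2[.]cmd
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/a2[.]zip
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/b3[.]dll
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/7z[.]dll
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/7z[.]exe
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/photo_2023-12-29s[.]jpg
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/My2[.]zip
+
+hxxp[://]84[.]32[.]189[.]74/underwall/docs
+hxxp[://]84[.]32[.]189[.]74/underwall/docs/7z.zip
+hxxp[://]84[.]32[.]189[.]74/underwall/docs/passport.jpg.url
+hxxp[://]84[.]32[.]189[.]74/underwall/docs/warop.url
+hxxp[://]84[.]32[.]189[.]74/underwall/expand
+hxxp[://]84[.]32[.]189[.]74/underwall/expand/7z.zip
+hxxp[://]84[.]32[.]189[.]74/underwall/expand/photo_2023-12-26.jpg.url
+hxxp[://]84[.]32[.]189[.]74/underwall/expand/warop.url
+hxxp[://]84[.]32[.]189[.]74/underwall/society
+hxxp[://]84[.]32[.]189[.]74/underwall/society/7z.zip
+hxxp[://]84[.]32[.]189[.]74/underwall/society/photo_2023-12-26.jpg.url
+hxxp[://]84[.]32[.]189[.]74/underwall/society/warop.url
+
+[PATHS]
+/fxbulls
+/fxbulls/pictures
+/fxbulls/pictures/photo_2023-12-29[.]jpg[.]url
+/fxbulls/pictures/Thumbs[.]db
+/fxbulls/pictures/2[.]url
+/fxbulls/pictures/a2[.]zip
+/fxbulls/pictures/a2[.]zip/a2[.]cmd
+/fxbulls/pictures/a2[.]zip
+/fxbulls/pictures/b3[.]dll
+/fxbulls/pictures/7z[.]dll
+/fxbulls/pictures/7z[.]exe
+/fxbulls/pictures/photo_2023-12-29s[.]jpg
+/fxbulls/pictures/My2[.]zip
+
+/fxbulls
+/fxbulls/images
+/fxbulls/images/photo_2023-12-29[.]jpg[.]url
+/fxbulls/images/Thumbs[.]db
+/fxbulls/images/2[.]url
+/fxbulls/images/a2[.]zip
+/fxbulls/images/a2[.]zip/a2[.]cmd
+/fxbulls/images/a2[.]zip
+/fxbulls/images/b3[.]dll
+/fxbulls/images/7z[.]dll
+/fxbulls/images/7z[.]exe
+/fxbulls/images/photo_2023-12-29s[.]jpg
+/fxbulls/images/My2[.]zip
+
+/fxbulls/net
+/fxbulls/net/photo_2023-12-29[.]jpg[.]url
+/fxbulls/net/Thumbs[.]db
+/fxbulls/net/2[.]url
+/fxbulls/net/a2[.]zip
+/fxbulls/net/a2[.]zip/a2[.]cmd
+/fxbulls/net/a2[.]zip
+/fxbulls/net/b3[.]dll
+/fxbulls/net/7z[.]dll
+/fxbulls/net/7z[.]exe
+/fxbulls/net/photo_2023-12-29s[.]jpg
+/fxbulls/net/My2[.]zip
+
+/underwall/docs
+/underwall/docs/7z.zip
+/underwall/docs/passport.jpg.url
+/underwall/docs/warop.url
+
+/underwall/expand
+/underwall/expand/7z.zip
+/underwall/expand/photo_2023-12-26.jpg.url
+/underwall/expand/warop.url
+
+/underwall/society
+/underwall/society/7z.zip
+/underwall/society/photo_2023-12-26.jpg.url
+/underwall/society/warop.url
+
+[DOMAINS]
+fxbulls[.]ru
+87iavv[.]com
+unfawjelesst322[.]com
+p2oaviwt39ui[.]com
+
+[WEBDAV]
+\\84[.]32[.]189[.]74@80
+
+\\84[.]32[.]189[.]74@80
+\\84[.]32[.]189[.]74@80\pictures
+\\84[.]32[.]189[.]74@80\pictures\photo_2023-12-29[.]jpg[.]url
+\\84[.]32[.]189[.]74@80\pictures\Thumbs[.]db
+\\84[.]32[.]189[.]74@80\pictures\2[.]url
+\\84[.]32[.]189[.]74@80\pictures\a2[.]zip
+\\84[.]32[.]189[.]74@80\pictures\a2[.]zip\a2[.]cmd
+\\84[.]32[.]189[.]74@80\pictures\a2[.]zip
+\\84[.]32[.]189[.]74@80\pictures\b3[.]dll
+\\84[.]32[.]189[.]74@80\pictures\7z[.]dll
+\\84[.]32[.]189[.]74@80\pictures\7z[.]exe
+\\84[.]32[.]189[.]74@80\pictures\photo_2023-12-29s[.]jpg
+\\84[.]32[.]189[.]74@80\pictures\My2[.]zip
+
+\\84[.]32[.]189[.]74@80
+\\84[.]32[.]189[.]74@80\images
+\\84[.]32[.]189[.]74@80\images\photo_2023-12-29[.]jpg[.]url
+\\84[.]32[.]189[.]74@80\images\Thumbs[.]db
+\\84[.]32[.]189[.]74@80\images\2[.]url
+\\84[.]32[.]189[.]74@80\images\a2[.]zip
+\\84[.]32[.]189[.]74@80\images\a2[.]zip\a2[.]cmd
+\\84[.]32[.]189[.]74@80\images\a2[.]zip
+\\84[.]32[.]189[.]74@80\images\b3[.]dll
+\\84[.]32[.]189[.]74@80\images\7z[.]dll
+\\84[.]32[.]189[.]74@80\images\7z[.]exe
+\\84[.]32[.]189[.]74@80\images\photo_2023-12-29s[.]jpg
+\\84[.]32[.]189[.]74@80\images\My2[.]zip
+
+\\84[.]32[.]189[.]74@80\net
+\\84[.]32[.]189[.]74@80\net\photo_2023-12-29[.]jpg[.]url
+\\84[.]32[.]189[.]74@80\net\Thumbs[.]db
+\\84[.]32[.]189[.]74@80\net\2[.]url
+\\84[.]32[.]189[.]74@80\net\a2[.]zip
+\\84[.]32[.]189[.]74@80\net\a2[.]zip\a2[.]cmd
+\\84[.]32[.]189[.]74@80\net\a2[.]zip
+\\84[.]32[.]189[.]74@80\net\b3[.]dll
+\\84[.]32[.]189[.]74@80\net\7z[.]dll
+\\84[.]32[.]189[.]74@80\net\7z[.]exe
+\\84[.]32[.]189[.]74@80\net\photo_2023-12-29s[.]jpg
+\\84[.]32[.]189[.]74@80\net\My2[.]zip
+
+\\84[.]32[.]189[.]74@80\docs
+\\84[.]32[.]189[.]74@80\docs\7z[.]zip
+\\84[.]32[.]189[.]74@80\docs\passport[.]jpg[.]url
+\\84[.]32[.]189[.]74@80\docs\warop[.]url
+
+\\84[.]32[.]189[.]74@80\expand
+\\84[.]32[.]189[.]74@80\expand\7z[.]zip
+\\84[.]32[.]189[.]74@80\expand\photo_2023-12-26[.]jpg[.]url
+\\84[.]32[.]189[.]74@80\expand\warop[.]url
+
+\\84[.]32[.]189[.]74@80\society
+\\84[.]32[.]189[.]74@80\society\7z[.]zip
+\\84[.]32[.]189[.]74@80\society\photo_2023-12-26[.]jpg[.]url
+\\84[.]32[.]189[.]74@80\society\warop[.]url
+
+[IP ADDRESSES]
+84[.]32[.]189[.]74
+179[.]43[.]172[.]127
+179[.]43[.]172[.]191
+64[.]31[.]63[.]70
+64[.]31[.]63[.]194
+
+[FILES] [DETECTION NAME]
+1458a762332676f7807ab45f8f236c22a1a7bb0c21fcd8c779f972f2446a11d0 Trojan.HTML.CVE202421412.A
+758c6364ab560fbeff2bfa8712a2e09132d85d0bf6918e6acc79fe12f5b71ec3 Trojan.HTML.CVE202421412.A
+77d685e29c3dbe75fa8a82c69c68c731a09904020a76145ca27aeaf0058455cd Trojan.HTML.CVE202421412.A
+b36dc329a5dc766c2645d5f5b6cdaa9542ec3b0aa1bc13dc1f899ce6d95d59fb Trojan.HTML.CVE202421412.A
+d895fff3c909ea2eb6624fc5f154c924fe0af51c6c899fd9093dc3cd27a5dad2 Trojan.HTML.CVE202421412.A
+008e57d62caa8cfa991f5519eabe3f15d79799b81ba8cc6b67cde6da0dbffdab Trojan.Win32.CVE202421412.A
+087878208755420d5d7ae2eb6a84482768cb8972732911ac16096cd0c95fa0f7 Trojan.Win32.CVE202421412.A
+1115e4bed3949493d8ab184e5c42f047355f13b9bf91c1621acb7971a148bea2 Trojan.Win32.CVE202421412.A
+18b1dc2e00245cb017ebdedfe63881929d7542eeffa8f42ee0ad20cc2ebf181a Trojan.Win32.CVE202421412.A
+1956bcd3df47e76b2e9f396514f072311563d092ae02509f817c488567749998 Trojan.Win32.CVE202421412.A
+1fbc621a71578cb22d4e3a0feec68735321358a3aeb18adbe4a20630c7f788b8 Trojan.Win32.CVE202421412.A
+39fb9fb06910f1133f3b23c523a5139f61d243380802b0670a664473d00e1fa9 Trojan.Win32.CVE202421412.A
+3e420ce1dc1a8503f48815b880381dd23206e08be2474d151f1353df7df2d796 Trojan.Win32.CVE202421412.A
+4201ab8c0c4cf0f01f5a25d8e4e7221634776b5bad8c3faad5ad819ec58619ad Trojan.Win32.CVE202421412.A
+58b0f5da4a53e956b35e77f55ced641291a596e16067b1dab6ac54d9cb6a52a5 Trojan.Win32.CVE202421412.A
+5b16ac1edb747053ee5a085ab826c61218c5b471eaa04f2471dc2e80b5621023 Trojan.Win32.CVE202421412.A
+5c85a0fe230d351b35da364c797cc95557f5dcceec034eb648e1805237c7203b Trojan.Win32.CVE202421412.A
+5f4ef55201080ef3a62b0fbdc4c27e0ccdf4041f41c04471f35b127ff6515405 Trojan.Win32.CVE202421412.A
+61de01bc154b1118caacfed3839c996a795d6c21c2efbf1da6b926414f5d182d Trojan.Win32.CVE202421412.A
+65cc5594b307c2ac4e3c251aeae68dedf7d1f24ba3b0d7ab5ad3623e8a9fc865 Trojan.Win32.CVE202421412.A
+6793e0fbc2def9173bf8e2a6c1aa357ba7fc3e32dc1cf81107677166f175c890 Trojan.Win32.CVE202421412.A
+6bec457f83d0d98f6f6ea1243c2327e012db38fb61680f6bd68dbab0dc07170a Trojan.Win32.CVE202421412.A
+7058ae0f02e116b38536ee1ec20f47645aecf761361b5a5e85de2961f3cc88c6 Trojan.Win32.CVE202421412.A
+70b4c2d696a24a5ae2f5e5095dc44e68b4605e4690c8a49930194ee87eb80252 Trojan.Win32.CVE202421412.A
+73922ab0d048b45a01f13ba967f1423bc6cd6cc711f8e7d00a4cf2b1d3646f4e Trojan.Win32.CVE202421412.A
+761fa42bc4cc5332a640c7389240324242981176ca1626e4267cc8a00cf9545f Trojan.Win32.CVE202421412.A
+88bb1df99e02021801b08beeff87ec3ceb9e16c42f62904c5ac04c1a26213a48 Trojan.Win32.CVE202421412.A
+941cf63028bf8314bc7114a088f4d1f1dd995bec4a4b7c51fda34fbb3528667f Trojan.Win32.CVE202421412.A
+a45e0ea5a17ba6f3a2ce7258f6cc81c6f93f37873b49218a25ec638987da6f96 Trojan.Win32.CVE202421412.A
+a5096c4624a523a660242e3451c2f4d644431a35098e36b724fab9f7d88d145d Trojan.Win32.CVE202421412.A
+a9633da58719f07159702101474b6ba78f2ffee28b3f7ebda3feb36db4e2d0e9 Trojan.Win32.CVE202421412.A
+b0ab19986ab1297870854980f1287f1a4b8d003c540773a6c04fb3565e5701ee Trojan.Win32.CVE202421412.A
+b350a787c19a756c0824e14eec7e9d746450d1aafb28a5d15209ec9f34c58129 Trojan.Win32.CVE202421412.A
+b738e92afc95cba819aa7aebfad459de38743c478e9e8b8f29f9919697b495b0 Trojan.Win32.CVE202421412.A
+b8b6b6d98b7ea689f0c33d55a06afcf20482b25c51929ca9a1b302374290b337 Trojan.Win32.CVE202421412.A
+babbd9c94dedb94be8baac2ddc5b4714c44a8d0c60d49c0dc91708784bc0d57f Trojan.Win32.CVE202421412.A
+bbdf52481bd1a15710d75b89240c7a360450e2f4f00ba2cb140affba79ebec94 Trojan.Win32.CVE202421412.A
+c86ba0da732e1fa1f06549d3ebc5ae6ae091199e95930681ac2a9152a8834184 Trojan.Win32.CVE202421412.A
+d6000a19198b8b9719fc17f7c06366e542802a8e7e232ba731b72c31226cc890 Trojan.Win32.CVE202421412.A
+d81e7d95004441ea4f5344215232db57f48579bf335c7ba4ed7f6ec6f9136ed0 Trojan.Win32.CVE202421412.A
+db1bc70c0d0c7121f1d4422a6fcd0e0668d9da786affb52dd77852641e425710 Trojan.Win32.CVE202421412.A
+ddda5737b2c3207d72d728bf40709a7296c31e7c50951dcad441f4707581ccb1 Trojan.Win32.CVE202421412.A
+e1b903eba88b920909876442306e1160eed9b69c69a05ea370cba2121e305ba1 Trojan.Win32.CVE202421412.A
+e49a7d9083b2e448274d117405c39b0c1b2c0c20ab5195bdf94aaeda7cc113d7 Trojan.Win32.CVE202421412.A
+f44964c8fdf6dbdb21c141df61b45467bba5a4482f7ab19fd6f1841fdb791f2a Trojan.Win32.CVE202421412.A
+f6b01df60d526f1de530230724d41b482adfff81084a1872bb97c316b76e45e3 Trojan.Win32.CVE202421412.A
+f701f500d348b63f3250239cd8305a8b38230e67d74456f3333c6efeeef85bbb Trojan.Win32.CVE202421412.A
+fb67be10a5a8b26ca86f8f79935ddd4a5b40379bb6d0af21d23f56af14bb2a90 Trojan.Win32.CVE202421412.A
+4307a067db6b6abd852441e6d70de29c3bd0e4d6a68f0449b403401518b7e037 Trojan.Win32.CVE202421412.B
+69fc5bed55acf559035f2c5550bf8807236b580f8e2db88966b3fc80c83914d3 Trojan.Win32.CVE202421412.B
+4c43b4575063d50ca5668e45a434aaf288970c89e8a4414812560ee787307f58 Trojan.Win32.CVE202421412.B
+135cfefe353ca57d24cfb7326f6cf99085f8af7d1785f5967b417985e8a1153c Trojan.Win32.DARKME.A
+252351cb1fb743379b4072903a5f6c5d29774bf1957defd9a7e19890b3f84146 Trojan.Win32.DARKME.A
+594e7f7f09a943efc7670edb0926516cfb3c6a0c0036ac1b2370ce3791bf2978 Trojan.Win32.DARKME.A
+6e825a6eb4725b82bd534ab62d3f6f37082b7dbc89062541ee1307ecd5a5dd49 Trojan.Win32.DARKME.A
+71d0a889b106350be47f742495578d7f5dbde4fb36e2e464c3d64c839b1d02bc Trojan.Win32.DARKME.A
+b69d36e90686626a16b79fa7b0a60d5ebfd17de8ada813105b3a351d40422feb Trojan.Win32.DARKME.A
+bf9c3218f5929dfeccbbdc0ef421282921d6cbc06f270209b9868fc73a080b8c Trojan.Win32.DARKME.A
+dc1b15e48b68e9670bf3038e095f4afb4b0d8a68b84ae6c05184af7f3f5ecf54 Trojan.Win32.DARKME.A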
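Review bot: The `/underwall/...` entries in the [URL] and [PATHS] blocks are not defanged like the rest of the file: `hxxp[://]84[.]32[.]189[.]74/underwall/docs/7z.zip`, `passport.jpg.url`, `warop.url` and `photo_2023-12-26.jpg.url` keep a plain `.` in the file name, while every `/fxbulls/...` entry and the whole [WEBDAV] block write `[.]`. Tooling that refangs on the `[.]` token will leave these half-processed, and a plain `.` is one step closer to a link a reader can follow by accident, so writing them as `7z[.]zip`, `passport[.]jpg[.]url`, `warop[.]url` and `photo_2023-12-26[.]jpg[.]url` would match the file's own convention. Several paths are also listed twice under the same directory (`a2[.]zip` under pictures, images and net in all three of [URL], [PATHS] and [WEBDAV]), which inflates indicator counts once the file is loaded into a feed; the second copy can be dropped without losing anything. The [WEBDAV] block places `\docs`, `\expand` and `\society` directly under the share root whereas [URL] and [PATHS] put them under `/underwall/`; presumably this mirrors a different share layout in the source report, but it is worth confirming before the two sets are treated as the same indicators.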
@ -30,6 +30,7 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
|
|||
|
||||
|
||||
## 2024
|
||||
* Feb 13 - [[Trend Micro] CVE-2024-21412: Water Hydra Targets Traders With Microsoft Defender SmartScreen Zero-Day](https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html) | [:closed_book:](../../blob/master/2024/2024.02.13.Water_Hydra)
|
||||
* Jan 25 - [[KrCERT/CC] Lazarus Group’s Large-scale Threats
|
||||
via Watering Hole and Financial Software](https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_6_dongwook-kim_seulgi-lee_en.pdf) | [:closed_book:](../../blob/master/2024/2024.01.25.Lazarus_Group)
|
||||
* Jan 24 - [[itochuci] The Endless Struggle Against APT10: Insights from LODEINFO](https://blog-en.itochuci.co.jp/entry/2024/01/24/134100) | [:closed_book:](../../blob/master/2024/2024.01.24.APT10_LODEINFO)
|
||||
|
|