diff --git a/2024/2024.02.13.Water_Hydra/CVE-2024-21412_ Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day.pdf b/2024/2024.02.13.Water_Hydra/CVE-2024-21412_ Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day.pdf
new file mode 100644
index 0000000..1f15d43
Binary files /dev/null and b/2024/2024.02.13.Water_Hydra/CVE-2024-21412_ Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day.pdf differ
diff --git a/2024/2024.02.13.Water_Hydra/ioc-list-water-hydra-cve-2024-21412.txt b/2024/2024.02.13.Water_Hydra/ioc-list-water-hydra-cve-2024-21412.txt
new file mode 100644
index 0000000..24aaaa9
--- /dev/null
+++ b/2024/2024.02.13.Water_Hydra/ioc-list-water-hydra-cve-2024-21412.txt
@@ -0,0 +1,258 @@
+CVE-2024-21412: Water Hydra Targets Traders with Windows Defender SmartScreen Zero-Day
+=======================================================================================
+Indicators of Compromise
+=======================================================================================
+
+[URL]
+hxxp[://]84[.]32[.]189[.]74
+hxxp[://]84[.]32[.]189[.]74/xampp/
+hxxp[://]84[.]32[.]189[.]74/webdav/
+hxxps[://]fxbulls[.]ru
+hxxps[://]fxbulls[.]ru/wp-content/uploads
+hxxps[://]fxbulls[.]ru/wp-content/uploads/2023/12/photo_2023-12-29[.]jpg[.]htm
+hxxps[://]fxbulls[.]ru/wp-content/uploads/2023/12/photo_2023-12-29[.]jpg[.]html
+hxxps[://]84[.]32[.]189[.]74@0[.]0[.]0[.]80/fxbulls/net/2[.]url
+
+hxxp[://]84[.]32[.]189[.]74/fxbulls
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/photo_2023-12-29[.]jpg[.]url
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/Thumbs[.]db
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/2[.]url
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/a2[.]zip
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/a2[.]zip/a2[.]cmd
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/a2[.]zip
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/b3[.]dll
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/7z[.]dll
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/7z[.]exe
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/photo_2023-12-29s[.]jpg
+hxxp[://]84[.]32[.]189[.]74/fxbulls/pictures/My2[.]zip
+
+hxxp[://]84[.]32[.]189[.]74/fxbulls
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/photo_2023-12-29[.]jpg[.]url
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/Thumbs[.]db
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/2[.]url
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/a2[.]zip
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/a2[.]zip/a2[.]cmd
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/a2[.]zip
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/b3[.]dll
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/7z[.]dll
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/7z[.]exe
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/photo_2023-12-29s[.]jpg
+hxxp[://]84[.]32[.]189[.]74/fxbulls/images/My2[.]zip
+
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/photo_2023-12-29[.]jpg[.]url
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/Thumbs[.]db
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/2[.]url
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/a2[.]zip
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/a2[.]zip/a2[.]cmd
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/a2[.]zip
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/b3[.]dll
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/7z[.]dll
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/7z[.]exe
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/photo_2023-12-29s[.]jpg
+hxxp[://]84[.]32[.]189[.]74/fxbulls/net/My2[.]zip
+
+hxxp[://]84[.]32[.]189[.]74/underwall/docs
+hxxp[://]84[.]32[.]189[.]74/underwall/docs/7z.zip
+hxxp[://]84[.]32[.]189[.]74/underwall/docs/passport.jpg.url
+hxxp[://]84[.]32[.]189[.]74/underwall/docs/warop.url
+hxxp[://]84[.]32[.]189[.]74/underwall/expand
+hxxp[://]84[.]32[.]189[.]74/underwall/expand/7z.zip
+hxxp[://]84[.]32[.]189[.]74/underwall/expand/photo_2023-12-26.jpg.url
+hxxp[://]84[.]32[.]189[.]74/underwall/expand/warop.url
+hxxp[://]84[.]32[.]189[.]74/underwall/society
+hxxp[://]84[.]32[.]189[.]74/underwall/society/7z.zip
+hxxp[://]84[.]32[.]189[.]74/underwall/society/photo_2023-12-26.jpg.url
+hxxp[://]84[.]32[.]189[.]74/underwall/society/warop.url
+
+[PATHS]
+/fxbulls
+/fxbulls/pictures
+/fxbulls/pictures/photo_2023-12-29[.]jpg[.]url
+/fxbulls/pictures/Thumbs[.]db
+/fxbulls/pictures/2[.]url
+/fxbulls/pictures/a2[.]zip
+/fxbulls/pictures/a2[.]zip/a2[.]cmd
+/fxbulls/pictures/a2[.]zip
+/fxbulls/pictures/b3[.]dll
+/fxbulls/pictures/7z[.]dll
+/fxbulls/pictures/7z[.]exe
+/fxbulls/pictures/photo_2023-12-29s[.]jpg
+/fxbulls/pictures/My2[.]zip
+
+/fxbulls
+/fxbulls/images
+/fxbulls/images/photo_2023-12-29[.]jpg[.]url
+/fxbulls/images/Thumbs[.]db
+/fxbulls/images/2[.]url
+/fxbulls/images/a2[.]zip
+/fxbulls/images/a2[.]zip/a2[.]cmd
+/fxbulls/images/a2[.]zip
+/fxbulls/images/b3[.]dll
+/fxbulls/images/7z[.]dll
+/fxbulls/images/7z[.]exe
+/fxbulls/images/photo_2023-12-29s[.]jpg
+/fxbulls/images/My2[.]zip
+
+/fxbulls/net
+/fxbulls/net/photo_2023-12-29[.]jpg[.]url
+/fxbulls/net/Thumbs[.]db
+/fxbulls/net/2[.]url
+/fxbulls/net/a2[.]zip
+/fxbulls/net/a2[.]zip/a2[.]cmd
+/fxbulls/net/a2[.]zip
+/fxbulls/net/b3[.]dll
+/fxbulls/net/7z[.]dll
+/fxbulls/net/7z[.]exe
+/fxbulls/net/photo_2023-12-29s[.]jpg
+/fxbulls/net/My2[.]zip
+
+/underwall/docs
+/underwall/docs/7z.zip
+/underwall/docs/passport.jpg.url
+/underwall/docs/warop.url
+
+/underwall/expand
+/underwall/expand/7z.zip
+/underwall/expand/photo_2023-12-26.jpg.url
+/underwall/expand/warop.url
+
+/underwall/society
+/underwall/society/7z.zip
+/underwall/society/photo_2023-12-26.jpg.url
+/underwall/society/warop.url
+
+[DOMAINS]
+fxbulls[.]ru
+87iavv[.]com
+unfawjelesst322[.]com
+p2oaviwt39ui[.]com
+
+[WEBDAV]
+\\84[.]32[.]189[.]74@80
+
+\\84[.]32[.]189[.]74@80
+\\84[.]32[.]189[.]74@80\pictures
+\\84[.]32[.]189[.]74@80\pictures\photo_2023-12-29[.]jpg[.]url
+\\84[.]32[.]189[.]74@80\pictures\Thumbs[.]db
+\\84[.]32[.]189[.]74@80\pictures\2[.]url
+\\84[.]32[.]189[.]74@80\pictures\a2[.]zip
+\\84[.]32[.]189[.]74@80\pictures\a2[.]zip\a2[.]cmd
+\\84[.]32[.]189[.]74@80\pictures\a2[.]zip
+\\84[.]32[.]189[.]74@80\pictures\b3[.]dll
+\\84[.]32[.]189[.]74@80\pictures\7z[.]dll
+\\84[.]32[.]189[.]74@80\pictures\7z[.]exe
+\\84[.]32[.]189[.]74@80\pictures\photo_2023-12-29s[.]jpg
+\\84[.]32[.]189[.]74@80\pictures\My2[.]zip
+
+\\84[.]32[.]189[.]74@80
+\\84[.]32[.]189[.]74@80\images
+\\84[.]32[.]189[.]74@80\images\photo_2023-12-29[.]jpg[.]url
+\\84[.]32[.]189[.]74@80\images\Thumbs[.]db
+\\84[.]32[.]189[.]74@80\images\2[.]url
+\\84[.]32[.]189[.]74@80\images\a2[.]zip
+\\84[.]32[.]189[.]74@80\images\a2[.]zip\a2[.]cmd
+\\84[.]32[.]189[.]74@80\images\a2[.]zip
+\\84[.]32[.]189[.]74@80\images\b3[.]dll
+\\84[.]32[.]189[.]74@80\images\7z[.]dll
+\\84[.]32[.]189[.]74@80\images\7z[.]exe
+\\84[.]32[.]189[.]74@80\images\photo_2023-12-29s[.]jpg
+\\84[.]32[.]189[.]74@80\images\My2[.]zip
+
+\\84[.]32[.]189[.]74@80\net
+\\84[.]32[.]189[.]74@80\net\photo_2023-12-29[.]jpg[.]url
+\\84[.]32[.]189[.]74@80\net\Thumbs[.]db
+\\84[.]32[.]189[.]74@80\net\2[.]url
+\\84[.]32[.]189[.]74@80\net\a2[.]zip
+\\84[.]32[.]189[.]74@80\net\a2[.]zip\a2[.]cmd
+\\84[.]32[.]189[.]74@80\net\a2[.]zip
+\\84[.]32[.]189[.]74@80\net\b3[.]dll
+\\84[.]32[.]189[.]74@80\net\7z[.]dll
+\\84[.]32[.]189[.]74@80\net\7z[.]exe
+\\84[.]32[.]189[.]74@80\net\photo_2023-12-29s[.]jpg
+\\84[.]32[.]189[.]74@80\net\My2[.]zip
+
+\\84[.]32[.]189[.]74@80\docs
+\\84[.]32[.]189[.]74@80\docs\7z[.]zip
+\\84[.]32[.]189[.]74@80\docs\passport[.]jpg[.]url
+\\84[.]32[.]189[.]74@80\docs\warop[.]url
+
+\\84[.]32[.]189[.]74@80\expand
+\\84[.]32[.]189[.]74@80\expand\7z[.]zip
+\\84[.]32[.]189[.]74@80\expand\photo_2023-12-26[.]jpg[.]url
+\\84[.]32[.]189[.]74@80\expand\warop[.]url
+
+\\84[.]32[.]189[.]74@80\society
+\\84[.]32[.]189[.]74@80\society\7z[.]zip
+\\84[.]32[.]189[.]74@80\society\photo_2023-12-26[.]jpg[.]url
+\\84[.]32[.]189[.]74@80\society\warop[.]url
+
+[IP ADDRESSES]
+84[.]32[.]189[.]74
+179[.]43[.]172[.]127
+179[.]43[.]172[.]191
+64[.]31[.]63[.]70
+64[.]31[.]63[.]194
+
+[FILES] [DETECTION NAME]
+1458a762332676f7807ab45f8f236c22a1a7bb0c21fcd8c779f972f2446a11d0 Trojan.HTML.CVE202421412.A
+758c6364ab560fbeff2bfa8712a2e09132d85d0bf6918e6acc79fe12f5b71ec3 Trojan.HTML.CVE202421412.A
+77d685e29c3dbe75fa8a82c69c68c731a09904020a76145ca27aeaf0058455cd Trojan.HTML.CVE202421412.A
+b36dc329a5dc766c2645d5f5b6cdaa9542ec3b0aa1bc13dc1f899ce6d95d59fb Trojan.HTML.CVE202421412.A
+d895fff3c909ea2eb6624fc5f154c924fe0af51c6c899fd9093dc3cd27a5dad2 Trojan.HTML.CVE202421412.A
+008e57d62caa8cfa991f5519eabe3f15d79799b81ba8cc6b67cde6da0dbffdab Trojan.Win32.CVE202421412.A
+087878208755420d5d7ae2eb6a84482768cb8972732911ac16096cd0c95fa0f7 Trojan.Win32.CVE202421412.A
+1115e4bed3949493d8ab184e5c42f047355f13b9bf91c1621acb7971a148bea2 Trojan.Win32.CVE202421412.A
+18b1dc2e00245cb017ebdedfe63881929d7542eeffa8f42ee0ad20cc2ebf181a Trojan.Win32.CVE202421412.A
+1956bcd3df47e76b2e9f396514f072311563d092ae02509f817c488567749998 Trojan.Win32.CVE202421412.A
+1fbc621a71578cb22d4e3a0feec68735321358a3aeb18adbe4a20630c7f788b8 Trojan.Win32.CVE202421412.A
+39fb9fb06910f1133f3b23c523a5139f61d243380802b0670a664473d00e1fa9 Trojan.Win32.CVE202421412.A
+3e420ce1dc1a8503f48815b880381dd23206e08be2474d151f1353df7df2d796 Trojan.Win32.CVE202421412.A
+4201ab8c0c4cf0f01f5a25d8e4e7221634776b5bad8c3faad5ad819ec58619ad Trojan.Win32.CVE202421412.A
+58b0f5da4a53e956b35e77f55ced641291a596e16067b1dab6ac54d9cb6a52a5 Trojan.Win32.CVE202421412.A
+5b16ac1edb747053ee5a085ab826c61218c5b471eaa04f2471dc2e80b5621023 Trojan.Win32.CVE202421412.A
+5c85a0fe230d351b35da364c797cc95557f5dcceec034eb648e1805237c7203b Trojan.Win32.CVE202421412.A
+5f4ef55201080ef3a62b0fbdc4c27e0ccdf4041f41c04471f35b127ff6515405 Trojan.Win32.CVE202421412.A
+61de01bc154b1118caacfed3839c996a795d6c21c2efbf1da6b926414f5d182d Trojan.Win32.CVE202421412.A
+65cc5594b307c2ac4e3c251aeae68dedf7d1f24ba3b0d7ab5ad3623e8a9fc865 Trojan.Win32.CVE202421412.A
+6793e0fbc2def9173bf8e2a6c1aa357ba7fc3e32dc1cf81107677166f175c890 Trojan.Win32.CVE202421412.A
+6bec457f83d0d98f6f6ea1243c2327e012db38fb61680f6bd68dbab0dc07170a Trojan.Win32.CVE202421412.A
+7058ae0f02e116b38536ee1ec20f47645aecf761361b5a5e85de2961f3cc88c6 Trojan.Win32.CVE202421412.A
+70b4c2d696a24a5ae2f5e5095dc44e68b4605e4690c8a49930194ee87eb80252 Trojan.Win32.CVE202421412.A
+73922ab0d048b45a01f13ba967f1423bc6cd6cc711f8e7d00a4cf2b1d3646f4e Trojan.Win32.CVE202421412.A
+761fa42bc4cc5332a640c7389240324242981176ca1626e4267cc8a00cf9545f Trojan.Win32.CVE202421412.A
+88bb1df99e02021801b08beeff87ec3ceb9e16c42f62904c5ac04c1a26213a48 Trojan.Win32.CVE202421412.A
+941cf63028bf8314bc7114a088f4d1f1dd995bec4a4b7c51fda34fbb3528667f Trojan.Win32.CVE202421412.A
+a45e0ea5a17ba6f3a2ce7258f6cc81c6f93f37873b49218a25ec638987da6f96 Trojan.Win32.CVE202421412.A
+a5096c4624a523a660242e3451c2f4d644431a35098e36b724fab9f7d88d145d Trojan.Win32.CVE202421412.A
+a9633da58719f07159702101474b6ba78f2ffee28b3f7ebda3feb36db4e2d0e9 Trojan.Win32.CVE202421412.A
+b0ab19986ab1297870854980f1287f1a4b8d003c540773a6c04fb3565e5701ee Trojan.Win32.CVE202421412.A
+b350a787c19a756c0824e14eec7e9d746450d1aafb28a5d15209ec9f34c58129 Trojan.Win32.CVE202421412.A
+b738e92afc95cba819aa7aebfad459de38743c478e9e8b8f29f9919697b495b0 Trojan.Win32.CVE202421412.A
+b8b6b6d98b7ea689f0c33d55a06afcf20482b25c51929ca9a1b302374290b337 Trojan.Win32.CVE202421412.A
+babbd9c94dedb94be8baac2ddc5b4714c44a8d0c60d49c0dc91708784bc0d57f Trojan.Win32.CVE202421412.A
+bbdf52481bd1a15710d75b89240c7a360450e2f4f00ba2cb140affba79ebec94 Trojan.Win32.CVE202421412.A
+c86ba0da732e1fa1f06549d3ebc5ae6ae091199e95930681ac2a9152a8834184 Trojan.Win32.CVE202421412.A
+d6000a19198b8b9719fc17f7c06366e542802a8e7e232ba731b72c31226cc890 Trojan.Win32.CVE202421412.A
+d81e7d95004441ea4f5344215232db57f48579bf335c7ba4ed7f6ec6f9136ed0 Trojan.Win32.CVE202421412.A
+db1bc70c0d0c7121f1d4422a6fcd0e0668d9da786affb52dd77852641e425710 Trojan.Win32.CVE202421412.A
+ddda5737b2c3207d72d728bf40709a7296c31e7c50951dcad441f4707581ccb1 Trojan.Win32.CVE202421412.A
+e1b903eba88b920909876442306e1160eed9b69c69a05ea370cba2121e305ba1 Trojan.Win32.CVE202421412.A
+e49a7d9083b2e448274d117405c39b0c1b2c0c20ab5195bdf94aaeda7cc113d7 Trojan.Win32.CVE202421412.A
+f44964c8fdf6dbdb21c141df61b45467bba5a4482f7ab19fd6f1841fdb791f2a Trojan.Win32.CVE202421412.A
+f6b01df60d526f1de530230724d41b482adfff81084a1872bb97c316b76e45e3 Trojan.Win32.CVE202421412.A
+f701f500d348b63f3250239cd8305a8b38230e67d74456f3333c6efeeef85bbb Trojan.Win32.CVE202421412.A
+fb67be10a5a8b26ca86f8f79935ddd4a5b40379bb6d0af21d23f56af14bb2a90 Trojan.Win32.CVE202421412.A
+4307a067db6b6abd852441e6d70de29c3bd0e4d6a68f0449b403401518b7e037 Trojan.Win32.CVE202421412.B
+69fc5bed55acf559035f2c5550bf8807236b580f8e2db88966b3fc80c83914d3 Trojan.Win32.CVE202421412.B
+4c43b4575063d50ca5668e45a434aaf288970c89e8a4414812560ee787307f58 Trojan.Win32.CVE202421412.B
+135cfefe353ca57d24cfb7326f6cf99085f8af7d1785f5967b417985e8a1153c Trojan.Win32.DARKME.A
+252351cb1fb743379b4072903a5f6c5d29774bf1957defd9a7e19890b3f84146 Trojan.Win32.DARKME.A
+594e7f7f09a943efc7670edb0926516cfb3c6a0c0036ac1b2370ce3791bf2978 Trojan.Win32.DARKME.A
+6e825a6eb4725b82bd534ab62d3f6f37082b7dbc89062541ee1307ecd5a5dd49 Trojan.Win32.DARKME.A
+71d0a889b106350be47f742495578d7f5dbde4fb36e2e464c3d64c839b1d02bc Trojan.Win32.DARKME.A
+b69d36e90686626a16b79fa7b0a60d5ebfd17de8ada813105b3a351d40422feb Trojan.Win32.DARKME.A
+bf9c3218f5929dfeccbbdc0ef421282921d6cbc06f270209b9868fc73a080b8c Trojan.Win32.DARKME.A
+dc1b15e48b68e9670bf3038e095f4afb4b0d8a68b84ae6c05184af7f3f5ecf54 Trojan.Win32.DARKME.A
diff --git a/README.md b/README.md
index aef88b8..fba2bc1 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ Please fire issue to me if any lost APT/Malware events/campaigns.
 ## 2024
+* Feb 13 - [[Trend Micro] CVE-2024-21412: Water Hydra Targets Traders With Microsoft Defender SmartScreen Zero-Day](https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html) | [:closed_book:](../../blob/master/2024/2024.02.13.Water_Hydra)
 * Jan 25 - [[KrCERT/CC] Lazarus Group’s Large-scale Threats via Watering Hole and Financial Software](https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_6_dongwook-kim_seulgi-lee_en.pdf) | [:closed_book:](../../blob/master/2024/2024.01.25.Lazarus_Group)
 * Jan 24 - [[itochuci] The Endless Struggle Against APT10: Insights from LODEINFO](https://blog-en.itochuci.co.jp/entry/2024/01/24/134100) | [:closed_book:](../../blob/master/2024/2024.01.24.APT10_LODEINFO)
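Review bot: The `underwall` entries in the `[URL]` and `[PATHS]` sections (`hxxp[://]84[.]32[.]189[.]74/underwall/docs/7z.zip`, `/underwall/docs/passport.jpg.url`, `/underwall/expand/photo_2023-12-26.jpg.url`, `/underwall/society/warop.url` and their siblings) leave the filename dots live, while every other URL and path in the file uses `[.]` and the same files are fully defanged in the `[WEBDAV]` section (`\\84[.]32[.]189[.]74@80\docs\7z[.]zip`). A consumer that validates the list as uniformly defanged, or that deduplicates by refanged value across sections, will treat those lines differently from their neighbours; rewriting them as `7z[.]zip`, `passport[.]jpg[.]url`, `photo_2023-12-26[.]jpg[.]url` and `warop[.]url` keeps the file consistent. Several lines are also exact repeats within a section — `hxxp[://]84[.]32[.]189[.]74/fxbulls` and `/fxbulls` open two blocks each, and `a2[.]zip` appears twice in every directory block — which inflates indicator counts on ingestion and is worth collapsing. The `[FILES] [DETECTION NAME]` column header is the only line where a space separates two fields, so a parser that splits the hash and detection name on whitespace should skip that header explicitly.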