Dashboard Global

ASERT Security Intelligence

Summary: Advanced threat activity of note this week includes activity by the groups dubbed ScarCruft, Dubnium, and Mofang. Threat actors are increasingly using OLE (object linking and embedding) technology rather than macros to execute document content, but the end result is the same: a malware payload is executed on the target system. Kaspersky Lab researchers discovered an underground Russian forum that sold access to compromised servers. Threat actors purportedly belonging to two of Russia's premier intelligence agencies, the FSB and the GRU, were recently implicated in targeted exploitation efforts against the U.S. Democratic National Committee's networks. After releasing a version capable of defeating Microsoft's EMET on Windows 7 systems, the Angler Exploit Kit appears to have gone offline.


Alpha Testing the AlphaLeon HTTP Bot

ASERT was initially alerted about an emerging threat called AlphaLeon by Deep & Dark Web intelligence provider Flashpoint in August 2015. It caught and kept our interest because it sounded like it could be a new “banker” malware family. While it took some time to find samples of the malware in the wild, this post […]
Wed, 09 Mar 2016 15:21:37 +0000

Estimating the Revenue of a Russian DDoS Booter

At the end of 2014, ASERT presented research where we mapped some DDoS booter advertisements on Russian language forums to their behind-the-scenes DDoS botnet infrastructures. For this post, we will follow up on that research a bit by looking at another one of these mappings and trying to estimate the revenue generated by the DDoS […]
Wed, 02 Mar 2016 11:00:15 +0000

Dumping Core: Analytical Findings on Trojan.Corebot

Download the full report here. The Corebot banking trojan was initially discovered and documented last year by researchers at Security Intelligence. Since then, it has evolved rapidly and, in terms of capabilities such as browser-based web injections, it is now similar to dominant banking malware such as Zeus, Neverquest, and Dyreza, although its actual impact to date is […]
Wed, 10 Feb 2016 11:00:54 +0000

The Big Bong Theory: Conjectures on a Korean Banking Trojan

Download the full report here. ASERT has been analyzing samples of a banking trojan targeting South Korean financial institutions. We call the banker “Big Bong” and provide, in this threat intelligence report, an in-depth behavioral analysis of the malware from builder to bot and from installation to exfiltration including obfuscation techniques, certificate use, and VPN-based […]
Wed, 10 Feb 2016 11:00:16 +0000

Uncovering the Seven Pointed Dagger

The full report “Uncovering the Seven Pointed Dagger: Discovery of the Trochilus RAT and Other Targeted Threats” can be downloaded here. Threat actors with strategic interest in the affairs of other governments and civil society organizations have been launching targeted exploitation campaigns for years. Typically, these campaigns leverage spear phishing as the delivery vector and often […]
Mon, 11 Jan 2016 11:00:24 +0000

Top Attacks (past 24 hours)

Description | Attacks per subnet | Change from yesterday | CVE | Percentage
SSH brute-force login attempts | 58.16 | +8.4 % | | 25.8%
VNC network scanning activity | 54.91 | -90.2 % | | 24.3%
ntpdx overflow attempt | 34.36 | -50.9 % | CVE-2001-0414 | 15.2%
MYSQL brute-force login attempts | 21.43 | -22.8 % | | 9.5%
ping attempt | 13.19 | +71.6 % | | 5.8%
 
Description | Attacks per subnet | Change from yesterday | CVE | Percentage
EXPLOIT MS-SQL DOS bouncing packets | 1.39 | +100.0 % | | 0.6%
ASN.1 constructed bit string | 0.61 | +100.0 % | CVE-2005-1935 | 0.3%
Microsoft Windows ASN.1 Library buffer overflow attempt | 0.60 | +100.0 % | CVE-2003-0818 | 0.3%
SIP TCP/IP message flooding directed to SIP proxy | 0.43 | +100.0 % | | 0.2%
 
Top Scanned Services (past 24 hours)

Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
TCP/23 (telnet) | 160.82 kB | -60.7 % | CVE-2007-0956 | 26.8%
UDP/5060 (sip) | 140.36 kB | -11.3 % | CVE-2006-0189 | 23.4%
UDP/53413 | 60.45 kB | -50.0 % | | 10.1%
TCP/5900 | 48.80 kB | -84.1 % | CVE-2006-4309 | 8.1%
TCP/22 (ssh) | 20.44 kB | -21.2 % | CVE-2002-0639 | 3.4%
 
Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
UDP/53 (domain) | 5.04 kB | +inf % | CVE-2008-1447 | 0.8%
TCP/4028 (dtserver-port) | 4.38 kB | +inf % | | 0.7%
UDP/6509 (mgcs-mfp-port) | 3.99 kB | +inf % | | 0.7%
ICMP/8 | 3.17 kB | +inf % | | 0.5%
UDP/1027 | 3.07 kB | +inf % | | 0.5%
 
Top Threat Sources (past 24 hours)

Country | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
US (United States) | 1 | 114 | 139.32 kB | 3 | 5542 | 1001
CN (China) | 2 | 52 | 158.56 kB | 1 | 86 | 143
KR (South Korea) | 3 | 186 | 72.46 kB | 1 | 0 | 502
CA (Canada) | 4 | 4 | 72.86 kB | 0 | 343 | 90
DE (Germany) | 5 | 2 | 53.73 kB | 1 | 731 | 38
GB (Great Britain) | 6 | 5 | 6.91 kB | 1 | 1141 | 30
BR (Brazil) | 7 | 1 | 29.35 kB | 0 | 151 | 213
PT (Portugal) | 8 | 0 | 33.25 kB | 0 | 6 | 0
NL (Netherlands) | 9 | 19 | 8.25 kB | 2 | 587 | 39
RU (Russian Federation) | 10 | 6 | 22.27 kB | 0 | 214 | 11
VN (Viet Nam) | 11 | 7 | 29.30 kB | 0 | 0 | 17
AU (Australia) | 12 | 0 | 396.89 B | 0 | 660 | 70
PL (Poland) | 13 | 0 | 4.31 kB | 0 | 576 | 2
CO (Colombia) | 14 | 0 | 22.23 kB | 1 | 41 | 7
IN (India) | 15 | 1 | 8.49 kB | 0 | 148 | 156
FR (France) | 16 | 0 | 13.00 kB | 10 | 222 | 14
RO (Romania) | 17 | 0 | 6.29 kB | 0 | 314 | 66
TW (Taiwan) | 18 | 2 | 19.50 kB | 0 | 0 | 3
SG (Singapore) | 19 | 0 | 5.30 kB | 1 | 162 | 103
TR (Turkey) | 20 | 1 | 13.71 kB | 0 | 103 | 3
 
ASN | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
AS26496 (AS-26496-GO-DADDY-COM-LLC) | 1 | 0 | 34.39 kB | 0 | 983 | 9
AS4812 (CHINANET-SH-AP) | 2 | 0 | 67.92 kB | 0 | 0 | 0
AS8560 (ONEANDONE-AS) | 3 | 0 | 56.83 kB | 0 | 197 | 0
AS4134 (CHINANET-BACKBONE) | 4 | 20 | 49.84 kB | 1 | 30 | 35
AS9318 (HANARO-AS) | 5 | 147 | 43.27 kB | 0 | 0 | 36
AS36351 (SOFTLAYER) | 6 | 1 | 0 B | 0 | 918 | 31
AS3243 (Unknown) | 7 | 0 | 32.33 kB | 0 | 0 | 0
AS39572 (Unknown) | 8 | 0 | 0 B | 0 | 614 | 0
AS8972 (PLUSSERVER-AS) | 9 | 0 | 21.49 kB | 0 | 0 | 0
AS47583 (HOSTINGER-AS) | 10 | 0 | 0 B | 0 | 602 | 0
AS24446 (NETREGISTRY-AS-AP) | 11 | 0 | 0 B | 0 | 557 | 0
AS4837 (CHINA169-BACKBONE) | 12 | 6 | 18.33 kB | 0 | 0 | 5
AS6805 (TDDE-ASN1) | 13 | 0 | 17.19 kB | 0 | 0 | 0
AS6939 (HURRICANE) | 14 | 16 | 15.24 kB | 0 | 0 | 20
AS42267 (Unknown) | 15 | 0 | 0 B | 0 | 470 | 0
AS12824 (HOMEPL-AS) | 16 | 0 | 0 B | 0 | 464 | 0
AS30083 (SERVER4YOU) | 17 | 0 | 14.88 kB | 0 | 24 | 0
AS3462 (HINET) | 18 | 0 | 15.65 kB | 0 | 0 | 0
AS19994 (RACKSPACE) | 19 | 41 | 11.47 kB | 0 | 60 | 0
AS10911 (INTERNAP-BLK) | 20 | 0 | 13.71 kB | 0 | 0 | 0