Briefing Malware - 04/01/2022
4th of January 2022 - Winners of the 1st week : Redline, NjRAT and AsyncRAT.
Some links points at extended actionnable intelligence (Threat Bulletins, TTPs, signatures, etc) on our Threat Intelligence Platform Anomali. This access is limited to our clients.
Threat statistics report
TLP : WHITE
NjRAT (ID Mitre: S0385)
Crowdstrike Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt
Since the discovery of Log4Shell vulnerabilities (#CVE-2021-44228, #CVE-2021-45105) in December 2021, all cyber security teams are dealing with multiple threats starting with the exploitation of those ones. In this context, #Crowstrike Falcon OverWatch claims to have disrupted a recent malware campaign based on an early detect of the exploitation attempt through a vulnerable #Apache Tomcat process. The attacker tried to execute suspicious Linux commands before connect to an infrastructure managed by a poorly known threat actor dubbed #Aquatic Panda. Overwatch has observed through investigation that #Aquatic Panda tried to figure out after downloading several scripts from remote, then they tried to understand and harvested information about the server such as credentials, system or domain information.
#Aquatic Panda is a Chinese Advanced Persistent Threat (#APT) with intelligence gathering and industrial espionage missions first spotted around May 2020. They heavily relied on Cobalt Strike as well as unique tools like a famous Cobalt Strike downloader, #FishMaster. They have been observed dropping #NjRAT, a remote access trojan (#RAT) which has information gathering or process/registry manipulation capabilities.