One Article Review
Source RedTeam PL
Identifier 1798880
Publication date 2020-06-12 21:35:46 (viewed: 2020-07-09 15:05:42)
Title Black Kingdom ransomware (TTPs & IOC)
Text We would like to share with the community the following TTPs and IOC related to Black Kingdom ransomware and threat actors using it. Attackers gained initial access to the infrastructure via Pulse Secure VPN vulnerability [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510]. For persistence they use a scheduled task [https://attack.mitre.org/techniques/T1053/]. Task name is GoogleUpdateTaskMachineUSA, which resembles a legitimate task of
Sent Yes
Tags Ransomware Vulnerability Threat
The article does not seem to have been picked up after its publication.


The article does not seem to be a repost of an earlier one.