Blog | Scenario

Agent Tesla RAT

ByDetecteam 2023-08-102023-08-10

TLP

TLP CLEAR

Author

Sebastien TRICAUD

Summary

Agent Tesla RAT is a potent remote access trojan designed to infiltrate systems discreetly. Employed by threat actors, it facilitates unauthorized access to compromised systems, enabling data theft, surveillance, and control. Operating since 2014, it is notorious for its keylogging capabilities, recording keystrokes to gather sensitive information like passwords and credentials. Agent Tesla employs various distribution methods, often exploiting phishing emails and malicious attachments. Once activated, it evades detection through encryption, frequently altering its code to bypass security measures. Its multifunctional nature, including screen capturing and file exfiltration, makes it a preferred choice for cyber espionage and criminal activities.

DATA

windows_sysmon_nxlog.json_Download

TIMELINE

references

https://www.zscaler.com/blogs/security-research/agent-tesla-rat-delivered-quantum-builder-new-ttps

MITRE ATT&CK

Blog | Scenario

Nokoyawa
ByDetecteam 2023-09-282023-09-28

TLP TLP TLP CLEAR Author Jordi M. Lobo, David Deflache, Sebastien Tricaud Summary Nokoyawa is a cyber intrusion that began with a malicious Excel document in October 2022. The document triggered macros, leading to the execution of an IcedID DLL payload. The attackers established persistence on the host, deployed Cobalt Strike beacons, escalated privileges, and…

Read More Nokoyawa
Blog | Scenario

Vice Society Ransomware
ByDetecteam 2023-08-242023-08-24

TLP TLP TLP CLEAR Author Jordi M. Lobo Summary The Vice Society ransomware group gained notoriety in late 2022 and early 2023 for launching attacks across various sectors, including San Francisco’s transit system. While education and healthcare were their primary targets, Trend Micro’s data reveals manufacturing industry infiltration in Brazil, Argentina, Switzerland, and Israel. Exploiting…

Read More Vice Society Ransomware
Blog | Scenario

The Trigona ransomware
ByDetecteam 2023-10-112023-10-11

TLP TLP TLP CLEAR Author Jordi M. Lobo Summary The Trigona ransomware, emerging in late 2022, has rapidly evolved with continuous updates. By April 2023, it started targeting MSSQL servers through brute force methods. This threat is linked to the CryLock ransomware group and possibly ALPHV (BlackCat), though their involvement remains uncertain. The US and…

Read More The Trigona ransomware
Blog | Scenario

Adobe Coldfusion Exploitation (CVE-2023-29298) data
ByDetecteam 2023-07-182023-07-18

TLP TLP TLP CLEAR Authors Sebastien Tricaud Summary Active Exploitation of Adobe Coldfusion CVE-2023-29298. We are providing data to help teams quickly detect and react to this ongoing threat. DATA TIMELINE CATEGORY Exploit references https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/

Read More Adobe Coldfusion Exploitation (CVE-2023-29298) data
Blog | Scenario

Critical Vulnerabilities in WS_FTP Server
ByDetecteam 2023-10-252023-10-25

TLP TLP TLP CLEAR Author Sebastien Tricaud Summary Caitlin Condon, an expert at Rapid7, has highlighted critical vulnerabilities in WS_FTP Server, a secure file transfer solution. These vulnerabilities, notably CVE-2023-40044 and CVE-2023-42657, were disclosed by Progress Software on September 27, 2023. CVE-2023-40044, a .NET deserialization flaw, allows remote code execution with a single HTTPS POST…

Read More Critical Vulnerabilities in WS_FTP Server
Blog | Scenario

Volt Typhoon
ByDetecteam 2023-10-052023-10-05

TLP TLP TLP CLEAR Author Jordi M. Lobo Summary Microsoft has uncovered a stealthy and targeted malicious campaign led by Volt Typhoon, a state-sponsored actor from China, with a focus on post-compromise credential access and network system discovery. Their primary targets are critical infrastructure organizations in the United States, including sectors such as communications, manufacturing,…

Read More Volt Typhoon

TLP