
   Trends

  • The top attacker country was China with 30250 unique attackers (43.90%).
  • The top Trojan C&C server detected was SmokeLoader with 86 instances detected.
  • The top phishing campaign detected was against Facebook users with 47 campaigns detected.

   
  Top Attackers By Country

Country         Occurrences  Percentage
China                 30250      43.90%
United States         21762      31.58%
Australia              5761       8.36%
South Korea            2384       3.46%
Russia                 2117       3.07%
United Kingdom         1971       2.86%
India                  1803       2.62%
Singapore              1672       2.43%
Brazil                 1192       1.73%


   Threat Geo-location

   Top Attacking Hosts

Host             Occurrences
61.177.173.3            7787
20.43.87.67             2317
34.200.247.158          1983
115.85.129.125          1952
119.23.131.217          1745
47.88.33.190            1729
47.91.88.40             1218
218.92.0.201            1200
86.27.113.91            1194
118.137.214.185          552
103.192.253.218          529
167.71.203.215           511
218.201.111.58           466
103.145.13.120           457
186.206.129.189          456
50.115.174.106           455
106.55.240.252           448
111.230.136.231          440
81.70.96.13              420

   Top Network Attackers

ASN     Country         Name
4134    China           CHINANET-BACKBONE No.31,Jin-rong Street, CN
8075    Japan           MICROSOFT-CORP-MSN-AS-BLOCK, US
14618   United States   AMAZON-AES, US
17978   Australia       SERVCORP SERVCORP AUSTRALIAN HOLDINGS LTD, AU
37963   China           CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
45102   United States   CNNIC-ALIBABA-US-NET-AP Alibaba (US) Technology Co., Ltd., CN
5089    United Kingdom  NTL, GB
23700   Indonesia       FASTNET-AS-ID Linknet-Fastnet ASN, ID
4812    China           CHINANET-SH-AP China Telecom (Group), CN
14061   United States   DIGITALOCEAN-ASN, US
24444   China           CMNET-V4SHANDONG-AS-AP Shandong Mobile Communication Company Limited, CN
213371  Netherlands     SQUITTER-NETWORKS, NL
28573   Brazil          CLARO S.A., BR
32875   United States   VIRP, US
45090   China           CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN

   
   Remote Access Trojan C&C Servers Found

Name  |  Number Discovered  |  Location
Amadey 1 185.215.113.54
Azorult 3 195.245.112.115 , 45.85.90.188 , 54.39.213.205
BetaBot 1 82.148.14.165
BlackNet 8 109.95.212.28 , 144.202.31.227 , 198.54.116.131 , 34.95.184.102 , 45.156.27.127 , 51.195.133.62 , 78.198.121.158 , 91.234.99.171
Channel 1 101.36.107.74
CobaltStrike 39 101.32.41.189 , 101.32.44.155 , 101.99.91.39 , 103.138.12.53 , 103.206.122.150 , 103.215.49.100 , 104.194.215.192 , 109.230.199.98 , 129.226.116.247 , 13.80.156.175 , 139.162.52.38 , 139.180.205.101 , 141.164.42.234 , 143.110.180.217 , 152.32.174.250 , 158.247.219.80 , 160.116.58.141 , 174.138.12.231 , 18.163.206.185 , 185.163.45.238 , 185.193.126.166 , 185.206.145.170 , 194.36.191.12 , 195.123.222.5 , 198.13.41.82 , 198.44.189.54 , 204.44.88.211 , 217.12.218.46 , 23.105.215.36 , 27.102.106.226 , 3.1.85.72 , 34.92.190.159 , 45.32.14.36 , 45.76.141.142 , 45.76.51.72 , 51.195.115.231 , 54.196.90.66 , 54.238.122.97 , 96.45.182.23
Cryptbot 23 185.82.219.133 , 34.89.220.179 , 35.246.158.152 , 6.12.32.6 , 95.142.44.135 , deadq11.top , deafp22.top , dedrh13.top , dedyb24.top , degky25.top , dehyt15.top , dejbc17.top , dejys26.top , dekjb27.top , dephw21.top , deshj23.top , deswi12.top , deufd16.top , devfv14.top , morlisanik07.top , morsed01.top , morurt06.top , piluui06.top
DiamondFox 3 185.148.147.59 , 45.85.90.7 , 8.209.96.188
FakeCop 1 45.137.183.34
IAP2 1 185.186.245.130
KPOT 4 162.0.237.70 , 45.133.216.37 , 45.133.216.37 , kellylogeinc.com
Lokibot 13 103.94.135.216 , 104.21.21.125 , 104.21.21.233 , 104.21.48.77 , 104.21.57.192 , 104.21.7.70 , 104.21.89.222 , 185.208.180.121 , 192.185.154.249 , 193.135.12.14 , 193.135.12.15 , 193.135.12.17 , 193.135.12.18
Pony 2 2.57.89.36 , 78.198.121.158
Predator 2 185.50.25.17 , 185.50.25.27
Redirected 2 176.111.174.72 , 195.123.222.188
RedLine 26 104.217.62.116 , 135.125.212.239 , 142.202.240.22 , 147.78.67.95 , 176.96.238.230 , 178.20.40.83 , 185.180.231.94 , 185.244.216.74 , 193.203.203.138 , 198.58.116.14 , 199.195.248.115 , 217.12.209.160 , 45.128.150.56 , 45.128.150.56 , 45.142.214.174 , 45.150.67.48 , 45.153.184.188 , 45.67.228.131 , 45.67.231.78 , 5.101.66.180 , 5.101.66.180 , 78.47.210.127 , 86.105.252.27 , 87.251.71.113 , 93.115.20.12 , ttp
SmokeLoader 86
Taurus 1 172.67.129.228
Zeus 1 78.198.121.158


   Common Malware

SHA256  |  MD5  |  VirusTotal  |  FileName  |  Claimed Product  |  Detection Name
c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e 9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5 8c80dd97c37525927c1e549cb59bcbf3 https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection Eternalblue-2.2.0.exe N/A Win.Exploit.Shadowbrokers::5A5226262.auto.talos
8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9 34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd
5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f b8a582da0ad22721a8f66db0a7845bed https://www.virustotal.com/gui/file/5901ce0f36a875e03e4d5e13e728a2724b8eff3c61cc24eb810be3df7508997f/details flashhelperservice.exe Flash Helper Service W32.Auto:5901ce0f36.in03.Talos
4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b f37167c1e62e78b0a222b8cc18c20ba7 https://www.virustotal.com/gui/file/4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b/details flashhelperservice.exe Flash Helper Service W32.4647F1A085.in12.Talos

   Top Phishing Campaigns

Phishing Target  Count
Other             1335
RuneScape            3
Vodafone             3
Facebook            47
Itau                 1
Microsoft            4
Steam                1
Amazon.com           9
Rakuten              2
Caixa                1
PayPal               2
MyEtherWallet        1
Google               2
Netflix              1
Allegro              2
Twitter              1
Dropbox              2
Instagram            2

 
   CVEs with Recently Discovered Exploits

      This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor, Description, CVSS v3.1 Base Score

CVE-2021-3148

Command Injection Vulnerability in SaltStack

SaltStack

An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py. CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2021-28041

Double-Free Memory Corruption Vulnerability in OpenSSH

OpenBSD

ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host. CVSS v3.1 Base Score: 7.3 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

CVE-2021-27886

Command Injection Vulnerability in Docker Dashboard

Docker Dashboard Project

rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product. CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2021-27730

Argument Injection Vulnerability in Accellion FTA

Accellion

Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint. The fixed version is FTA_9_12_444 and later. CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2021-25283

Server-Side Template Injection Vulnerability in SaltStack

SaltStack

An issue was discovered in SaltStack Salt before 3002.5. The jinja renderer does not protect against server-side template injection attacks. CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2021-25281

Remote Authentication Bypass Vulnerability in SaltStack

SaltStack

An issue was discovered in SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client, so an attacker can remotely run any wheel module on the master. CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2021-2047

Unauthenticated Access Vulnerability in Oracle WebLogic Server

Oracle

This vulnerability is in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0. The easily exploitable vulnerability allows an unauthenticated attacker with network access via IIOP or T3 to compromise Oracle WebLogic Server. Successful attacks can result in takeover of Oracle WebLogic Server (Confidentiality, Integrity and Availability impacts). CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Date Published: March 26, 2021