Threat Intel Banner

   
   Trends

  • The top attacker country was China with 42681 unique attackers (38.23%).
  • The top Trojan C&C server detected was Oski with 26 instances detected.
  • The top phishing campaign detected was against Facebook with 46 instances detected.


   Top Attackers By Country

Country Occurences Percentage
China 42681 38.23%
United States 32607 29.20%
Singapore 20074 17.98%
Russia 5983 5.36%
India 1789 1.60%
South Korea 1456 1.30%
Hong Kong 1219 1.09%
Vietnam 926 0.83%
France 920 0.82%
United Arab Emirates 685 0.61%
Mexico 684 0.61%
Chile 601 0.54%
Peru 589 0.53%
Poland 534 0.48%
Germany 480 0.43%
Argentina 424 0.38%
Italy 397 0.36%
Paraguay 385 0.34%
 
Top Attackers by CountryChinaUnited StatesSingaporeRussiaOther38%9.9%17.9%29%
Country Percentage of Attacks
China 42,681
United States 32,607
Singapore 20,074
Russia 5,983
India 1,789
South Korea 1,456
Hong Kong 1,219
Vietnam 926
France 920
United Arab Emirates 685
Mexico 684
Chile 601
Peru 589
Poland 534
Germany 480
Argentina 424
Italy 397
Paraguay 385

   
   Threat Geo-location

38542,681

   
   Top Attacking Hosts

Host Occurrences
137.220.134.169 18993
222.186.160.214 17553
61.177.173.16 11759
149.7.241.56 9934
172.20.29.251 3557
45.143.200.34 1915
69.162.124.234 1354
165.192.101.197 1141
42.200.151.1 1059
192.241.139.160 979
87.241.1.186 830
112.85.42.72 794
194.48.155.243 792
119.82.135.244 690
209.141.55.110 689
187.174.65.4 684
51.15.167.103 650
213.108.200.11 630
129.226.170.156 593
164.77.117.10 592
103.205.7.116 592
119.45.170.150 592


   Top Network Attackers

ASN Country Name
64050 Japan BCPL-SG BGPNET Global ASN, SG
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
47110 Czechia CLOUD4COM-AS, CZ
212283 Bulgaria ROZA-AS, BG
46475 United States LIMESTONENETWORKS, US
36351 Japan SOFTLAYER, US
4760 Hong Kong SAR China HKTIMS-AP HKT Limited, HK
14061 United States DIGITALOCEAN-ASN, US
8220 Italy COLT COLT Technology Services Group Limited, GB
4837 China CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
35196 Russia IHOR-AS, RU
45903 Vietnam CMCTELECOM-AS-VN CMC Telecom Infrastructure Company, VN
53667 United States PONYNET, US
28513 Mexico Uninet S.A. de C.V., MX
12876 France Online SAS, FR
49749 Russia VMS-AS, RU
132203 Singapore TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue, CN
6471 Chile ENTEL CHILE S.A., CL
23650 China CHINANET-JIANGSU-PROVINCE-IDC AS Number for CHINANET jiangsu province backbone, CN
45090 China CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN


   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 3 103.114.107.28 , 185.174.174.220 , 94.237.67.97
Amadey 6 176.111.174.114 , 176.111.174.66 , 185.215.113.57 , 45.155.205.172 , 78.46.187.68 , umbrocels345.space
Askar 1 212.192.241.136
Azorult 1 45.180.172.235
BlackNet 3 167.172.170.114 , 167.172.170.114 , 89.252.185.4
Collector 4 141.8.192.151 , 141.8.192.169 , 141.8.193.236 , 195.161.41.50
EvilBear 3 203.28.246.111 , 212.192.241.97 , 45.144.225.86
LittleThief 1 107.178.112.38
LokiBot 6 104.21.51.229 , 104.21.88.207 , 172.67.181.37 , 172.67.190.159 , 172.67.217.241 , 5.180.186.227
Oski 26 0.0.0.0 , 144.91.89.80 , 162.214.123.127 , 172.67.162.172 , 172.67.200.94 , 172.81.116.15 , 192.185.26.241 , 194.87.232.197 , 198.54.126.118 , 198.98.49.140 , 198.98.60.43 , 203.159.80.65 , 205.185.120.57 , 209.141.49.199 , 212.192.241.220 , 31.210.21.154 , 45.144.225.201 , 45.15.143.157 , 45.180.172.14 , 45.85.90.14 , 80.78.23.56 , 92.53.124.88 , cgibin.online , duiy.xyz , tbyt.club , zvv.asia
Plague 1 141.8.192.151
RedLine 24 176.121.14.43 , 178.32.113.201 , 18.191.226.63 , 185.118.167.224 , 185.125.18.43 , 185.173.36.208 , 185.230.141.234 , 185.230.143.52 , 194.233.74.11 , 195.123.208.194 , 198.98.49.129 , 213.183.41.60 , 45.134.225.35 , 45.144.225.163 , 45.144.29.212 , 45.67.231.8 , 49.12.42.196 , 51.38.208.16 , 62.182.159.35 , 80.92.205.137 , 87.251.71.226 , 91.194.11.86 , 94.103.93.224 , 95.181.155.231
SmokeLoader 2 172.67.171.107 , 179.43.140.174
 
Trojan C&C Servers DetectedAgentTeslaAmadeyBlackNetCollectorEvilBearLokibotOskiRedLineRedLineOther7.4%7.4%29.6%32.1%BlackNet3 (3.7%)
Name Number Discovered
AgentTesla 3
Amadey 6
Askar 1
Azorult 1
BlackNet 3
Collector 4
EvilBear 3
LittleThief 1
Lokibot 6
Oski 26
Plague 1
RedLine 24
RedLine 2

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
52ed8d8b8f1d37b7db0319a3351f6a16 https://www.virustotal.com/gui/file/583418f8f4c156be56ae65b932ca1d8e431e8f845806d0fc814f40562241fbc4/details smbscanlocal2705.exe N/A W32.Auto:583418f8f4.in03.Talos
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd
d709ea22945c98782dc69e996a98d643 https://www.virustotal.com/gui/file/3bc24c618151b74ebffb9fbdaf89569fadcce6682584088fde222685079f7bb9/details FlashHelperService.exe Flash Helper Service W32.Auto:3bc24c6181.in03.Talos
8193b63313019b614d5be721c538486b https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details SAService.exe SAService PUA.Win.Dropper.Segurazo::95.sbx.tg


   Top Phishing Campaigns

Phishing Target Count
Other 1190
Visa 3
Facebook 46
Google 3
PayPal 6
Microsoft 3
Rakuten 5
Steam 3
Amazon.com 3
AT&T 1
LinkedIn 1
Hermes 1
DocuSign 1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor Description CVSS v3.1 Base Score Date Created Date Updated

CVE-2021-26937

Denial of Service Vulnerability in GNU Screen

Gnu, Debian, and Fedora Project

encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 02/09/2021 05/26/2021

CVE-2021-26120

Code Injection Vulnerability in Smarty

Smarty, Debian

Smarty before 3.1.39 allows code injection via an unexpected function name after a {function name= substring. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 02/21/2021 05/26/2021

CVE-2021-20231

Memory Corruption Vulnerability in Gnutls

Gnu, Redhat, NetApp, and Fedora Project

A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences. Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 03/12/2021 06/01/2021

CVE-2021-31800

Arbitrary Code Execution Vulnerability in SMbserver Instance

SecureAuth, Fedora Project

Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing /etc/shadow or an SSH authorized key. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 05/05/2021 05/26/2021

CVE-2021-29921

Weak Authentication Control in Python Version < 3,9,5

Python

In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 05/06/2021 06/01/2021

CVE-2021-28799

Weak Authorization Vulnerability in QNAP

Qnap

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 . 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 05/12/2021 06/01/2021

CVE-2021-31474

Arbitrary Code Execution Vulnerability in SolarWinds

Solarwinds

This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12213. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 05/21/2021 06/07/2021