Threat Intel Banner

   
   Trends

  • The top attacker country was China with 115353 unique attackers (62.15%).
  • The top Trojan C&C server detected was CobaltStrike with 42 instances detected.
  • The top phishing campaign detected was against Facebook with 11 instances detected.


   Top Attackers By Country

Country Occurences Percentage
China 115353 62.15%
United States 42824 62.15%
Brazil 5894 23.07%
Russia 4206 3.18%
South Korea 2554 2.27%
Vietnam 2264 1.38%
Liberia 2055 1.22%
Germany 1945 1.11%
Hong Kong 1782 1.05%
India 1607 0.96%
Malaysia 1296 0.87%
Argentina 956 0.70%
Colombia 774 0.52%
Croatia 643 0.42%
Seychelles 401 0.35%
Ecuador 356 0.22%
Ghana 346 0.19%
Paraguay 344 0.19%
Top Attackers by CountryChinaUnited StatesBrazilRussiaOther9.3%23.1%62.2%
Country Percentage of Attacks
China 115,353
United States 42,824
Brazil 5,894
Russia 4,206
South Korea 2,554
Vietnam 2,264
Liberia 2,055
Germany 1,945
Hong Kong 1,782
India 1,607
Malaysia 1,296
Argentina 956
Colombia 774
Croatia 643
Seychelles 401
Ecuador 356
Ghana 346
Paraguay 344

   
   Threat Geo-location

344115,353

   
   Top Attacking Hosts

Host Occurrences
222.186.59.199 34721
61.177.173.16 30790
120.155.11.19 9248
103.100.29.81 5051
183.61.19.75 3055
61.177.173.3 2861
69.162.124.234 2826
164.160.9.243 2055
49.149.73.181 1977
138.185.255.164 1960
87.164.36.69 1475
216.245.221.84 1126
89.175.29.126 720
209.141.61.155 668


   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
Amadey 1 185.215.113.17
Azorult 1 18.157.168.193
Cobalt 1 84.38.182.41
CobaltStrike 42 195.123.222.5, 5.34.181.12, 185.14.29.42, 195.123.217.45, 195.123.220.206, 185.14.29.72, 195.123.222.12, 195.123.222.12, 104.193.252.197, 92.63.105.58, 217.12.202.110, 193.239.84.253, 193.239.84.254, 3.1.196.18, 103.27.109.249, 18.217.215.212, 204.48.23.19, 35.177.179.101, 104.194.215.184, 193.239.84.224, 127.0.0.1, 193.239.84.210, 114.215.86.71, 159.89.199.64, 3.1.196.18, 18.217.215.212, 35.177.179.101, 101.200.178.253, 23.106.124.95, 35.182.255.225, 128.199.115.88, 152.32.227.250, 45.147.54.18, 104.168.166.124, 104.168.166.124, 104.168.166.124, 47.103.212.53, 108.178.50.74, 142.93.224.7, 47.95.205.52, 212.114.52.213, 188.166.52.194
KeitaroTDS 1 87.236.16.241
LokiBot 26 172.67.209.115, 148.66.138.116, 27.122.57.174, 54.227.98.220, 54.227.98.220, 23.253.46.64, 23.253.46.64, 54.227.98.220, 45.77.226.209, 172.67.190.183, 203.170.84.89, 193.56.29.165, 23.227.196.14, 84.38.129.125, 176.74.27.137, 197.242.126.229, 172.67.153.81, 54.227.98.220, 185.208.180.121, 185.208.180.121, 104.21.75.81, 172.67.153.81, 185.208.180.121, 104.21.75.81, 159.148.38.167, 172.67.195.49
Oski 1 212.192.241.91
Redline 7 85.192.56.35, 87.251.71.25, 65.21.122.45, 185.118.165.94, 185.234.247.50, 95.179.244.63, 209.250.245.216
SmokeLoader 1 5.61.35.193
Trojan C&C Servers DetectedCobaltStrikeLokiBotRedlineOther7.4%8.6%32.1%51.9%
Name Number Discovered
Amadey 1
Azorult 1
Cobalt 1
CobaltStrike 42
KeitaroTDS 1
LokiBot 26
Oski 1
Redline 7
SmokeLoader 1

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
6be10a13c17391218704dc24b34cf736 https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details smbscanlocal0906.exe N/A Win.Dropper.Ranumbot::in03.talos
84452e3633c40030e72c9375c8a3cacb https://www.virustotal.com/gui/file/f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4/details sqhost.exe N/A W32.Auto:f0a5b257f1.in03.Talos
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd
39e14b83d48ab362c9a5e03f885f5669 https://www.virustotal.com/gui/file/302f58da597128551858e8d53229340941457cad6729af0d306ebfa18a683769/details SqlServerWorks.Runner.exe SqlServerWorks.Runner W32.302F58DA59-95.SBX.TG


   Top Phishing Campaigns

Phishing Target Count
Other 312
Facebook 11
RuneScape 2
PayPal 1
Vodafone 1
Steam 3


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor Description CVSS v3.1 Base Score Date Created Date Updated

CVE-2020-0796

Remote Code Execution Vulnerability in Microsoft SMB

Microsoft

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'. 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 03/12/2020 07/21/2021

CVE-2020-1953

Malicious File Upload Vulnerability in Apache Commons

Apache

Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application. 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 03/13/2020 07/21/2021

CVE-2020-26821

Weak Authentication Vulnerability in SAP Solution Manager

SAP

SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service, this has an impact to the integrity and availability of the service. 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H) 11/10/2020 07/21/2021

CVE-2021-35211

Remote Code Execution Vulnerability in SolarWind’s Serv-U

Solarwinds

Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability. 9.9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) 07/14/2021 07/26/2021

CVE-2020-6102

Code Execution Vulnerability in Shader Functionality – AMD Radeon Directx Driver

AMD

An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.dll 26.20.15019.19000. An attacker can provide a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a HYPER-V guest using the RemoteFX feature, leading to executing the vulnerable code on the HYPER-V host (inside of the rdvgm.exe process). Theoretically this vulnerability could be also triggered from web browser (using webGL and webassembly). 9.9(AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) 07/20/2020 07/21/2021