threat-intelligence-report

Trends

  • The top attacker country was China with 310720 unique attackers (54%).
  • The most frequently detected Trojan C&C family was Heodo, with 77 instances detected.

Top Attackers By Country

Country Occurrences Percentage
China 310720 54.00%
Australia 89132 15.00%
United States 34204 5.00%
Singapore 29399 5.00%
South Africa 23349 4.00%
United Kingdom 14822 2.00%
Chile 9043 1.00%
Russia 8680 1.00%
Netherlands 6884 1.00%
India 5752 1.00%
France 5687 0%
Canada 5154 0%
South Korea 5118 0%
Brazil 2096 0%
Indonesia 1877 0%
Germany 1373 0%
Mexico 1192 0%
Pakistan 921 0%
Switzerland 461 0%
Barbados 393 0%


Threat Geo-location

[Map: attacker occurrences by country, legend range 393 to 310,720]

Top Attacking Hosts

Host Occurrences
112.85.42.187 46004
49.88.112.116 30064
223.25.69.98 27124
14.200.151.138 26806
202.161.116.141 26801
196.250.39.188 23095
218.92.0.191 19445
86.161.125.172 13431
112.85.42.189 13392

Top Network Attackers

ASN Country Name
4837 China CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
56300 Singapore MYREPUBLIC-SG MyRepublic Ltd., SG
7545 Australia TPG-INTERNET-AP TPG Telecom Limited, AU
37515 South Africa iCONNECT, ZA
2856 United Kingdom BT-UK-AS BTnet UK Regional network, GB

Remote Access Trojan C&C Servers Found

Name Number Discovered Location
Azorult 1 194.147.35.109
BuerLoader 1 94.142.142.55
DarkLoader 1 92.63.203.197
Heodo 77 100.14.117.137 , 100.38.11.243 , 103.9.145.19 , 108.184.9.44 , 110.142.38.16 , 110.143.84.202 , 111.125.71.22 , 113.61.76.239 , 115.179.91.58 , 118.36.70.245 , 119.57.36.54 , 120.51.83.89 , 12.176.19.218 , 1.33.230.137 , 138.59.177.106 , 164.68.115.146 , 173.91.11.142 , 174.57.150.13 , 175.103.239.50 , 175.127.140.68 , 178.134.1.238 , 179.13.185.19 , 181.46.176.38 , 186.67.208.78 , 186.84.173.136 , 190.146.14.143 , 190.161.67.63 , 190.171.135.235 , 200.41.121.69 , 200.7.243.108 , 201.173.217.124 , 202.186.240.165 , 218.44.21.114 , 223.255.148.134 , 2.42.173.240 , 24.27.122.202 , 37.183.121.32 , 37.59.24.177 , 41.77.74.214 , 45.50.177.164 , 46.105.128.215 , 47.156.70.145 , 47.6.15.79 , 5.88.27.67 , 58.93.151.148 , 64.147.15.138 , 64.53.242.181 , 66.34.201.20 , 66.76.63.99 , 67.171.182.231 , 67.254.196.78 , 68.174.15.223 , 73.214.99.25 , 73.60.8.210 , 74.105.102.97 , 75.80.148.244 , 76.221.133.146 , 78.186.102.195 , 78.187.204.70 , 79.7.114.1 , 80.11.158.65 , 85.109.190.235 , 85.152.208.146 , 85.235.219.74 , 85.72.180.68 , 86.6.123.109 , 86.70.224.211 , 86.98.157.3 , 87.9.181.247 , 88.247.26.78 , 89.215.225.15 , 91.117.31.181 , 91.74.175.46 , 93.67.154.252 , 96.234.38.186 , 96.38.234.10 , 96.61.113.203
LokiBot 1 185.239.50.98
PredatorTheThief 3 5.188.231.110 , 5.188.231.150 , 5.188.231.89
TrickBot 26 103.209.178.208 , 114.8.133.71 , 119.252.165.75 , 121.100.19.18 , 172.82.152.136 , 184.164.137.190 , 185.117.119.169 , 185.14.30.135 , 185.14.30.176 , 185.186.77.243 , 192.227.232.116 , 192.227.232.21 , 192.227.232.50 , 193.37.212.139 , 194.5.250.58 , 195.123.241.207 , 195.123.245.122 , 198.46.161.213 , 198.46.161.216 , 23.94.70.12 , 45.9.250.244 , 5.182.210.132 , 5.2.75.137 , 64.44.51.106 , 85.143.218.118 , 93.189.42.185
UAdmin 1 176.121.14.204

Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
42143a53581e0304b08f61c2ef8032d7 https://www.virustotal.com/gui/file/64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b/details myfile.exe N/A Pdf.Phishing.Phishing::malicious.tht.talos
c5608e40f6f47ad84e2985804957c342 https://www.virustotal.com/gui/file/f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc/details FlashHelperServices.exe Flash Helper Service PUA:2144FlashPlayer-tpd
47b97de62ae8b2b927542aa5d7f3c858 https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details qmreportupload.exe qmreportupload Win.Trojan.Generic::in10.talos
e2ea315d9a83e7577053f52c974f6a5a https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin N/A W32.AgentWDCR:Gen.21gn.1201
799b30f47060ca05d80ece53866e01cc https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details mf2016341595.exe N/A W32.Generic:Gen.22fz.1201

CVEs with Recently Discovered Exploits

This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor, Description, CVSS v2 Base Score, Date Created, Date Updated

CVE-2019-15276

Cisco Wireless LAN Controller Denial of Service Vulnerability

Cisco

A vulnerability in the web interface of Cisco Wireless LAN Controller Software could allow a low-privileged, authenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability exists due to a failure of the HTTP parsing engine to handle specially crafted URLs. An attacker could exploit this vulnerability by authenticating with low privileges to an affected controller and submitting the crafted URL to the web interface of the affected device.

7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

11/25/2019 12/11/2019

CVE-2019-19576

Verot Remote Code Execution Vulnerability

Verot

Affected Verot versions are exposed to a remote code execution vulnerability: class.upload.php in verot.net class.upload, as used in the K2 extension for Joomla! and other products, omits .phar from the set of dangerous file extensions.

7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

12/04/2019 12/04/2019

CVE-2019-16702

Integard Pro Remote Buffer Overflow Vulnerability

Integard

Integard Pro allows remote attackers to execute arbitrary code via a buffer overflow involving a long NoJs parameter to the /LoginAdmin URI. Integard fails to sanitize input to the "NoJs" parameter in an HTTP POST request, resulting in a stack buffer overflow that overwrites the instruction pointer, leading to remote code execution.

7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

09/22/2019 12/06/2019

CVE-2019-15627

Trend Micro Deep Security Agent 11 Arbitrary File Overwrite Vulnerability

Trend Micro

Trend Micro Deep Security Agent is vulnerable to an arbitrary file delete attack, which may lead to an availability impact. The attack requires access to the local operating system. The vulnerability allows an unprivileged local attacker to delete any file on the filesystem, or overwrite it with arbitrary data hosted elsewhere.

6.6 (AV:L/AC:L/Au:N/C:N/I:C/A:C)

10/17/2019 12/06/2019
Date Published: December 16, 2019