Internet Storm Center Spotlight
Title: Threat actor continues to build out spam arsenal, primarily targets Amazon Web Services

Description: Cisco Talos has recently received modified versions of the TeamTNT cybercrime group's malicious shell scripts. These scripts are primarily designed to target Amazon Web Services (AWS) but could also run on on-premises, container or other Linux instances. Besides the primary credential stealer scripts, there are several TeamTNT payloads focused on cryptocurrency mining, persistence and lateral movement, using techniques such as discovering and deploying onto all Kubernetes pods in a local network. There is also a script with login credentials for the primary distribution server, and another with an API key that might provide remote access to a tmate shared terminal session. Some of the TeamTNT scripts even contain defense evasion functions focused on disabling Alibaba cloud security tools. The tools used by TeamTNT demonstrate that cybercriminals are increasingly comfortable attacking modern environments such as Docker, Kubernetes and public cloud providers, which have traditionally been avoided by other cybercriminals who have instead focused on on-premises or mobile environments.

ClamAV signature: Unix.Trojan.TeamTNT-9940866-0

Title: Lazarus Group continues to target blockchain, cryptocurrency companies

Description: The U.S. government warned last week that the Lazarus Group APT continues to target blockchain and cryptocurrency-related companies to generate revenue. The North Korean state-sponsored actor has been active for years, mainly focusing on cyberattacks that could make money for the group. This campaign involves Lazarus Group targeting users with spearphishing emails, then installing a set of malicious apps called “TraderTraitor” that disguise themselves as a legitimate cryptocurrency trading application. The ultimate goal is to conduct fraudulent activity on the blockchain, often by stealing users’ cryptocurrency wallets.

SNORT® SIDs: 59607

Internet Storm Center Entries

New research shows that democratic nations have started using the NSO Group’s Pegasus spyware to track the activities and movements of activists, journalists and other individuals.

A UN Security Council member is urging increased attention to North Korean cybercrime.

The Five Eyes Alliance countries have issued a joint alert warning of Russian state-sponsored and criminal cyberthreats to critical infrastructure.

Emotet botnet operators are testing new techniques.

The LAPSUS$ threat actor recently stole T-Mobile source code as the result of its wave of ransomware attacks against several high-profile companies.

Security researchers discovered a vulnerability in the web version of the Everscale blockchain ecosystem’s anti-theft functions that could allow an attacker to gain full control over a target’s wallet.

The Department of Homeland Security recently wrapped up its first-ever bug bounty program; participants discovered 122 vulnerabilities in external DHS systems.

Recent CVEs
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2015-20107

Title: OS command injection vulnerability in the Python mailcap module

Description: In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters to commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input, if those applications do not validate user-provided filenames or arguments themselves.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
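To make the mailcap issue concrete, the following added example (not from the advisory or from CPython) uses a small stand-in for mailcap.findmatch: the naive version substitutes the raw filename into the mailcap command template, while the hardened version applies the allow-list check and quoting an application should do before handing untrusted filenames to the module. The mailcap entry and the allow-list pattern are constructed for this example.

```python
import re
import shlex

# Constructed stand-in for one entry of the system mailcap file.
# A real mailcap has many lines; this one is invented for the example.
MAILCAP_ENTRIES = {"application/pdf": "xpdf %s"}

# Conservative allow-list for filenames that may reach a mailcap command.
# This is the example's own policy, not CPython's check.
_SAFE_NAME = re.compile(r"^[\w.,+=@:/-]+$")


def naive_findmatch(mime_type, filename):
    """Mimic the pre-fix behaviour: '%s' is replaced with the raw filename,
    so any shell metacharacters in it become part of the command string."""
    template = MAILCAP_ENTRIES.get(mime_type)
    if template is None:
        return None
    return template.replace("%s", filename)


def safe_view_argv(mime_type, filename):
    """Hardened variant: reject names outside the allow-list, quote what
    remains, and return an argv list so the caller can use subprocess
    without a shell at all."""
    if not _SAFE_NAME.match(filename):
        raise ValueError("filename contains characters unsafe for a shell command")
    template = MAILCAP_ENTRIES.get(mime_type)
    if template is None:
        return None
    return shlex.split(template.replace("%s", shlex.quote(filename)))


if __name__ == "__main__":
    # Constructed untrusted input: a name carrying a shell separator.
    for name in ("report.pdf", "a.pdf; echo injected"):
        print("naive  :", naive_findmatch("application/pdf", name))
        try:
            print("hardened:", safe_view_argv("application/pdf", name))
        except ValueError as err:
            print("hardened: rejected ->", err)
```

Nothing in the block executes a command; it only shows what string would have reached the shell and what the hardened path returns instead.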

ID: CVE-2022-29464

Title: WSO2 Unrestricted Arbitrary File Upload and Remote Code Execution Vulnerability

Description: Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a directory traversal sequence in the Content-Disposition filename to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.

CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
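The defensive counterpart to the traversal described above, as an added example that is not WSO2's code: a simplified Content-Disposition filename extractor (not a full RFC 6266 parser), a destination-path check that refuses any filename that is not a single path component or that resolves outside the upload root, and a small predicate suitable for flagging such headers in a log or WAF rule. The upload root and the header values are constructed for the example.

```python
import os
import re

# Simplified extraction of filename="..." or a bare filename=value.
# Not a full RFC 6266 parser; enough to demonstrate the check.
_FILENAME_RE = re.compile(r'filename=(?:"([^"]*)"|([^;]*))')


def parse_filename(content_disposition):
    m = _FILENAME_RE.search(content_disposition)
    if not m:
        return None
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return value.strip()


def safe_upload_path(upload_root, content_disposition):
    """Return the absolute destination for the upload, or None if the
    client-supplied filename would escape upload_root or is unusable."""
    name = parse_filename(content_disposition)
    if not name:
        return None
    # Only a single path component is acceptable. This rejects ../ on
    # either separator and absolute paths before any filesystem I/O.
    if name in (".", "..") or "/" in name or "\\" in name:
        return None
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, name))
    # Defence in depth: the resolved path must still sit under the root.
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


def is_traversal_attempt(content_disposition):
    """Detection predicate: does the filename contain a '..' segment?"""
    name = parse_filename(content_disposition) or ""
    return ".." in name.replace("\\", "/").split("/")


if __name__ == "__main__":
    # Constructed headers: one benign, one carrying the traversal pattern.
    benign = 'form-data; name="file"; filename="report.pdf"'
    hostile = ('form-data; name="file"; filename="../../../../repository'
               '/deployment/server/webapps/example.war"')
    for hdr in (benign, hostile):
        print(is_traversal_attempt(hdr), safe_upload_path("/srv/uploads", hdr))
```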

Prevalent Malware Files
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name:

SHA 256: 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a
Typical Filename: LwssPlayer.scr

Claimed Product: ?????????

Detection Name: Auto.125E12.241442.in02

SHA 256: 792bc2254ce371be35fcba29b88a228d0c6e892f9a525c330bcbc4862b9765d0

MD5: b46b60327c12290e13b86e75d53114ae
Typical Filename: NAPA_HQ_SetW10config.exe

Claimed Product: N/A

Detection Name: W32.File.MalParent

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

SHA 256: 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0

MD5: 10f1561457242973e0fed724eec92f8c
Typical Filename: ntuser.vbe

Claimed Product: N/A

Detection Name: Auto.1A234656F8.211848.in07.Talos