Threat Intel Banner

   
   Trends

  • The top attacker country was China with 189157 unique attackers (52.86%).
  • The top Trojan C&C server detected was Redline with 10 instances detected.
  • The top phishing campaign detected was against Facebook with 97 instances detected.


   Top Attackers By Country

Country Occurrences Percentage
China 189157 52.86%
United States 87175 24.36%
Romania 18061 5.05%
India 15721 4.39%
Russia 11941 3.34%
Vietnam 11227 3.14%
Brazil 5284 1.48%
Indonesia 3514 0.98%
Belize 2638 0.74%
Morocco 2450 0.68%
Israel 2082 0.58%
Mauritania 2050 0.57%
United Arab Emirates 2042 0.57%
Bangladesh 1916 0.54%
Netherlands 1421 0.40%
Isle of Man 1180 0.33%

   
   Threat Geo-location

[Map: attacks by country of origin; per-country counts range from 1,180 to 189,157, as listed in the table above.]

   
   Top Attacking Hosts



   Top Network Attackers

ASN Country Name
135887 Australia TELSTRA-BELONG-AP Belong Telstra Corporation, AU
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
48874 Romania HOSTMAZE HOSTMAZE, RO
45090 China CNNIC-TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited, CN
213371 Netherlands SQUITTER-NETWORKS, NL
46475 United States LIMESTONENETWORKS, US
46606 United States UNIFIEDLAYER-AS-1, US
23650 China CHINANET-JIANGSU-PROVINCE-IDC AS Number for CHINANET jiangsu province backbone, CN
57044 Russia BRYANSK-AS, RU
27699 Brazil TELEFONICA BRASIL S.A, BR
7552 Vietnam VIETEL-AS-AP Viettel Group, VN
35228 United Kingdom O2BROADBAND, GB
24560 India AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services, IN
12849 Israel HOTNET-IL AMS-IX Admin LAN, IL


   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 4 185.239.243.112 , 212.192.241.224 , 213.229.66.214 , 37.0.8.76
Amadey 1 185.215.113.67
Arechclient2 1 176.111.174.53
Azorult 3 104.219.251.247 , 195.133.40.191 , 34.145.104.200
BlackNet 1 74.208.16.112
Collector 8 141.8.192.151 , 141.8.193.236 , 141.8.197.42 , 168.119.39.42 , 185.114.247.54 , 45.138.24.114 , 85.204.116.127 , 94.130.71.225
Cryptbot 3 143.110.191.106 , 158.247.224.5 , 47.243.129.23
DarkVNC 1 23.83.133.152
Lokibot 7 104.21.80.157 , 165.22.105.227 , 167.71.200.225 , 172.67.129.41 , 172.67.185.42 , 172.67.197.226 , 45.252.248.59
Oski 7 103.153.76.164 , 160.153.133.86 , 172.64.80.1 , 91.151.93.127 , buck-mhe.cf , pablopanuroere.pw , samuraistudio.com.mx
Pony 1 216.104.41.99
Redline 10 135.148.139.222 , 135.181.49.56 , 185.215.113.35 , 185.215.113.63 , 45.14.12.42 , 77.246.145.4 , 86.107.197.64 , 87.251.71.100 , 91.219.61.144 , 91.219.62.16
Stealthworker 1 139.60.161.63
Vidar 1 116.202.183.50

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
6be10a13c17391218704dc24b34cf736 https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details smbscanlocal0906.exe N/A Win.Dropper.Ranumbot::in03.talos
2915b3f8b703eb744fc54c81f4a9c67f https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details VID001.exe N/A Win.Worm.Coinminer::1201
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd
8193b63313019b614d5be721c538486b https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details SAService.exe SAService PUA.Win.Dropper.Segurazo::95.sbx.tg


   Top Phishing Campaigns

Phishing Target Count
Other 1319
Facebook 97
Steam 15
Special 6
PayPal 2
RuneScape 3
AOL 1
DHL 6
Allegro 2
Amazon.com 11
Caixa 2
Rakuten 6
Visa 3
Microsoft 1
Instagram 1
Vodafone 4
WeTransfer 1
Adobe 3


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE / Title / Vendor / Description / CVSS v3.1 Base Score / Date Created / Date Updated

CVE-2020-35184

Weak Authentication Vulnerability in Official Docker Compose

Docker

The official composer docker images before 1.8.3 contain a blank password for the root user. Systems using the composer docker container deployed from affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 12/16/2020 07/08/2021

CVE-2021-34458

Windows Kernel Remote Code Execution Vulnerability

Windows

This issue allows an SR-IOV device which is assigned to a guest to potentially interfere with its PCIe siblings which are attached to other guests or to the root. In short, SR-IOV devices allow your virtual machines to share resources on a single, physical interface on your server. 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) 07/16/2021 07/16/2021

CVE-2021-21513

Weak Authentication Vulnerability in Dell EMC OpenManage

Dell

Dell EMC OpenManage Server Administrator (OMSA) version 9.5 Microsoft Windows installations with the Distributed Web Server (DWS) enabled configuration contain an authentication bypass vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain admin access on the affected system. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 03/02/2021 07/13/2021

CVE-2021-22911

Improper Input Validation Vulnerability in Rocket Chat Server

Rocket Chat

An improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 and 3.13 that could lead to unauthenticated NoSQL injection, potentially resulting in RCE. 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 05/27/2021 07/07/2021

CVE-2021-34527

Windows Print Spooler Remote Code Execution Vulnerability

Microsoft

The Print Spooler remote code execution vulnerability takes advantage of the RpcAddPrinterDriver function call in the Print Spooler service that allows clients to add arbitrary dll files as printer drivers and load them as SYSTEM (the spooler service context). 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) 07/02/2021 07/14/2021
Date Published: July 22, 2021