Threat Intel Banner

   
   Trends

  • The top attacker country was United States with 123365 unique attackers (45.33%).
  • The top Trojan server detected was Lu0bot with 26 instances detected.
  • The top phishing campaign detected was against Facebook with 44 instances detected.


   Top Attackers By Country

Country Occurences Percentage
United States 123365 45.33%
China 101932 37.46%
Vietnam 11304 4.15%
India 9788 3.60%
Iraq 4063 1.49%
Russia 3572 1.31%
Indonesia 3210 1.18%
Brazil 3181 1.17%
Bangladesh 2579 0.95%
Oman 2349 0.86%
France 2217 0.81%
Argentina 1628 0.60%
Colombia 1152 0.42%
Bulgaria 907 0.33%
Sweden 459 0.17%
Netherlands 418 0.15%
Top Attackers by CountryUnited StatesChinaVietnamIndiaOther45.3%9.5%37.5%
Country Percentage of Attacks
United States 123,365
China 101,932
Vietnam 11,304
India 9,788
Iraq 4,063
Russia 3,572
Indonesia 3,210
Brazil 3,181
Bangladesh 2,579
Oman 2,349
France 2,217
Argentina 1,628
Colombia 1,152
Bulgaria 907
Sweden 459
Netherlands 418

   
   Threat Geo-location

418123,365

   
   Top Attacking Hosts

Host Occurrences
188.166.2.250 33839
61.177.173.17 12792
223.95.116.13 10890
94.3.233.253 8708
61.177.173.11 8659
103.100.29.81 8447
63.143.42.242 8270
92.63.196.236 5390
69.162.124.234 5020
183.61.19.75 4966
61.177.173.3 2659
5.37.201.121 2349
123.201.142.228 2340
185.222.57.212 2238
113.161.204.110 2104
212.237.123.127 2044
103.155.223.109 2043
125.166.3.179 2020
37.239.210.139 2019


   Top Network Attackers

ASN Country Name
14061 Netherlands DIGITALOCEAN-ASN, US
4134 China CHINANET-BACKBONE No.31,Jin-rong Street, CN
56041 China CMNET-ZHEJIANG-AP China Mobile communications corporation, CN
5607 United Kingdom BSKYB-BROADBAND-AS, GB
137549 Australia NODE1-AS-AP NODE1 Pty Ltd, AU
46475 United States LIMESTONENETWORKS, US
61432 Netherlands VAIZ-AS ITBks892, RU
28885 Oman OMANTEL-NAP-AS OmanTel NAP, OM
18207 India YOU-INDIA-AP YOU Broadband & Cable India Ltd., IN
51447 Netherlands ROOTLAYERNET, BD
45899 Vietnam VNPT-AS-VN VNPT Corp, VN
206206 Iraq KNET, IQ
138754 India KVBPL-AS-IN Kerala Vision Broad Band Private Limited, IN
7713 Indonesia TELKOMNET-AS-AP PT Telekomunikasi Indonesia, ID
50710 Iraq EARTHLINK-AS, IQ


   Remote Access Trojan C&C Servers Found

Name Number Discovered Location
AgentTesla 2 162.0.233.7 , 180.214.239.67
Azorult 3 185.176.43.108 , 203.159.80.93 , 203.159.80.93
BetaBot 1 185.215.113.77
BlackNet 2 141.95.36.169 , 145.14.145.83
Collector 4 104.21.67.202 , 141.8.192.151 , 141.8.193.236 , 172.67.152.33
Cypress 1 178.208.83.36
Lokibot 2 104.21.83.148 , 172.67.155.40
Lu0bot 26 5.188.206.211 , asu00.xyz , asu03.xyz , asu06.xyz , asu08.shop , hri0.xyz , hri10.xyz , hri1.xyz , hri2.xyz , hri3.xyz , hri4.xyz , hri5.xyz , hri6.xyz , hri7.xyz , hri8.xyz , hri9.xyz , lu00.xyz , lu01.xyz , lu02.xyz , lu03.xyz , tes01.xyz , tes02.xyz , tes03.xyz , tes04.xyz , tes05.xyz , tes06.xyz
Oski 4 144.76.115.36 , 185.212.128.141 , 185.212.131.115 , 2.56.59.226
Qudox 1 164.90.195.10
Redline 6 185.118.165.94 , 185.234.247.50 , 193.188.22.4 , 209.250.245.216 , 94.103.9.168 , 95.179.244.63
SupremeMiner 7 104.21.81.65 , 141.8.192.58 , 185.231.71.62 , 37.0.8.144 , 45.137.190.241 , 45.32.232.29 , 92.119.113.254
Trojan C&C Servers DetectedAgentTeslaAZORultBlackNetCollectorLokibotLu0botOskiRedlineRedlineOther6.8%11.9%10.2%6.8%44.1%
Name Number Discovered
AgentTesla 2
AZORult 3
BetaBot 1
BlackNet 2
Collector 4
Cypress 1
Lokibot 2
Lu0bot 26
Oski 4
Qudox 1
Redline 6
Redline 7

    
   Common Malware

MD5 VirusTotal FileName Claimed Product Detection Name
9a4b7b0849a274f6f7ac13c7577daad8 https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details ww31.exe N/A W32.GenericKD:Attribute.24ch.1201
6be10a13c17391218704dc24b34cf736 https://www.virustotal.com/gui/file/9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb/details smbscanlocal0906.exe N/A Win.Dropper.Ranumbot::in03.talos
84452e3633c40030e72c9375c8a3cacb https://www.virustotal.com/gui/file/f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4/details sqhost.exe N/A W32.Auto:f0a5b257f1.in03.Talos
34560233e751b7e95f155b6f61e7419a https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details SAntivirusService.exe A n t i v i r u s S e r v i c e PUA.Win.Dropper.Segurazo::tpd
39e14b83d48ab362c9a5e03f885f5669 https://www.virustotal.com/gui/file/302f58da597128551858e8d53229340941457cad6729af0d306ebfa18a683769/details SqlServerWorks.Runner.exe SqlServerWorks.Runner W32.302F58DA59-95.SBX.TG


   Top Phishing Campaigns

Phishing Target Count
Other 1260
Facebook 44
Allegro 3
Amazon.com 14
PayPal 13
Suncorp 1
Instagram 1
Rakuten 3
Visa 4
Steam 13
DHL 1
AT&T 1
Microsoft 5
Vodafone 5
Halifax 2
Special 5
Google 1
Bradesco 1
WeTransfer 1
TSB 1


    CVEs with Recently Discovered Exploits

        This is a list of recent vulnerabilities for which exploits are available.

CVE, Title, Vendor Description CVSS v3.1 Base Score Date Created Date Updated

CVE-2020-0796

Remote Code Execution Vulnerability in Microsoft SMB

Microsoft

 A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'. 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 03/12/2020 07/21/2021

CVE-2020-1953

Malicious File Upload Vulnerability in Apache Commons

Apache

 Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application. 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 03/13/2020 07/21/2021

CVE-2020-26821

Weak Authentication Vulnerability in SAP Solution Manager

SAP

 SAP Solution Manager (JAVA stack), version - 7.20, allows an unauthenticated attacker to compromise the system because of missing authorization checks in the SVG Converter Service, this has an impact to the integrity and availability of the service. 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H) 11/10/2020 07/21/2021

CVE-2021-35211

Remote Code Execution Vulnerability in SolarWind’s Serv-U

Solarwinds

 Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability. 9.9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) 07/14/2021 07/26/2021

CVE-2020-6102

Code Execution Vulnerability in Shader Functionality – AMD Radeon Directx Driver

AMD

 An exploitable code execution vulnerability exists in the Shader functionality of AMD Radeon DirectX 11 Driver atidxx64.dll 26.20.15019.19000. An attacker can provide a specially crafted shader file to trigger this vulnerability, resulting in code execution. This vulnerability can be triggered from a HYPER-V guest using the RemoteFX feature, leading to executing the vulnerable code on the HYPER-V host (inside of the rdvgm.exe process). Theoretically this vulnerability could be also triggered from web browser (using webGL and webassembly). 9.9(AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) 07/20/2020 07/21/2021
Details
Date Published
August 12, 2021
Category
Threat Intelligence